Dynamic QR Pro
en/et
Sign in

Privacy policy

Version 1.0 ยท How we collect, process, and protect your data. This is not legal advice.

1. Data controller

Dynamic QR Pro is operated by Blue Networks Oรœ (registry code 11490042), Vase 5, 10155 Tallinn, Estonia. We are the data controller for the personal data described here.

Privacy contact: Reio Rajaveer โ€” [email protected]. We have not appointed a separate Data Protection Officer (DPO); for any data processing questions, reach us at the address above.

2. What personal data we process

  • โ†’Account data: name, email, password (hashed), and billing details (handled by Stripe โ€” we don't store card numbers).
  • โ†’Workspace data: workspace name, team members you invite, the codes you create, and the destinations you set.
  • โ†’Scan metadata (about people who scan your codes): timestamp, device and browser type, and a rough location derived from a truncated IP address.
  • โ†’Product usage: pages visited and actions taken in the app, to improve it.
  • โ†’Cookies: see the Cookies policy.

3. What we don't collect

  • โ†’The identity or personal details of the people who scan your codes.
  • โ†’The contents of the destinations you link to.
  • โ†’Your phone number.

4. Why we process it

  • โ†’Account & service: we use account data to create and manage your account, provide the service, and issue invoices.
  • โ†’Functionality: we use workspace data to deliver the service โ€” creating and managing codes and routing destinations.
  • โ†’Analytics & security: we use scan metadata and product usage data for aggregate analytics, service security, and fraud prevention.
  • โ†’Communication: we use email to send transactional messages (invoices, notifications) and, with consent, marketing messages.

5. Legal basis (GDPR)

  • โ†’Performance of a contract โ€” to provide the service you pay for.
  • โ†’Legitimate interest โ€” product analytics, security, and fraud prevention.
  • โ†’Consent โ€” marketing emails and optional cookies (analytics, ads, chat).
  • โ†’Legal obligation โ€” tax, accounting, and lawful requests.

Where we rely on legitimate interest, we have carried out a legitimate-interest assessment. To review it, email [email protected].

6. Recipients and subprocessors

ProviderPurposeRegion
StripePayments & invoicingEU/global
Amazon Web Services (AWS)App hosting, database & object storage (S3)EU
ResendTransactional email (invoices, notifications)US/global (SCCs)
CloudflareMarketing site, CDN, securityEU edge
Google AnalyticsWebsite analytics (consent-gated)Global
Meta (Pixel)Ads measurement, when campaigns run (consent-gated)Global
CrispWebsite live chat (consent-gated)EU (France)
CookieYesCookie consent managementEU

Each operates under its own Data Processing Agreement (DPA), in line with Article 28 of the GDPR. A current DPA list is available on request.

7. Security and access to data

We apply appropriate physical, organizational, and technical safeguards: TLS encryption in transit, hashed passwords, encrypted daily backups, and production access limited to named people.

Access to personal data is restricted to named staff who need it to provide the service and customer support. See our security overview on the Trust page for more.

8. International transfers

Your data is stored in the European Union. Where a subprocessor processes data outside the EU, we rely on the European Commission's Standard Contractual Clauses or an adequacy decision.

9. Retention

  • โ†’Account data: while your account is active, plus 30 days after closure.
  • โ†’Scan metadata: retained while your subscription is active.
  • โ†’Aggregate, non-identifying analytics: retained indefinitely.
  • โ†’Accounting source documents: personal data contained in them is kept for seven years (Estonian Accounting Act).
  • โ†’Payment and legal disputes: related data is kept until the claim is satisfied or the limitation period ends.

10. Your rights

  • โ†’Access and correction: you can access and correct your data in account settings or by emailing [email protected].
  • โ†’Portability: the right to receive your data in a machine-readable format; we respond within one month.
  • โ†’Erasure: the right to request deletion; we respond within one month and specify which data we won't delete and on what legal basis (e.g. accounting obligations).
  • โ†’Restriction: the right to request restriction of processing where data is inaccurate, incomplete, or processed unlawfully.
  • โ†’Objection: the right to object to processing, including direct marketing.
  • โ†’Withdraw consent: where processing is based on consent, you can withdraw it at any time in account settings or by notifying support.

To exercise any of these rights, email [email protected].

11. Direct marketing

We use your email address to send direct marketing messages only with your consent. You can opt out via the link in the footer of any message or by emailing [email protected]. We do not carry out profiling for automated decision-making.

12. Children

The service isn't intended for children under 16, and we don't knowingly collect their data.

13. Changes

If we make material changes, we'll email account holders and post a notice here, keeping prior versions on record.

14. Dispute resolution and supervisory authority

For any questions or disputes about the processing of personal data, contact [email protected]. You also have the right to lodge a complaint with the supervisory authority: the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon โ€” [email protected], www.aki.ee).