What data QRTudo collects when someone scans your QR Code
When a person scans a dynamic QR code created in QRTudo, our system automatically records some technical information:
| Data collected | Purpose | Lawful basis (GDPR) | Retention |
|---|---|---|---|
| Device IP address | Approximate location for analytics | Legitimate Interest — Art. 6(1)(f) | 18 months |
| Device type | Analytics reporting (mobile/desktop) | Legitimate Interest — Art. 6(1)(f) | 18 months |
| Operating system | Analytics reporting | Legitimate Interest — Art. 6(1)(f) | 18 months |
| Timestamp | Peak-time analytics | Legitimate Interest — Art. 6(1)(f) | 18 months |
| QR Code ID | Link scan to customer campaign | Contract performance — Art. 6(1)(b) | Contract term + 6 months |
| UTM parameters | Campaign attribution | Legitimate Interest — Art. 6(1)(f) | 18 months |
QRTudo does not collect names, email addresses, or any data that directly identifies the person scanning.
Your rights under GDPR
| Right | What it means |
|---|---|
| Right to Access | Request a copy of all personal data QRTudo holds about you. |
| Right to Rectification | Correct inaccurate or incomplete personal data. |
| Right to Erasure | Request deletion of your personal data ("right to be forgotten"). |
| Data Portability | Receive your data in a structured, machine-readable format. |
| Right to Object | Object to processing based on legitimate interest. |
| Restriction | Request restriction of processing in certain circumstances. |
To exercise any of these rights, email [email protected]. We respond within 30 days as required by GDPR.
International data transfers
QRTudo is hosted on Hostinger, a company headquartered in Lithuania (European Union). Our infrastructure operates within the EU, meaning your data does not leave the European Economic Area for our primary hosting.
EU adequacy framework applies — No Standard Contractual Clauses (SCCs) are required for our primary hosting relationship.
We use ip-api.com (US-based) to derive approximate geographic location from IP addresses for analytics. This constitutes a transfer to a third country. We are monitoring the EU-US Data Privacy Framework for applicability and will update this page as our compliance position evolves.
Data Protection Contact
Data Protection Contact
DPO: Marc Martins — [email protected]. Response time: within 30 days (GDPR requirement).
Frequently asked questions — GDPR
Does scanning a QR Code transfer my data outside the EU?
No. QRTudo's infrastructure is hosted in the EU (Hostinger, Lithuania). Your scan data remains within the European Economic Area.
What is QRTudo's lawful basis for processing scan data?
Legitimate Interest under Art. 6(1)(f) GDPR. We process technical scan data (IP, device type, timestamp) to provide analytics services to our customers. This processing is necessary, proportionate, and balanced against your interests.
Can I request deletion of my scan data?
Yes. Email [email protected] with "GDPR Request — Erasure" as the subject. We will confirm deletion within 30 days.
Does QRTudo use cookies when I scan a QR Code?
No cookies are set during the QR scan itself. Cookies may be set by the destination website after redirection — those are under the destination site's privacy policy, not QRTudo's.
Is QRTudo GDPR compliant as a data processor?
QRTudo acts as a data processor for our customers (who are data controllers). We process scan data on their behalf and under their instructions. We maintain appropriate technical and organizational measures to protect this data.
How can I contact QRTudo's Data Protection Officer?
Email [email protected] for all GDPR-related requests. Our DPO is Marc Martins. We respond within 30 days as required by GDPR.