Data Protection

QR Code Tracking and GDPR Compliance

Full transparency on what QRTudo collects when someone scans your QR code, and your rights under the EU General Data Protection Regulation.

EU-hosted infrastructure (Lithuania) Your rights protected Updated June 2026

What data QRTudo collects when someone scans your QR Code

When a person scans a dynamic QR code created in QRTudo, our system automatically records some technical information:

Data collected Purpose Lawful basis (GDPR) Retention
Device IP addressApproximate location for analyticsLegitimate Interest — Art. 6(1)(f)18 months
Device typeAnalytics reporting (mobile/desktop)Legitimate Interest — Art. 6(1)(f)18 months
Operating systemAnalytics reportingLegitimate Interest — Art. 6(1)(f)18 months
TimestampPeak-time analyticsLegitimate Interest — Art. 6(1)(f)18 months
QR Code IDLink scan to customer campaignContract performance — Art. 6(1)(b)Contract term + 6 months
UTM parametersCampaign attributionLegitimate Interest — Art. 6(1)(f)18 months
QRTudo does not collect names, email addresses, or any data that directly identifies the person scanning.

Your rights under GDPR

Right to Access

Request a copy of all personal data QRTudo holds about you.

Right to Rectification

Correct inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interest.

Restriction

Request restriction of processing in certain circumstances.

To exercise any of these rights, email [email protected]. We respond within 30 days as required by GDPR.

International data transfers

QRTudo is hosted on Hostinger, a company headquartered in Lithuania (European Union). Our infrastructure operates within the EU, meaning your data does not leave the European Economic Area for our primary hosting.

EU adequacy framework applies — No Standard Contractual Clauses (SCCs) are required for our primary hosting relationship.

We use ip-api.com (US-based) to derive approximate geographic location from IP addresses for analytics. This constitutes a transfer to a third country. We are monitoring the EU-US Data Privacy Framework for applicability and will update this page as our compliance position evolves.

Data Protection Contact

DPO
Marc Martins
Email
[email protected]
Response time
Within 30 days (GDPR requirement)
Submit a request

Frequently asked questions — GDPR

No. QRTudo's infrastructure is hosted in the EU (Hostinger, Lithuania). Your scan data remains within the European Economic Area.

Legitimate Interest under Art. 6(1)(f) GDPR. We process technical scan data (IP, device type, timestamp) to provide analytics services to our customers. This processing is necessary, proportionate, and balanced against your interests.

Yes. Email [email protected] with "GDPR Request — Erasure" as the subject. We will confirm deletion within 30 days.

No cookies are set during the QR scan itself. Cookies may be set by the destination website after redirection — those are under the destination site's privacy policy, not QRTudo's.

QRTudo acts as a data processor for our customers (who are data controllers). We process scan data on their behalf and under their instructions. We maintain appropriate technical and organizational measures to protect this data.

Email [email protected] for all GDPR-related requests. Our DPO is Marc Martins. We respond within 30 days as required by GDPR.

Leitura relacionada

LGPD

Conformidade com a LGPD (versão PT-BR)
Blog

LGPD e QR Codes: Guia para Empresas
Analytics

Rastreamento de QR Code e LGPD