🔒

Privacy Policy

Updated January 2025

Summary
1. Who we are 2. Data we collect 3. How we use your data 4. Legal basis 5. Data sharing 6. Retention and deletion 7. Your rights (GDPR/LGPD) 8. Cookies 9. Security 10. Minors 11. Policy changes 12. Contact
Plain summary: We collect only what is necessary to operate. We do not sell your data. You have full control. We comply with LGPD (Brazil) and GDPR (EU).
1 Who we are

QRLabX (qrlabx.com) is a dynamic QR Code management service. The data controller is QRLabX, contactable at [email protected].

2 Data we collect

We collect the following categories:

  • Registration data: email address provided when creating a QR Code or registering.
  • Usage data: destination URLs, labels and categories of QR Codes, creation and expiration dates.
  • Scan data (anonymized): partially anonymized IP (last octet zeroed), approximate location via GeoIP, device type, browser and OS.
  • Payment data: processed via PayPal/Mercado Pago — we do not store card numbers directly.
  • Technical logs: server access logs for security and error diagnosis, retained for up to 90 days.
3 How we use your data

Your data is used exclusively to:

  • Create and manage your QR Codes and user account;
  • Perform redirects when a QR Code is scanned;
  • Display usage statistics in your dashboard;
  • Send transactional emails: registration confirmation, expiration notices, password reset;
  • Process and confirm subscription payments;
  • Ensure platform security and prevent abuse.

We do not use your data for advertising, behavioral profiling or sale to third parties.

4 Legal basis
  • Contract execution — to provide the contracted services;
  • Consent — for marketing communications (when applicable);
  • Legitimate interests — for security, fraud prevention and service improvement;
  • Legal obligation — to comply with regulatory requirements when required.
5 Data sharing

We do not sell or rent your data. We may share it only with:

  • Infrastructure providers for platform hosting, under confidentiality agreement;
  • Payment processor (PayPal/Mercado Pago) to confirm subscription transactions;
  • Public authorities, when there is a legal obligation or court order.
6 Retention and deletion
  • Account data: kept while the account is active;
  • Deleted QR Codes: moved to trash and permanently removed after 30 days;
  • Scan logs: kept for up to 12 months then deleted;
  • Technical logs: retained for 90 days;
  • After account closure: personal data is deleted within 30 days, unless legal retention is required.
7 Your rights (GDPR/LGPD)

As a data subject, you have the following rights:

AccessKnow what data we have about you.
CorrectionFix incorrect or incomplete data.
DeletionRequest removal of your personal data.
PortabilityReceive your data in structured format.
ObjectionObject to processing in certain cases.
WithdrawalWithdraw consent at any time.

To exercise any of these rights, email [email protected] with subject "GDPR Rights". We respond within 15 business days.

8 Cookies

We use only essential cookies for the platform to work (authenticated user session and CSRF protection). We do not use tracking, advertising or third-party analytics cookies.

9 Security
  • Encrypted communications via HTTPS/TLS throughout the platform;
  • Passwords stored with secure hashing (bcrypt);
  • Anonymized IPs in scan records (LGPD/GDPR compliance);
  • Database access restricted to the application server;
  • Regular encrypted backups.
10 Minors

QRLabX is not directed at minors under 18 and does not intentionally collect data from children. If we identify that we have collected data from a minor without parental consent, we will delete it immediately.

11 Policy changes

This policy may be updated periodically. Significant changes will be communicated by email or by a highlighted notice on the platform with at least 15 days notice. Continued use of the service after changes implies acceptance of the new policy.

12 Contact

This policy complies with Brazil's General Data Protection Law (LGPD — Law 13.709/2018) and the EU General Data Protection Regulation (GDPR — Regulation EU 2016/679).