Who we are
qr-cow is operated by the HSN family — a small group of engineers shipping the site independently. There is no parent company. For GDPR purposes we are the data controller for everything described below.
What we collect
If you only use the free studio (no account)
- Nothing personal. The QR code you design is rendered in your browser and never sent to us. We don't know who you are.
- Server-side preview fallback. If your browser can't render the styled preview, the encoded string is sent to us once to render a PNG. We log the request with an IP + user-agent for spam-prevention purposes and discard both after 30 days. The encoded content is not stored.
If you create an account
- Email + password hash. Used to log you in and to reach you if you lose access. Password is bcrypt-hashed; we never see your plaintext.
- OAuth identifier (if you signed up with Google or Facebook). The provider's user-id only; we never request your contacts, photos, or anything else.
- QR codes you save. Their content, design, name, and the dynamic-redirect target if it's a dynamic code.
Scan events on your dynamic codes
Every time someone scans a dynamic QR code you own, we record one row containing:
- The QR code id (so we know it's yours).
- Timestamp.
- Country code, device type (phone / tablet / desktop), and OS family — derived from the scanner's user-agent + IP, not stored as the raw IP itself. We use a coarse IP-to-country lookup and discard the IP immediately.
We do not store the scanner's IP address, exact location, browser fingerprint, ad-id, or any cross-site identifier. The dashboard analytics you see are aggregated from this data.
If you pay for a plan
- Payment metadata. Plan code, amount, transaction status, and the NowPayments invoice id. We do not see your wallet address, balance, or transaction history beyond the specific invoice you paid.
- No card data. qr-cow is crypto-only, so there's no card number to mishandle.
What we do with it
- Run your account.
- Render and serve your QR codes.
- Show you analytics for your dynamic codes.
- Send you transactional email — sign-up confirmation, password reset, payment receipt. There is no marketing list to opt out of because we don't send marketing email.
- Diagnose abuse and failed payments. Bounce-protection on auth uses a short-lived rate-limit signal that is discarded after a minute.
What we don't do
- No third-party trackers. We run our own self-hosted analytics. No Google Analytics, no Meta Pixel, no Hotjar, no Sentry, no LinkedIn Insight.
- No data sales. Your scan stats stay between you and us. We don't sell aggregate "industry data" either.
- No AI training. Your QR content, scan data, and account data are not used to train any machine-learning model — ours or anyone else's.
- No undisclosed sub-processors. The list below is the entire list.
Who else gets the data
Four named sub-processors, full stop:
- Cloudflare — DNS, CDN, DDoS protection. Sees request metadata in transit. Privacy: cloudflare.com/privacypolicy.
- NowPayments — crypto checkout. Sees the invoice id, amount, and the wallet you pay from. Privacy: nowpayments.io/privacy.
- Google / Facebook OAuth (only if you choose to sign in with them) — sees that you logged into qr-cow. Their respective privacy policies apply.
- Brevo (or our SMTP provider) — sees the recipient address + subject line of transactional emails. The body is the standard template above; nothing sensitive is in the subject.
Cookies + local storage
- Auth tokens (qc.access, qc.refresh) — kept in localStorage so you stay signed in across reloads. JWT-based; logging out wipes both.
- Theme preference (qc.theme) — light/dark mode, set once when you toggle the switch. Stays on your device.
- Cloudflare turnstile — an anti-bot cookie set on login + register only. Discarded by Cloudflare after the request.
No advertising cookies. No analytics cookies. There is no "Reject all" banner because there is nothing to reject.
How long we keep it
- Account data: as long as your account exists. Delete the account in your dashboard and it's gone within 24 hours.
- Scan events: kept for the lifetime of the dynamic QR code, then deleted when you delete the code. Soft-deleted codes are purged after 30 days.
- Server-side preview logs: 30 days, then rotated out.
- Payment records: 7 years. Required to comply with EU tax law (it's not a choice we'd otherwise make).
- Backups: snapshotted nightly, retained 30 days, then rotated. Deletion takes effect on backups within that window.
Your rights
Under GDPR (EU/UK), CCPA (California), and the equivalents elsewhere, you can:
- Access — request a JSON export of everything we have about you. Same data the dashboard already shows.
- Correct — change your email, full name, or QR content directly in the dashboard.
- Delete — one button in Dashboard → Account. Hard-deletes within 24 hours; backups rotate out within 30 days.
- Object to any processing you think is unjustified. Email us; we'll either explain why, or stop.
- Lodge a complaint with your local supervisory authority if you think we've messed up.
Email [email protected] to exercise any of these. We aim to respond within 7 days; the legal deadline is 30.
Where the data lives
Primary database is in the EU. Cloudflare proxies traffic globally and caches static assets. NowPayments runs in the jurisdiction declared on their site. If your jurisdiction requires explicit cross-border-transfer language, our standard-contractual-clauses-equivalent is in effect with each sub-processor above.
Children
qr-cow isn't designed for users under 13. If you're a parent and your child created an account, email us; we'll delete it.
Changes
Material changes are emailed to every account-holder at least 14 days before they take effect, and the "Last updated" date above moves forward. Non-material edits (typo fixes, link updates) just get a quiet date bump.
Contact
[email protected] for anything privacy-related, or [email protected] for general questions. We read everything; expect a reply within a few working days.

