Privacy policy
qrpage.co is built for minimum data collection. This page explains what we store, why, and for how long.
Last updated: 29 May 2026
1. Data controller
Caspar von WredeGoethestr. 32
14163 Berlin, Germany
Email: hi@qrpage.co
A Data Protection Officer is not legally required for us: we do not regularly employ more than 20 people on automated personal-data processing, nor do we carry out processing that would require a data protection impact assessment.
2. What we process
- Email address — when you publish a mini website, so we can email you the magic links to confirm, edit, and delete it. There are no accounts and no passwords.
- Mini-website content — text, photos, location info you enter yourself. Published under the slug URL we assign.
- Location data — an address you type is sent to the Photon geocoder (see below) so we can resolve it to coordinates and show a map.
- IP address + user agent — processed transiently by Cloudflare and by our platform for delivery, abuse protection, and rate limiting (kept in logs for at most 7 days).
- View counter — per mini website we count anonymous views (no IP storage) so the creator can see how many people scanned the QR.
- Waitlist signups — if you join the waitlist, we store your email and the templates you ticked, until you unsubscribe or we have notified you that the last template is live.
3. Legal bases
- Art. 6(1)(b) GDPR — contract performance (providing the service, sending magic links, storing your mini website).
- Art. 6(1)(f) GDPR — legitimate interest in security, abuse prevention, rate limiting, and aggregate, cookieless analytics.
- Art. 6(1)(a) GDPR — consent, when you actively join the waitlist.
4. Cookies
qrpage.co does not set any tracking cookies of its own, and does not load any consent-requiring third-party cookies. No cookie banner is therefore required under § 25 TTDSG (Germany's implementation of the ePrivacy Directive).
Cloudflare may set a strictly necessary cookie (__cf_bm) for bot detection. That
cookie serves only security and service functionality and is exempt from consent under
§ 25(2)(2) TTDSG.
5. Recipients / processors
We use the following processors, with Data Processing Agreements (DPAs) and EU Standard Contractual Clauses (SCCs) in place where applicable:
- DigitalOcean (application hosting, EU region Frankfurt). Privacy policy
- Cloudflare, Inc. (CDN, WAF, DDoS protection). Processes IP addresses transiently for delivery and security. Privacy policy
- Amazon Web Services (AWS S3) (photo storage). Bucket region: EU. Privacy policy
- Twilio SendGrid (transactional email: magic links for confirm, edit, delete). Privacy policy
- Photon (Komoot GmbH) — address autocomplete and geocoding. The search string you type is sent to Photon. About Photon
- OpenStreetMap Foundation — map tiles for the map preview on a mini website. Loading the tiles transmits the visitor's IP address to OSM. Privacy policy
- Fathom Analytics — cookieless, privacy-friendly traffic measurement. No cookies, no personal profiling. Privacy / compliance
- Ahrefs Analytics — cookieless SEO analytics (complementary to Fathom). No cookies. Privacy policy
6. International data transfers
Some processors listed above (Cloudflare, AWS, SendGrid, Fathom, Ahrefs) may process data in the United States. We rely on the EU Standard Contractual Clauses and, where applicable, the European Commission's adequacy decision under the EU–U.S. Data Privacy Framework.
7. Retention
- Mini websites: kept while published. Deleting one via its delete link removes the content and all associated photos immediately.
- Email address: we do not store your email address in clear text. When you publish, we keep only a non-reversible hash of it (for spam and abuse prevention); the clear-text address is used once to send the magic links and is not stored.
- Server and security logs: at most 7 days.
- Waitlist: until you unsubscribe, or until we have shipped every template you ticked (then deleted).
8. Your rights
Under the GDPR you have, in particular, the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR) — every mini website is self-deletable from the link in the confirmation email
- Right to restriction (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
To exercise these rights, email us at hi@qrpage.co.
9. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. Our lead authority is:
Berlin Commissioner for Data Protection and Freedom of InformationFriedrichstr. 219, 10969 Berlin, Germany
www.datenschutz-berlin.de
10. Security
Traffic is encrypted with TLS. We apply security updates promptly, run regular backups, and restrict internal access to personal data.
11. Changes to this policy
If we make material changes, we will update the date above and, where relevant, notify users in the app.