Privacy Policy

How qree.app processes personal data.

1. Controller (Art. 4 GDPR)

Alex Kay
60 Trần Phú Street
Nha Trang, Khánh Hòa 650000, Vietnam
Email: legal@qree.app

2. What we process

Server access logs

The web server records: IP address, timestamp, requested URL, HTTP status, referrer and user agent. Access logs are rotated daily and the most recent 14 days are kept. Legal basis: Art. 6(1)(f) GDPR.

Google sign-in (OAuth)

When you sign in with Google, Google LLC (Mountain View, USA) transmits your email, name, avatar URL and a profile identifier. We store these to identify your account. Legal basis: Art. 6(1)(a) GDPR (consent) plus (b) (contract). Transfer to Google in the USA relies on the EU-U.S. Data Privacy Framework (C(2023) 4745).

QR code data

We store the destination URLs you enter, design settings (colors, logo) and a short code used for tracking. Legal basis: Art. 6(1)(b) GDPR.

Scan analytics

When someone scans one of your QR codes we collect: scanner IP, user agent, referrer URL and timestamp. The IP is used for GeoIP lookup to derive approximate country/city. Aggregated stats are shown in your dashboard. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating the analytics function which is the core of the service).

Welcome email (Maileroo)

On first sign-up we send a welcome email via Maileroo Inc. as our processor (Art. 28 GDPR). We do not send marketing emails.

Analytics (Umami, self-hosted)

We use a self-hosted, cookieless instance of Umami Analytics. Aggregated data only. Legal basis: Art. 6(1)(f) GDPR.

Error tracking (Sentry / GlitchTip)

Self-hosted GlitchTip at errors.alexkay.dev. Stack trace, request URL, IP and (if signed in) user email may be transmitted. Retention 90 days. Legal basis: Art. 6(1)(f) GDPR.

3. Third-country transfers

Service runs on a VPS outside the EU. Operator based in Vietnam. Transfers rely on Art. 49(1)(b) GDPR.

4. Your rights (Art. 15-22 GDPR)

Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Objection (Art. 21), Withdraw consent at any time

Email legal@qree.app. You may also lodge a complaint with a supervisory authority (Art. 77 GDPR).

5. Retention

Server logs: 14 days. QR codes and scan data: until you delete them. Account data: until account deletion. Analytics: 12 months. Error events: 90 days.

6. Cookies

No tracking cookies. Only a strictly-necessary session cookie (consent-exempt under § 25(2) TTDSG / EU ePrivacy Directive).

Last updated: June 2026