Privacy Policy
This Privacy Policy describes how QRZone.io (A Product of Quick Code FZE) collects, uses, stores, and protects information when you use our platform and services. This policy applies to all users worldwide, with additional disclosures for California residents under the CCPA/CPRA.
Last updated: March 2026
1. Information We Collect
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), "personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. QRZone collects the following categories of personal information:
1.1 Account Information (Identifiers)
When you create a QRZone account, we collect your name, email address, organization name, phone number (optional), and billing/payment information. This information is necessary to provide our services and manage your subscription.
1.2 QR Code Scan Data (Geolocation & Device Data)
When someone scans a QR code created with QRZone, we collect scan metadata including:
- Approximate geographic location (city-level, derived from IP address) -- classified as geolocation data under CCPA
- Device type and model (e.g., iPhone 15, Samsung Galaxy S24)
- Operating system and version (e.g., iOS 18.3, Android 15)
- Browser type and version (e.g., Chrome 124, Safari 18)
- IP address (truncated after geolocation lookup; full IP is not stored long-term)
- Scan timestamp (date and time of scan event)
- Referrer URL (the page or app that triggered the scan, if available)
- Language/locale (browser or device language setting)
Under CCPA, this scan metadata constitutes personal information because it includes geolocation data, internet activity information, and electronic network activity information that can be reasonably linked to a device and, by extension, a consumer. QRZone treats all scan data as personal information and applies the protections described in this policy accordingly.
1.3 Usage Data (Internet Activity Information)
We collect information about how you interact with our platform, including pages visited, features used, QR codes created, campaign configurations, clickstream data, and session duration. Under CCPA, this constitutes "internet or other electronic network activity information."
1.4 Inferences
We may derive inferences from the data above to power smart routing (e.g., routing a scanner to a language-specific page based on device locale, or to an app store based on device type). These inferences are functional, not profiling for advertising.
2. How We Use Your Information
We use collected personal information for the following business purposes:
- Provide, maintain, and improve QRZone services (contract performance)
- Process QR code scan events and deliver analytics dashboards
- Enable smart routing, A/B testing, and dynamic content delivery
- Send service-related communications, invoices, and security alerts
- Detect and prevent fraud, abuse, bot traffic, and security incidents
- Perform internal research and product improvement
- Comply with legal obligations, including responding to lawful requests
3. Data Sharing and Disclosure
3.1 No Sale of Personal Information
QRZone does not sell personal information. We have not sold personal information in the preceding 12 months and have no plans to do so. For purposes of CCPA/CPRA, "sale" means disclosing personal information to a third party for monetary or other valuable consideration.
3.2 No Sharing for Cross-Context Behavioral Advertising
QRZone does not share personal information for cross-context behavioral advertising as defined under CPRA. We do not use third-party advertising trackers, retargeting pixels, or data brokers.
3.3 Service Providers
We disclose personal information to service providers who assist in operating our platform (hosting, payment processing, email delivery, error monitoring). These service providers are contractually bound to use personal information only for the services they provide to us, and are prohibited from selling or sharing it. See our Subprocessors page for a current list.
3.4 Legal Disclosures
We may disclose personal information when required by law, subpoena, court order, or government regulation, or when we believe disclosure is necessary to protect our legal rights, enforce our Terms of Service, or protect user safety.
4. CCPA/CPRA Rights for California Residents
If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the CPRA:
4.1 Right to Know
You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
4.2 Right to Delete
You may request deletion of your personal information. We will comply unless an exception applies (e.g., completing a transaction, detecting security incidents, complying with a legal obligation, or using the information for internal purposes reasonably aligned with your expectations).
4.3 Right to Correct
You may request that we correct inaccurate personal information, taking into account the nature of the information and the purposes of processing.
4.4 Right to Opt Out of Sale/Sharing
QRZone does not sell or share your personal information. However, if this ever changes, you will be able to opt out via a "Do Not Sell or Share My Personal Information" link.
4.5 Right to Limit Use of Sensitive Personal Information
QRZone collects precise geolocation data only at the city level via IP address lookup. We do not collect precise GPS coordinates, biometric data, health data, financial account credentials, or other categories of sensitive personal information as defined under CPRA. If we expand our collection to include sensitive personal information, we will provide a mechanism to limit its use.
4.6 Right to Non-Discrimination
We will not discriminate against you for exercising any CCPA/CPRA rights. You will not receive a different level of service or pricing for exercising your privacy rights.
4.7 How to Submit a Request
To exercise your CCPA/CPRA rights:
- Email: privacy@qrzone.io with subject line "CCPA Request"
- Through your QRZone account: Settings > Privacy > Data Requests
- Via our contact page
We will verify your identity before processing requests. For account holders, we verify via your authenticated session. For non-account holders (e.g., QR code scanners), we verify using information you provide that matches our records. We respond to verified requests within 45 days. If we need additional time, we will notify you and may take up to an additional 45 days (90 days total).
4.8 Authorized Agent
You may designate an authorized agent to submit requests on your behalf. The agent must provide proof of authorization (a signed written permission or power of attorney). We may still verify your identity directly.
4.9 Financial Incentive Disclosure
QRZone does not offer financial incentives or price differences in exchange for the retention or sale of personal information.
5. Categories of Personal Information Collected (CCPA Table)
The following table summarizes the categories of personal information we collect, as defined by CCPA § 1798.140(v):
| Category | Examples | Collected | Sold/Shared |
|---|---|---|---|
| A. Identifiers | Name, email, IP address, account ID | Yes | No |
| B. Personal information under Cal. Civ. Code 1798.80(e) | Name, billing address, payment card (via processor) | Yes | No |
| D. Commercial information | Subscription plan, purchase history, invoices | Yes | No |
| F. Internet/electronic network activity | Scan events, device type, OS, browser, referrer URL, clickstream | Yes | No |
| G. Geolocation data | City-level location derived from IP address | Yes | No |
| K. Inferences | Device type routing, language-based routing | Yes | No |
We do not collect: protected classification characteristics (C), biometric information (E), sensory data (H), professional/employment data (I), education information (J), or sensitive personal information as defined under CPRA.
6. Data Retention
We retain personal information only as long as reasonably necessary for the purposes described in this policy. Specific retention periods by data type and plan tier:
- Account data: Duration of active subscription + 90 days after account closure
- Billing records: 7 years (US tax compliance requirements)
- Scan analytics (Starter): 14 days
- Scan analytics (Plus): 6 months
- Scan analytics (Pro): 12 months
- Scan analytics (Nexus Zone): 24 months
- Scan analytics (Scale Zone): 36 months
- Scan analytics (Apex Zone): 5+ years (configurable)
- Security/audit logs: 24 months
- System/API logs: 12 months
- Support tickets: 24 months after resolution
After expiration, data is permanently deleted within 30 days. Aggregated, anonymized data that cannot reasonably identify any consumer may be retained indefinitely for benchmarking and trend analysis. See our Data Retention Policy for full details.
7. Additional State Law Disclosures
7.1 California "Shine the Light" (Cal. Civ. Code § 1798.83)
California residents may request a list of third parties to whom we have disclosed personal information for direct marketing purposes. QRZone does not disclose personal information to third parties for their direct marketing purposes.
7.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Other US State Laws
If you reside in a US state with a comprehensive privacy law, you may have rights similar to those described in Section 4, including the right to access, delete, correct, and opt out of targeted advertising and profiling. QRZone does not engage in targeted advertising or profiling. To exercise your rights, contact us at privacy@qrzone.io.
8. Cookies and Tracking Technologies
QRZone uses essential cookies for platform functionality and optional analytics cookies to improve our services. We do not use third-party advertising cookies or cross-site tracking pixels. You can manage cookie preferences through your browser settings. See our Cookie Policy for a detailed inventory of cookies used and their retention periods.
9. Children's Privacy
QRZone is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have collected personal information from a child under 16, contact us immediately at privacy@qrzone.io and we will delete it.
10. International Data Transfers
QRZone's primary infrastructure is hosted in the United States. If you are accessing QRZone from outside the US, your personal information will be transferred to and processed in the United States. For EU/EEA/UK users, we use Standard Contractual Clauses (SCCs) as our transfer mechanism. For other jurisdictions, we apply appropriate safeguards as required by local law.
11. Security
We implement industry-standard security measures including AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access controls, multi-factor authentication, audit logging, and regular security assessments and penetration testing. See our Security page for details.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email, in-platform notification, or a prominent notice on our website at least 30 days before the changes take effect. Continued use of QRZone after the effective date constitutes acceptance of the updated policy.
13. Contact
For privacy-related inquiries:
- Data Protection Officer: privacy@qrzone.io
- Mailing address: QRZone.io, Attn: Privacy Team, United States
- Contact page: www.qrzone.io/contact