QRChat logo
  • EN English
  • RU Русский
  • DE Deutsch
  • ES Español
  • FR Français
  • BG Български
  • RO Română
  • AR العربية
  • UK Українська
  • ZH 中文
  • VI Tiếng Việt

Privacy Policy

Effective Date: July 7, 2026
Data Controller: RMX Tec Ltd, a company registered in Bulgaria
Contact: info@qrchat.eu

This Privacy Policy explains how QRChat.eu ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website and services. We are committed to processing your data in compliance with the General Data Protection Regulation (GDPR) and applicable Bulgarian data protection legislation.

1. Data We Collect

1.1 Account Data

When you register, we collect your email address, a securely hashed password, and display name. If you sign in with Google, we receive your name, email address, and Google account identifier from Google. If you connect Telegram for notifications, we store your Telegram chat ID.

1.2 Chat Data

Messages, files (up to 10 MB each), and other content exchanged in QR chat sessions are stored in our database for the lifetime of the associated QR code or account. Chat data is stored until the QR code owner deletes the code, clears the conversation, or deletes their account. Do not share sensitive personal data (e.g. health, political or religious beliefs) in chats; we do not request such data and process it only incidentally as part of message content.

1.3 Notification Data

If you enable notifications, we store the data necessary to deliver them: push notification endpoints and keys, Telegram chat IDs, or email addresses. Notification preferences are stored per QR code link.

1.4 Payment Data

Payments are processed by third-party providers (Stripe). We do not store your credit card details. We retain transaction records (amount, date, credits purchased) for accounting purposes.

1.5 Technical Data

We automatically collect IP addresses, browser type and version, device type, pages visited, and access timestamps. QR code scans record the scanner's IP address, user agent, and timestamp for notification and security purposes. To protect forms against automated abuse we use Google reCAPTCHA, which may process your IP address and browser characteristics; this processing is based on our legitimate interest in protecting the Service.

1.6 Content Moderation Data

When automated moderation flags or blocks content (see Section 3), we record a cryptographic hash of the content (not the content itself), a hashed identifier derived from the sender's IP address, the session identifier, the affected QR code, the decision, and the reason category. We also maintain temporary block records for repeated violations.

1.7 Cookies

We use essential cookies required for the Service to function and — only with your prior consent — analytics and marketing cookies. See the Cookie Table below and Section 5 for details. You can change your choice at any time via "Cookie settings" in the footer.

2. How We Use Your Data

  • Providing the Service: Delivering messages, sending notifications, processing QR code scans, and managing your account.
  • Safety and moderation: Automatically screening messages and images for prohibited content, preventing abuse, and enforcing our Terms of Use.
  • Security: Detecting abuse, preventing fraud and automated attacks, and protecting the integrity of the Service.
  • Communication: Sending service-related announcements such as security alerts, terms updates, and billing notifications.
  • Improvement: Analyzing aggregated, anonymized usage data to improve the Service and develop new features.
  • Analytics and marketing (only with your consent): Measuring website usage and advertising performance as described in Section 5.

3. Automated Content Moderation and AI

To keep chats safe, we use automated moderation. Text messages are checked against keyword lists on our servers and may be submitted to OpenAI's moderation API for classification. Uploaded images may be submitted to Google's Gemini API for classification. These providers process the submitted content on our behalf for the sole purpose of content-safety classification; we do not permit its use for other purposes, and we do not send your name, email address, or account identifiers along with the content.

Based on the classification, content may be automatically blocked, and a device or network identifier that repeatedly sends blocked content may be automatically restricted for up to 24 hours. This constitutes automated decision-making with limited effect; it is based on our legitimate interest (and legal responsibility) in preventing the distribution of illegal and harmful content. You have the right to contest any automated moderation decision and obtain human review by contacting info@qrchat.eu. We store only hashes of moderated content in moderation logs, never the plain content (see Section 1.6).

4. Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for (account data, chat data, notifications, payments).
  • Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, automated content moderation, abuse prevention (including reCAPTCHA), and service improvement.
  • Consent (Art. 6(1)(a)): Optional notifications via Telegram, email, or push; analytics and marketing cookies. You can withdraw consent at any time with effect for the future.
  • Legal obligation (Art. 6(1)(c)): Retaining transaction records for tax and accounting compliance and responding to lawful requests from authorities.

5. Analytics and Advertising Tools

We may use Google Analytics 4 (Google Ireland Ltd) to understand how visitors use our website and the Meta Pixel (Meta Platforms Ireland Ltd) to measure the performance of our advertising. These tools set cookies and collect data such as pages visited, approximate location, device information, and online identifiers, and may transfer data to Google LLC and Meta Platforms Inc. in the United States (see Section 8).

These tools are loaded only if you give your prior consent via the cookie banner. If you decline, no analytics or marketing cookies are set and no data is shared with these providers. You can withdraw your consent at any time via "Cookie settings" in the footer. For details on how these providers process data, see the privacy policies of Google and Meta. Where data collection for advertising purposes is performed jointly with Meta, we and Meta act as joint controllers with respect to that collection under a joint controllership arrangement.

6. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

  • Service providers (processors): Hosting (EU-based server infrastructure), email delivery (Resend), payment processing (Stripe), notification delivery (Telegram Bot API, web push services of your browser vendor), content moderation (OpenAI — text; Google — images), and abuse prevention (Google reCAPTCHA). These providers process data on our behalf and under data processing agreements, except where they act as independent controllers under their own terms (e.g. Telegram for your Telegram account, Stripe for payment compliance).
  • Analytics and advertising partners (only with your consent): Google Analytics, Meta Pixel (see Section 5).
  • Legal authorities: When required by law, court order, or governmental request, or to report content that endangers the safety of minors or others.
  • Business transfer: In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity under equivalent safeguards; we will inform you of such a transfer.

7. Data Retention

  • Account data: Retained for as long as your account is active. Deleted upon account deletion request.
  • Chat messages and files: Stored until the QR code owner deletes the code, clears the chat, or deletes their account.
  • Notification subscriptions: Retained until you unsubscribe or the linked QR code is deleted.
  • Technical logs: Retained for up to 90 days for security and troubleshooting purposes.
  • Moderation logs and blocks: Hashed moderation records are retained for up to 12 months; automated blocks expire after at most 24 hours.
  • Payment records: Retained for the period required by applicable tax and accounting laws.

8. International Data Transfers

Our servers are located within the European Union. Some of our providers (e.g. OpenAI, Google, Meta, Stripe, Resend) may process data in the United States or other third countries. Where personal data is transferred outside the EU/EEA, we rely on an adequacy decision of the European Commission (including the EU–U.S. Data Privacy Framework for certified providers) or on Standard Contractual Clauses, supplemented by additional safeguards where necessary.

9. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Restriction: Request that we limit the processing of your data in certain circumstances.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest, on grounds relating to your particular situation.
  • Withdraw consent: Withdraw consent at any time for consent-based processing, without affecting the lawfulness of prior processing.
  • Human review: Contest automated moderation decisions and obtain human intervention (see Section 3).

To exercise these rights, contact us at info@qrchat.eu. We will respond within one month. We may need to verify your identity before fulfilling a request.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including encrypted connections (HTTPS/TLS), secure password hashing, CSRF protection, rate limiting, hashing of identifiers in moderation logs, and access controls. However, no system is 100% secure, and we cannot guarantee absolute security.

11. Data Breach Notification

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where required, within 72 hours. If the breach is likely to result in a high risk to you, we will also inform you directly without undue delay.

12. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a user under 18, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a notice on the Service. The "Effective Date" at the top reflects the latest revision.

14. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP) at www.cpdp.bg, or with the supervisory authority in your country of residence.

15. Contact

For any questions about this Privacy Policy or your personal data, contact us at info@qrchat.eu.

Cookies

This site uses the following cookies:

Cookie name Purpose Type Duration
PHPSESSID User authentication Essential Browser session
lang Interface language Essential 1 year
qrchat_guest_id Anonymous user identification in chat Essential 1 year
consent_choice Stores your cookie consent choice Essential 1 year
_ga, _ga_* Google Analytics — anonymous visitor statistics Analytics 2 years
_fbp Meta Pixel — measuring advertising performance Marketing 3 months

Analytics and marketing cookies are set only after you give your consent. You can withdraw your consent at any time via “Cookie settings” in the page footer.

Terms & Conditions Privacy Policy Contact us
QRChat logo

Instant QR chats for creators, brands, teams, and real-world interactions.

We use cookies to operate this service. Essential cookies are always active. You can choose whether to allow analytics cookies. Privacy Policy

Essential Always on

Required for the site to function: session, language preference, guest ID, consent choice.

Analytics

Help us understand how the site is used to improve the experience.