Effective Date: July 7, 2026
Data Controller: RMX Tec Ltd, a company registered in Bulgaria
Contact: info@qrchat.eu
This Privacy Policy explains how QRChat.eu ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website and services. We are committed to processing your data in compliance with the General Data Protection Regulation (GDPR) and applicable Bulgarian data protection legislation.
When you register, we collect your email address, a securely hashed password, and display name. If you sign in with Google, we receive your name, email address, and Google account identifier from Google. If you connect Telegram for notifications, we store your Telegram chat ID.
Messages, files (up to 10 MB each), and other content exchanged in QR chat sessions are stored in our database for the lifetime of the associated QR code or account. Chat data is stored until the QR code owner deletes the code, clears the conversation, or deletes their account. Do not share sensitive personal data (e.g. health, political or religious beliefs) in chats; we do not request such data and process it only incidentally as part of message content.
If you enable notifications, we store the data necessary to deliver them: push notification endpoints and keys, Telegram chat IDs, or email addresses. Notification preferences are stored per QR code link.
Payments are processed by third-party providers (Stripe). We do not store your credit card details. We retain transaction records (amount, date, credits purchased) for accounting purposes.
We automatically collect IP addresses, browser type and version, device type, pages visited, and access timestamps. QR code scans record the scanner's IP address, user agent, and timestamp for notification and security purposes. To protect forms against automated abuse we use Google reCAPTCHA, which may process your IP address and browser characteristics; this processing is based on our legitimate interest in protecting the Service.
When automated moderation flags or blocks content (see Section 3), we record a cryptographic hash of the content (not the content itself), a hashed identifier derived from the sender's IP address, the session identifier, the affected QR code, the decision, and the reason category. We also maintain temporary block records for repeated violations.
We use essential cookies required for the Service to function and — only with your prior consent — analytics and marketing cookies. See the Cookie Table below and Section 5 for details. You can change your choice at any time via "Cookie settings" in the footer.
To keep chats safe, we use automated moderation. Text messages are checked against keyword lists on our servers and may be submitted to OpenAI's moderation API for classification. Uploaded images may be submitted to Google's Gemini API for classification. These providers process the submitted content on our behalf for the sole purpose of content-safety classification; we do not permit its use for other purposes, and we do not send your name, email address, or account identifiers along with the content.
Based on the classification, content may be automatically blocked, and a device or network identifier that repeatedly sends blocked content may be automatically restricted for up to 24 hours. This constitutes automated decision-making with limited effect; it is based on our legitimate interest (and legal responsibility) in preventing the distribution of illegal and harmful content. You have the right to contest any automated moderation decision and obtain human review by contacting info@qrchat.eu. We store only hashes of moderated content in moderation logs, never the plain content (see Section 1.6).
We may use Google Analytics 4 (Google Ireland Ltd) to understand how visitors use our website and the Meta Pixel (Meta Platforms Ireland Ltd) to measure the performance of our advertising. These tools set cookies and collect data such as pages visited, approximate location, device information, and online identifiers, and may transfer data to Google LLC and Meta Platforms Inc. in the United States (see Section 8).
These tools are loaded only if you give your prior consent via the cookie banner. If you decline, no analytics or marketing cookies are set and no data is shared with these providers. You can withdraw your consent at any time via "Cookie settings" in the footer. For details on how these providers process data, see the privacy policies of Google and Meta. Where data collection for advertising purposes is performed jointly with Meta, we and Meta act as joint controllers with respect to that collection under a joint controllership arrangement.
We do not sell, rent, or trade your personal data. We share data only with:
Our servers are located within the European Union. Some of our providers (e.g. OpenAI, Google, Meta, Stripe, Resend) may process data in the United States or other third countries. Where personal data is transferred outside the EU/EEA, we rely on an adequacy decision of the European Commission (including the EU–U.S. Data Privacy Framework for certified providers) or on Standard Contractual Clauses, supplemented by additional safeguards where necessary.
Under the GDPR, you have the right to:
To exercise these rights, contact us at info@qrchat.eu. We will respond within one month. We may need to verify your identity before fulfilling a request.
We implement appropriate technical and organizational measures to protect your data, including encrypted connections (HTTPS/TLS), secure password hashing, CSRF protection, rate limiting, hashing of identifiers in moderation logs, and access controls. However, no system is 100% secure, and we cannot guarantee absolute security.
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where required, within 72 hours. If the breach is likely to result in a high risk to you, we will also inform you directly without undue delay.
The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a user under 18, we will take steps to delete that data promptly.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a notice on the Service. The "Effective Date" at the top reflects the latest revision.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP) at www.cpdp.bg, or with the supervisory authority in your country of residence.
For any questions about this Privacy Policy or your personal data, contact us at info@qrchat.eu.
This site uses the following cookies:
| Cookie name | Purpose | Type | Duration |
|---|---|---|---|
| PHPSESSID | User authentication | Essential | Browser session |
| lang | Interface language | Essential | 1 year |
| qrchat_guest_id | Anonymous user identification in chat | Essential | 1 year |
| consent_choice | Stores your cookie consent choice | Essential | 1 year |
| _ga, _ga_* | Google Analytics — anonymous visitor statistics | Analytics | 2 years |
| _fbp | Meta Pixel — measuring advertising performance | Marketing | 3 months |
Analytics and marketing cookies are set only after you give your consent. You can withdraw your consent at any time via “Cookie settings” in the page footer.