Legal Document

Privacy Policy

Last updated: March 1, 2025 | Version 1.0

1. Data Controller

The data controller for your personal data is the owner of the QRKontakt service, operating as a sole proprietor, based in Poland, reachable at: kontakt@qrkontakt.com.

Service available at: qrkontakt.com

2. Data Protection Officer

Due to the scale of processing, the controller is not required to appoint a Data Protection Officer (DPO). For data protection inquiries, contact us directly at: privacy@qrkontakt.com.

3. Personal Data We Collect

3.1. Registration Data

  • Email address
  • First name and last name
  • Password (stored only as a bcrypt hash — never in plain text)

3.2. OAuth Login Data (Google / Apple)

  • Email address verified by the provider
  • Name from the provider profile
  • Encrypted access token (sodium_crypto_secretbox encryption)

3.3. Contact Form Data

  • Sender's name
  • Sender's email address
  • Phone number (optional)
  • Message content
  • File attachments uploaded by the sender

3.4. QR Sticker Data

  • 16-character QR code assigned to the user's account
  • Scan data: timestamp + pseudonymised IP hash (SHA-256 with APP_SECRET) — raw IP addresses are never stored

3.5. Payment Data

  • Transaction data (amount, date, status) stored on our side
  • Card and bank account data is processed exclusively by Stripe Inc. and PayNow (mBank S.A.) — we do not store it on our servers

3.6. Shipping Address Data

  • Recipient's full name
  • Delivery address (street, postcode, city, country)
  • Contact phone number (for the courier)

3.7. Technical Data

  • User sessions stored in Redis (session cookies)
  • IP hashes for rate limiting — no raw IP addresses
  • Error logs (Sentry) — pseudonymised identifiers, no PII
  • Push subscriptions: browser VAPID endpoint (for web push notifications)
  • Referral codes: 8-character code linked to the user's account

4. Legal Basis and Purposes of Processing

Purpose | Legal Basis (Art. 6 GDPR)
User account management | Art. 6(1)(b) — performance of a contract
Order fulfilment and payments | Art. 6(1)(b) — performance of a contract
Contact form (anonymous messages) | Art. 6(1)(b) — contract / Art. 6(1)(f) — legitimate interest
QR sticker delivery | Art. 6(1)(b) — performance of a contract
Web push notifications | Art. 6(1)(a) — consent
Email marketing | Art. 6(1)(a) — consent
Security and abuse prevention (rate limiting) | Art. 6(1)(f) — legitimate interest
Tax and accounting obligations | Art. 6(1)(c) — legal obligation
Establishing or defending legal claims | Art. 6(1)(f) — legitimate interest

5. Data Retention Periods

  • User account: For the duration of the contract + 3 years after termination (limitation period for claims)
  • Transaction data: 5 years from the end of the tax year (tax obligations / Accounting Act)
  • Contact form messages: 12 months from the date of sending, unless the user requests earlier deletion
  • QR scan data: 12 months from the scan date
  • Sessions and cookies: 30 days (remember_me cookie), browser session (session cookie)
  • Push subscriptions: Until consent is withdrawn or the browser unregisters the subscription
  • Rate limiting logs: 24 hours

6. Recipients and Data Transfers

Your data may be shared with the following third parties (only to the extent necessary to provide the service):

Stripe Inc.

Card payment processing. Data protected under PCI-DSS. USA — transfers under Standard Contractual Clauses (SCC). Stripe Privacy Policy

mBank S.A. (PayNow)

BLIK and online bank transfer processing. Poland (domestic entity). PayNow Privacy Policy

Furgonetka.pl (Apaczka S.A.)

Courier and delivery services for stickers. Name and delivery address are shared to arrange shipment. Poland.

Google LLC (Google OAuth)

Sign in with Google. USA — transfers under SCC. Google Privacy Policy

Apple Inc. (Sign in with Apple)

Sign in with Apple. USA — transfers under SCC. Apple Privacy Policy

Sentry (Functional Software, Inc.)

Application error monitoring (if configured). Data is pseudonymised. USA — transfers under SCC.

Hosting Provider

Server infrastructure and database hosted within the European Union.

The controller does not sell or share personal data with third parties for marketing purposes.

7. Your Rights

Under GDPR, you have the following rights:

Right of access (Art. 15)

You can find out what data we process about you and receive a copy.

Right to rectification (Art. 16)

You can request correction of inaccurate or completion of incomplete data.

Right to erasure (Art. 17)

You can request deletion of your data when it is no longer needed or you withdraw consent.

Right to restriction (Art. 18)

You can request that processing of your data be suspended in certain circumstances.

Right to portability (Art. 20)

You can receive your data in a structured, machine-readable format (CSV/JSON).

Right to object (Art. 21)

You can object to processing based on legitimate interest.

Right to withdraw consent

You can withdraw consent at any time without affecting the lawfulness of prior processing.

Right to lodge a complaint

You can lodge a complaint with the Polish supervisory authority (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

To exercise any of these rights, contact us at: privacy@qrkontakt.com. We will respond without undue delay and no later than 30 days.

8. Cookies Policy

We use the following categories of cookies:

8.1. Strictly Necessary Cookies (no consent required)

Name | Purpose | Duration
PHPSESSID | User session (login state) | Browser session
REMEMBERME | "Remember me" functionality | 30 days
_csrf_token | CSRF attack protection | Browser session

8.2. Functional Cookies (with consent)

Name | Purpose | Duration
cookie_consent | Stores your cookie preference (localStorage) | Persistent (localStorage)

You can manage cookies through your browser settings. Blocking strictly necessary cookies may prevent the service from functioning correctly.

9. Security Measures

We apply the following technical and organisational measures to protect your data:

  • TLS 1.2+ encryption for all connections
  • Passwords stored exclusively as bcrypt hashes (cost 13)
  • OAuth tokens encrypted with XSalsa20-Poly1305 (libsodium)
  • IP addresses never stored in plain form — only pseudonymised SHA-256 hashes
  • Redis database isolation (cache, sessions, rate limiting in separate DBs)
  • HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
  • CSRF protection on all forms
  • Rate limiting to prevent brute-force attacks
  • Payment card data processed exclusively by PCI-DSS certified processors

10. Contact

For data protection matters, please contact us at:

11. Changes to This Policy

The controller reserves the right to update this Privacy Policy. We will notify you of significant changes by email or through a prominent notice on the service at least 14 days before they take effect.

The current version of the Privacy Policy is always available at qrkontakt.com/privacy.