GDPR Compliance
QR Forge is committed to full compliance with the General Data Protection Regulation (GDPR) and other international data protection laws. We understand that your privacy is fundamental, and we've designed our service with data protection principles at the forefront. Learn how we handle your personal data and the rights you have as a data subject under GDPR.
Your Rights under GDPR
As a data subject in the EU or interacting with our EU-based services, you have comprehensive rights under GDPR that we fully respect and support. You have the right to access your personal data—we will provide you with a copy of any information we hold about you in a clear, understandable format. You have the right to rectification of inaccurate or incomplete data—if information we hold is wrong or incomplete, you can request we correct it immediately. You have the right to erasure, also known as the "right to be forgotten," which allows you to request deletion of your data in certain circumstances, particularly when the data is no longer necessary for the purposes we collected it. You have the right to restrict processing of your data, which allows you to pause our use of your information without requiring deletion. You have the right to data portability, meaning you can request your data in a structured, commonly-used format suitable for transfer to another service. You have the right to object to processing, including automated decision-making and profiling. You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated. We encourage you to contact us first so we can address any concerns before escalating to authorities.
Legal Basis for Processing
GDPR requires that data processing is based on a valid legal foundation. QR Forge processes personal data based on several lawful bases, each applied appropriately to the type of data and processing activity: your explicit consent, where required, particularly for non-essential cookies and marketing communications; the necessity to perform our contract with you and provide the services you've requested; compliance with legal obligations that apply to us, including maintaining records required by law; the protection of vital interests (personal safety and security of users and others); the performance of tasks in the public interest or official authority; and our legitimate interests in improving, securing, and operating our service efficiently and effectively. We carefully balance these bases to ensure we only process data when we have valid justification. For any processing activity, you can request information about which legal basis applies. We do not process data on any basis without clear, valid legal justification, and we regularly review our processing activities to ensure ongoing compliance.
Data Subject Requests
GDPR gives you powerful rights to control your data through formal requests. You have the right to request a copy of your personal data in a portable, structured format. You can request corrections or updates to ensure your information is accurate and complete. You can request restriction of processing to pause our use of your data while you address concerns or wait for corrections. You can request deletion of your data, subject to certain exceptions where we have a legal obligation to retain it. To exercise these rights, please contact our Data Protection Officer using the contact information provided in our Privacy Policy and on this site. We take these requests very seriously and will respond to all legitimate requests within the timeframe required by GDPR. In most cases, we will respond within 30 days of receiving a valid request. If your request is complex or requires additional information, we may request a reasonable extension (typically up to 90 days total) and will inform you of any extension. We will not charge you for these requests in most cases. If requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act, but we will inform you of our reasons. We maintain records of all data subject requests to ensure transparency and accountability.
Data Transfers
Your data protection rights don't end at borders. If your data is transferred outside the EU/EEA for any reason, we ensure appropriate legal safeguards are in place. We may use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection. We may rely on adequacy decisions from the European Commission confirming that certain countries provide adequate data protection. We may obtain your explicit consent for specific transfers where other mechanisms aren't available. We do not transfer personal data to countries without an adequate level of data protection unless you have given explicit informed consent or other established legal mechanisms apply. All third parties receiving your data are bound by strict data protection agreements. We regularly assess the legal landscape regarding international data transfers and update our practices to ensure compliance with evolving requirements, including recent court decisions affecting standard contractual clauses.
Data Protection Officer
QR Forge has appointed a Data Protection Officer (DPO) to ensure compliance with GDPR and oversee our data protection practices. Our DPO is responsible for monitoring our compliance, providing guidance on data protection obligations, handling data subject requests, and serving as your point of contact for privacy concerns. If you have any concerns about how your data is being processed, questions about our privacy practices, or wish to exercise your data rights, you can contact our DPO directly through the contact information provided on this site. Our DPO is independent and impartial, and their role is to protect your rights while helping us maintain compliant practices. We encourage you to reach out with any privacy concerns—our DPO is here to help ensure your rights are protected.
Privacy by Design
We implement privacy by design principles throughout every aspect of QR Forge, treating data protection as an integral part of our service rather than an afterthought. This means we minimize data collection from the start, collecting only what is necessary for specific, legitimate purposes. We implement privacy-enhancing technologies to protect your information and provide tools that give you control over your data. We design our systems with security built-in, using encryption and other protective measures. We conduct regular Data Protection Impact Assessments (DPIAs) for any high-risk processing activities to identify and mitigate potential risks to your privacy. Our product development process includes privacy reviews at every stage. We train our staff on data protection and privacy principles. We maintain documentation of our processing activities and decisions, ensuring transparency and accountability. Privacy by design means your protection is considered in everything we do.
Data Retention and Deletion
We don't retain data longer than necessary. Personal data is retained only for the period needed to fulfill the purpose it was collected for, and then securely deleted. QR codes you generate are not stored on our servers unless you explicitly choose to save them—in most cases, generation happens locally on your device. Analytics data is retained for limited periods, typically 12 months, before being automatically deleted. Support inquiries and communications are retained for 2 years to resolve disputes and maintain service quality. If you request deletion, we will delete your data within 30 days except where legal obligations require longer retention. Even when we're required by law to retain data, we implement technical and organizational measures to minimize processing and protect the data. You can request deletion of your data at any time by contacting us, and we will honor these requests unless we have a legal basis to retain the information.
International Privacy Standards
Beyond GDPR, QR Forge respects privacy regulations worldwide. Our practices comply with GDPR in Europe, CCPA in California, PIPEDA in Canada, and other regional data protection laws. Different regions may have different standards and requirements, and we implement the highest applicable standards for all users regardless of location. If you're subject to specific privacy regulations in your region, we ensure our practices meet those requirements. If you have concerns about how our practices comply with your local privacy laws, please contact us.