Privacy Policy for QR Code Scanning

(v1.0, GDPR-compliant)

Last updated: 23.01.2026

1. Introduction

This Privacy Policy explains how we collect, use, store, and protect personal data when a user scans a QR code generated or hosted by ME-QR (“we”, “us”, “our”).

It applies only to data processed during the act of scanning a QR code and viewing its associated content.

If you are a registered user of our platform (e.g., you create and manage QR codes), please refer to our main Privacy Policy:

2. Data Controller

In most cases, ME-QR acts as a Data Processor, and the creator of the QR code (“QR Owner”) acts as the Data Controller, because they decide what content is shown and why the scan is tracked.

However, ME-QR may act as the Data Controller for:

security and anti-abuse monitoring
preventing fraud
platform analytics and performance optimization

Details are provided in Section 5.

3. What Data We Collect When a QR Code Is Scanned

When a user scans a QR code that leads to ME-QR-hosted content, we may automatically collect the following data:

3.1. Technical Data

IP address (may be used to derive approximate region/country)
Date and time of the scan
Device type (mobile, tablet, desktop)
Operating system and browser information (User-Agent)
Language settings
Network information (e.g., carrier, ISP)

3.2. Interaction Data

Whether the content was opened successfully
The type of content (URL, PDF, image, text, menu, etc.)
Engagement events (e.g., clicks inside the landing page, if applicable)

3.3. Location Data (approximate only)

We do not collect precise GPS location.

Approximate geolocation may be derived from the IP address (country/region/city level).

3.4. No Special Categories of Data

We do not intentionally collect sensitive data (health, political views, biometrics, etc.).

4. Purposes of Processing

We process scan-related data for the following purposes:

4.1. To Provide the QR Code Service

Display content linked to the QR code
Ensure compatibility across devices and browsers

4.2. Analytics for the QR Owner (Data Controller)

Counting the number of scans
Showing statistics such as device type, country, date/time
Providing performance metrics to the QR Owner

4.3. Security, Fraud Prevention & Abuse Monitoring

Detecting malicious activity
Blocking harmful or automated scans
Ensuring service stability and uptime

4.4. Service Improvements

Understanding aggregated usage patterns
Enhancing platform performance
Your data is never used for profiling or automated decision-making that produces legal effects.

5. Legal Basis for Processing (GDPR)

Depending on the party responsible for the QR code, the legal basis may vary.

5.1. ME-QR as Data Processor

The QR Owner (Controller) determines the legal basis, typically:

Legitimate Interest (Art. 6(1)(f)), or
Consent (if required by local law)

5.2. ME-QR as Data Controller

We rely on:

Legitimate Interest to ensure security and prevent abuse
Performance of a Contract to deliver the QR scanning functionality

6. Data Retention

Scan data is retained as follows:

Raw logs: up to 12 months (for security)
Aggregated analytics visible to the QR Owner: as long as the QR code remains active, or until deleted by the Owner
IP addresses: may be anonymized or aggregated after initial processing

QR Owners may also manually delete all scan data from their accounts.