Privacy Policy

Effective Date: April 15, 2026
Data Controller: RMX Tec Ltd, a company registered in Bulgaria
Contact: info@qrchat.eu

This Privacy Policy explains how QRChat.eu ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website and services. We are committed to processing your data in compliance with the General Data Protection Regulation (GDPR) and applicable Bulgarian data protection legislation.

1. Data We Collect

1.1 Account Data

When you register, we collect your email address and display name. If you connect Telegram for notifications, we store your Telegram chat ID.

1.2 Chat Data

Messages, files (up to 10 MB each), and other content exchanged in QR chat sessions are stored in our database for the lifetime of the associated QR code or account. Chat data is stored permanently until the QR code owner deletes the code, clears the conversation, or deletes their account.

1.3 Notification Data

If you enable notifications, we store the data necessary to deliver them: push notification endpoints and keys, Telegram chat IDs, or email addresses. Notification preferences are stored per QR code link.

1.4 Payment Data

Payments are processed by third-party providers (Stripe). We do not store your credit card details. We retain transaction records (amount, date, credits purchased) for accounting purposes.

1.5 Technical Data

We automatically collect IP addresses, browser type and version, device type, pages visited, and access timestamps. QR code scans record the scanner's IP address, user agent, and timestamp for notification and analytics purposes.

1.6 Cookies

We use only essential cookies required for the Service to function. See the Cookie Table below for details. We do not use tracking or advertising cookies.

2. How We Use Your Data

  • Providing the Service: Delivering messages, sending notifications, processing QR code scans, and managing your account.
  • Security: Detecting abuse, preventing fraud, and protecting the integrity of the Service.
  • Communication: Sending service-related announcements such as security alerts, terms updates, and billing notifications.
  • Improvement: Analyzing aggregated, anonymized usage data to improve the Service and develop new features.

3. Legal Basis for Processing (GDPR)

  • Contract performance: Processing necessary to provide the Service you signed up for (account data, chat data, notifications).
  • Legitimate interest: Security monitoring, fraud prevention, and service improvement.
  • Consent: Optional notifications via Telegram, email, or push. You can withdraw consent at any time in your notification settings.
  • Legal obligation: Retaining transaction records for tax and accounting compliance.

4. Data Sharing

We do not sell, rent, or trade your personal data. We may share data with:

  • Service providers: Hosting (server infrastructure), email delivery (Resend), payment processing (Stripe), and notification delivery (Telegram Bot API, web push). These providers process data only on our behalf and under contractual obligations.
  • Legal authorities: When required by law, court order, or governmental request.
  • Business transfer: In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity.

5. Data Retention

  • Account data: Retained for as long as your account is active. Deleted upon account deletion request.
  • Chat messages and files: Stored permanently until the QR code owner deletes the code, clears the chat, or deletes their account.
  • Notification subscriptions: Retained until you unsubscribe or the linked QR code is deleted.
  • Technical logs: Retained for up to 90 days for security and troubleshooting purposes.
  • Payment records: Retained for the period required by applicable tax and accounting laws.

6. International Data Transfers

Our servers are located within the European Union. If data is transferred outside the EU (for example, to third-party notification providers), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

7. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Restriction: Request that we limit the processing of your data in certain circumstances.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Withdraw consent at any time for consent-based processing.

To exercise these rights, contact us at info@qrchat.eu. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including encrypted connections (HTTPS/TLS), secure password hashing, CSRF protection, and rate limiting. However, no system is 100% secure, and we cannot guarantee absolute security.

9. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a user under 18, we will take steps to delete that data promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a notice on the Service. The "Effective Date" at the top reflects the latest revision.

11. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP) at www.cpdp.bg, or with the supervisory authority in your country of residence.

12. Contact

For any questions about this Privacy Policy or your personal data, contact us at info@qrchat.eu.

Cookies

This site uses the following cookies:

Cookie name Purpose Type Duration
PHPSESSID User authentication Essential Browser session
lang Interface language Essential 1 year
qrchat_guest_id Anonymous user identification in chat Essential 1 year
consent_choice Stores your cookie consent choice Essential 1 year