Privacy Policy
Last updated: April 16, 2026
CreateQR lets you build, host, and track QR codes. Running that service means handling some personal information, both about the people who sign up with us and about the people who scan the codes our customers create. This notice sets out what we collect, why we collect it, who we share it with, how long we keep it, and the choices you have. It sits alongside our Terms & Conditions and should be read together with them.
In this notice, “CreateQR,” “we,” and “us” refer to REM Vision LTD, the entity that decides how and why your information is processed (the data controller). If you have a privacy question, or you want to exercise any of the rights described below, write to us at support@create-qr.com.
We designed these practices to line up with the EU and UK General Data Protection Regulations (GDPR and UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and comparable laws elsewhere. This notice applies wherever you are. Using the Services means you understand the practices set out here; if you are not comfortable with them, please do not use the Services.
Who and what this notice covers
Two groups of people show up in this notice, and it is worth separating them up front.
- Account holders. People who create an account, subscribe, build QR codes, or contact support. Most of the sections below are about you.
- People who scan a QR code. A QR code lives in the physical world, so anyone can scan one. When a code redirects through our servers, we process a small amount of technical data about that scan. The section on scan data explains exactly what and why.
What we collect
Information you give us
You hand information to us directly when you set up and use an account:
- Account details: your email address and the name you enter, plus a billing address where one is needed for a transaction.
- Sign-in credentials: one-time codes and secure login links we send to your email address so you can access your account without a stored password.
- Payment details: your card or payment-method information, which is collected and handled by our payment processor. We never see or store your full card number.
- The content of your QR codes: destination links, text, and the settings that make up each code, together with any files you upload (for example a PDF, image, or video), profile photos, logos, and the colors, frames, and styling you choose.
- What you send to support: the messages, questions, and any attachments you share when you reach out to us.
Information we gather as you use the Services
Some information is generated automatically while you browse and work in the product:
- Technical and device signals: your IP address, browser, operating system, and device type, drawn from your connection and the details your browser reports.
- Activity in the product: the pages and features you open, the actions you take while building and managing codes, and diagnostic logs that help us find and fix problems.
- Approximate location: a country- and city-level estimate derived from your IP address, which we use for analytics and to help keep the platform secure.
Information from QR code scans
This part is about the people who scan a code, who are often not CreateQR account holders themselves. When a code that redirects through our servers is scanned, our redirect service records a short technical snapshot so the code’s owner can see how it is performing and so we can keep the service running and free of abuse. That snapshot can include:
- the country, region, and city inferred from the scanning device’s network connection
- the device type, browser, and operating system, read from the device’s user-agent
- the date and time of the scan
The person who created the code sees this data as counts and summaries in their dashboard, not as a way to identify individual scanners. We rely on our own legitimate interest in operating and protecting the redirect service, and on the creator’s legitimate interest in measuring their codes. How long we hold this data is covered in the retention section.
Information we receive from others
A limited amount of information reaches us through the third parties that help us run the Services:
- Google sign-in, if you choose it: your email address, your name where Google supplies it, and the tokens needed to start your session.
- Our payment processor: confirmations that a payment went through, billing-status updates, failed-charge notices, and chargeback or dispute information.
Aggregated and de-identified data
We may combine or strip identifiers from the information above so that it can no longer reasonably be tied to a particular person. Once data reaches that state it is no longer personal information under applicable law, and we may use and disclose it freely, for example to understand overall product trends.
Why we use your information
We only use personal information for defined purposes. The note in parentheses is the legal basis we rely on for people in the EEA, UK, and Switzerland; the section on legal bases explains those terms.
- To run the Services: create and maintain your account, generate your codes, serve the redirects, produce your analytics, and keep the platform working (performance of our contract with you).
- To handle billing: take subscription payments, issue receipts, process refunds and disputes, and track billing status (performance of contract, legal obligation).
- To sign you in and keep accounts safe: verify you through email login codes and links, detect and prevent fraud and abuse, and enforce our Terms (legitimate interests, legal obligation).
- To support you: answer questions, investigate issues, and provide technical help (performance of contract, legitimate interests).
- To understand and improve the product: measure how features are used, find bugs, and decide what to build next (legitimate interests).
- To communicate with you: send account, billing, and service messages you need to receive, and, where the law allows, occasional product news you can opt out of at any time (performance of contract; consent or legitimate interests for marketing).
- To measure our advertising: understand which campaigns bring people to CreateQR and whether they subscribe, so we can spend our marketing budget sensibly (legitimate interests, or consent where required).
- To meet legal duties and protect our rights: comply with the law, respond to lawful requests, keep records required by tax and financial rules, and defend legal claims (legal obligation, legitimate interests).
We do not make decisions with legal or similarly significant effects on you through automated means alone.
Legal bases (EEA, UK, and Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your information on one or more of these bases under Article 6 of the GDPR, the UK GDPR, and the Swiss FADP:
- Contract: to deliver the Services you signed up for, run your account, and process your payments.
- Legitimate interests: to operate, secure, analyze, and improve the Services, prevent fraud and abuse, measure our advertising, and market to existing customers where permitted. We have weighed these interests against your rights; if you would like more detail on that assessment, contact support@create-qr.com.
- Consent: where the law requires it, such as certain marketing. You can withdraw consent at any time, which does not affect processing that already took place.
- Legal obligation: to comply with laws, respond to authorities, and keep records required by tax and financial rules.
- Vital interests: in rare cases, to protect someone’s safety, such as during a serious security incident.
We do not seek out special categories of data such as health or biometric information in the ordinary course of running the Services. If you choose to put such data into content you create, you are responsible for having a lawful basis to do so.
Cookies and similar technologies
CreateQR keeps its use of cookies and similar storage deliberately narrow. We rely on them mainly to keep you signed in and to keep the product secure, rather than to build advertising profiles.
- Essential cookies: a signed session cookie that keeps you logged in, and, where a code is password-protected, a short-lived cookie that remembers you entered the correct password for that specific code. These are required for the Services to work and cannot be turned off without breaking core features.
- Analytics and measurement: first-party identifiers used to understand traffic, product usage, and which marketing brought you to us. These help us improve the product and measure our advertising.
You can block or delete cookies through your browser settings, though the Services may stop working correctly if you remove the essential ones. Because there is still no shared industry standard for Do Not Track, we do not respond to DNT browser signals; we do honor Global Privacy Control (GPC) signals where the law treats them as a valid opt-out.
Who we share information with
We do not sell your personal information, and we do not share it for cross-context behavioral advertising as California law defines those terms. We disclose information only in the situations below.
Providers that run the Services for us
We use a small set of vendors to operate CreateQR. Each processes personal information only on our instructions and under a contract that requires it to protect that information. The main ones are:
- Vercel: hosting and delivery of the website and app, and storage of the files you upload (such as images, PDFs, and videos) and QR assets.
- Neon: the managed PostgreSQL database where account records, QR codes, and scan analytics are stored.
- Stripe: payment processing, subscription billing, and related fraud checks. Card details go directly to Stripe; we do not store full card numbers.
- SendGrid: delivery of transactional email, including login codes, links, receipts, and account notices.
- Google: optional sign-in, when you choose to log in with your Google account.
Analytics and advertising partners
To understand product usage and measure our marketing, we work with our analytics provider (Insightics) and with Google Ads, to which we report conversions such as a completed purchase so we can judge how well a campaign performed. Our advertising integration for Meta (Facebook) is not active; no data is sent to Meta unless and until we turn that integration on, at which point we will update this notice.
Legal, safety, and business transfers
- Legal and safety recipients: courts, regulators, law enforcement, and other authorities when the law requires it or when disclosure is needed to protect our rights, our users, or the public.
- A future owner: if the business is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may pass to the party involved. We will tell affected users where such a transfer changes how their information is handled.
We may also share aggregated or de-identified information that cannot reasonably be linked to a person for research, benchmarking, or product development.
How long we keep information
We hold personal information only as long as we need it to run the Services, meet our legal obligations, and protect our interests. In practice:
- Account information: kept while your account is open and for a limited period afterward to handle recovery and disputes, then deleted or anonymized.
- QR codes and their settings: kept while your account is open; the redirects behind a code may stop working once the account is closed.
- Scan analytics: kept for a limited period, after which it is aggregated or deleted.
- Billing and payment records: kept for as long as tax and financial law requires, which is typically several years.
- Support correspondence: kept for a reasonable period after your issue is resolved.
- System and security logs: kept for a limited period unless a security or legal matter requires holding them longer.
Where we cannot delete something immediately because it sits in a backup, we remove it from everyday use and let it age out under our normal backup rotation. Aggregated or de-identified data may be kept indefinitely.
How we protect information
We use administrative, technical, and organizational safeguards intended to protect personal information against unauthorized access, disclosure, change, or loss. These include encrypting data in transit with HTTPS and modern TLS, limiting access to production systems to staff who need it, and logging sensitive operations for review. No online service can promise perfect security, so please keep the email account tied to your login secure, since it receives your login codes and links, and tell us at support@create-qr.com right away if you think someone has gained access to your account.
If a breach occurs that is likely to put your rights at risk, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours, in line with Article 33 of the GDPR. Where the risk to affected people is high, we will also tell those people directly, as Article 34 requires, and we will follow the equivalent rules in other jurisdictions.
International data transfers
Your information is processed in the United States and in other countries where our providers operate. If you are in the EEA, the UK, or Switzerland, that means your information may be transferred to countries whose data-protection rules differ from your own. When we move personal information out of those regions, we rely on lawful transfer tools such as the European Commission’s Standard Contractual Clauses (with the UK International Data Transfer Addendum for UK transfers), adequacy decisions where they exist, or another mechanism the law allows. To ask about the specific safeguards we use, contact support@create-qr.com.
Your privacy rights
Depending on where you live, you may have some or all of the rights below. We try to honor them for everyone where we reasonably can, even where the law does not strictly require it.
- Access: ask whether we hold information about you and get a copy of it.
- Correction: ask us to fix information that is wrong or incomplete.
- Deletion: ask us to delete your information, subject to what we must legally keep.
- Restriction and objection: ask us to pause certain processing, or object to processing we base on legitimate interests, including direct marketing.
- Portability: receive your information in a common, machine-readable format and, where feasible, have it sent elsewhere.
- Withdraw consent: where we rely on consent, withdraw it at any time without affecting earlier processing.
To use any of these rights, email support@create-qr.comfrom, or referencing, the address on your account. We will respond within the time the law allows, generally one month under the GDPR and UK GDPR and 45 days under the CCPA/CPRA, and we will tell you if a complex request needs longer. We may need to confirm your identity first. If you believe we have mishandled your information, you can also complain to your local data protection authority; EU residents can find their national authority at edpb.europa.eu, and UK residents can contact the Information Commissioner’s Office at ico.org.uk.
Closing your account
You can close your account whenever you like, through the cancellation page or by emailing support@create-qr.com. We may confirm your identity before we act on the request.
Closing an account cannot be undone. Once it is processed you lose access to your dashboard, the redirects behind your codes may stop working, and your content may be removed from our active systems, so export anything you want to keep first. Afterward we keep only what the retention section allows, such as billing records the law requires and backups that age out on their own. If you signed up with Google, closing your CreateQR account does not touch your Google account, which you manage separately with Google.
California residents
If you live in California, the CCPA as amended by the CPRA gives you the additional disclosures and rights below.
Over the past 12 months we have collected these categories of personal information: identifiers (such as your email, IP address, and device details), internet and network activity (how you use the Services), commercial information (your subscription and transactions), coarse geolocation inferred from your IP address, and inferences we draw to run and improve the product. We have not collected sensitive personal information as the CPRA defines it. We disclose these categories for business purposes to the providers described in the sharing section. We do not sell personal information for money, and we do not share it for cross-context behavioral advertising.
California residents have the right to know, correct, and delete their information, to opt out of sale or sharing, and not to be treated differently for exercising these rights. To make a request, email support@create-qr.comwith “California Privacy Request” in the subject line; an authorized agent may act for you, and we may verify both your identity and the agent’s authority. We treat a valid Global Privacy Control signal as an opt-out of sale and sharing where the law recognizes it.
Other US state privacy rights
Residents of states including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana have privacy rights under their respective state laws, and we honor them for residents of those and other states with comparable laws. These generally include the right to access, correct, delete, and obtain a portable copy of your information, and in some states to opt out of targeted advertising, sale, or certain profiling. We do not engage in targeted advertising or the sale of personal information as those laws define them. To exercise a right, email support@create-qr.comwith your request and the state you live in; if we deny a request and your state allows an appeal, reply with “Appeal” in the subject line. Nevada residents may ask us not to sell certain information; we do not sell personal information as Nevada law defines it, and you can confirm this by writing to support@create-qr.com.
Other countries
In Canada, PIPEDA and provincial laws give you rights to access and correct your information. In Australia, the Privacy Act 1988 and the Australian Privacy Principles give you rights to access and correct your information and to complain to the Office of the Australian Information Commissioner. In Brazil, the LGPD gives you rights to access, correct, delete, and port your information and to object to processing. If you live somewhere else with a data protection law, you may have further rights; contact support@create-qr.com to exercise them.
Children
The Services are meant for adults. We do not knowingly collect personal information from anyone under 18, and our Terms require every user to be at least 18. If you are a parent or guardian and believe a minor in your care has given us information, email support@create-qr.comso we can look into it and delete it as the law requires. Because a QR code in the physical world can be scanned by anyone, a minor may scan a code another user created, so we encourage parents and guardians to supervise children’s use of QR codes generally.
Links and QR destinations
The Services link to outside websites, and every dynamic QR code sends the person who scans it to a destination the creator chose. Those destinations and sites run under their own privacy policies, which govern anything they collect. We do not control and are not responsible for their practices, so please review the privacy policy of any site you reach through a link or a QR code.
Changes to this notice
We may revise this notice as our practices, the Services, or the law change, and we will update the “Last updated” date at the top when we do. For changes that meaningfully affect how we handle your information or that reduce your rights, we will give notice by email or a prominent in-product message before they take effect, where practicable. Continuing to use the Services after a change means you accept the updated notice; if you do not, please stop using the Services and, where appropriate, close your account.
Contact us
REM Vision LTD
For any privacy question or request, reach us at support@create-qr.com. If you have a concern about how we handle your information, please contact us first so we can try to put it right; you may also complain to your local data protection authority at any time.