codes-qr.com

Privacy Policy

Last updated: April 18, 2026

This English version is provided for convenience. The French version (available at /fr/privacy) prevails in case of discrepancy.

codes-qr.com (the "Service") respects your privacy. This policy describes what data we collect, why, and how you can exercise your rights in accordance with the GDPR (EU 2016/679) and the French Data Protection Act (Loi Informatique et Libertés).

1. Data controller

The data controller is the publisher of codes-qr.com.
Contact: contact@codes-qr.com
Full details available in the legal information.

2. Data collected

On the website (codes-qr.com)

  • Email address — for magic-link login and to link your paid account.
  • Session cookie (codes_qr_session) — HttpOnly, Secure, SameSite=Lax, 30-day duration. Used solely to keep you logged in. No tracking cookie.
  • QR codes you create (target URL, label, type, colors) — stored on our servers in France.
  • Scan statistics — for dynamic QR codes only: date, approximate country (via IP), device type (iOS/Android/Desktop), referrer. The IP address is never stored in plaintext: it is immediately hashed (SHA-256) before being written to the database.
  • Payment data — handled by our subprocessor Stripe (see section 5). We do not store any credit card numbers.

On the Chrome extension

  • Local anonymous identifier (UUID generated in your browser) — to identify your device without collecting personal data.
  • Daily usage quota — to enforce the free limit (10 generations/day).
  • Email (optional) — only if you voluntarily enter it to sync with your web account.

3. Purposes and legal bases

  • Service delivery (QR creation/editing, dynamic redirects) — performance of contract (art. 6.1.b GDPR).
  • Minimal audience measurement (scan statistics) — legitimate interest (art. 6.1.f GDPR), with pseudonymized data.
  • Billing (Stripe payments) — performance of contract + legal accounting obligation.
  • Transactional email (magic login link) — performance of contract.

We do no direct marketing, send no newsletter, and resell no data.

4. Retention period

  • User account: as long as you use it. Deletion on simple request to contact@codes-qr.com.
  • QR codes and statistics: as long as the account exists. Immediate deletion with the account.
  • Magic links: 30 minutes (then purged).
  • Sessions: 30 days (then expired).
  • Server logs (nginx): 30 days, then purged. Contain IP + User-Agent.
  • Invoices (accounting obligation): 10 years.

5. Subprocessors

  • Stripe Payments Europe Ltd (payment) — data: email, amount, currency, last 4 digits of card. GDPR-compliant via Standard Contractual Clauses. Stripe policy.
  • OVH SAS (VPS hosting, France) — data: all database content. EU-sovereign hosting.
  • o2switch SARL (DNS and SMTP hosting, France) — data: sending login emails only.
  • ip-api.com (server-side IP geolocation, on-the-fly, without storing the raw IP) — to infer the approximate country of a scan.

6. Cookies

We use a single cookie: codes_qr_session (technical, essential for operation). No advertising cookie, no third-party tracking cookie (Google Analytics, Facebook Pixel, etc.). No consent banner is required under the ePrivacy Directive.

7. Your rights

Under the GDPR, you have the rights of access, rectification, erasure, portability, objection and restriction. To exercise them, write to contact@codes-qr.com. Response within 30 days maximum.

You may also lodge a complaint with the French data protection authority (CNIL) or your local EU supervisory authority.

8. Security

Mandatory HTTPS (TLS 1.2+), HttpOnly+Secure+SameSite cookies, no passwords (magic-link auth only), hashed scan IPs, SSH access by key only.

9. Changes

Any change to this policy will be published on this page with the update date. For substantial changes, you will be notified by email.