Privacy Policy
Effective 17 July 2026 · Version 2.0 · Applies to qrcandy.co and the QRCandy Service
This policy explains, in practical terms, what personal data QRCandy handles, where it comes from, why it is used, who receives it, how long it is kept, and the choices and rights available under the GDPR and Swedish law.
Controller identity incomplete
Replace the bracketed values in src/lib/legal.ts with the actual legal entity, Swedish organisation number, VAT number, and registered address before collecting orders or account data.
1. Identity and Privacy Roles
For qrcandy.co, accounts, orders, support, the partner programme, and QRCandy's own service security, the following company is the data controller:
Swedish organisation number: [Swedish organisation number]
Registered address: [Registered postal address, Sweden]
Email: hello@qrcandy.co
Website: qrcandy.co
QR analytics roles
A QRCandy customer normally decides why its campaign QR code is used, where it redirects, and how campaign analytics are used. That customer is the controller for scanner data used for its campaign, and QRCandy is its processor. The data processing agreement is Section 11 of our Terms of Sale and Service.
QRCandy is a separate controller for limited processing needed to protect the QR routing infrastructure, prevent abuse and duplicate event inflation, meet legal obligations, and understand the operation of its own Service. Section 4 explains this split. If you scanned a customer's code, the brand identified on the wrapper or destination should give you its own campaign notice. You can also contact us and we will help identify or reach the relevant customer where possible.
We have not appointed a data protection officer because the current processing does not require one. Privacy questions and rights requests go to hello@qrcandy.co with the subject Privacy Request.
2. Data We Handle
Account, authentication, and communications
Email address, display name, account identifier, password hash and authentication records managed by Supabase Auth, role and account settings, sign-in/session data, and messages you send to support. QRCandy does not receive your raw password and does not currently offer Google sign-in.
Orders, delivery, and design
Customer name, email, delivery address, optional phone number and notes, products, quantities, prices, currency, discounts, order and fulfilment status, carrier and tracking information, destination URLs, wrapper text, colours, fonts, logos, artwork, previews, and print specifications. If you order for an organisation, this may include your work contact details and employer.
Payments and refunds
Stripe checkout/session and transaction identifiers, payment status, amount, currency, VAT charged, discount, refund, and dispute information. If a business VAT number is entered at checkout, we receive it with the payment confirmation and keep it with the order for tax and invoicing records. Full card numbers, CVCs, and other payment credentials are entered on Stripe's hosted checkout and are not stored by QRCandy.
QR scans and technical use
QR campaign and destination identifiers, scan time, resolved URL, user-agent and device/browser indicators, referring URL when supplied, country code derived by hosting/CDN infrastructure, and a short-lived deduplication fingerprint. Web and security logs may also contain IP address, request time, route, user-agent, response/error information, and rate-limit identifiers. Section 4 gives the exact scan-event treatment.
Partner and referral records
Partner name, contact email, account identifier, referral codes and settings, attribution window, the code attached to an order, eligible net order value, commission entries, payout status, and related correspondence. Partners do not receive a referred buyer's delivery address or payment credentials through the partner dashboard.
Optional brand discovery
When you ask QRCandy to discover a brand from a domain, we process the domain, public website response and metadata, public logos/icons, colours, descriptions, slogans, search snippets, and generated suggestions. The feature may fetch the public site and use Brandfetch, favicon services, Bing search results, and the Lovable AI Gateway with a Google model. We do not intentionally include your account, order, payment, or delivery data in the AI prompt.
Browser-held data
The site stores functional preferences, authentication state, cart and design drafts, checkout details, help-note choices, and referral codes in cookies or local storage on your device. Section 9 lists purposes and durations.
Data comes from you, people acting for your organisation, a scanner's browser or device, QRCandy customers and partners, payment and delivery providers, our hosting and security systems, and public websites or brand sources when you use discovery.
3. Purposes and Legal Bases
The table states our purposes and GDPR Article 6 legal bases when QRCandy acts as controller. If you act for a company, contract performance may be the company's contract rather than a contract with you personally; in that case we normally rely on our and the company's legitimate interests in administering that relationship.
| Purpose | Main data | Legal basis |
|---|---|---|
| Create and manage an individual account; provide requested Service features | Account, authentication, settings, brand and campaign data | Contract · Art. 6(1)(b); legitimate interests for organisation users · Art. 6(1)(f) |
| Quote, take payment, produce, deliver, support, refund, and administer an order | Contact, delivery, order, design, payment-status and fulfilment data | Contract · Art. 6(1)(b); legitimate interests for B2B contacts · Art. 6(1)(f) |
| Accounting, tax, product safety, consumer, sanctions, and other legal duties | Order, transaction, customer, traceability and complaint records | Legal obligation · Art. 6(1)(c) |
| Transactional account, security, order, delivery, and partner messages | Email, name, order/account status and message content | Contract · Art. 6(1)(b); legal obligation · Art. 6(1)(c); legitimate interests · Art. 6(1)(f) |
| Operate and secure QR routing; prevent abuse and duplicate count inflation | Request, campaign, scan, device, country, fingerprint and security data | Legitimate interests · Art. 6(1)(f); customer instructions where QRCandy is processor |
| Provide customer-controlled QR analytics | Scan-event and campaign data | QRCandy acts as processor; the customer determines the Art. 6 basis |
| Run optional brand discovery requested by the user | Entered domain and public brand/site material | Contract/requested Service · Art. 6(1)(b); legitimate interests for organisation users · Art. 6(1)(f) |
| Validate referrals, administer partners, calculate commission, and prevent fraud | Partner, code, attribution, order-reference and commission data | Contract · Art. 6(1)(b); legitimate interests · Art. 6(1)(f); legal obligation · Art. 6(1)(c) |
| Diagnose errors, defend claims, and protect QRCandy, customers, and scanners | Technical logs, route/error context, account, order and communications data | Legitimate interests · Art. 6(1)(f); legal obligation where applicable · Art. 6(1)(c) |
Our legitimate interests include operating and improving a secure storefront, fulfilling business orders, preventing fraud and abuse, keeping accurate campaign counts, supporting customers, and managing partner relationships. We balance those interests against the person's rights, minimise the data, and provide a right to object. Where we rely on consent, it can be withdrawn without affecting earlier lawful processing.
Required checkout fields are needed to form, pay for, or deliver the order. Without them we cannot complete that transaction. Optional fields are labelled or can be omitted. We do not use personal data for third-party advertising and do not make solely automated decisions about people that produce legal or similarly significant effects. AI-assisted brand suggestions are optional and remain for you to review.
4. QR Scan Data
For each accepted scan request, the application may record:
- timestamp, QR campaign/batch, destination, and resolved URL;
- HTTP user-agent and derived device/browser information;
- referring URL, if the scanner's app or browser supplies one;
- a two-letter country code supplied by hosting/CDN infrastructure; and
- a SHA-256 fingerprint made from the QR slug, request IP address, and user-agent to avoid counting immediate repeats as separate scans.
The application processes the request IP address transiently to route, secure, rate-limit, geolocate at country level, and build the fingerprint. It does not write the raw IP address into the QRCandy scan-event table. Hosting, CDN, or security logs may process IP addresses under their configured log-retention controls. A hash is pseudonymous personal data, not anonymous data.
The fingerprint is used for a five-minute deduplication window and is automatically removed from the event row after seven days. The remaining scan-event row is automatically deleted after 24 months. The relevant customer can see its campaign analytics; authorised QRCandy staff may access data only for support, security, compliance, or service operation.
As processor, QRCandy relies on the customer's documented instructions and the customer must identify its own legal basis. As independent controller for abuse prevention, count integrity, and QR infrastructure security, QRCandy relies on legitimate interests. You may object to that controller processing as explained in Section 8.
5. Recipients and Service Providers
We do not sell personal data. We disclose only the data needed for the relevant service, and use processor agreements where the recipient processes on our behalf. Some recipients, especially payment providers and carriers, also act as independent controllers for their own legal, security, and operational purposes.
| Recipient/category | Purpose and data |
|---|---|
| Supabase | Managed database, authentication, storage, and backend infrastructure: account, order, design, partner, and QR data. |
| Stripe and payment-network participants | Hosted checkout, payment processing, fraud prevention, refunds, disputes, and reconciliation: email, order total/currency, transaction and related checkout data. Stripe independently receives payment credentials. |
| Resend | Transactional account, order, fulfilment, security, and partner email: recipient address, name where used, subject, message content, and delivery events. |
| Lovable and hosting/CDN/infrastructure providers | Application hosting, delivery, deployment, request security, country signal, and optional error capture: requests, IP/user-agent, route, error context, and application data needed to operate the Service. |
| Production, print, fulfilment, and delivery partners | Manufacture and deliver the order: recipient and delivery details, order lines, artwork, print files, product specifications, and tracking data. A carrier may act as its own controller. |
| Brand-discovery providers (only when requested) | Brandfetch, the entered public website, icon.horse, DuckDuckGo and Google favicon services, Bing search, and Lovable AI Gateway/Google model services may receive the entered domain or public brand evidence needed to return assets and suggestions. |
| The relevant QRCandy customer | Authorised users of that customer can view its campaign-level scan analytics and manage its destination. Other customers cannot access those rows. |
We may also disclose data to professional advisers, insurers, auditors, authorities, courts, or law enforcement where necessary and lawful; to protect people, rights, and the Service; or in a merger, financing, reorganisation, or sale subject to confidentiality and continuity of privacy protection.
6. International Transfers
Providers may process data in Sweden, elsewhere in the EEA, or in countries outside the EEA. The location depends on the selected service, hosting region, support path, and the provider's own infrastructure. We do not describe every provider as “US-based” because their contracting entities and processing locations differ.
For a restricted transfer, we use an available lawful mechanism such as an European Commission adequacy decision (including the EU-US Data Privacy Framework where the recipient and transfer are covered), the European Commission's Standard Contractual Clauses, and supplementary technical, organisational, or contractual measures where appropriate. Processor transfer obligations also appear in Section 11 of the Terms.
Email hello@qrcandy.co to ask about the mechanism relevant to your data or for a copy of applicable safeguards, subject to protection of confidential and security information.
7. Retention and Account Deletion
We keep identifiable data only while needed for the purpose, an active relationship, legal obligations, or a genuine claim or security need. The current application uses these periods or criteria:
| Data | Retention |
|---|---|
| Account and authentication data | While the account exists. On deletion, personal profile/authentication fields are removed or neutralised; a de-identified blocked auth tombstone may remain to preserve retained records. |
| Order, delivery, and design data | While needed to produce, deliver, support, and manage the order and while the account keeps its order history. On eligible account deletion, contact/address/note fields are anonymised; legal and non-personal transaction records remain as required. |
| Accounting and transaction records | Through the end of the seventh year after the calendar year in which the relevant financial year ended, or longer where another binding rule or legal hold applies. |
| QR scan-event rows | 24 months from each scan. The request fingerprint is removed after 7 days; raw IP is not stored in the application scan-event row. |
| Brand discovery cache and rate-limit events | Successful discovery results expire after 7 days and failed lookups after 6 hours, then stale cache rows are purged within a further 7 days. Rate-limit events are purged after 2 days. |
| Account-linked brand settings and logos | Until replaced, removed, or the account is deleted. A content-addressed public logo object may remain after its account reference is deleted until unused-object cleanup. |
| Support, complaint, and legal correspondence | Normally up to 3 years after the matter closes, and longer where needed for a legal duty, limitation period, unresolved complaint, or claim. |
| Partner, referral, commission, and payout records | For the programme relationship and then as needed for reconciliation, fraud prevention, claims, and applicable accounting/tax retention. |
| Security, hosting, email-delivery, and processor logs | For the shortest provider-configured period reasonably needed to deliver, diagnose, secure, and evidence the Service, subject to incident or legal holds. Contact us for the current setting relevant to a request. |
What account deletion does
Self-service deletion is paused while a paid order still needs fulfilment because the delivery details remain necessary. After completion, deletion removes the profile and account-linked brand record, strips personal contact, address, and note fields from retained orders, deactivates and scrubs QR campaigns, and replaces the authentication identity with a de-identified blocked tombstone so retained financial records are not cascaded away. The old email is released for a fresh account.
Uploaded logos are stored under content-derived names and may be shared when the exact same file is uploaded more than once. Deleting the account removes its reference, but an unreferenced public object may remain until storage cleanup. Do not upload confidential material as a logo. You may ask us to investigate and remove an unused object where feasible.
We may retain data longer if law requires it, a legal hold applies, or it is needed for a live complaint, chargeback, fraud investigation, or claim. When the exception ends, the ordinary period resumes. Anonymous aggregate statistics that no longer relate to a person may be kept.
8. Your Rights
Depending on the processing and applicable exceptions, GDPR gives you the following rights:
Article 15
Access
Obtain confirmation, a copy of your data, and information about its use.
Article 16
Rectification
Correct inaccurate data and complete data that is incomplete.
Article 17
Erasure
Ask for deletion where no overriding legal ground requires continued processing.
Article 18
Restriction
Temporarily limit use of data in the circumstances set out in GDPR.
Article 20
Portability
Receive qualifying data you provided in a structured, commonly used format.
Article 21
Object
Object to processing based on legitimate interests and to direct marketing.
Article 7
Withdraw consent
Withdraw consent at any time where consent is the legal basis.
Article 77
Complain
Complain to IMY or another competent EEA supervisory authority.
Send a request to hello@qrcandy.co with enough information for us to locate the data. We may verify identity and authority before disclosing or changing data. We normally respond within one month. For a complex request or several requests, GDPR allows up to two additional months and we will explain the extension within the first month. Requests are normally free; a reasonable fee or refusal is permitted only where the law allows, such as manifestly unfounded or excessive requests.
For Scan Data controlled by a QRCandy customer, contact the brand/customer shown on the product or destination first. QRCandy will assist that controller and will also handle any part for which QRCandy is controller. Rights are not absolute: for example, erasure does not override accounting retention or the establishment, exercise, or defence of legal claims.
9. Cookies and Browser Storage
Cookies and local storage both save or read information on your device and are subject to Swedish electronic-communications rules as well as GDPR when personal data is involved. QRCandy currently uses no third-party advertising, retargeting, or behavioural analytics on qrcandy.co.
| Name/type | Purpose | Duration |
|---|---|---|
| qrc_locale and qrc_currency · first-party cookies | Remember the language and presentment currency you select. | 1 year |
| sidebar_state · first-party cookie | Remember whether the authenticated dashboard sidebar is open. | 7 days |
| Supabase authentication token · local storage | Keep an authenticated account signed in and refresh its session securely. | Until sign-out, session invalidation/expiry, or browser data is cleared |
| qrcandy:cart, product drafts, brand settings, and QR call-to-action · local storage | Keep the cart and customer-requested design work across pages and return visits. | Until removed, replaced, account data takes over, or browser data is cleared |
| qrcandy:checkout:address, :email, and :attempt · local storage | Prefill checkout and safely reconcile/retry the current Stripe checkout attempt. | Until edited, successful checkout removes the attempt, or browser data is cleared |
| qrcandy:help-dismissed:* · local storage | Remember that you dismissed a one-time help note. | Until browser data is cleared |
| qrcandy:referral · local storage | Remember a followed or applied referral/discount code and its capture time for checkout attribution. | 30 days by default; the configured code window may be 1–365 days; removal at expiry or when you clear the code |
Functional storage is used to provide a feature you request, such as login, cart, checkout, language, currency, or an applied referral code. A referral link asks the browser to remember that code so it can follow you to checkout; the cart shows the code and lets you remove it. You can also clear site data in your browser, but doing so signs you out and removes saved carts, drafts, preferences, and referral codes.
Stripe may use cookies or similar technologies on its separately hosted payment pages for checkout, fraud prevention, security, and performance under Stripe's own notices. Those technologies are controlled on Stripe's domain, not qrcandy.co.
10. Security
We use measures proportionate to the nature and risk of the data, including HTTPS, hosted payment entry, hashed authentication credentials, role-based and row-level database access, separation of public and privileged server credentials, input and destination validation, rate limiting, short-lived deduplication identifiers, retention jobs, and restricted administrative access. Providers are selected and instructed with security and data-protection obligations appropriate to their role.
No online service can guarantee absolute security. Tell us immediately at hello@qrcandy.co if you suspect account compromise, an unsafe QR destination, or an unauthorised disclosure. We assess incidents and notify affected controllers, people, and authorities when the law requires.
11. Children
Accounts, ordering, and the partner programme are intended for people aged 18 or older acting for themselves or an organisation. We do not knowingly create accounts for children or ask QR scanners for age, name, or contact details.
A child may nevertheless scan candy distributed by a customer. The passive request metadata described in Section 4 may then be processed. Customers must consider the likely audience, avoid unlawful targeting, and provide age-appropriate notices where required. Contact us if you believe a child's data needs review or deletion.
12. Policy Changes
We update this policy when practices, providers, products, or law materially change. The effective date and version at the top identify the current text. Material changes will be brought to registered users' attention by email, dashboard notice, or another appropriate method before or when they take effect, depending on the nature and legal basis of the change.
We will seek fresh consent if a change requires it. An earlier version continues to describe processing that occurred while it applied; changing this notice does not create a new legal basis retroactively.
13. Contact and Complaints
For privacy questions, objections, or rights requests, contact:
Swedish organisation number: [Swedish organisation number]
Registered address: [Registered postal address, Sweden]
Email: hello@qrcandy.co
Website: qrcandy.co
You can lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), particularly if you live or work in Sweden or believe the processing occurred here. You may also contact the competent supervisory authority in another EEA country where applicable.
You do not have to contact us before complaining, though we welcome the opportunity to resolve the concern. Our Terms of Sale and Service govern accounts, orders, QR services, and the processor relationship with customers.