Privacy Policy
Effective date: 26 June 2026 · Applies to qrcandy.co and all QRCandy services.
This policy explains what personal data we collect, why we collect it, and your rights under the EU General Data Protection Regulation (GDPR) and Swedish law.
Action required before publishing
Search for [UPDATE: in this file and replace each placeholder with your actual company registration details and registered address. Remove this notice afterwards.
In this document
1. Who We Are
QRCandy is the data controller responsible for the personal data collected through qrcandy.co. As data controller, we determine what data is collected, why, and how it is handled.
Registration number: [UPDATE: organisationsnummer], Sweden
Registered address: [UPDATE: Street, Postcode, City, Sweden]
Email: hello@qrcandy.co
For privacy-related questions or to exercise your rights, please email us at hello@qrcandy.co with the subject line Privacy Request. We aim to respond within 30 days.
2. Data We Collect
Account data
When you create an account, we collect your email address and display name. If you sign up using Google OAuth, we receive your name, email address, and profile picture from Google. Passwords are hashed and managed by Supabase Auth; we do not have access to your raw password.
Order data
When you place an order, we collect your full name, delivery address, email address, and optionally a phone number and order notes. We also store the contents of your order: product types, quantities, and design specifications (destination URL, logo, colors, wrapper text).
Payment data
Payment is processed by Stripe Payments Europe, Ltd. We receive only a payment confirmation (success or failure) and a transaction reference. We do not see, store, or process your card number, CVC, or other sensitive payment details. Those are handled entirely by Stripe.
QR scan analytics
A core feature of QRCandy is that every product contains a QR code. When a recipient of your branded candy scans that code, our system records a scan event. For each scan event we collect:
- Timestamp of the scan
- Destination URL the QR code points to
- Device type and browser (from the HTTP User-Agent header)
- Referring URL, if present (the page or app that triggered the scan)
- Country of the scan, provided by our CDN infrastructure (Cloudflare or Vercel) based on IP geolocation. We receive only the two-letter country code, not the raw IP address
- A one-way fingerprint (SHA-256 hash of the QR code slug, IP address, and user-agent) used solely to deduplicate repeated scans from the same device. The raw IP address is not stored
This data is processed on behalf of the QRCandy customer who ordered the products. If you are someone who scanned a QR code on a product and have questions about that data, please contact the brand whose candy you scanned.
Support communications
If you contact us by email, we retain that correspondence to handle your request and for our records.
3. Why We Process Your Data
We only process personal data for specific, legitimate purposes and always with a valid legal basis under GDPR Article 6.
| Purpose | Data used | Legal basis |
|---|---|---|
| Creating and managing your account | Email, display name | Contract · Art. 6(1)(b) |
| Processing and fulfilling your order | Name, delivery address, email, order contents | Contract · Art. 6(1)(b) |
| Processing payment | Email, order total (passed to Stripe) | Contract · Art. 6(1)(b) |
| Providing QR scan analytics | Scan timestamp, user-agent, referer, country code, deduplication fingerprint | Legitimate interest · Art. 6(1)(f) |
| Sending order confirmations and account emails | Email address | Contract · Art. 6(1)(b) |
| Legal and accounting obligations | Order and payment records | Legal obligation · Art. 6(1)(c) · 7 years per Bokföringslagen |
| Fraud prevention and platform security | Account, order, and usage data | Legitimate interest · Art. 6(1)(f) |
Art. references are to GDPR Regulation (EU) 2016/679.
5. International Data Transfers
Both Stripe and Supabase are US-based companies. When personal data is transferred from the EEA to the United States or other third countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal basis for that transfer. Stripe is also certified under the EU-US Data Privacy Framework.
You may request information about the specific transfer mechanisms in place by emailing us at hello@qrcandy.co.
6. How Long We Keep Data
| Data category | Retention period |
|---|---|
| Account data | Until you delete your account, or after 3 years of account inactivity |
| Order data (financial records) | 7 years from order date, required by Swedish Bokföringslagen |
| QR scan analytics | 24 months from the date of each scan |
| Support communications | 3 years from the date of last contact |
| Session cookies | Until sign-out or session expiry (managed by Supabase Auth) |
Order records are retained for seven years even after account deletion to comply with Swedish accounting law (Bokföringslagen 1999:1078). All other data is deleted or anonymised when the retention period expires.
7. Your Rights
Under GDPR, you have the following rights regarding your personal data. To exercise any of them, email hello@qrcandy.co with the subject Privacy Request. We will respond within 30 days, and at no charge.
Art. 15
Right of access
Request a copy of all personal data we hold about you, including how it is used and with whom it is shared.
Art. 16
Right to rectification
Ask us to correct inaccurate personal data or complete incomplete data.
Art. 17
Right to erasure (“right to be forgotten”)
Ask us to delete your personal data. This right is subject to legal retention obligations. For example, order records must be kept for 7 years under accounting law.
Art. 18
Right to restriction of processing
Ask us to limit how we use your data. For example, while a complaint is being resolved.
Art. 20
Right to data portability
Receive the personal data you have provided to us in a structured, machine-readable format.
Art. 21
Right to object
Object to processing based on legitimate interest, including for direct marketing purposes.
Where processing is based on legitimate interest (Art. 6(1)(f)), you have the right to object at any time. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
9. Children
Our services are intended for use by businesses and individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently received data from a child, please contact us immediately and we will delete it promptly.
10. Changes to This Policy
We may update this policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify registered users by email at least 14 calendar days before the changes take effect. The effective date at the top of this page will always reflect the current version.
The current version of this policy is always available at qrcandy.co/privacy.
11. Contact and Complaints
For questions about this policy or to exercise your rights, contact us at:
You also have the right to lodge a complaint with the Swedish supervisory authority for data protection:
We encourage you to contact us first; we aim to resolve privacy concerns fairly and promptly.
See also our Terms of Service for the rules that govern use of our services.