Legal

Privacy Policy

Effective date: 26 June 2026 · Applies to qrcandy.co and all QRCandy services.

This policy explains what personal data we collect, why we collect it, and your rights under the EU General Data Protection Regulation (GDPR) and Swedish law.

Action required before publishing

Search for [UPDATE: in this file and replace each placeholder with your actual company registration details and registered address. Remove this notice afterwards.

1. Who We Are

QRCandy is the data controller responsible for the personal data collected through qrcandy.co. As data controller, we determine what data is collected, why, and how it is handled.

[UPDATE: Company legal name]
Registration number: [UPDATE: organisationsnummer], Sweden
Registered address: [UPDATE: Street, Postcode, City, Sweden]
Email: hello@qrcandy.co

For privacy-related questions or to exercise your rights, please email us at hello@qrcandy.co with the subject line Privacy Request. We aim to respond within 30 days.

2. Data We Collect

Account data

When you create an account, we collect your email address and display name. If you sign up using Google OAuth, we receive your name, email address, and profile picture from Google. Passwords are hashed and managed by Supabase Auth; we do not have access to your raw password.

Order data

When you place an order, we collect your full name, delivery address, email address, and optionally a phone number and order notes. We also store the contents of your order: product types, quantities, and design specifications (destination URL, logo, colors, wrapper text).

Payment data

Payment is processed by Stripe Payments Europe, Ltd. We receive only a payment confirmation (success or failure) and a transaction reference. We do not see, store, or process your card number, CVC, or other sensitive payment details. Those are handled entirely by Stripe.

QR scan analytics

A core feature of QRCandy is that every product contains a QR code. When a recipient of your branded candy scans that code, our system records a scan event. For each scan event we collect:

  • Timestamp of the scan
  • Destination URL the QR code points to
  • Device type and browser (from the HTTP User-Agent header)
  • Referring URL, if present (the page or app that triggered the scan)
  • Country of the scan, provided by our CDN infrastructure (Cloudflare or Vercel) based on IP geolocation. We receive only the two-letter country code, not the raw IP address
  • A one-way fingerprint (SHA-256 hash of the QR code slug, IP address, and user-agent) used solely to deduplicate repeated scans from the same device. The raw IP address is not stored

This data is processed on behalf of the QRCandy customer who ordered the products. If you are someone who scanned a QR code on a product and have questions about that data, please contact the brand whose candy you scanned.

Support communications

If you contact us by email, we retain that correspondence to handle your request and for our records.

3. Why We Process Your Data

We only process personal data for specific, legitimate purposes and always with a valid legal basis under GDPR Article 6.

PurposeData usedLegal basis
Creating and managing your accountEmail, display nameContract · Art. 6(1)(b)
Processing and fulfilling your orderName, delivery address, email, order contentsContract · Art. 6(1)(b)
Processing paymentEmail, order total (passed to Stripe)Contract · Art. 6(1)(b)
Providing QR scan analyticsScan timestamp, user-agent, referer, country code, deduplication fingerprintLegitimate interest · Art. 6(1)(f)
Sending order confirmations and account emailsEmail addressContract · Art. 6(1)(b)
Legal and accounting obligationsOrder and payment recordsLegal obligation · Art. 6(1)(c) · 7 years per Bokföringslagen
Fraud prevention and platform securityAccount, order, and usage dataLegitimate interest · Art. 6(1)(f)

Art. references are to GDPR Regulation (EU) 2016/679.

4. Who We Share Data With

We do not sell your personal data. We share data only with the following sub-processors, each of whom is bound by appropriate data processing agreements:

Stripe Payments Europe, Ltd.

Processes payment transactions. Stripe receives your email address and order total to create a payment session. Card details are entered directly on Stripe's hosted page. Stripe Privacy Policy →

Supabase Inc.

Provides our database, authentication, and backend infrastructure. All account data, order data, and QR scan data are stored on Supabase-managed infrastructure. Supabase Privacy Policy →

We may also disclose data when required by law, court order, or regulatory authority, or to protect the rights, safety, or property of QRCandy or others.

5. International Data Transfers

Both Stripe and Supabase are US-based companies. When personal data is transferred from the EEA to the United States or other third countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal basis for that transfer. Stripe is also certified under the EU-US Data Privacy Framework.

You may request information about the specific transfer mechanisms in place by emailing us at hello@qrcandy.co.

6. How Long We Keep Data

Data categoryRetention period
Account dataUntil you delete your account, or after 3 years of account inactivity
Order data (financial records)7 years from order date, required by Swedish Bokföringslagen
QR scan analytics24 months from the date of each scan
Support communications3 years from the date of last contact
Session cookiesUntil sign-out or session expiry (managed by Supabase Auth)

Order records are retained for seven years even after account deletion to comply with Swedish accounting law (Bokföringslagen 1999:1078). All other data is deleted or anonymised when the retention period expires.

7. Your Rights

Under GDPR, you have the following rights regarding your personal data. To exercise any of them, email hello@qrcandy.co with the subject Privacy Request. We will respond within 30 days, and at no charge.

Art. 15

Right of access

Request a copy of all personal data we hold about you, including how it is used and with whom it is shared.

Art. 16

Right to rectification

Ask us to correct inaccurate personal data or complete incomplete data.

Art. 17

Right to erasure (“right to be forgotten”)

Ask us to delete your personal data. This right is subject to legal retention obligations. For example, order records must be kept for 7 years under accounting law.

Art. 18

Right to restriction of processing

Ask us to limit how we use your data. For example, while a complaint is being resolved.

Art. 20

Right to data portability

Receive the personal data you have provided to us in a structured, machine-readable format.

Art. 21

Right to object

Object to processing based on legitimate interest, including for direct marketing purposes.

Where processing is based on legitimate interest (Art. 6(1)(f)), you have the right to object at any time. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

8. Cookies and Local Storage

Session cookies

We use a strictly necessary session cookie set by Supabase Auth to keep you logged in between page loads. This cookie is essential for the service to function; it cannot be disabled without signing you out. It expires when you sign out or after a period of inactivity.

Browser local storage

To make checkout more convenient, we store your shipping address and email address in your browser's local storage so you do not have to re-enter them on a return visit. This data is stored locally on your device and is not transmitted to our servers until you begin checkout. You can clear it at any time through your browser settings.

Third-party cookies

Stripe may set cookies on its payment pages for fraud prevention and performance purposes. These are governed by Stripe's own cookie policy and only apply on Stripe-hosted payment pages (checkout.stripe.com), not on qrcandy.co.

We do not use advertising, retargeting, or behavioural tracking cookies.

9. Children

Our services are intended for use by businesses and individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently received data from a child, please contact us immediately and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify registered users by email at least 14 calendar days before the changes take effect. The effective date at the top of this page will always reflect the current version.

The current version of this policy is always available at qrcandy.co/privacy.

11. Contact and Complaints

For questions about this policy or to exercise your rights, contact us at:

QRCandy: Privacy
[UPDATE: registered address]
Email: hello@qrcandy.co (subject: Privacy Request)

You also have the right to lodge a complaint with the Swedish supervisory authority for data protection:

Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
www.imy.se
+46 8 657 61 00

We encourage you to contact us first; we aim to resolve privacy concerns fairly and promptly.

See also our Terms of Service for the rules that govern use of our services.