Privacy Policy

Create QR is a service operated by BellSoft India (OPC) Private Limited, a One Person Company incorporated in India, with its registered office at 1471, Rani Bagh, Delhi 110034, India.

For the purposes of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) we are a Data Fiduciary. For the purposes of the EU/UK General Data Protection Regulation we are a Data Controller of the personal data we collect from visitors and account holders in those regions.

We collect the minimum data needed to run the product. Specifically:

• Account data (only if you sign in): your Google profile name, email address and profile photo URL passed from Google’s OAuth response. We do not receive your Google password.
• QR code data you create: the destination URL, label, design preferences and (for dynamic QRs) the linked saved-design metadata. This data is stored in our database so we can serve your QR redirects and let you edit them later.
• Dynamic QR scan analytics (only for scans of QRs you have created): per scan we record an approximate scan time, the visitor’s country and city (derived from IP via Cloudflare’s edge geolocation), device class (mobile / tablet / desktop), browser language and an anonymous daily-rotated SHA-256 hash of (IP + User-Agent + daily salt) so we can deduplicate unique viewers. We do not store the raw IP address, GPS coordinates, phone number, email, or any other personal identifier of the scanner.
• Basic site analytics: aggregated page views, referrer and approximate region so we can improve the product. No third-party advertising trackers.
• Cookies + local storage: a session cookie for authentication and a small amount of local storage for your editor preferences. No advertising or cross-site tracking cookies.

We use the data above strictly to:

• Operate the QR generator, the dynamic-QR redirect service and the editor
• Show you the analytics dashboard for QRs you have created
• Send transactional emails (password / sign-in confirmations, account notifications)
• Detect abuse, fraud and security incidents (rate limits, unusual scan patterns)
• Comply with applicable law, court orders and government requests
• Improve the product based on aggregated, non-identifying usage trends

We do not sell your personal data, share it with advertisers, or use it to train AI models.

Under the DPDP Act and GDPR we rely on the following lawful grounds:

• Consent — when you sign up for an account or opt into marketing emails.
• Contract — to deliver the QR service you have asked for (e.g. resolving a dynamic-QR redirect).
• Legitimate interest — for security, abuse prevention and aggregated analytics. We have run a balancing test and believe these uses do not override your rights.
• Legal obligation — to comply with tax, accounting and other Indian / international laws applicable to our operations.

We share data with a small set of carefully chosen processors that help us operate Create QR:

• Cloudflare (USA / global edge) — hosting, edge compute, DDoS protection and CDN. Acts as data processor.
• Cloudflare D1 + R2 — primary database and object storage. Data stays within Cloudflare’s network.
• Google Identity — only when you sign in with Google. Google’s own privacy policy applies to that exchange.

We will disclose your data when required by law (valid court order, Indian government request under the IT Act, GDPR-compliant request from an EU member-state authority). We do not share data with advertisers, data brokers, or marketing networks.

In the unlikely event of a merger, acquisition or asset sale, your data may be transferred to the successor entity, who must honour this Privacy Policy.

• Account data: retained while your account is active. Deleted within 30 days of you closing your account, except where we are legally required to retain it longer (e.g. tax records for 7 years).
• QR codes you create: retained until you delete them. When you delete a dynamic QR, all associated scan analytics are deleted at the same time (cascade delete).
• Scan analytics: dynamic-QR scan rows persist as long as the underlying QR exists. They contain no PII.
• Server access logs: 30 days, then automatically purged.
• Backups: encrypted backups retained for up to 90 days.

Subject to applicable law, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your account and associated data (the “right to be forgotten” under GDPR and the “right to erasure” under the DPDP Act)
• Restrict or object to certain processing
• Port your data to another service (machine-readable export)
• Withdraw consent at any time where processing is based on consent
• Nominate another individual to exercise your DPDP Act rights in case of your death or incapacity
• Lodge a complaint with the Data Protection Board of India (after our 30-day SLA) or your local EU data protection authority

To exercise any of these rights, email us at [email protected] from the email address linked to your account. We will respond within 30 days.

Create QR is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please email us at [email protected] and we will delete it.

We apply industry-standard technical and organisational safeguards: TLS 1.3 in transit, AES-256 at rest, principle-of-least-privilege access for our team, daily encrypted backups, and continuous monitoring for unusual activity.

No system is 100% secure. If we ever experience a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant authorities within 72 hours, as required by the DPDP Act and GDPR.

Create QR is hosted on Cloudflare’s global edge network. Your data may be stored or processed in data centres outside India and outside the European Economic Area. Where this happens, we rely on the appropriate safeguards (Standard Contractual Clauses, Cloudflare’s DPA, and equivalent measures under the DPDP Act). All transfers use TLS encryption in transit.

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will change. For material changes, we will additionally notify you via email (if you have an account) or via a prominent banner on the site at least 14 days before the change takes effect.

For any questions, complaints, or requests relating to this Privacy Policy or your personal data, please contact our designated Grievance Officer (required by Rule 5(9) of the Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011 and Section 8 of the DPDP Act, 2023):