Privacy Policy

Last updated: June 2026.

QR Plus respects the privacy of visitors, users, customers and people who interact with QR Codes created on our platform. This Privacy Policy explains which data we may process, for what purposes, with whom it may be shared, how long it may be kept and which rights data subjects may exercise.

This Policy applies to the websites, tools, pages, generators, decoders, scanners, dashboard, APIs, integrations and other services related to the creation, customization, management, redirection and analysis of QR Codes offered by QR Plus.

By accessing or using our services, you acknowledge that your personal data will be processed according to this Policy and applicable law, especially the Brazilian General Data Protection Law (LGPD). The Brazilian Portuguese version is the official version of this Policy; translations into other languages are provided to make it easier to understand.

1. Roles of QR Plus and the User

For purposes of this Policy, QR Plus acts as controller of personal data processed for registration, authentication, account administration, support, security, billing, communication, abuse prevention, platform operation and service improvement.

In some cases, the User who creates QR Codes, pages, files, links, forms, vCards, integrations or campaigns may act as controller of the personal data they decide to insert, collect or make available through the platform. In such cases, QR Plus may act as processor or technical provider, processing data according to the User's instructions and the limits of the contracted service.

Questions, data subject requests and privacy matters may be sent through the channel available on the website or by email at dpo@qrplus.com.br, with the subject "Privacy/LGPD".

2. Data we may collect

We may collect data provided directly by you, data generated during use of the services and data received from third parties necessary for platform operation.

• Account and registration data: name, email, phone, company, password protected by security mechanisms, internal identifiers, language preferences, plan, permissions and access information.
• Authentication data: tokens, session cookies, refresh tokens, IP address, login date/time, social login provider and identifiers returned by providers such as Google, when used.
• QR Code and content data: URLs, texts, contact details, addresses, phone numbers, messages, Pix keys, Wi-Fi data, event data, menus, links, files, images, logos, PDFs, audio, videos, descriptions, landing pages and other information you insert or send.
• Form, lead and vCard data: when the User configures features to receive contacts, responses or requests, we may process name, email, phone, company, role, message, consents, technical metadata and other fields defined by the User.
• Scan, redirect and analytics data: QR Code identifier, access date and time, scan counters, destination accessed, technical request data, IP address, browser, operating system, device type, approximate origin and other technical signals necessary for statistics, security and abuse prevention, when available.
• Support and communication data: name, email, phone, message, request source, attachments, support history, responses and records needed to resolve questions or incidents.
• API and integration data: keys, tokens, scopes, permissions, authorized domains, technical logs, calls made, errors, limits, integrated system identifiers and security events.
• Technical, cookie and usage data: cookies, IP address, pages accessed, browsing events, logs, preferences, language, device, browser, access time, requested files, errors and information necessary for security and service operation.
• Payment and plan data: subscribed plan, subscription status, amounts, dates, payment method, transaction identifiers and information returned by payment providers. Complete card data may be processed directly by the payment provider according to its own policy.

When inserting third-party personal data into QR Plus, the User states that they have authorization, legal basis or valid justification to do so and remains responsible for the content, privacy notices and instructions provided to the platform.

3. Processing purposes

We process personal data for legitimate, specific purposes compatible with the services offered, including:

• creating, authenticating and administering accounts;
• generating, customizing, storing, editing, redirecting and displaying QR Codes;
• hosting files, images, pages, vCards, forms and content associated with QR Codes;
• providing dynamic QR Codes, short links, redirects, intermediate pages, notice pages and security pages;
• measuring scans, clicks, opens, performance and statistics when the feature is available;
• processing payments and managing plans, limits, billing, cancellations and commercial support;
• sending transactional emails, confirmations, password recovery, operational notices and service-related communications;
• validating reCAPTCHA and combating spam, fraud, phishing, abuse, attacks, improper automation and malicious use;
• operating APIs, keys, integrations, allowed domains, rate limits and technical logs;
• providing support, responding to requests and investigating incidents;
• complying with legal, regulatory, tax, accounting, contractual obligations and authority requests;
• improving platform security, stability, usability, performance and quality;
• exercising rights of QR Plus, users or third parties in administrative, judicial or extrajudicial proceedings.

4. Legal bases

Depending on the context, processing may occur based on contract performance or preliminary procedures, compliance with legal or regulatory obligations, regular exercise of rights, legitimate interest, consent, fraud prevention and security, credit protection or other bases provided by the LGPD.

When processing depends on consent, you may revoke it through the available channels, subject to processing that must continue under another legal basis, applicable obligation or regular exercise of rights.

5. Cookies, pixels and similar technologies

We may use cookies, local storage, pixels, tags, identifiers and similar technologies to maintain sessions, remember preferences, protect forms, apply reCAPTCHA, understand website use, measure performance, improve navigation, prevent abuse and enable essential features.

Necessary cookies are used for operation, security, authentication, anti-fraud and basic preferences. Analytical, functional, advertising or third-party cookies may depend on specific configuration, consent when required or controls available in the browser.

Some plans or integrations may allow the User to configure pixels, tags, campaign parameters, analytics tools or third-party scripts on pages, links or campaigns under the User's responsibility. In such cases, the User is responsible for informing data subjects, obtaining consents when necessary and complying with applicable laws.

You may block or delete cookies in browser settings, but some features may stop working properly, such as login, token generation, preferences, protected forms, session reading and security features.

6. QR Code analytics and accuracy

Scan and redirect statistics, when available, are technical estimates. They may use data such as time, IP, device, browser, operating system, approximate origin and QR Code identifier, but may be affected by cache, VPNs, blockers, bots, automatic previews, in-app readers and limitations of geolocation providers.

Not all QR Code types collect statistics. Some data may be aggregated or anonymized for reporting, security, service improvement and abuse prevention.

7. Data sharing

We may share personal data only when necessary and according to applicable law, including with:

• hosting, database, cloud storage, CDN, queue, cache, monitoring and infrastructure providers;
• email, authentication, reCAPTCHA, map, analytics, payment, support and communication providers;
• technical providers, consultants, accountants, lawyers, auditors and partners necessary for QR Plus operations;
• public, judicial, administrative or regulatory authorities when there is a legal obligation, valid order or need to defend rights;
• third parties involved in investigation of fraud, security, abuse, incidents, rights infringement or misuse of the platform;
• companies involved in corporate reorganization, merger, acquisition, investment, asset sale or similar transaction, with reasonable safeguards.

QR Plus does not sell personal data. Data from public QR Codes, landing pages or information that the User decides to publish may be accessible to anyone who scans or receives the corresponding link.

8. Subprocessors and data processing agreement

When QR Plus acts as processor on behalf of a User or enterprise customer, we may process data according to the controller's instructions, these Terms, the Privacy Policy and any applicable contract, addendum or data processing agreement.

QR Plus may use subprocessors and technical providers necessary to deliver the services. Information about provider categories, security measures or specific contractual needs may be requested through the contact channels.

9. International transfer

Some providers used by QR Plus may process or store data outside Brazil. When this occurs, we will adopt measures compatible with the LGPD and seek to use providers that offer appropriate contractual, technical and organizational safeguards.

10. Security and sensitive data

We adopt technical and organizational measures to protect personal data against unauthorized access, loss, alteration, improper disclosure, abuse and incidents. These measures may include access control, encryption in transit, environment segregation, logs, rate limits, validations, backups, monitoring and secure development practices.

No system is absolutely secure. The User must protect their password, tokens, API keys, devices, emails and integrations, and avoid inserting unnecessary or sensitive data into public QR Codes.

The services were not designed to store or collect health data, biometrics, confidential documents, children's data, credentials, regulated financial data, emergency information or other highly sensitive data without a specific contract, risk assessment and additional controls.

11. Retention and deletion

We will keep personal data for as long as necessary to fulfill the purposes described in this Policy, provide services, maintain accounts and plans, comply with legal obligations, resolve disputes, prevent fraud, preserve security, exercise rights and keep operational records.

Account data, QR Codes, files, logs, analytics, API keys, emails and payment records may have different retention periods according to their purpose. After cancellation, expiration or inactivity, data related to dynamic features may be kept for a reasonable period for reactivation, audit, abuse prevention, legal obligations or exercise of rights.

Backups and security logs may be preserved for an additional period and deleted according to technical cycles. When there is no longer a purpose or legal basis for retention, data will be deleted, anonymized or aggregated, as applicable.

12. Data subject rights

Under the LGPD, data subjects may request confirmation of processing, access, correction, anonymization, blocking, deletion, portability, information about sharing, information about the possibility of not consenting, revocation of consent and review of automated decisions when applicable.

Requests may be sent through the channel available on the website or by email at dpo@qrplus.com.br. We may request additional information to confirm identity, protect account security and prevent improper access to third-party data.

Some requests may not be fully fulfilled when there is a legal obligation, trade secret, fraud prevention, security, regular exercise of rights, anonymized data, technical impossibility or third-party rights.

13. Public content and shared QR Codes

QR Codes, pages, files, links and redirects created by the User may be shared publicly. Anyone who has access to the QR Code or link may view the configured content, unless a specific restriction mechanism is available and correctly configured.

QR Plus does not control data processing carried out by websites, applications, digital wallets, social networks, external platforms, payment providers or destination pages configured by the User.

14. Emails and message tracking

Emails sent by QR Plus may contain technical mechanisms to record sending, opening or clicking when necessary for security, delivery, support, audit or communication improvement. The User may contact us with questions about communications received.

15. Children and teenagers' data

QR Plus services are not directed to children. Minors must use the services only with authorization and supervision from a legal guardian. If we identify improper processing of children's or teenagers' data, we may restrict, delete or block the data and the related account.

16. Changes to this Policy

We may update this Policy to reflect legal, technical, operational or commercial changes. The current version will be published on this page. Relevant changes may be communicated by notice on the website, email, dashboard or another reasonable channel.

17. Contact

For questions, requests or complaints related to privacy and data protection, contact us through the channel available on the website or by email at dpo@qrplus.com.br, with the subject "Privacy/LGPD".