Privacy Policy (Canada)
Plain-English version. Your jurisdiction-specific terms appear at the bottom of the document.
Plain-English drafts. These pages are written for clarity, not as substitute legal advice. For binding interpretation, the version executed via dpo@qrnfctap.com on letterhead controls.
Privacy Policy
Last updated: 2026-05-02
This Privacy Policy explains what personal data Quantum AI Webapps Ltd (trading as "QR NFC Tap", "we", "us") collects when you use qrnfctap.com and our products, why we collect it, how we keep it safe, and what rights you have over it. It is written in plain English; the legal basis sits underneath every paragraph.
QR NFC Tap is one product line of Quantum AI Webapps Ltd. The same Privacy Policy applies across all Quantum AI Webapps products unless a specific product Policy is published separately.
⚠️ This is a draft generated for review. Have your solicitor verify before publishing as the binding policy. Where we use specific words like "data controller", "processor", "lawful basis", these have specific legal meanings under your jurisdiction's privacy laws.
1. Who we are
Quantum AI Webapps Ltd — a private company limited by shares, registered in England & Wales, registered office in London, United Kingdom. Trading as QR NFC Tap for the purposes of this product. Companies House number and ICO registration provided on written request. QR NFC Tap is one of several SaaS product lines we operate.
Contact for any privacy question:
- General: support@qrnfctap.com
- Data Protection Officer / DSAR: dpo@qrnfctap.com
- Abuse / takedown: abuse@qrnfctap.com
- Postal: Quantum AI Webapps Ltd, Data Protection, London, United Kingdom (full registered-office address available on written request)
For our jurisdiction-specific representative (EU Article 27, etc.) see the jurisdiction section at the bottom of this document.
2. Data we collect
We collect the minimum data needed to run the service. Categories:
| Category | What | Why |
|---|---|---|
| Account | name, email, password (hashed via bcrypt), phone (optional) | Identify you, contact you, secure your account |
| Billing | Stripe customer ID, last-4 of card, billing address, VAT/GST number (B2B) | Process payment; meet tax/accounting obligations |
| QR scan analytics | scanner's IP (truncated after country resolution), country, region, city (where available), device + OS + browser, referrer, scan time, UTM params, language | Provide the product; produce analytics dashboards; abuse detection |
| Wallet pass identifiers | Apple/Google Wallet pass authentication tokens | Push pass updates over the air |
| Cookies + local storage | session ID, CSRF token, preference flags, cookie-consent state | Keep you signed in; prevent CSRF; remember your preferences |
| Support tickets | the contents of any email or message you send us | Reply to your message; product improvement (anonymised) |
| Server logs | request URL, response code, timestamp, user-agent, requesting IP | Debug, security, fraud prevention |
We do not collect: payment-card details (Stripe stores those; we only see the last 4 digits + brand), biometric data, special-category data (health, religion, etc.) unless you explicitly put it in a QR profile.
3. Lawful bases for processing
Under GDPR / UK GDPR Article 6, every processing operation needs a lawful basis. Ours per category:
- Account, billing, support, server logs — contract. We need this data to provide the service you signed up for.
- QR scan analytics — legitimate interest (running an analytics-dependent product is impossible without it) AND contract (showing you scan stats is part of what you bought).
- Cookies (necessary) — contract / legitimate interest.
- Cookies (preferences/statistics/marketing) — consent, given via the cookie banner. You can withdraw at any time at /cookies.
- Marketing emails to existing customers — legitimate interest with an unsubscribe link in every message (PECR compliant for soft opt-in).
- Marketing to non-customers — consent. We never email people who haven't asked.
- Sub-processor disclosures — legal obligation + contract.
Where the basis is consent, you may withdraw at any time without affecting prior processing.
4. Retention
We keep data only as long as we need it.
| Category | Retention | Why |
|---|---|---|
| Account | Until you close the account, plus 30 days for backups, then deletion | Allow you to reactivate accidentally-closed accounts |
| Billing / invoices | 7 years | Statutory tax/audit requirement |
| QR scan analytics | 30 days (Free) / 365 days (Pro) / unlimited (Business+) | Tier benefit; older data summarised, not stored line-by-line |
| Wallet pass tokens | Until you delete the pass | Required to push updates |
| Support tickets | 3 years | Most disputes resolve within 24 months; 3 yrs covers the tail |
| Server logs | 14 days | Security investigations; longer if a specific incident is open |
| Cookie state | As marked in our cookie table at /cookies | |
When the retention period ends, the data is deleted or anonymised.
5. Sub-processors
We use a small set of carefully chosen vendors. Updates are posted at this URL.
| Sub-processor | Purpose | Country | DPA / SCCs |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing | Ireland (EU) + US (group) | DPA, SCCs |
| Cloudflare, Inc. | CDN, DNS, WAF | US (with EU regional data) | DPA, SCCs, DPF certified |
| Hostinger International Ltd | Application + DB hosting | EU (Lithuania) + Netherlands | DPA |
| Mailgun (Sinch) | Transactional + support email | US | DPA, SCCs |
| MaxMind, Inc. | Country-from-IP lookup | US | DPA, SCCs |
| Google LLC (Fonts) | Web font delivery | US | DPA, SCCs, DPF certified |
| OpenAI, Inc. | AI QR-art generation (paid tier opt-in) | US | DPA, SCCs |
| Anthropic, PBC | AI customer-card scanner (paid tier opt-in) | US | DPA, SCCs |
If you object to a sub-processor, tell us at dpo@qrnfctap.com. We can usually offer an alternative, but for some categories (e.g. payments) the choice is binary — keep the service or close your account.
6. International transfers
Some of our sub-processors are outside your home jurisdiction. We rely on:
- Standard Contractual Clauses (SCCs) — the EU Commission's 2021 controller-to-processor SCCs, with UK addendum where the data subject is in the UK.
- Adequacy decisions — for transfers to countries the Commission has deemed adequate.
- EU-US Data Privacy Framework — for vendors who are DPF-certified (Cloudflare, Google).
- Transfer Impact Assessments — completed for high-volume sub-processors; available on written request.
7. Your rights
GDPR / UK GDPR give you eight rights. We take them seriously.
- Right of access — get a copy of every piece of personal data we hold on you. Email dpo@qrnfctap.com. Free, 30-day SLA.
- Right to rectification — correct anything wrong. Most fields are self-serve in your dashboard; for the rest, email us.
- Right to erasure ("right to be forgotten") — close your account and we delete it within 30 days. Some data we must keep (billing, fraud) for the periods stated above.
- Right to restriction — ask us to pause processing while you challenge it.
- Right to data portability — download your account + QR data in a structured machine-readable format. Self-serve in your dashboard or via API.
- Right to object — to processing based on legitimate interest (analytics) or to direct marketing (always honoured immediately).
- Rights about automated decision-making — we don't use automated decision-making with legal/significant effects, so this rarely applies. If we ever do, we'll tell you.
- Right to withdraw consent — for any consent-based processing, at any time. Visit /cookies or email us.
To exercise: email dpo@qrnfctap.com. We respond within 30 calendar days, or 90 days for complex requests (we'll tell you if so within 30 days).
8. How we keep your data safe
- TLS 1.3 in transit; AES-256 at rest.
- Passwords hashed with bcrypt (cost ≥ 12).
- API tokens hashed; never logged in plaintext.
- Sub-processors selected for SOC 2 / ISO 27001 certifications.
- Audit logs kept for security-relevant events.
- Quarterly access review for staff with production credentials.
- Annual penetration test by a CREST-certified firm.
- Multi-factor authentication mandatory for all staff.
- Bug bounty programme — disclose at security@qrnfctap.com.
9. Breach notification
If we suffer a personal-data breach that meets the notification threshold under your jurisdiction's law, we will notify the relevant supervisory authority within 72 hours of becoming aware (UK GDPR / EU GDPR Article 33), and notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34).
10. Children
The QR NFC Tap service is not directed at children under 16. We do not knowingly collect personal data from anyone under 13 (under COPPA, US users) or 16 (UK GDPR digital services). If you believe a child has given us data, email dpo@qrnfctap.com and we will delete it.
11. Changes to this Policy
We post the full text at this URL with a "Last updated" date at the top. Material changes (e.g. new sub-processor categories, new lawful bases) are notified to active users by email at least 30 days before they take effect. Non-material changes (typo fixes, formatting) are not notified.
You can always see the full revision history of this Policy by emailing dpo@qrnfctap.com.
12. Right to complain
If you think we have mishandled your data, please write to us first — dpo@qrnfctap.com. We respond within 30 days. If you are still unhappy, you have a statutory right to complain to the supervisory authority listed in the jurisdiction-specific section below.
This Policy is governed by the laws of England & Wales unless you are entitled by your local mandatory laws to the protection of those laws (e.g. EU consumers under Rome I).
Jurisdiction-specific provisions follow.
Canada — additional terms
This section applies if you are a Canadian resident.
Legal framework
QR NFC Tap complies with the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000 c. 5) for personal information collected in the course of commercial activities.
Where you are a resident of a province with substantially similar legislation (Alberta — PIPA, British Columbia — PIPA, Quebec — Law 25 / Bill 64), the provincial law applies in addition.
Quebec residents — Law 25 (Bill 64)
If you reside in Quebec:
- We have appointed a person in charge of personal data protection: dpo@qrnfctap.com (or write to: QR NFC Tap Ltd, Data Protection, London, United Kingdom).
- You have the right to receive your personal information in a structured, commonly used, technological format (data portability) — self-serve via your dashboard or by writing to us.
- You have the right to request that we stop disseminating your personal information or to de-index it where the information causes you serious injury that outweighs the public interest in its dissemination.
- We will notify the Commission d'accès à l'information du Québec (CAI) of any confidentiality incident that presents a risk of serious injury, in addition to notifying you directly. CAI: https://www.cai.gouv.qc.ca.
- A French-language version of this Policy is available on request to dpo@qrnfctap.com. Bill 64's draft regulations are evolving; we'll publish a permanent French version once stable.
CASL — anti-spam
Marketing email or SMS to Canadian residents requires express or implied consent under the Canada Anti-Spam Legislation (S.C. 2010 c. 23). We:
- Always include a working unsubscribe link
- Identify ourselves clearly in every message
- Honour unsubscribe requests within 10 business days
Right to complain
The federal supervisory authority is the Office of the Privacy Commissioner of Canada (OPC):
- Web: https://www.priv.gc.ca
- Phone: 1-800-282-1376
Provincial commissioners (Alberta OIPC, BC OIPC, CAI Quebec) have jurisdiction over their respective provincial laws. We respectfully ask you to write to us first at dpo@qrnfctap.com.
Cross-border transfers
PIPEDA does not require data localisation but does require transparency. Personal information from Canadian residents may be processed in the United Kingdom (our base), the European Union (Hostinger hosting), and the United States (Stripe, Cloudflare, Mailgun). Equivalent contractual protections (DPAs, SCCs) apply.