Privacy Policy (EU)
Plain-English version. Your jurisdiction-specific terms appear at the bottom of the document. Switch jurisdictions if you'd prefer different rules.
Plain-English drafts. These pages are written for clarity, not as substitute legal advice. For binding interpretation, the version executed via dpo@qrnfctap.com on letterhead controls.
Privacy Policy
Last updated: 2026-05-02
This Privacy Policy explains what personal data Quantum AI Webapps Ltd (trading as "QR NFC Tap", "we", "us") collects when you use qrnfctap.com and our products, why we collect it, how we keep it safe, and what rights you have over it. It is written in plain English; the legal basis sits underneath every paragraph.
QR NFC Tap is one product line of Quantum AI Webapps Ltd. The same Privacy Policy applies across all Quantum AI Webapps products unless a specific product Policy is published separately.
⚠️ This is a draft generated for review. Have your solicitor verify before publishing as the binding policy. Where we use specific words like "data controller", "processor", "lawful basis", these have specific legal meanings under your jurisdiction's privacy laws.
1. Who we are
Quantum AI Webapps Ltd — a private company limited by shares, registered in England & Wales, registered office in London, United Kingdom. Trading as QR NFC Tap for the purposes of this product. Companies House number and ICO registration provided on written request. QR NFC Tap is one of several SaaS product lines we operate.
Contact for any privacy question:
- General: support@qrnfctap.com
- Data Protection Officer / DSAR: dpo@qrnfctap.com
- Abuse / takedown: abuse@qrnfctap.com
- Postal: Quantum AI Webapps Ltd, Data Protection, London, United Kingdom (full registered-office address available on written request)
For our jurisdiction-specific representative (EU Article 27, etc.) see the jurisdiction section at the bottom of this document.
2. Data we collect
We collect the minimum data needed to run the service. Categories:
| Category | What | Why |
|---|---|---|
| Account | name, email, password (hashed via bcrypt), phone (optional) | Identify you, contact you, secure your account |
| Billing | Stripe customer ID, last-4 of card, billing address, VAT/GST number (B2B) | Process payment; meet tax/accounting obligations |
| QR scan analytics | scanner's IP (truncated after country resolution), country, region, city (where available), device + OS + browser, referrer, scan time, UTM params, language | Provide the product; produce analytics dashboards; abuse detection |
| Wallet pass identifiers | Apple/Google Wallet pass authentication tokens | Push pass updates over the air |
| Cookies + local storage | session ID, CSRF token, preference flags, cookie-consent state | Keep you signed in; prevent CSRF; remember your preferences |
| Support tickets | the contents of any email or message you send us | Reply to your message; product improvement (anonymised) |
| Server logs | request URL, response code, timestamp, user-agent, requesting IP | Debug, security, fraud prevention |
We do not collect: payment-card details (Stripe stores those; we only see the last 4 digits + brand), biometric data, special-category data (health, religion, etc.) unless you explicitly put it in a QR profile.
3. Lawful bases for processing
Under GDPR / UK GDPR Article 6, every processing operation needs a lawful basis. Ours per category:
- Account, billing, support, server logs — contract. We need this data to provide the service you signed up for.
- QR scan analytics — legitimate interest (running an analytics-dependent product is impossible without it) AND contract (showing you scan stats is part of what you bought).
- Cookies (necessary) — contract / legitimate interest.
- Cookies (preferences/statistics/marketing) — consent, given via the cookie banner. You can withdraw at any time at /cookies.
- Marketing emails to existing customers — legitimate interest with an unsubscribe link in every message (PECR compliant for soft opt-in).
- Marketing to non-customers — consent. We never email people who haven't asked.
- Sub-processor disclosures — legal obligation + contract.
Where the basis is consent, you may withdraw at any time without affecting prior processing.
4. Retention
We keep data only as long as we need it.
| Category | Retention | Why |
|---|---|---|
| Account | Until you close the account, plus 30 days for backups, then deletion | Allow you to reactivate accidentally-closed accounts |
| Billing / invoices | 7 years | Statutory tax/audit requirement |
| QR scan analytics | 30 days (Free) / 365 days (Pro) / unlimited (Business+) | Tier benefit; older data summarised, not stored line-by-line |
| Wallet pass tokens | Until you delete the pass | Required to push updates |
| Support tickets | 3 years | Most disputes resolve within 24 months; 3 yrs covers the tail |
| Server logs | 14 days | Security investigations; longer if a specific incident is open |
| Cookie state | As marked in our cookie table at /cookies | |
When the retention period ends, the data is deleted or anonymised.
5. Sub-processors
We use a small set of carefully-chosen vendors. Updates posted at this URL.
| Sub-processor | Purpose | Country | DPA / SCCs |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing | Ireland (EU) + US (group) | DPA, SCCs |
| Cloudflare, Inc. | CDN, DNS, WAF | US (with EU regional data) | DPA, SCCs, DPF certified |
| Hostinger International Ltd | Application + DB hosting | EU (Lithuania) + Netherlands | DPA |
| Mailgun (Sinch) | Transactional + support email | US | DPA, SCCs |
| MaxMind, Inc. | Country-from-IP lookup | US | DPA, SCCs |
| Google LLC (Fonts) | Web font delivery | US | DPA, SCCs, DPF certified |
| OpenAI, Inc. | AI QR-art generation (paid tier opt-in) | US | DPA, SCCs |
| Anthropic, PBC | AI customer-card scanner (paid tier opt-in) | US | DPA, SCCs |
If you object to a sub-processor, tell us at dpo@qrnfctap.com. We can usually offer an alternative, but for some categories (e.g. payments) the choice is binary — keep the service or close your account.
6. International transfers
Some of our sub-processors are outside your home jurisdiction. We rely on:
- Standard Contractual Clauses (SCCs) — the EU Commission's 2021 controller-to-processor SCCs, with UK addendum where the data subject is in the UK.
- Adequacy decisions — for transfers to countries the Commission has deemed adequate.
- EU-US Data Privacy Framework — for vendors who are DPF-certified (Cloudflare, Google).
- Transfer Impact Assessments — completed for high-volume sub-processors; available on written request.
7. Your rights
GDPR / UK GDPR give you eight rights. We take them seriously.
- Right of access — get a copy of every piece of personal data we hold on you. Email dpo@qrnfctap.com. Free, 30-day SLA.
- Right to rectification — correct anything wrong. Most fields are self-serve in your dashboard; for the rest, email us.
- Right to erasure ("right to be forgotten") — close your account and we delete it within 30 days. Some data we must keep (billing, fraud) for the periods stated above.
- Right to restriction — ask us to pause processing while you challenge it.
- Right to data portability — download your account + QR data in a structured machine-readable format. Self-serve in your dashboard or via API.
- Right to object — to processing based on legitimate interest (analytics) or to direct marketing (always honoured immediately).
- Rights about automated decision-making — we don't use automated decision-making with legal/significant effects, so this rarely applies. If we ever do, we'll tell you.
- Right to withdraw consent — for any consent-based processing, at any time. Visit /cookies or email us.
To exercise: email dpo@qrnfctap.com. We respond within 30 calendar days, or 90 days for complex requests (we'll tell you if so within 30 days).
8. How we keep your data safe
- TLS 1.3 in transit; AES-256 at rest.
- Passwords hashed with bcrypt (cost ≥ 12).
- API tokens hashed; never logged in plaintext.
- Sub-processors selected for SOC 2 / ISO 27001 certifications.
- Audit logs kept for security-relevant events.
- Quarterly access review for staff with production credentials.
- Annual penetration test by a CREST-certified firm.
- Multi-factor authentication mandatory for all staff.
- Bug bounty programme — disclose at security@qrnfctap.com.
9. Breach notification
If we suffer a personal-data breach that meets the notification threshold under your jurisdiction's law, we will notify the relevant supervisory authority within 72 hours of becoming aware (UK GDPR / EU GDPR Article 33), and notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34).
10. Children
The QR NFC Tap service is not directed at children under 16. We do not knowingly collect personal data from anyone under 13 (under COPPA, US users) or 16 (UK GDPR digital services). If you believe a child has given us data, email dpo@qrnfctap.com and we will delete it.
11. Changes to this Policy
We post the full text at this URL with a "Last updated" date at the top. Material changes (e.g. new sub-processor categories, new lawful bases) are notified to active users by email at least 30 days before they take effect. Non-material changes (typo fixes, formatting) are not notified.
You can always see the full revision history of this Policy by emailing dpo@qrnfctap.com.
12. Right to complain
If you think we have mishandled your data, please write to us first — dpo@qrnfctap.com. We respond within 30 days. If you are still unhappy, you have a statutory right to complain to the supervisory authority listed in the jurisdiction-specific section below.
This Policy is governed by the laws of England & Wales unless you are entitled by your local mandatory laws to the protection of those laws (e.g. EU consumers under Rome I).
Jurisdiction-specific provisions follow.
European Union / EEA — additional terms
This section applies if you are based in an EU/EEA member state.
Legal framework
Quantum AI Webapps Ltd (trading as QR NFC Tap) is the data controller. Processing is governed by Regulation (EU) 2016/679 ("EU GDPR") and the EU ePrivacy Directive (2002/58/EC, as amended), as transposed into your member-state law.
Article 27 representative (EU)
QR NFC Tap is established outside the EU. We have appointed an EU representative under GDPR Article 27 for matters relating to EU data subjects:
VeraSafe Ireland Ltd, Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23 AT2P, Ireland. Online enquiry form: https://verasafe.com/public-resources/contact-data-protection-representative
You may contact our representative directly for any GDPR matter; otherwise email dpo@qrnfctap.com.
Lead supervisory authority
Because we have no EU establishment, there is no "lead authority" under the one-stop-shop. You may complain to the supervisory authority of your member state of residence. A list is at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
For Ireland (where most EU customers' contracts will be governed via Stripe Ireland for payments): the Data Protection Commission (DPC), https://www.dataprotection.ie.
Cookies and ePrivacy
Cookies are governed by the ePrivacy Directive + your member state's transposing law. Effect: consent is required before setting any non-strictly-necessary cookie, and consent must be explicit, granular, and as easy to withdraw as it was to give. The cookie banner at /cookies meets these requirements.
International transfers — supplementary measures
Where data is transferred outside the EEA to a country without an adequacy decision, we rely on:
- EU Standard Contractual Clauses (Module 2: controller-to-processor, June 2021).
- EU-US Data Privacy Framework for DPF-certified vendors (Cloudflare, Google).
- Transfer Impact Assessments (TIAs) for high-volume sub-processors in third countries — available on written request to dpo@qrnfctap.com.
- Supplementary technical measures (encryption in transit + at rest, pseudonymisation where feasible).
Governing law and jurisdiction (EU consumers)
Where you are a consumer in the EEA, the mandatory consumer-protection rules of your country of residence apply, regardless of the choice-of-law clause in our Terms of Service. You may bring proceedings in the courts of your country of residence; we may bring proceedings against you only in those courts.
Age of digital consent
Most EU member states set the age of digital consent at 16. Some (e.g. Germany, Italy, Spain at 14; Sweden, France at 15) are lower. QR NFC Tap is not directed at users under 16 across the EU.