Privacy Policy (UK)
Plain-English version. Your jurisdiction-specific terms appear at the bottom of the document. Switch jurisdictions if you'd prefer different rules.
Plain-English drafts. These pages are written for clarity, not as substitute legal advice. For binding interpretation, the version executed via dpo@qrnfctap.com on letterhead controls.
Privacy Policy
Last updated: 2026-05-02
This Privacy Policy explains what personal data Quantum AI Webapps Ltd (trading as "QR NFC Tap", "we", "us") collects when you use qrnfctap.com and our products, why we collect it, how we keep it safe, and what rights you have over it. It is written in plain English; the legal basis sits underneath every paragraph.
QR NFC Tap is one product line of Quantum AI Webapps Ltd. The same Privacy Policy applies across all Quantum AI Webapps products unless a specific product Policy is published separately.
⚠️ This is a draft generated for review. Have your solicitor verify before publishing as the binding policy. Where we use specific words like "data controller", "processor", "lawful basis", these have specific legal meanings under your jurisdiction's privacy laws.
1. Who we are
Quantum AI Webapps Ltd — a private company limited by shares, registered in England & Wales, registered office in London, United Kingdom. Trading as QR NFC Tap for the purposes of this product. Companies House number and ICO registration provided on written request. QR NFC Tap is one of several SaaS product lines we operate.
Contact for any privacy question:
- General: support@qrnfctap.com
- Data Protection Officer / DSAR: dpo@qrnfctap.com
- Abuse / takedown: abuse@qrnfctap.com
- Postal: Quantum AI Webapps Ltd, Data Protection, London, United Kingdom (full registered-office address available on written request)
For our jurisdiction-specific representative (EU Article 27, etc.) see the jurisdiction section at the bottom of this document.
2. Data we collect
We collect the minimum data needed to run the service. Categories:
| Category | What | Why |
|---|---|---|
| Account | name, email, password (hashed via bcrypt), phone (optional) | Identify you, contact you, secure your account |
| Billing | Stripe customer ID, last-4 of card, billing address, VAT/GST number (B2B) | Process payment; meet tax/accounting obligations |
| QR scan analytics | scanner's IP (truncated after country resolution), country, region, city (where available), device + OS + browser, referrer, scan time, UTM params, language | Provide the product; produce analytics dashboards; abuse detection |
| Wallet pass identifiers | Apple/Google Wallet pass authentication tokens | Push pass updates over the air |
| Cookies + local storage | session ID, CSRF token, preference flags, cookie-consent state | Keep you signed in; prevent CSRF; remember your preferences |
| Support tickets | the contents of any email or message you send us | Reply to your message; product improvement (anonymised) |
| Server logs | request URL, response code, timestamp, user-agent, requesting IP | Debug, security, fraud prevention |
We do not collect: payment-card details (Stripe stores those; we only see the last 4 digits + brand), biometric data, special-category data (health, religion, etc.) unless you explicitly put it in a QR profile.
3. Lawful bases for processing
Under GDPR / UK GDPR Article 6, every processing operation needs a lawful basis. Ours per category:
- Account, billing, support, server logs — contract. We need this data to provide the service you signed up for.
- QR scan analytics — legitimate interest (running an analytics-dependent product is impossible without it) AND contract (showing you scan stats is part of what you bought).
- Cookies (necessary) — contract / legitimate interest.
- Cookies (preferences/statistics/marketing) — consent, given via the cookie banner. You can withdraw at any time at /cookies.
- Marketing emails to existing customers — legitimate interest with an unsubscribe link in every message (PECR compliant for soft opt-in).
- Marketing to non-customers — consent. We never email people who haven't asked.
- Sub-processor disclosures — legal obligation + contract.
Where the basis is consent, you may withdraw at any time without affecting prior processing.
4. Retention
We keep data only as long as we need it.
| Category | Retention | Why |
|---|---|---|
| Account | Until you close the account, plus 30 days for backups, then deletion | Allow you to reactivate accidentally-closed accounts |
| Billing / invoices | 7 years | Statutory tax/audit requirement |
| QR scan analytics | 30 days (Free) / 365 days (Pro) / unlimited (Business+) | Tier benefit; older data summarised, not stored line-by-line |
| Wallet pass tokens | Until you delete the pass | Required to push updates |
| Support tickets | 3 years | Most disputes resolve within 24 months; 3 yrs covers the tail |
| Server logs | 14 days | Security investigations; longer if a specific incident is open |
| Cookie state | As marked in our cookie table at /cookies | |
When the retention period ends, the data is deleted or anonymised.
5. Sub-processors
We use a small set of carefully-chosen vendors. Updates posted at this URL.
| Sub-processor | Purpose | Country | DPA / SCCs |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing | Ireland (EU) + US (group) | DPA, SCCs |
| Cloudflare, Inc. | CDN, DNS, WAF | US (with EU regional data) | DPA, SCCs, DPF certified |
| Hostinger International Ltd | Application + DB hosting | EU (Lithuania) + Netherlands | DPA |
| Mailgun (Sinch) | Transactional + support email | US | DPA, SCCs |
| MaxMind, Inc. | Country-from-IP lookup | US | DPA, SCCs |
| Google LLC (Fonts) | Web font delivery | US | DPA, SCCs, DPF certified |
| OpenAI, Inc. | AI QR-art generation (paid tier opt-in) | US | DPA, SCCs |
| Anthropic, PBC | AI customer-card scanner (paid tier opt-in) | US | DPA, SCCs |
If you object to a sub-processor, tell us at dpo@qrnfctap.com. We can usually offer an alternative, but for some categories (e.g. payments) the choice is binary — keep the service or close your account.
6. International transfers
Some of our sub-processors are outside your home jurisdiction. We rely on:
- Standard Contractual Clauses (SCCs) — the EU Commission's 2021 controller-to-processor SCCs, with UK addendum where the data subject is in the UK.
- Adequacy decisions — for transfers to countries the Commission has deemed adequate.
- EU-US Data Privacy Framework — for vendors who are DPF-certified (Cloudflare, Google).
- Transfer Impact Assessments — completed for high-volume sub-processors; available on written request.
7. Your rights
GDPR / UK GDPR give you eight rights. We take them seriously.
- Right of access — get a copy of every piece of personal data we hold on you. Email dpo@qrnfctap.com. Free, 30-day SLA.
- Right to rectification — correct anything wrong. Most fields are self-serve in your dashboard; for the rest, email us.
- Right to erasure ("right to be forgotten") — close your account and we delete it within 30 days. Some data we must keep (billing, fraud) for the periods stated above.
- Right to restriction — ask us to pause processing while you challenge it.
- Right to data portability — download your account + QR data in a structured machine-readable format. Self-serve in your dashboard or via API.
- Right to object — to processing based on legitimate interest (analytics) or to direct marketing (always honoured immediately).
- Rights about automated decision-making — we don't use automated decision-making with legal/significant effects, so this rarely applies. If we ever do, we'll tell you.
- Right to withdraw consent — for any consent-based processing, at any time. Visit /cookies or email us.
To exercise: email dpo@qrnfctap.com. We respond within 30 calendar days, or 90 days for complex requests (we'll tell you if so within 30 days).
8. How we keep your data safe
- TLS 1.3 in transit; AES-256 at rest.
- Passwords hashed with bcrypt (cost ≥ 12).
- API tokens hashed; never logged in plaintext.
- Sub-processors selected for SOC 2 / ISO 27001 certifications.
- Audit logs kept for security-relevant events.
- Quarterly access review for staff with production credentials.
- Annual penetration test by a CREST-certified firm.
- Multi-factor authentication mandatory for all staff.
- Bug bounty programme — disclose at security@qrnfctap.com.
9. Breach notification
If we suffer a personal-data breach that meets the notification threshold under your jurisdiction's law, we will notify the relevant supervisory authority within 72 hours of becoming aware (UK GDPR / EU GDPR Article 33), and notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34).
10. Children
The QR NFC Tap service is not directed at children under 16. We do not knowingly collect personal data from anyone under 13 (under COPPA, US users) or 16 (UK GDPR digital services). If you believe a child has given us data, email dpo@qrnfctap.com and we will delete it.
11. Changes to this Policy
We post the full text at this URL with a "Last updated" date at the top. Material changes (e.g. new sub-processor categories, new lawful bases) are notified to active users by email at least 30 days before they take effect. Non-material changes (typo fixes, formatting) are not notified.
You can always see the full revision history of this Policy by emailing dpo@qrnfctap.com.
12. Right to complain
If you think we have mishandled your data, please write to us first — dpo@qrnfctap.com. We respond within 30 days. If you are still unhappy, you have a statutory right to complain to the supervisory authority listed in the jurisdiction-specific section below.
This Policy is governed by the laws of England & Wales unless your local mandatory laws entitle you to their protection (e.g. EU consumers under Rome I).
Jurisdiction-specific provisions follow.
United Kingdom — additional terms
This section applies if you are based in the United Kingdom.
Legal framework
QR NFC Tap Ltd is the data controller for your personal data. Processing is governed by the UK GDPR (the retained version of Regulation (EU) 2016/679) and the Data Protection Act 2018 (DPA 2018).
Supervisory authority
The UK supervisory authority is the Information Commissioner's Office (ICO):
- Web: https://ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
You have a statutory right to lodge a complaint with the ICO if you believe we have processed your data unlawfully. We respectfully ask you to contact us first at dpo@qrnfctap.com — most concerns are resolvable in days, not months.
PECR (cookies + electronic marketing)
Cookies on UK visits are governed by the Privacy and Electronic Communications Regulations 2003. Practical effect: we ask for consent before setting any non-essential cookies (the cookie banner). Essential cookies (session, CSRF, cookie-state) are exempt.
Electronic marketing to non-customers (cold email, SMS) is consent-only. Soft opt-in to existing customers (about products similar to those purchased) is allowed under PECR with an unsubscribe link in every message — which we always include.
Governing law and jurisdiction
This Privacy Policy and any dispute arising under it are governed by the laws of England & Wales and subject to the exclusive jurisdiction of the courts of England & Wales — except where you are a UK consumer entitled to bring a claim in your local courts under mandatory consumer-protection law.
Children's data
In the UK, the age of digital consent is 13 (per the DPA 2018, lower than the EU baseline of 16). QR NFC Tap does not knowingly target users under 13. If a parent identifies that we hold data on their child under 13, we will delete it on request to dpo@qrnfctap.com.