Privacy Policy (US)
Plain-English version. Your jurisdiction-specific terms appear at the bottom of the document.
Plain-English drafts. These pages are written for clarity, not as substitute legal advice. For binding interpretation, the version executed via dpo@qrnfctap.com on letterhead controls.
Privacy Policy
Last updated: 2026-05-02
This Privacy Policy explains what personal data Quantum AI Webapps Ltd (trading as "QR NFC Tap", "we", "us") collects when you use qrnfctap.com and our products, why we collect it, how we keep it safe, and what rights you have over it. It is written in plain English; the legal basis sits underneath every paragraph.
QR NFC Tap is one product line of Quantum AI Webapps Ltd. The same Privacy Policy applies across all Quantum AI Webapps products unless a specific product Policy is published separately.
⚠️ This is a draft generated for review. Have your solicitor verify before publishing as the binding policy. Where we use specific words like "data controller", "processor", "lawful basis", these have specific legal meanings under your jurisdiction's privacy laws.
1. Who we are
Quantum AI Webapps Ltd — a private company limited by shares, registered in England & Wales, registered office in London, United Kingdom. Trading as QR NFC Tap for the purposes of this product. Companies House number and ICO registration provided on written request. QR NFC Tap is one of several SaaS product lines we operate.
Contact for any privacy question:
- General: support@qrnfctap.com
- Data Protection Officer / DSAR: dpo@qrnfctap.com
- Abuse / takedown: abuse@qrnfctap.com
- Postal: Quantum AI Webapps Ltd, Data Protection, London, United Kingdom (full registered-office address available on written request)
For our jurisdiction-specific representative (EU Article 27, etc.) see the jurisdiction section at the bottom of this document.
2. Data we collect
We collect the minimum data needed to run the service. Categories:
| Category | What | Why |
|---|---|---|
| Account | name, email, password (hashed via bcrypt), phone (optional) | Identify you, contact you, secure your account |
| Billing | Stripe customer ID, last-4 of card, billing address, VAT/GST number (B2B) | Process payment; meet tax/accounting obligations |
| QR scan analytics | scanner's IP (truncated after country resolution), country, region, city (where available), device + OS + browser, referrer, scan time, UTM params, language | Provide the product; produce analytics dashboards; abuse detection |
| Wallet pass identifiers | Apple/Google Wallet pass authentication tokens | Push pass updates over the air |
| Cookies + local storage | session ID, CSRF token, preference flags, cookie-consent state | Keep you signed in; prevent CSRF; remember your preferences |
| Support tickets | the contents of any email or message you send us | Reply to your message; product improvement (anonymised) |
| Server logs | request URL, response code, timestamp, user-agent, requesting IP | Debug, security, fraud prevention |
We do not collect: payment-card details (Stripe stores those; we only see the last 4 digits + brand), biometric data, special-category data (health, religion, etc.) unless you explicitly put it in a QR profile.
3. Lawful bases for processing
Under GDPR / UK GDPR Article 6, every processing operation needs a lawful basis. Ours per category:
- Account, billing, support, server logs — contract. We need this data to provide the service you signed up for.
- QR scan analytics — legitimate interest (running an analytics-dependent product is impossible without it) AND contract (showing you scan stats is part of what you bought).
- Cookies (necessary) — contract / legitimate interest.
- Cookies (preferences/statistics/marketing) — consent, given via the cookie banner. You can withdraw at any time at /cookies.
- Marketing emails to existing customers — legitimate interest with an unsubscribe link in every message (PECR compliant for soft opt-in).
- Marketing to non-customers — consent. We never email people who haven't asked.
- Sub-processor disclosures — legal obligation + contract.
Where the basis is consent, you may withdraw at any time without affecting prior processing.
4. Retention
We keep data only as long as we need it.
| Category | Retention | Why |
|---|---|---|
| Account | Until you close the account, plus 30 days for backups, then deletion | Allow you to reactivate accidentally-closed accounts |
| Billing / invoices | 7 years | Statutory tax/audit requirement |
| QR scan analytics | 30 days (Free) / 365 days (Pro) / unlimited (Business+) | Tier benefit; older data summarised, not stored line-by-line |
| Wallet pass tokens | Until you delete the pass | Required to push updates |
| Support tickets | 3 years | Most disputes resolve within 24 months; 3 years covers the tail |
| Server logs | 14 days | Security investigations; longer if a specific incident is open |
| Cookie state | As marked in our cookie table at /cookies | |
When the retention period ends, the data is deleted or anonymised.
5. Sub-processors
We use a small set of carefully-chosen vendors. Updates posted at this URL.
| Sub-processor | Purpose | Country | DPA / SCCs |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment processing | Ireland (EU) + US (group) | DPA, SCCs |
| Cloudflare, Inc. | CDN, DNS, WAF | US (with EU regional data) | DPA, SCCs, DPF certified |
| Hostinger International Ltd | Application + DB hosting | EU (Lithuania) + Netherlands | DPA |
| Mailgun (Sinch) | Transactional + support email | US | DPA, SCCs |
| MaxMind, Inc. | Country-from-IP lookup | US | DPA, SCCs |
| Google LLC (Fonts) | Web font delivery | US | DPA, SCCs, DPF certified |
| OpenAI, Inc. | AI QR-art generation (paid tier opt-in) | US | DPA, SCCs |
| Anthropic, PBC | AI customer-card scanner (paid tier opt-in) | US | DPA, SCCs |
If you object to a sub-processor, tell us at dpo@qrnfctap.com. We can usually offer an alternative, but for some categories (e.g. payments) the choice is binary — keep the service or close your account.
6. International transfers
Some of our sub-processors are outside your home jurisdiction. We rely on:
- Standard Contractual Clauses (SCCs) — the EU Commission's 2021 controller-to-processor SCCs, with UK addendum where the data subject is in the UK.
- Adequacy decisions — for transfers to countries the Commission has deemed adequate.
- EU-US Data Privacy Framework — for vendors who are DPF-certified (Cloudflare, Google).
- Transfer Impact Assessments — completed for high-volume sub-processors; available on written request.
7. Your rights
GDPR / UK GDPR give you eight rights. We take them seriously.
- Right of access — get a copy of every piece of personal data we hold on you. Email dpo@qrnfctap.com. Free, 30-day SLA.
- Right to rectification — correct anything wrong. Most fields are self-serve in your dashboard; for the rest, email us.
- Right to erasure ("right to be forgotten") — close your account and we delete it within 30 days. Some data we must keep (billing, fraud) for the periods stated above.
- Right to restriction — ask us to pause processing while you challenge it.
- Right to data portability — download your account + QR data in a structured machine-readable format. Self-serve in your dashboard or via API.
- Right to object — to processing based on legitimate interest (analytics) or to direct marketing (always honoured immediately).
- Rights about automated decision-making — we don't use automated decision-making with legal/significant effects, so this rarely applies. If we ever do, we'll tell you.
- Right to withdraw consent — for any consent-based processing, at any time. Visit /cookies or email us.
To exercise: email dpo@qrnfctap.com. We respond within 30 calendar days, or 90 days for complex requests (we'll tell you if so within 30 days).
8. How we keep your data safe
- TLS 1.3 in transit; AES-256 at rest.
- Passwords hashed with bcrypt (cost ≥ 12).
- API tokens hashed; never logged in plaintext.
- Sub-processors selected for SOC 2 / ISO 27001 certifications.
- Audit logs kept for security-relevant events.
- Quarterly access review for staff with production credentials.
- Annual penetration test by a CREST-certified firm.
- Multi-factor authentication mandatory for all staff.
- Bug bounty programme — disclose at security@qrnfctap.com.
9. Breach notification
If we suffer a personal-data breach that meets the notification threshold under your jurisdiction's law, we will notify the relevant supervisory authority within 72 hours of becoming aware (UK GDPR / EU GDPR Article 33), and notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34).
10. Children
The QR NFC Tap service is not directed at children under 16. We do not knowingly collect personal data from anyone under 13 (under COPPA, US users) or 16 (UK GDPR digital services). If you believe a child has given us data, email dpo@qrnfctap.com and we will delete it.
11. Changes to this Policy
We post the full text at this URL with a "Last updated" date at the top. Material changes (e.g. new sub-processor categories, new lawful bases) are notified to active users by email at least 30 days before they take effect. Non-material changes (typo fixes, formatting) are not notified.
You can always see the full revision history of this Policy by emailing dpo@qrnfctap.com.
12. Right to complain
If you think we have mishandled your data, please write to us first — dpo@qrnfctap.com. We respond within 30 days. If you are still unhappy, you have a statutory right to complain to the supervisory authority listed in the jurisdiction-specific section below.
This Policy is governed by the laws of England & Wales unless you are entitled by your local mandatory laws to the protection of those laws (e.g. EU consumers under Rome I).
Jurisdiction-specific provisions follow.
United States — additional terms
This section applies if you are a US resident. Different US states have different privacy laws; we comply with the most stringent baseline so the same protections apply nationwide.
California — CCPA / CPRA rights
Under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act, California residents have the following rights:
- Right to know — what personal information we collect, the sources, the purposes, the categories of third parties we share with.
- Right to delete — request deletion of your personal information.
- Right to correct — request that we correct inaccurate personal information.
- Right to opt-out of sale or sharing — we do not sell or share your personal information for cross-context behavioural advertising; nonetheless, our site footer includes the mandatory "Do Not Sell or Share My Personal Information" link for full statutory compliance.
- Right to limit use of sensitive personal information — we collect minimal sensitive data; what we do collect (account credentials) is used only for the purpose of providing the service.
- Right to non-discrimination — we will not deny you the service, charge you a different price, or provide a different level of quality because you exercised your CCPA rights.
To exercise these rights, email dpo@qrnfctap.com or use the form at /contact. We will verify your identity and respond within 45 calendar days (extendable to 90 days for complex requests).
Categories of personal information collected (CCPA disclosure)
Per CCPA § 1798.110(c), in the past 12 months we have collected the following categories:
- Identifiers — name, email, account ID, IP (truncated)
- Customer records — billing address, phone (optional)
- Commercial information — products purchased, transaction history
- Internet activity — pages visited on qrnfctap.com, scan logs for QRs you create
- Geolocation — country/region from IP (not precise location)
- Inferences — basic usage patterns for product analytics
Sources: directly from you, from your device when you visit our site, from our payment processor.
Purposes: providing the service, billing, fraud prevention, product improvement, legal compliance.
Categories of third parties we disclose to: our sub-processors listed in section 5 above.
Virginia, Colorado, Connecticut, Utah, and other state laws
For residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other US states with comprehensive privacy laws, you have rights substantially similar to the CCPA: access, deletion, correction (where applicable), opt-out of targeted advertising and "sale", and a right to non-discrimination. Email dpo@qrnfctap.com to exercise any state-law right.
COPPA — children's data
The Children's Online Privacy Protection Act (15 U.S.C. § 6501) protects under-13s. QR NFC Tap is not directed at children under 13 and we do not knowingly collect their personal information. If you become aware that a child under 13 has provided personal information without verifiable parental consent, please email dpo@qrnfctap.com and we will delete it.
"Do Not Track"
Most browsers offer a "Do Not Track" (DNT) signal. Because there is no industry consensus on how to honour DNT, our service does not change behaviour in response to a DNT signal. We do, however, honour the Global Privacy Control (GPC) signal, treating it as an opt-out of "sale" or "sharing" for CCPA purposes (we do not sell or share regardless, but we honour the signal).
Governing law
US users: QR NFC Tap's Terms of Service are governed by the laws of England & Wales unless mandatory US consumer-protection law in your state applies and overrides the choice. Disputes may be resolved by binding arbitration in England before the London Court of International Arbitration where allowed; mandatory US small-claims-court rights are preserved.