Privacy Policy
Last updated: April 2026
§1 — Who we are
QR Share is operated by Sergey Royz, a sole trader based in Prague, Czech Republic. For the purposes of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), we are the data controller for the personal data described in this policy.
You can reach us at [email protected].
§2 — What we collect and why
We collect only what is needed to run the service. Each category has a specific purpose and a legal basis under GDPR Article 6.
| Data | Purpose | Lawful basis |
|---|---|---|
| Email address | Account creation, login, service notifications | Contract (Art. 6(1)(b)) |
| Uploaded files (incl. filename, size, MIME type) | Delivering the file-sharing service | Contract (Art. 6(1)(b)) |
| IP address, user-agent (server logs) | Security, abuse prevention, debugging | Legitimate interest (Art. 6(1)(f)) |
Google Analytics cookies (_ga, _ga_*) | Understanding aggregate usage | Consent (Art. 6(1)(a)) |
§3 — How long we keep data
- Uploaded files: on the Free plan, files are deleted 1 hour after upload. Paid plans may extend this retention; the exact value is [TBD — will be published before paid plans launch]. After expiry, files are deleted from storage; database records are marked deleted within 24 hours.
- Account email: kept until you delete your account or request erasure.
- Server logs: rolling 30 days, then automatically removed.
- Google Analytics data: retained by Google under our GA4 configuration (default: 14 months).
- Email delivery logs (at Resend):approximately 30 days, governed by Resend's retention policy.
§4 — Who we share data with
We use a small number of trusted processors to run the service. They act only on our instructions and are contractually bound to protect your data.
- Google LLC (United States)— Google Sign-In for account authentication and Google Analytics for aggregate usage insights (only after you consent). Transfers to the US rely on Google's certification under the EU-US Data Privacy Framework.
- Resend (United States) — transactional email provider that delivers login and verification emails. Transfers are covered by Standard Contractual Clauses.
- Hukot.cz (Czech Republic) — our hosting provider. Our application servers, database, and object storage run on their infrastructure inside the EU, so no international transfer occurs.
We do not sell your personal data, share it with advertisers, or transfer it to data brokers.
§5 — Cookies and analytics
QR Share does notuse cookies for authentication — your login session is stored in your browser's localStorage, not in a cookie. That means the service sets no "strictly necessary" cookies.
The only cookies we use are set by Google Analytics (_ga, _ga_*) and they load only after you give explicit consent via the banner. If you decline, no analytics scripts are loaded. You can change your choice at any time by clicking Cookie settings in the footer of any page.
§6 — International data transfers
- Files and account data are stored inside the European Union (Czech Republic).
- Google Analytics and Google Sign-In involve data transfers to the United States under the EU-US Data Privacy Framework.
- Email delivery via Resend involves transfers to the United States under Standard Contractual Clauses.
§7 — Your rights
Under GDPR Articles 15–22 you have the right to:
- Access — ask what personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your account and associated data.
- Portability — ask for a machine-readable export of your data.
- Objection — object to processing based on legitimate interest (e.g., our security logging).
- Withdraw consent— disable analytics at any time via "Cookie settings".
- Restriction — ask us to pause processing while a dispute is being resolved.
To exercise any of these rights, email [email protected]. We respond within 30 days (the GDPR deadline). Requests are free unless they are manifestly unfounded or excessive.
§8 — Right to lodge a complaint
If you believe we have mishandled your personal data, you have the right to complain to a data protection authority. In the Czech Republic, this is:
- Úřad pro ochranu osobních údajů (ÚOOÚ)
- pplk. Sochora 27, 170 00 Praha 7, Czech Republic
- [email protected] · www.uoou.cz
If you live elsewhere in the EU, you may contact your national data protection authority instead.
§9 — Security
We serve all traffic over TLS, restrict administrative access to authenticated operators, and keep our dependencies up to date. No system can be guaranteed perfectly secure; we handle your data with reasonable care, but not with unlimited liability.
§10 — Children
QR Share is not directed at users under 16 years of age and we do not knowingly collect personal data from them. If you believe a minor has registered, please email us and we will delete the account.
§11 — Changes to this policy
We may update this policy from time to time. Material changes will bump the cookie-consent version and re-prompt everyone via the banner. The revision date at the top of this page will also be updated.
§12 — Contact
For anything related to this policy, GDPR requests, takedowns, or general questions, email [email protected].