Privacy Policy

Version 1.0. Last updated: April 19, 2026

1. Who We Are

Query OÜ ("Query OÜ," "QR First," "we," "our," or "us") operates QR First, a QR code management platform available through our websites, web application, APIs, and short-link infrastructure, including qrfirst.com, app.qrfirst.com, api.qrfirst.com, and q02.eu (together, the "Service").

For the personal data described in this Privacy Policy, Query OÜ is the data controller, except where Section 2 explains that a business customer may act as the controller for content it uploads to the Service.

  • Company: Query OÜ.
  • Registered address: Teeveere tee 11, Vääna-Jõesuu küla, 76909 Harku vald, Harju maakond, Estonia.
  • Contact email: info@qrfirst.com.

2. Scope and Data Protection Roles

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you use the Service, contact us, create an account, manage QR codes and groups, or scan a QR First short link.

In most cases, Query OÜ acts as the data controller for account, authentication, billing, support, and technical data relating to the operation of the Service.

If you use QR First on behalf of a business or organisation and you upload or manage personal data about other people inside QR content, groups, files, or shared workspaces, you may act as the data controller for that content and Query OÜ may act as your processor or service provider for hosting and making that content available in accordance with your instructions. EU business customers may request our Data Processing Agreement (DPA) at info@qrfirst.com.

3. Personal Data We Collect

3.1 Account and Contact Data

  • Email address used for registration, login, verification, and service communications.
  • Account details such as internal account identifiers, settings, preferences, and subscription status.

3.2 Service Content and Collaboration Data

  • QR code data such as titles, destinations, content, and configuration choices.
  • Group data such as group names, membership, sharing settings, and member roles.
  • Uploaded files and field data such as photos, text, and other content you attach to QR codes.

3.3 Technical, Device, and Log Data

Our infrastructure automatically records technical information when the Service is used, including when a person scans a QR First short link hosted on q02.eu.

  • IP address.
  • User-agent string and basic browser or device information.
  • Timestamp, requested URL or path, HTTP method, and response status.
  • Referrer header, if one is provided by the browser.

We do not currently maintain separate product analytics for QR code scans in the application database. A scan of a QR First short link results only in normal server-side logging needed to deliver and secure the service.

3.4 Communications Data

  • Emails you send to us for support, billing, legal, or privacy matters.
  • Any information you include in support tickets, deletion requests, or GDPR rights requests.

3.5 Cookies and Similar Technical Identifiers

We currently use the following cookies that are strictly necessary to operate the Service:

  • jwt_token: a 30-day HttpOnly, Secure authentication cookie containing a signed token associated with your account session. It is not readable by JavaScript and is required for login.
  • node: a 30-day routing cookie used to route requests to the correct backend node. It is required for the Service architecture to function.

We do not currently use advertising cookies or third-party analytics cookies. If we introduce any non-essential cookies in the future, we will update this Privacy Policy and request consent where required.

3.6 Billing Data

If and when paid subscriptions are activated, we and our payment provider may process billing-related data such as billing contact details, VAT or tax information, subscription status, invoice details, and payment transaction metadata. We do not intend to store full payment card numbers ourselves.

4. Why We Use Personal Data and Our Legal Bases

Under GDPR, we must have a lawful basis for processing personal data. The main legal bases we rely on are: performance of a contract, legitimate interests, legal obligation, and, where applicable, consent.

  • Account creation, login, authentication, and account administration — processed under Article 6(1)(b) GDPR (performance of a contract).
  • Hosting groups, QR codes, uploaded content, sharing features, and short-link resolution — processed under Article 6(1)(b) GDPR (performance of a contract).
  • Transactional emails, support responses, and service notices — processed under Article 6(1)(b) GDPR where necessary to provide the Service, and in some cases under Article 6(1)(f) GDPR (our legitimate interest in supporting users and operating the Service).
  • Security monitoring, abuse prevention, incident investigation, and infrastructure logging — processed under Article 6(1)(f) GDPR (our legitimate interest in securing the Service and protecting our users).
  • Retention of accounting and compliance records, and responses to lawful requests from authorities — processed under Article 6(1)(c) GDPR (legal obligation).
  • Non-essential cookies or optional future analytics or marketing tools — if introduced, would be processed under Article 6(1)(a) GDPR (consent), where required.

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

5. Sharing of Personal Data

5.1 Sharing Within the Service

If you share a group with another user, the members of that group can access the content and metadata that you make available through the permissions and roles configured for that group.

5.2 Service Providers and Recipients

We share personal data only where necessary to run the Service or comply with law. Relevant recipients may include:

  • Hetzner Cloud GmbH — hosting, servers, storage, networking, and backup infrastructure within the EU.
  • Query OÜ-operated infrastructure components — including our object storage and transactional email systems that we run as part of the QR First infrastructure.
  • Professional advisers such as accountants, auditors, lawyers, or insurers where reasonably necessary.
  • Authorities, courts, regulators, or law enforcement where disclosure is required by applicable law.
  • A future payment processor, if paid subscriptions are launched. We will update this Privacy Policy before that goes live.

We do not sell, rent, or trade personal data for monetary gain, and we do not currently use third-party advertising networks.

5.3 Business Transfers

If Query OÜ is involved in a merger, acquisition, financing transaction, reorganisation, or sale of assets, personal data may be transferred as part of that transaction. If that happens, we will provide notice where required by law.

6. International Data Transfers

Our primary hosting and infrastructure are located in the European Union. We do not routinely transfer personal data outside the EEA. If we need to transfer personal data outside the EEA in the future, we will use an approved transfer mechanism, such as the European Commission's Standard Contractual Clauses, and implement any required supplementary safeguards.

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy.

  • Account and contact data is retained while your account is active and for up to 30 days after account deletion or a verified deletion request, unless a longer retention period is required by law.
  • QR code content, groups, sharing data, and uploaded files are retained while your account is active and normally deleted within 30 days after account deletion.
  • Rolling backups are retained for up to 30 days. This means deleted data may remain in encrypted backup media until the relevant backup cycle expires.
  • Server access logs are rotated daily and retained for 14 days, including requests made when a QR First short link is scanned.
  • Support, legal, and privacy correspondence is retained for as long as reasonably necessary to handle the request, document the outcome, and establish, exercise, or defend legal claims.
  • Accounting and billing records are retained for up to 7 years where required by the Estonian Accounting Act or other applicable law.

8. Your Rights Under GDPR

If GDPR applies to you, you have the right to request access to, correction of, deletion of, restriction of, objection to, or portability of your personal data, subject to applicable legal exceptions.

  • Right of access — ask for a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete personal data.
  • Right to erasure — ask us to delete your personal data where there is no overriding reason for us to keep it.
  • Right to restriction — ask us to limit processing in certain circumstances.
  • Right to data portability — ask for certain data in a structured, commonly used, machine-readable format.
  • Right to object — object to processing based on our legitimate interests.
  • Right to withdraw consent — where we rely on consent, you may withdraw it at any time.
  • Right to lodge a complaint — complain to your local supervisory authority, including the Estonian Data Protection Inspectorate.

To exercise your rights, email info@qrfirst.com with the subject line "GDPR Rights Request". We may ask you to verify your identity before responding. We aim to respond within one month, although this may be extended by up to two additional months for complex requests.

Estonian supervisory authority: Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn, Estonia. Website: www.aki.ee.

9. Security Measures

We use appropriate technical and organisational measures designed to protect personal data, including:

  • TLS or HTTPS encryption for data in transit.
  • Secure authentication architecture, including HttpOnly authentication cookies.
  • Access controls designed to limit internal access to authorised personnel.
  • Daily backups and infrastructure monitoring.
  • Segregation of application components and controlled hosting environments.

No system is completely secure. We cannot guarantee absolute security, but we will handle personal data breaches in accordance with applicable law, including GDPR Articles 33 and 34 where those provisions apply.

10. External Destinations and Third-Party Content

QR codes created through the Service may point to third-party websites or services selected by you. We do not control those third-party destinations and are not responsible for their privacy practices, content, or availability. If you scan a QR code and proceed to an external website, that website's own privacy policy will apply.

11. Children's Privacy

The Service is not directed to children under 16, and you must be at least 16 years old to create an account. We do not knowingly collect personal data directly from children under 16. If you believe a child has provided personal data to us, please contact us and we will investigate and, where appropriate, delete the data.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, operational, or product changes. When we do, we will update the "Last updated" date on this page. If the changes are material, we will provide additional notice, such as by email or by notice within the Service, where required.

13. Contact Us

For privacy questions, GDPR rights requests, deletion requests, or DPA requests, contact Query OÜ at:

  • Email: info@qrfirst.com.
  • Postal address: Teeveere tee 11, Vääna-Jõesuu küla, 76909 Harku vald, Harju maakond, Estonia.
  • Suggested subject lines: "Privacy Policy Inquiry," "GDPR Rights Request," or "DPA Request."

Summary: We collect account data, QR and group content, files, and limited technical log data to operate and secure QR First. Query OÜ is the data controller for the Service, data is primarily hosted in the EU, we do not sell personal data, and you can exercise your GDPR rights by contacting info@qrfirst.com.