GeoQR is operated by Bilfi ApS. This Privacy Policy explains how Bilfi ApS collects, uses, stores, and shares personal information in connection with the GeoQR marketing site and the GeoQR product.

It applies to people who visit our marketing site, create or use a GeoQR account, administer a workspace, act as a billing or support contact, or otherwise communicate with us. It also applies where GeoQR acts directly as the controller for personal information processed through our own operations.

Who We Are

The controller for personal information described in this Privacy Policy is:

Bilfi ApS
CVR 41643838
Vindingvej 34
7100 Vejle
Denmark
info@geoqr.io

Controller and Customer Roles

GeoQR is a business product for dynamic QR campaigns, redirect rules, branded destinations, and scan analytics. Because of that, the role we play depends on the data involved.

• Bilfi ApS / GeoQR acts as controller for marketing-site data, account registration, authentication, subscriptions, billing, support, security, service telemetry, and our direct business communications.
• GeoQR customers generally act as controllers for the campaign destinations, linked content, and business use of scan analytics connected to the QR campaigns they operate.
• GeoQR may act as a processor or service provider when handling campaign-related data on behalf of a customer. If you interact with a QR campaign run by one of our customers, that customer may be primarily responsible for the campaign-specific privacy notice that applies to you.

Information We Collect

Depending on how you interact with GeoQR, we may collect:

• Account and profile data: name, email address, username, password or passkey credentials, email-verification data, and related account settings.
• Organization and workspace data: organization names, membership roles, invitation records, billing contacts, and workspace configuration.
• QR configuration and campaign content: QR codes, redirect URLs, country-specific routing rules, custom domains, uploaded media, and other content managed through GeoQR.
• Billing and subscription data: plan, billing state, trial and subscription metadata, and customer or subscription identifiers returned by Stripe. Payment card details are processed by Stripe and are not stored by GeoQR.
• Transactional email data: message delivery data and the information required to send account verification, password reset, invitation, billing, and security emails through Resend.
• Session and security data: IP address, browser and device details, user agent, session identifiers, login activity, and related operational or security logs.
• Scan analytics data: the QR code scanned, timestamp, organization context, and country-level location inferred from network metadata. GeoQR does not describe itself here as collecting precise GPS location from scans.
• Support and communication data: messages you send to us, the contents of support requests, and our responses.

Sources of Data

We collect personal information from a combination of sources:

• Directly from you when you create an account, sign in, or contact us.
• From customer-configured campaign content and QR routing settings managed inside GeoQR.
• From your browser, device, and network context when you use the marketing site or product.
• From Stripe in connection with billing, subscription, and payment status events.
• From Resend or related delivery events for transactional email operations.

How We Use Information

We use personal information to:

• Provide, operate, maintain, and improve GeoQR and the marketing site.
• Register accounts, authenticate users, and manage workspace access.
• Process subscriptions, maintain billing state, and administer plans.
• Send transactional emails for verification, password resets, invitations, billing, and service-security matters.
• Run redirect logic, maintain QR configurations, and generate country-level scan analytics.
• Respond to support requests and other communications.
• Detect abuse, prevent fraud, secure the service, and troubleshoot incidents.
• Comply with legal obligations and enforce our terms and policies.

Legal Bases

Where applicable privacy law requires a legal basis, we rely on the following:

• Contract: to create and administer accounts, provide the GeoQR service, manage subscriptions, and deliver core product functionality.
• Legitimate interests: to secure the service, prevent abuse, maintain reliability, improve product performance, respond to business communications, and operate the marketing site.
• Legal obligation: where we must retain, disclose, or otherwise process information to comply with applicable law, tax rules, accounting rules, or lawful requests.
• Consent: where a specific optional flow depends on consent. This Privacy Policy does not treat the current marketing site as using non-essential advertising or analytics trackers by default.

Required and Optional Information

Some information is required so we can provide GeoQR. For example, we need account credentials and contact information to create and secure an account, and we need subscription and billing metadata to manage paid plans. Other information may be optional, such as details you include in support messages or certain profile fields.

Cookies and Similar Technologies

We use cookies and similar technologies where needed to keep you signed in, maintain secure sessions, and support essential site and product functionality. You can control cookies through your browser settings, but disabling essential cookies may prevent parts of GeoQR from working properly.

How We Share Information

We may share personal information with:

• Service providers that support hosting, infrastructure, security, operational tooling, and customer support.
• Stripe for subscription, billing, and payment-related processing.
• Resend for delivery of transactional emails such as account verification, invitations, password resets, billing, and security notices.
• Customers and workspace members where shared access to account, organization, QR, billing, or campaign-management information is part of the service.
• Authorities or other parties where disclosure is required by law, legal process, or to protect rights, safety, and the security of the service.
• Relevant transaction parties in connection with a merger, acquisition, financing, restructuring, or sale of all or part of our business.

We do not sell personal information.

International Transfers

GeoQR and our service providers may process information in countries other than your own. Where applicable law requires safeguards for international transfers, we use contractual, technical, and organizational measures intended to protect personal information during those transfers.

Data Retention

We retain personal information for as long as necessary for the applicable purpose, including to provide the service, maintain security, resolve disputes, and comply with legal obligations. Retention varies by category, such as:

• Account and workspace records while the account or workspace remains active.
• Billing and transaction records for the periods required by accounting, tax, and legal obligations.
• Session, security, and operational logs for the period reasonably needed to maintain service integrity, investigate incidents, and defend legal claims.
• Support and communication records for the period needed to handle the request, maintain continuity, and document business interactions.
• Campaign and scan-related records according to the customer’s use of the service, product settings, and the operational needs of the platform.

When information is no longer needed, we may delete it, de-identify it, or retain it only where continued storage is required or permitted by law.

Data Security

We use administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, misuse, loss, alteration, and disclosure. These measures are intended to reflect the sensitivity of the data and the nature of our service. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

Your Rights

Depending on where you live and the role we play for the data involved, you may have rights to:

• Access personal information we hold about you.
• Correct inaccurate or incomplete personal information.
• Request deletion of personal information.
• Request restriction of processing.
• Object to certain processing.
• Request portability of personal information where applicable.
• Withdraw consent where processing relies on consent.
• Lodge a complaint with a competent supervisory authority.

If GeoQR processes data on behalf of one of our customers, we may direct you to that customer where they are the primary controller for the relevant campaign or scan-related information.

To exercise your rights, contact Bilfi ApS at info@geoqr.io. We may ask you to verify your identity before we fulfill a request, and we will respond within the time period required by applicable law.

Automated Decision-Making

GeoQR uses operational logic such as redirect routing, country-based fallback selection, and security checks to provide the service. We do not describe this processing in this Privacy Policy as solely automated decision-making that produces legal effects or similarly significant effects about individuals.

Children's Privacy

GeoQR is not directed to children, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will review the request.

Complaints

If you have concerns about how Bilfi ApS handles personal information, we encourage you to contact us first at info@geoqr.io. You may also lodge a complaint with the Danish Data Protection Agency, Datatilsynet, or with your local supervisory authority where applicable.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date on this page. Continued use of GeoQR after an update takes effect means the revised policy will apply to your future use of the service.

Contact

If you have questions about this Privacy Policy or GeoQR's data practices, contact Bilfi ApS at info@geoqr.io or write to Vindingvej 34, 7100 Vejle, Denmark.