Privacy-First Approach

Privacy Policy

Simple, transparent privacy practices. I collect only what's essential to provide the QR scanning service and keep your data secure.

Last Updated: October 22, 2025 - Added Forensic Evidence Tracking & Integrity Mechanisms

Data Encryption: End-to-end encryption
GDPR Compliant: Full EU compliance
User Control: You own your data
Transparency: Clear data practices

What Data We Collect & Why

Scan Metadata

I collect minimal metadata to provide the QR scanning service and improve threat detection.

Technical Information: Device type, IP address, timestamp
Scan Results: URL verification results, threat classifications
Security Logs: Threat detection events, blocked URLs, scan timestamps
Local Database Queries: URLs checked against local threat database

Account Information

Currently, QRTrust operates as a free service without user accounts, so no personal account information is collected.

No User Accounts: Currently no registration or login required
No Personal Data: No names, emails, or personal information stored
Anonymous Usage: Basic usage statistics without personal identification

Data Minimization Principle

I collect only the minimal data necessary to provide the QR scanning service. Unlike many platforms, I don't track personal browsing habits, create advertising profiles, or share data with third-party marketers.

Cookies & Tracking Technology

Essential Cookies

Required for core functionality and security

  • Session management
  • Language preferences
  • Security tokens
  • Load balancing

Always active

Analytics Cookies

Help us improve our service performance

  • Usage statistics
  • Performance metrics
  • Error tracking
  • Feature usage

Your choice

Marketing Cookies

We do not use marketing or advertising cookies

  • No ad tracking
  • No behavioral profiling
  • No cross-site tracking
  • No social media pixels

Never used

Cookie Management

You can control cookie settings through our cookie banner (appears on first visit) or adjust settings in your browser. Essential cookies cannot be disabled as they are required for basic security and functionality.

Third-Party Services & APIs

Local Threat Database

We maintain our own continuously updated local threat intelligence database:

Purpose: Comprehensive phishing and malware URL database for offline threat detection
Data Sharing: NO data is shared with third parties during URL scans
Processing: All URL checks are performed locally on EU servers
Updates: Database updated continuously with latest threats
Privacy: Your scanned URLs never leave our servers

✓ Privacy-First Approach: We maintain and query our threat database locally. Your URLs are NEVER sent to third-party services. All processing happens on our EU servers.

Google Safe Browsing

Google's threat intelligence with over 5M malware and phishing URLs

Purpose: Malware & phishing protection
Data Shared: URLs for threat verification
Operator: Google LLC
Privacy: Subject to Google API terms

Data Location: USA/EU (Google Cloud infrastructure)

AI Pattern Analysis

Proprietary AI model for advanced threat detection (optional)

Purpose: Typosquatting & pattern detection
Processing: All processing on our servers
Data Storage: No AI training with user data
Privacy: User-controlled, opt-in feature

Data Location: EU (GDPR-compliant infrastructure)

Privacy-First Architecture

QRTrust is designed with privacy at its core. We minimize third-party dependencies and keep your data in the EU:

  • Local Processing Only
  • End-to-End Encryption
  • EU Data Residency

Community Database

Local phishing database built from community reports:

User Submissions: Voluntarily reported phishing URLs
Admin Review: All submissions manually verified
Data Storage: Stored locally on EU servers
Privacy: No personal data required for submissions

Logging & Monitoring

Security and performance logs for service operations:

Scan Logs: URL, timestamp, result, IP, user-agent (30 days)
Security Logs: Authentication, rate limits, attacks (90 days)
Error Logs: System errors without personal data
Auto-Purge: Logs automatically deleted after retention period

Forensic Evidence Tracking & Integrity

QRTrust implements enterprise-grade forensic security mechanisms to ensure the integrity and traceability of all evidence:

Chain of Custody

Every access to evidence (screenshots, archives, reports) is logged in a cryptographically secured chain.

  • SHA-256 hash verification
  • Tamper-evident logging
  • Complete access history
  • Legal admissibility

Tamper-Evident Audit Logs

All security-critical events are logged in a blockchain-inspired audit log.

  • Cryptographically linked entries
  • Automatic integrity verification
  • Detects tampering attempts
  • Immutable record

Automated Integrity Checks

Scheduled integrity verification runs every 6 hours to detect any anomalies.

  • Evidence file verification
  • Chain of custody validation
  • Audit log integrity check
  • Automatic alerts

Compliance Standards

Our forensic mechanisms comply with international security standards.

  • ISO/IEC 27037 (Digital Evidence)
  • NIST SP 800-92 (Log Management)
  • GDPR Art. 32 (Security of Processing)
  • Forensic best practices

Data Retention for Forensic Evidence: Evidence files and their chain of custody records are retained for 90 days to support legal proceedings and incident investigations. All forensic data is stored encrypted on EU servers and automatically purged after the retention period.

How I Protect Your Data

Encryption Standards

  • AES-256 encryption at rest
  • TLS 1.3 for data in transit
  • End-to-end encrypted connections
  • Regular encryption key rotation

Access Controls

  • Multi-factor authentication required
  • Role-based access permissions
  • Regular access reviews and audits
  • Zero-trust network architecture

Secure Infrastructure

  • ISO 27001 certified facilities
  • SOC 2 Type II compliance
  • Regular security assessments
  • 24/7 security monitoring

Your Privacy Rights

GDPR Rights (EU Users)

Right to Access

Request copies of all data we store about you

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data

Right to Data Portability

Export your data in a machine-readable format

CCPA Rights (California Users)

Right to Know

Learn what personal information we collect and why

Right to Delete

Request deletion of your personal information

Right to Opt-Out

Opt out of the sale of personal information (we don't sell data)

Right to Non-Discrimination

Equal service regardless of privacy choices

Exercise Your Rights

To exercise any of these rights, contact our Data Protection Officer at privacy@qrtrust.eu or use our automated privacy portal.

Data Sharing & Third Parties

We Don't Sell Your Data

QRTrust has never sold, rented, or traded user data to third parties for marketing purposes, and we never will. Your privacy is not for sale.

✓ No data brokers • ✓ No ad networks • ✓ No marketing partnerships

Authorized Sharing

We may share data only in these limited cases:

  • With your explicit consent
  • To comply with legal obligations
  • With trusted service providers (under strict contracts)
  • For legitimate business purposes (mergers, etc.)

Infrastructure & Data Sources

Our privacy-respecting infrastructure:

  • EU-based servers (Germany) - ISO 27001 certified
  • Local threat database (continuously updated)
  • Self-hosted AI model on EU servers
  • Privacy-focused, no third-party tracking

No Data Export: All URL scans and analysis happen locally on our servers. Your data never leaves the EU.

Contact Our Privacy Team

Privacy Contact

privacy@qrtrust.eu

General Contact

info@qrtrust.eu

Location

Germany
European Union

Policy Updates

I'll notify you of material changes to this privacy policy via:

  • Email notification (30 days' advance notice)
  • In-app notifications
  • Website banner announcements
