Last updated: July 10, 2026

This Privacy Policy describes how QRW.io processes personal data in connection with providing a dynamic URL shortening, QR code generation, and redirection platform.

Privacy Policy

1. Data Controller

  • Company name: Indaplan Kft.
  • Address: 1039 Budapest, Batthyány utca 35/B., Hungary
  • Email: hello@indaplan.hu
  • Phone: +36 124 20629

2. Nature of the Service

QRW.io provides dynamic short links, QR code generation, redirect management, and aggregated analytics. When a short link is accessed, our system performs redirection and may generate anonymized statistics.

3. GDPR Roles

Account Data

For registered users, Indaplan Kft. acts as Data Controller.

Link Visitor Data

For visitors accessing user-created links:

  • The link creator may act as Data Controller.
  • Indaplan Kft. acts as Data Processor providing infrastructure.

4. Categories of Data Collected

4.1 Account Data

Email address and authentication-related identifiers.

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

4.2 Link Redirection Data

  • IP address (processed temporarily)
  • Date and time of access
  • Browser / device type
  • Referrer (if available)
  • Link identifier

This data is used solely for redirection, abuse prevention, and generating aggregated analytics.

We do not sell personal data and do not create behavioral profiles.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

4.3 Aggregated Analytics

We generate anonymized statistics such as total clicks, approximate country (based on truncated IP), and device category. These are visible only to the link owner.

5. Cookies Policy

Types of Cookies

Essential Cookies

Required for authentication, security, and core functionality. These cannot be disabled.

Analytics Cookies

Used to understand website usage patterns. Activated only after consent for EU users.

Functional Cookies

Store user preferences to improve usability.

Managing Cookies

You may manage cookie preferences via our consent banner or your browser settings. EU users may withdraw consent at any time.

Analytics Providers

We use Google Analytics and Vercel Analytics to understand general website usage. We also use the Barion Pixel for payment fraud prevention (see Section 7).

6. Hosting

The Service is hosted by Vercel Inc., USA. Technical request data may be processed to operate the infrastructure.

7. Barion Pixel — Fraud Prevention

Our website uses the Barion Pixel, a tracking technology provided by Barion Payment Zrt. (1117 Budapest, Alíz utca 2., Hungary). The Barion Pixel collects behavioural data about website visitors — such as page views and interaction patterns — and transmits it to Barion for the purpose of payment fraud prevention and risk assessment.

Data controller for Barion Pixel data: Barion Payment Zrt.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — fraud prevention in the context of online payments.
Barion Privacy Policy: barion.com/adatkezelesi-tajekoztato

Barion Payment Zrt. is supervised by the Hungarian National Bank; licence number: H-EN-I-1064/2013.

8. Stripe Payment Processing

Online card payments on QRW.io are processed by Stripe, Inc. Card and payment-related data do not reach the merchant (Indaplan Kft.); they are handled exclusively by Stripe.

Data controller for payment data: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
Data processed: cardholder name, card number (tokenised), billing address, transaction amount — solely for payment execution and fraud prevention.
Legal basis: Contract performance (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR).
Retention: As required by applicable accounting and financial regulations (typically 8 years).
Stripe Privacy Policy: stripe.com/privacy

9. Destination URL Screening (Google Web Risk)

To protect visitors from phishing and malware, the destination URL of a short link is checked against Google Web Risk, operated by Google LLC. The URL is checked when a link is created or updated, and may be re-checked periodically for as long as the link remains active.

Recipient: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data processed: the destination URL of the short link. If you place personal data inside a destination URL, for example in a query parameter, that data forms part of the URL that is checked. No account identifier, email address, or visitor IP address is sent.
Purpose: detecting and blocking links that point to phishing, malware, or unwanted software.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) in preventing abuse of the Service and protecting visitors and third parties from fraud and malware (see Recital 49 GDPR).
Retention: URLs are transmitted for the check and are not retained by us for this purpose beyond the scan result stored against the link and our standard server logs.
Google Privacy Policy: policies.google.com/privacy

Because this check is automated, a lawful destination may occasionally be misidentified and its link disabled. You may contest such a decision as described in the Terms of Service.

Disclosure of abuse evidence. Where a link is used for phishing, malware, or similar abuse prohibited by the Terms of Service, we may disclose the related account data, the link's destination history, and access logs to law enforcement authorities, the impersonated or affected brand, hosting and domain providers, and anti-abuse and threat-intelligence services. Legal bases: compliance with a legal obligation (Art. 6(1)(c) GDPR) and our legitimate interest in preventing abuse and protecting third parties (Art. 6(1)(f) GDPR). Such evidence may be retained for as long as necessary to investigate the abuse and to establish, exercise, or defend legal claims.

10. International Data Transfers

Where data is transferred outside the European Economic Area, appropriate safeguards such as Standard Contractual Clauses apply.

11. Data Retention

Account data is retained while the account remains active. Analytics data is retained while the link remains active. Server logs are stored only as necessary for security purposes.

12. EU Privacy Rights (GDPR)

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction
  • Right to data portability
  • Right to object
  • Right to withdraw consent

To exercise these rights, contact: hello@indaplan.hu

13. US Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect
  • Request deletion
  • Request correction
  • Opt out of sale or sharing of personal information
  • Non-discrimination for exercising your rights

QRW.io does not sell personal information.

14. Security Measures

We implement HTTPS encryption, access control mechanisms, and monitoring systems to protect personal data.

15. Children's Privacy

The Service is not intended for individuals under 16 years of age.

16. Changes to This Policy

We may update this Privacy Policy periodically. Updates will be published on this page.

17. Contact

  • Email: hello@indaplan.hu
  • Phone: +36 124 20629
  • Address: 1039 Budapest, Batthyány utca 35/B., Hungary