Last updated: July 10, 2026
This Privacy Policy describes how QRW.io processes personal data in connection with providing a dynamic URL shortening, QR code generation, and redirection platform.
Privacy Policy
1. Data Controller
- Company name: Indaplan Kft.
- Address: 1039 Budapest, Batthyány utca 35/B., Hungary
- Email: hello@indaplan.hu
- Phone: +36 124 20629
2. Nature of the Service
QRW.io provides dynamic short links, QR code generation, redirect management, and aggregated analytics. When a short link is accessed, our system performs redirection and may generate anonymized statistics.
3. GDPR Roles
Account Data
For registered users, Indaplan Kft. acts as Data Controller.
Link Visitor Data
For visitors accessing user-created links:
- The link creator may act as Data Controller.
- Indaplan Kft. acts as Data Processor providing infrastructure.
4. Categories of Data Collected
4.1 Account Data
Email address and authentication-related identifiers.
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
4.2 Link Redirection Data
- IP address (processed temporarily)
- Date and time of access
- Browser / device type
- Referrer (if available)
- Link identifier
This data is used solely for redirection, abuse prevention, and generating aggregated analytics.
We do not sell personal data and do not create behavioral profiles.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
4.3 Aggregated Analytics
We generate anonymized statistics such as total clicks, approximate country (based on truncated IP), and device category. These are visible only to the link owner.
5. Cookies Policy
Types of Cookies
Essential Cookies
Required for authentication, security, and core functionality. These cannot be disabled.
Analytics Cookies
Used to understand website usage patterns. Activated only after consent for EU users.
Functional Cookies
Store user preferences to improve usability.
Managing Cookies
You may manage cookie preferences via our consent banner or your browser settings. EU users may withdraw consent at any time.
Analytics Providers
We use Google Analytics and Vercel Analytics to understand general website usage. We also use the Barion Pixel for payment fraud prevention (see Section 7).
6. Hosting
The Service is hosted by Vercel Inc., USA. Technical request data may be processed to operate the infrastructure.
7. Barion Pixel — Fraud Prevention
Our website uses the Barion Pixel, a tracking technology provided by Barion Payment Zrt. (1117 Budapest, Alíz utca 2., Hungary). The Barion Pixel collects behavioural data about website visitors — such as page views and interaction patterns — and transmits it to Barion for the purpose of payment fraud prevention and risk assessment.
Data controller for Barion Pixel data: Barion Payment Zrt.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — fraud prevention in the context of online payments.
Barion Privacy Policy: barion.com/adatkezelesi-tajekoztato
Barion Payment Zrt. is supervised by the Hungarian National Bank; licence number: H-EN-I-1064/2013.
8. Stripe Payment Processing
Online card payments on QRW.io are processed by Stripe, Inc. Card and payment-related data do not reach the merchant (Indaplan Kft.); they are handled exclusively by Stripe.
Data controller for payment data: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
Data processed: cardholder name, card number (tokenised), billing address, transaction amount — solely for payment execution and fraud prevention.
Legal basis: Contract performance (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR).
Retention: As required by applicable accounting and financial regulations (typically 8 years).
Stripe Privacy Policy: stripe.com/privacy
9. Destination URL Screening (Google Web Risk)
To protect visitors from phishing and malware, the destination URL of a short link is checked against Google Web Risk, operated by Google LLC. The URL is checked when a link is created or updated, and may be re-checked periodically for as long as the link remains active.
Recipient: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data processed: the destination URL of the short link. If you place personal data inside a destination URL, for example in a query parameter, that data forms part of the URL that is checked. No account identifier, email address, or visitor IP address is sent.
Purpose: detecting and blocking links that point to phishing, malware, or unwanted software.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) in preventing abuse of the Service and protecting visitors and third parties from fraud and malware (see Recital 49 GDPR).
Retention: URLs are transmitted for the check and are not retained by us for this purpose beyond the scan result stored against the link and our standard server logs.
Google Privacy Policy: policies.google.com/privacy
Because this check is automated, a lawful destination may occasionally be misidentified and its link disabled. You may contest such a decision as described in the Terms of Service.
Disclosure of abuse evidence. Where a link is used for phishing, malware, or similar abuse prohibited by the Terms of Service, we may disclose the related account data, the link's destination history, and access logs to law enforcement authorities, the impersonated or affected brand, hosting and domain providers, and anti-abuse and threat-intelligence services. Legal bases: compliance with a legal obligation (Art. 6(1)(c) GDPR) and our legitimate interest in preventing abuse and protecting third parties (Art. 6(1)(f) GDPR). Such evidence may be retained for as long as necessary to investigate the abuse and to establish, exercise, or defend legal claims.
10. International Data Transfers
Where data is transferred outside the European Economic Area, appropriate safeguards such as Standard Contractual Clauses apply.
11. Data Retention
Account data is retained while the account remains active. Analytics data is retained while the link remains active. Server logs are stored only as necessary for security purposes.
12. EU Privacy Rights (GDPR)
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction
- Right to data portability
- Right to object
- Right to withdraw consent
To exercise these rights, contact: hello@indaplan.hu
13. US Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect
- Request deletion
- Request correction
- Opt out of sale or sharing of personal information
- Non-discrimination for exercising your rights
QRW.io does not sell personal information.
14. Security Measures
We implement HTTPS encryption, access control mechanisms, and monitoring systems to protect personal data.
15. Children's Privacy
The Service is not intended for individuals under 16 years of age.
16. Changes to This Policy
We may update this Privacy Policy periodically. Updates will be published on this page.
17. Contact
- Email: hello@indaplan.hu
- Phone: +36 124 20629
- Address: 1039 Budapest, Batthyány utca 35/B., Hungary