Privacy Policy

Last updated: April 8, 2026

1. Who we are

InsightQRCode is operated by SouquetConsulting ("we", "us"). If you have questions about this policy, contact us at privacy@leosouquet.com.

2. What data we collect

a) QR code creators (authenticated users)

When you sign in with Google, we store:

  • Your name, email address, and profile picture (provided by Google)
  • A unique user ID
  • The QR codes you create (destination URLs, creation date)
  • Session data to keep you logged in

Legal basis: Contract performance (Art. 6(1)(b) GDPR) — we need this data to provide the service you signed up for.

b) QR code scanners (people who scan a QR code)

When someone scans a dynamic QR code, we collect:

  • Country — derived from CloudFront geolocation headers
  • Device type — Mobile, Desktop, or Tablet
  • Browser family — e.g. Chrome, Safari, Firefox
  • Operating system — e.g. iOS, Android, Windows
  • Referrer category — where the scan came from (direct, social, etc.)

We do not collect:

  • IP addresses
  • Precise geolocation (no city, latitude, or longitude)
  • Raw user-agent strings (we parse them into categories and discard the original)
  • Cookies or tracking pixels on the redirect

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — aggregated, anonymized scan analytics help QR code owners understand how their codes perform. The data we store cannot identify an individual.

3. How long we keep data

  • Scan analytics: automatically deleted after 90 days (via DynamoDB TTL)
  • User accounts and QR codes: kept until you delete your account
  • Session data: expires automatically when your session ends

4. Where data is processed

All data is processed and stored in the EU (AWS eu-west-3, Paris). We use the following AWS services:

  • Amazon DynamoDB — stores user accounts, QR codes, and scan analytics
  • Amazon S3 — stores QR code images
  • AWS Lambda — runs the API
  • Amazon CloudFront — serves requests and provides country-level geolocation

Authentication is provided by Google OAuth. When you sign in, Google shares your name, email, and profile picture with us per their privacy policy.

5. Your rights (GDPR)

As an EU resident, you have the right to:

  • Access your data — request a copy of everything we store about you
  • Rectify inaccurate data
  • Delete your account and all associated data
  • Export your data in a portable format
  • Object to processing based on legitimate interest
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@leosouquet.com. We will respond within 30 days.

6. Cookies

We use a single essential session cookie to keep you logged in. It is set by NextAuth.js and is required for the service to function. We do not use advertising, analytics, or third-party tracking cookies.

7. Third-party services

  • Google OAuth — authentication only, no data shared back to Google
  • Amazon Web Services — infrastructure provider (EU region), acting as data processor

We do not sell, share, or transfer your data to any other third parties.

8. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top will change accordingly. For significant changes, we will notify authenticated users by email.