GDPR · CCPA/CPRA · LGPD · PIPEDA · UK GDPR · APPI · International
Last updated: June 1, 2026 · Version 3.0
Applies to: QREagleStudio macOS application and the website qreagle.com
IT Solutions Egarter
Mag. Wolfgang Egarter
St. Oswalderstraße 14
A-9546 Bad Kleinkirchheim
Austria
Email: info@it-egarter.at
Data Protection contact: same address · Response target: 72 hours (business days)
This Privacy Policy describes how IT Solutions Egarter (“we”, “our”, “us”) collects, uses, stores, and protects personal data in connection with:
it.qreagle.qrestudio)
We are committed to full compliance with applicable data-protection and privacy legislation worldwide. The primary laws we observe are:
Where requirements differ across jurisdictions, we apply the higher standard of protection. Rights specific to your jurisdiction are listed in §11 and §12 below.
The vast majority of QREagleStudio’s functionality runs entirely on your device. Only the optional Dynamic QR feature involves server-side data storage, and even then the data is minimal and strictly limited to what is necessary for the service.
qreagle.com/go/{slug}) can be redirected to any destination URL by the owner at any time, with aggregate scan counts tracked server-side.
localStorage exclusively for functional preferences (cookie-notice dismissal). No tracking cookies are set.
QREagleStudio is designed as a privacy-first, on-device application. The following data is processed solely on your Mac and is never transmitted to any server:
All text, URLs, phone numbers, addresses, and other data you type into QREagleStudio forms are used exclusively to generate the QR code on your device. This data:
UserDefaults and file-system mechanisms, encrypted by macOS at the file-system level.
Legal basis: Art. 6(1)(b) GDPR — performance of the service you requested.
Your chosen pixel shapes, colours, gradients, presets, label text, logo settings, frame options, and all other design preferences are stored locally in UserDefaults on your Mac. These settings never leave your device and are not shared with us or any third party.
Legal basis: Art. 6(1)(b) GDPR — necessary to provide the service.
The app may request access to your macOS Contacts when you create a vCard QR code. This access is entirely optional — you can type contact details manually.
Legal basis: Art. 6(1)(a) GDPR — your explicit consent via the macOS permission dialog.
The app may request your device location when you create a GPS Coordinate, Google Maps, or Apple Maps QR code.
Legal basis: Art. 6(1)(a) GDPR — your explicit consent.
When you add a custom logo, a custom background image, or use the AI colour palette extractor, the app reads the image file you select. The image is processed locally (colour extraction, compositing, logo embedding). It is never uploaded to any server by us.
Note: If you use the AI QR generation feature, your text prompt (not the image) is sent to the Replicate API (see §6b). No image you provide to the app is sent to Replicate.
Legal basis: Art. 6(1)(b) GDPR — necessary to provide the feature you requested.
If you use the AI QR generation feature, you may enter a Replicate API key. This key is stored exclusively in your macOS Keychain — encrypted with AES-256, sandboxed to QREagleStudio’s bundle identifier. It is never written to disk in plaintext, logged, or transmitted to our server. It is sent only to Replicate’s API (api.replicate.com) as your authentication credential for the AI generation requests you initiate.
Legal basis: Art. 6(1)(b) GDPR — necessary to use the AI generation service.
Your StoreKit purchase transaction is used to derive your Dynamic QR API key (see §5c). The derivation happens on your device; only the resulting API key and your transaction ID are sent to and stored on our server. No payment card details, Apple ID, or billing information is ever received or stored by us. Apple’s privacy policy governs the purchase process.
Legal basis: Art. 6(1)(b) GDPR — necessary to unlock the features you paid for.
If you use the Cryptographic QR Signing feature, QREagleStudio generates a P-256 ECDSA key pair entirely on your device using Apple’s CryptoKit framework:
k=). It is not stored on our servers.
s=). Computed locally on your device.
n=). It is not stored on our servers.
All cryptographic operations (key generation, signing) happen on-device only. No private key material, no biometric data, and no Keychain secrets are transmitted anywhere.
Legal basis: Art. 6(1)(b) GDPR — necessary to provide the signing feature you requested.
The following processing activities involve our server at qreagle.com and are subject to additional explanation.
Like all web servers, qreagle.com’s Apache server automatically generates access logs whenever any resource is requested. These logs contain:
/go/abc123 or /api/links)
Retention: Access logs are retained for a maximum of 30 days and then deleted automatically. They are used solely for server security monitoring (detecting abuse, brute-force attempts, and DDoS patterns).
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining server security and operational integrity.
Third parties: Logs are stored on our hosting provider’s infrastructure. No log data is shared with analytics services, advertisers, or any other third party.
When someone scans a Smart QR Card, their browser opens a page at qreagle.com (e.g. qreagle.com/api/gift.php?...). The card’s content is URL-encoded in the QR code itself and passed as query parameters to the rendering script.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in delivering the card page requested by the scanner.
The Dynamic QR feature is available to Pro subscribers. After purchase, the app automatically calls our POST /api/auth endpoint to provision a personal API key.
originalTransactionID (a numeric identifier assigned by Apple).
qre_) and the transaction ID, linked by a random internal ID. No payment details, Apple ID, or name is stored.
Legal basis: Art. 6(1)(b) GDPR — processing necessary for the performance of the service contract.
When you create a Dynamic QR short link, the following data is stored on our server:
qreagle.com/go/. Auto-generated or chosen by you.
What is NOT stored per scan: IP address, full User-Agent string, precise timestamp, cookies, session ID, device fingerprint, or any cross-site identifier. See §5e for the anonymised event data that is collected.
Legal basis: Art. 6(1)(b) GDPR — processing necessary to perform the Dynamic QR service you subscribed to.
Retention: Link data (including scan events) is retained until you delete the individual link or request account deletion (§10). Deletion is immediate and permanent.
When someone scans a Dynamic QR code, their browser opens qreagle.com/go/{slug}. Our server performs the following steps:
302 Found redirect to the (variant) destination URL.
| Field | Value stored | Source |
|---|---|---|
| Country | ISO 3166-1 alpha-2 (e.g. “DE”), or null | CDN geo-header (e.g. Cloudflare CF-IPCountry); IP address never stored |
| Browser family | Name only (e.g. “Chrome”, “Safari”) | User-Agent — only family parsed, raw string discarded |
| OS family | Name only (e.g. “iOS”, “Windows”) | User-Agent — only family parsed, raw string discarded |
| Language | BCP 47 root code (e.g. “en”, “de”) | First two chars of Accept-Language header |
| Referrer host | Domain only (e.g. “instagram.com”), or null | Hostname from Referer header; full URL discarded |
| A/B variant | Variant label (e.g. “A”, “B”), or null | Selected per configured weights; null if no variants |
| Date | Calendar date only (e.g. “2026-06-01”) | UTC date — no timestamp, no time-of-day |
What is NOT stored: IP address, full User-Agent string, precise timestamp, cookies, session ID, device fingerprint, browser version, or any cross-site identifier. This data cannot identify or re-identify any individual.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the link owner in understanding aggregate scan patterns. Processing is limited to what is strictly necessary; the anonymisation measures (no IP, family-level UA parsing, date-only resolution) make individual identification impossible.
GDPR Art. 25 (Privacy by Design): The IP address is never written to any variable or buffer reaching our database layer. It cannot be reconstructed after the fact.
Retention: Scan events are deleted when the parent link is deleted, or upon account deletion request (§10).
When someone visits qreagle.com/api/verify to verify a signed QR code, the following data is processed:
d=): The original content of the QR code, base64url-encoded in the URL. Decoded in memory for verification; never stored.
s=): The P-256 ECDSA signature, base64url-encoded. Used only to run openssl_verify(); never stored.
k=): The signer’s raw P-256 public key (64 bytes), base64url-encoded. Used only for signature verification; never stored.
n=): An optional display name chosen by the QR creator, base64url-encoded. Displayed on the page; never stored.
The /api/verify endpoint is completely stateless. All four parameters are passed in the URL itself and processed entirely in memory for the duration of the request. Nothing is written to any database or log beyond the standard web server access log described in §5a (deleted after 30 days).
No private key material is ever sent to this endpoint — only the public key and signature, both of which the QR creator intentionally embeds in the QR code for public verification.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in providing a publicly accessible, stateless signature verification service with no personal data retention.
The AI QR generation feature is optional and available to Pro subscribers. When you use it, QREagleStudio sends your text prompt to the Replicate API (api.replicate.com), a third-party AI infrastructure service.
What is NOT sent: Any personal data from your QR content, your name, your email, or any data from your QR library.
Legal basis: Art. 6(1)(b) GDPR — you explicitly initiated the AI generation request.
Replicate’s data practices are governed by Replicate’s Privacy Policy. We are not responsible for how Replicate processes data it receives. Replicate is incorporated in the United States; data sent to Replicate may be processed outside the EEA under appropriate transfer mechanisms (Replicate’s DPA).
AI-generated images are composited with the QR code on your device and treated as a background image. The composited result is available for export as PNG. Saving to your Photos library is disabled for AI-generated images to prevent accidental exposure; export to file is always available.
All in-app purchases (Pro Monthly subscription and Lifetime licence) are processed exclusively through Apple’s App Store and StoreKit 2.
Legal basis: Art. 6(1)(b) GDPR — processing necessary to fulfil the purchase contract.
QREagleStudio and qreagle.com contain no analytics SDK, crash reporter, advertising identifier, or third-party tracking library of any kind. Specifically:
ASIdentifierManager (IDFA) is never accessed.
We do not know who you are, what QR codes you create, or how often you use the app. Only the Dynamic QR feature involves any server interaction, and even there the data is minimal (§5).
QREagleStudio is distributed via the Mac App Store. Apple’s privacy practices govern the App Store download and purchase process. Apple may collect diagnostic and usage data as described in their privacy policy. We have no control over or access to Apple’s data collection.
Reference: apple.com/privacy
The qreagle.com server infrastructure is operated by a European web hosting provider. Server access logs (§5a) are physically stored on their infrastructure within the EEA. The hosting provider acts as a data processor under Art. 28 GDPR. A Data Processing Agreement (DPA) is in place. The hosting provider does not independently access or process your data beyond infrastructure operation.
The qreagle.com website loads the “Inter” typeface from Google Fonts via a request to fonts.googleapis.com. This request transmits your IP address to Google’s servers. Google’s privacy policy applies: policies.google.com/privacy.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in providing a consistently styled website.
If you use the AI QR generation feature, prompts and conditioning data are sent to Replicate, Inc. (USA). Replicate processes this data under their privacy policy and DPA. The transfer is based on Standard Contractual Clauses (SCCs) as provided by Replicate. This processing only occurs if you actively initiate AI generation; it does not occur during normal app use.
Reference: replicate.com/privacy
Our primary server infrastructure is located within the European Economic Area (EEA). If any third-party service (Apple, Google, Replicate) processes data outside the EEA, they do so under standard contractual clauses (SCCs) or other GDPR-compliant transfer mechanisms. We do not independently transfer personal data outside the EEA.
We take appropriate technical and organisational measures to protect personal data against loss, manipulation, or unauthorised access:
data/ directory on the server is protected by Apache access controls that deny direct HTTP access.
In the event of a personal data breach posing a high risk to your rights, we will notify you and the relevant supervisory authority within 72 hours in accordance with Art. 33–34 GDPR.
Depending on your country of residence, you have different legal rights with respect to your personal data. Because most processing in QREagleStudio happens on your own device, many of these rights can be exercised directly within the app. The table below maps the most common rights to our specific processing activities.
| Right | Jurisdictions | How to exercise |
|---|---|---|
| Access / Know — obtain confirmation and a copy of your data | GDPR Art. 15, UK GDPR, CCPA, LGPD, PIPEDA, APPI, DPDP (India), PIPL (China), PIPA (Korea), PDPA (Singapore/Thailand), POPIA (South Africa), NZ Privacy Act, UAE PDPL | Dynamic QR links are visible in the app. Email info@it-egarter.at for a full export. |
| Rectification / Correction — correct inaccurate data | GDPR Art. 16, UK GDPR, LGPD, PIPEDA, APPI, DPDP (India), PIPL (China), PIPA (Korea), PDPA, POPIA, NZ Privacy Act, UAE PDPL | Edit destination URL and label directly in the Dynamic QR tab in the app. Other corrections: email us. |
| Erasure / Deletion / Right to be Forgotten | GDPR Art. 17, UK GDPR, CCPA, LGPD, PIPEDA, PIPL (China), PIPA (Korea), PDPA (Thailand), POPIA, UAE PDPL, DPDP (India) | Delete individual links in the app (also deletes all scan events). Full account deletion: email us — we will complete it within 30 days. |
| Restriction of Processing | GDPR Art. 18, UK GDPR, LGPD | Contact info@it-egarter.at. We acknowledge within 72 hours. |
| Data Portability — receive data in machine-readable format | GDPR Art. 20, UK GDPR, LGPD, CCPA, PDPA (Thailand), PIPL (China), UAE PDPL | GET /api/links returns your link data as JSON. Email us for a full structured export. |
| Object to Processing | GDPR Art. 21, UK GDPR, LGPD | Contact info@it-egarter.at. We will cease processing unless we can demonstrate compelling legitimate grounds. |
| Withdraw Consent | GDPR Art. 7(3), UK GDPR, LGPD, DPDP (India), PIPL (China), PIPA (Korea), PDPA (Singapore/Thailand), POPIA, UAE PDPL | Revoke Contacts or Location permission in System Settings → Privacy & Security at any time. |
| No Automated Decision-Making | GDPR Art. 22, UK GDPR | Not applicable — we do not use automated profiling that produces legal or significant effects. |
| Non-Discrimination | CCPA §1798.125 | We will never deny service, charge different prices, or provide a different level of quality because you exercised a privacy right. |
| Opt-Out of Sale / Sharing | CCPA/CPRA §1798.120 | Not applicable — we do not sell, share, rent, or trade personal data to or with any third party for monetary or other valuable consideration, ever. |
To exercise any right, write to info@it-egarter.at or use the postal address in §17. We will respond within 30 days (45 days for CCPA requests if we notify you of an extension need). No fee is charged for requests unless manifestly unfounded or excessive.
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the following additional rights:
Categories of personal information collected (CCPA categories): Identifiers (transaction ID, API key); Commercial information (product purchased); Internet/network information (anonymised scan events: country, browser family, OS family, language, referrer host, date — no IP). We do not collect geolocation data, biometric data, sensitive personal information, or financial account numbers.
Shine the Light: California Civil Code §1798.83 permits California residents to request information regarding disclosure of personal information to third parties for direct-marketing purposes. We do not disclose personal information for direct-marketing purposes, so no such disclosure has occurred.
To submit a CCPA request: email info@it-egarter.at with subject line “CCPA Request”. We will respond within 45 days (extendable by 45 days with notice).
The UK GDPR (as retained in UK law) provides rights substantially equivalent to the EU GDPR listed in §11. The Information Commissioner’s Office (ICO) is the UK supervisory authority.
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: +44 0303 123 1113 | ico.org.uk
Transfers of personal data from the UK to the EEA (our server) are covered by the UK adequacy regulations. No additional safeguards are required for this transfer.
Under the Lei Geral de Proteção de Dados (LGPD), Brazilian residents have rights of access, correction, anonymisation, blocking, deletion, data portability, and the right to be informed about sharing. Our legal basis for processing is:
Data transfers from Brazil to Austria (EEA) are based on the adequacy of the European data protection framework as recognised by Brazilian data protection authorities.
National Data Protection Authority (ANPD): gov.br/anpd
Under PIPEDA, individuals have the right to access their personal information and request corrections. We collect only the minimum information necessary to provide the Dynamic QR service, and we obtain meaningful consent before any collection beyond service performance. Data is retained only as long as necessary (see §15). To submit a PIPEDA access or correction request, contact our Privacy Officer at info@it-egarter.at.
Office of the Privacy Commissioner of Canada: priv.gc.ca
Under Japan’s Act on the Protection of Personal Information (APPI), we notify users of the purpose of use of personal information and handle retained personal information in accordance with the Act. You have the right to request disclosure, correction, addition, deletion, and suspension of use of retained personal information. Requests may be submitted to info@it-egarter.at.
Transfer of personal data from Japan to Austria is based on the adequacy determination and appropriate safeguards including contractual protections consistent with APPI requirements.
The revised Swiss Federal Act on Data Protection (nFADP, in force since September 2023) provides rights broadly equivalent to the GDPR. Our EEA-based server satisfies the adequacy requirements for data transfers from Switzerland. You may contact us at info@it-egarter.at to exercise your rights under the nFADP.
Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch
Under the Australian Privacy Principles (APPs), you have the right to access and correct personal information we hold about you, and to make a complaint to the Office of the Australian Information Commissioner (OAIC). We collect, use, and disclose personal information in accordance with the APPs and only for the stated purposes. Contact info@it-egarter.at for access or correction requests.
OAIC: oaic.gov.au
Under India’s Digital Personal Data Protection Act 2023, you have the right to access information about personal data processed, right to correction and erasure, right to nominate a successor, and right to grievance redressal. We process data lawfully under the Act and handle it responsibly. Contact info@it-egarter.at to exercise your rights. The Data Protection Board of India is the regulatory authority.
Under China’s Personal Information Protection Law (PIPL, in force 1 November 2021), individuals have the right to know and to decide on the processing of their personal information, the right of access and copy, the right to correction, the right to deletion, the right to withdraw consent, and the right to request explanation of automated decision-making. We process data on the basis of contractual necessity. Contact info@it-egarter.at for any PIPL request. Cross-border transfer to Austria is made with appropriate safeguards to meet PIPL requirements.
Under South Korea’s Personal Information Protection Act (PIPA), you have the right to access, correction, deletion, and to suspend processing of your personal information. We comply with PIPA’s requirements including lawful basis and data minimisation. Contact info@it-egarter.at for any PIPA request. The Personal Information Protection Commission (PIPC) is the supervisory authority: pipc.go.kr
Under Singapore’s Personal Data Protection Act (PDPA), 2021 amendments, you have the right to access and correct your personal data, and the right to withdraw consent. We collect and use data only for the purposes notified and rely on contractual necessity as our primary basis. Contact info@it-egarter.at for PDPA requests. The Personal Data Protection Commission (PDPC) is the supervisory authority: pdpc.gov.sg
Under South Africa’s Protection of Personal Information Act (POPIA, in force 1 July 2021), you have the right to access, correction, deletion, and objection to processing of your personal information. We process data as a responsible party and comply with the eight conditions for lawful processing. Contact info@it-egarter.at for POPIA requests. The Information Regulator is the supervisory authority: inforegulator.org.za
Under New Zealand’s Privacy Act 2020, you have the right to access and request correction of your personal information. We follow the 13 Information Privacy Principles (IPPs). Contact info@it-egarter.at for requests. The Office of the Privacy Commissioner (OPC) is the supervisory authority: privacy.org.nz
Under Thailand’s Personal Data Protection Act (PDPA, fully in force 1 June 2022), you have the right to access, portability, erasure, objection, restriction of processing, and withdrawal of consent. We process data on the basis of contract performance and legitimate interest, with appropriate safeguards. Contact info@it-egarter.at for PDPA requests. The Personal Data Protection Committee (PDPC) is the supervisory body.
Under the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), you have the right to access, correction, deletion, restriction, and portability of your personal data. We process data lawfully and transparently and implement appropriate technical and organisational security measures. Contact info@it-egarter.at for any PDPL request.
Regardless of your location: we do not sell, rent, lease, or trade personal data to any third party for monetary or other valuable consideration. This applies to all QREagleStudio users worldwide.
QREagleStudio is not directed at children under the age of 13 (or 16 in jurisdictions where that threshold applies under the GDPR). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us immediately at info@it-egarter.at and we will promptly delete it.
You have the right to lodge a complaint with a data protection supervisory authority at any time. You may use the authority of your country of residence, place of work, or the place of the alleged infringement. In Austria, the competent authority is:
Austrian Data Protection Authority
(Datenschutzbehörde, DSB)
Barichgasse 40–42
1030 Vienna, Austria
Phone: +43 1 531 15-202525
Email: dsb@dsb.gv.at
We would appreciate the opportunity to address your concern directly before you contact the supervisory authority. Please reach out to us first at info@it-egarter.at.
We retain personal data only for as long as necessary for the stated purpose or as required by law:
| Data Category | Retention Period | Deletion Trigger |
|---|---|---|
| QR library & settings (on-device) | Until you delete | App uninstall or manual delete |
| Server access logs | Maximum 30 days | Automatic rolling deletion |
| API key & transaction ID | Duration of Pro subscription + 90 days | Deletion request or subscription lapse |
| Dynamic QR link data (slug, URL, label, scan count) | Until deleted by you | In-app delete or full account deletion request |
| Smart Card data | Not stored server-side | N/A — data lives only in the QR code URL |
| Cookie consent preference (localStorage) | Until you clear browser storage | Browser data clear or manual removal |
| AI generation prompts (Replicate) | Per Replicate’s retention policy | See replicate.com/privacy |
We may update this Privacy Policy to reflect changes in the app’s features, applicable law, or our data practices. When we make material changes:
We encourage you to review this page periodically. Continued use of the app after changes constitutes acceptance of the updated policy. If you disagree with any change, you may request deletion of your data (§11) and stop using the service.
Version history:
v5.1 — June 1, 2026: Added §5d/5e analytics + A/B testing disclosure; expanded §12 to cover 16 jurisdictions worldwide (CCPA, UK GDPR, LGPD, PIPEDA, APPI, nFADP, Australian Privacy Act, DPDP India, PIPL China, PIPA Korea, PDPA Singapore/Thailand, POPIA South Africa, NZ Privacy Act 2020, UAE PDPL); expanded §11 rights table; updated §1 jurisdiction list.
v4.0 — May 28, 2026: Added §4h (Cryptographic QR Signing key pair, on-device only) and §5f (stateless verify endpoint at qreagle.com/api/verify, no data retention).
v3.0 — May 27, 2026: Added cookie consent section (§3), AI generation section (§6), expanded localStorage table, Replicate third-party entry, updated retention table, refreshed numbered section structure.
v2.0 — May 18, 2026: Initial comprehensive GDPR policy.
v1.0 — April 2026: Placeholder policy.
For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact us in writing:
IT Solutions Egarter
Mag. Wolfgang Egarter
St. Oswalderstraße 14
A-9546 Bad Kleinkirchheim, Austria
Email: info@it-egarter.at
We aim to respond to all data protection enquiries within 72 hours (business days) and to fulfil formal requests within one calendar month.