The GDPR-Compliant QR Code Platform for European Teams
Track QR code scans with full analytics — without storing a single IP address. Built for companies where compliance is not optional.
Why most QR platforms fail GDPR review
Raw IP addresses logged
Most platforms store the full IP address of every person who scans a QR code. Under GDPR Article 4(1), IP addresses are personal data — requiring a legal basis, purpose limitation, and a retention policy.
US-based infrastructure
Bitly, QR Code Monkey, and others process scan data on US servers. After Schrems II invalidated Privacy Shield, transfers to the US require Standard Contractual Clauses — which many DPOs reject outright.
No DPA available
When you use a third-party tool that processes personal data on your behalf, GDPR Article 28 requires a Data Processing Agreement. Many QR vendors have no DPA at all, or bury it behind enterprise sales calls.
Privacy-by-design, not privacy-by-policy
We architected Qrius so it is technically impossible to leak personal data — not just contractually prohibited.
How we handle IP addresses
Every QR scan triggers this pipeline — the original IP never touches our database.
The daily rotating salt means even the hash cannot be correlated across days. Unique scan counts are calculated in-memory and stored as a counter — no personal data required.
No personal data stored
IP addresses are hashed with HMAC-SHA256 and a daily rotating salt immediately on receipt. The original IP is never written to any database, log file, or cache.
EU hosting — Stockholm, Sweden
All infrastructure runs within the European Economic Area. No data is transferred to the US, UK, or any third country. Clean Schrems II compliance.
GDPR Article 28 DPA included
A complete Data Processing Agreement is available for all paid plans. Covers processing purposes, sub-processors, retention periods, and your rights. No sales call needed.
No cookies, no consent banners
Scan tracking uses no cookies, browser storage, or fingerprinting. Your visitors do not need to interact with a consent banner when they scan one of your codes.
Full analytics without PII
See scans by country, city, device type, browser, and OS — all derived from anonymous hashes and aggregated metadata. Rich insights without touching personal data.
Real-time dashboard
Live scan feed via Server-Sent Events. Watch scans arrive in real time, see which country and device — all without any personal data crossing the wire.
DPA ready — no enterprise sales call
GDPR Article 28 requires a signed Data Processing Agreement with every sub-processor that handles personal data on your behalf. Our DPA covers:
- ✓ Roles: Data Controller (you) vs. Data Processor (Qrius)
- ✓ Lawful processing purposes and instructions
- ✓ Technical & Organisational Measures (TOMs)
- ✓ Sub-processor list with EU-based hosting
- ✓ Data breach notification within 72 hours
- ✓ Your right to audit and inspect
- ✓ Governing law: Swedish law / GDPR
Compliance checklist
Everything you need. Nothing you shouldn't have.
You don't have to choose between analytics and compliance. Here's what you get with Qrius.
GDPR questions — answered
Is an IP address personal data under GDPR?
Yes. The Court of Justice of the EU (CJEU) and the EDPB have confirmed that IP addresses are personal data under GDPR Article 4(1) when they can be linked to an individual — even indirectly via an ISP. Any tool that logs raw IP addresses from QR scans is processing personal data.
How does Qrius handle IP addresses?
We never store raw IPs. On each scan: (1) we run a geo lookup to extract country/city, (2) we hash the IP with HMAC-SHA256 and a daily rotating secret salt, (3) the original IP is discarded. The hash is one-way — it cannot be reversed to identify anyone. The daily salt prevents cross-day correlation.
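A minimal sketch of the three steps above together with the in-memory unique count, added here as an illustration; it is not Qrius's code. `ScanPipeline`, `geo_lookup`, the constructed `GEO` table and the choice to persist only counters and geo fields are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import Counter
from datetime import date

# Constructed stand-in for a geo database (documentation address ranges only).
GEO = {"192.0.2.0/24": ("SE", "Stockholm"), "198.51.100.0/24": ("DE", "Berlin")}

def geo_lookup(addr):
    for net, place in GEO.items():
        if addr.version == 4 and addr in ipaddress.ip_network(net):
            return place
    return ("??", "unknown")

def canonical(ip):
    """Parse once so '::ffff:192.0.2.10' and '192.0.2.10' are the same client."""
    addr = ipaddress.ip_address(ip)
    return getattr(addr, "ipv4_mapped", None) or addr

class ScanPipeline:
    def __init__(self):
        self._day = self._key = None
        self._seen = set()        # today's HMAC tags, memory only
        self.totals = Counter()   # persisted: (day, code) -> scans
        self.uniques = Counter()  # persisted: (day, code) -> unique scans

    def _rotate(self, today):
        if today != self._day:    # new day: fresh random key, old key and tags dropped
            self._day, self._key = today, secrets.token_bytes(32)
            self._seen.clear()

    def tag(self, ip, today):
        self._rotate(today)
        return hmac.new(self._key, canonical(ip).packed, hashlib.sha256).hexdigest()

    def record(self, code, ip, today):
        country, city = geo_lookup(canonical(ip))      # step 1: geo lookup
        seen_key = (code, self.tag(ip, today))         # step 2: keyed hash
        self.totals[(today, code)] += 1
        if seen_key not in self._seen:
            self._seen.add(seen_key)
            self.uniques[(today, code)] += 1
        # step 3: the IP goes out of scope; the stored row carries neither IP nor tag
        return {"day": today.isoformat(), "code": code, "country": country, "city": city}
```

Because the IPv4 address space is small enough to enumerate, the one-way property rests on the daily key staying secret and being destroyed at rotation; anyone holding that day's key can recompute the tag for every address.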
Do I need cookie banners for Qrius QR codes?
No. Our scan tracking uses no cookies, localStorage, sessionStorage, or device fingerprinting. There is nothing that triggers consent requirements under the ePrivacy Directive. Your visitors do not encounter a cookie banner from a QR scan.
Where is Qrius data stored?
All data is stored on EU-based servers in Stockholm, Sweden. We do not use US-based infrastructure for any core data processing. This means no Schrems II complications for your DPA.
Do you provide a Data Processing Agreement?
Yes. A full GDPR Article 28-compliant DPA is available for all paid plans. It covers processing roles, purposes, technical and organisational measures (TOMs), sub-processors, breach notification timelines, and your right to audit. No sales call required — download it directly at qrius.io/dpa.
Is Qrius compliant with Schrems II?
Yes. Because all data stays within the EU (Sweden), and we don't use US sub-processors for core processing, there are no cross-border transfer issues under Schrems II. Your DPA does not require Standard Contractual Clauses for the core Qrius service.
What analytics can I see without storing personal data?
Total scans, unique daily scans (via anonymous hashing), country, city, device type (mobile/desktop/tablet), browser family, and OS — all derived and stored as aggregated, non-personal metadata. Full analytics with zero personal data.
Start GDPR-compliant QR tracking today
Free plan. No credit card. DPA available on Pro and Business plans.
Questions? Email [email protected]