Sovrio

Privacy Policy: Scan Data Processing

Last updated: February 2026

What We Collect

When a QR code managed by Sovrio is scanned, we may collect certain data about the scan event. The exact data collected depends on the privacy level configured by the QR code owner (the Controller):

  • Full Analytics: Timestamp, IP address, country, device type, browser, referrer, and language preference.
  • Anonymized: Timestamp, hashed IP address, country, device type, and language preference. Browser and referrer data are not collected.
  • No Analytics: No personal data is collected. The redirect is performed without any data recording.

Why We Collect It

Scan data is processed for the following purposes:

  • Redirect functionality: Device type and country data may be used for smart routing rules (e.g., redirecting mobile users to a mobile-optimized page).
  • Analytics: Providing QR code owners with scan statistics, including scan counts, geographic distribution, and device breakdowns.
  • Fraud prevention: Detecting and preventing abuse such as automated scanning, bot traffic, or denial-of-service attempts.

How Long We Keep It

Data retention is configured per tenant (organisation) by the QR code owner. Retention periods range from 7 to 365 days.

After the configured retention period expires, scan data is automatically and permanently deleted. QR code owners can also manually delete data at any time through the dashboard or API.

Where We Store It

All application data (databases, caching, file storage) is processed and stored exclusively on Hetzner infrastructure in Germany and Finland (EU). Hetzner is ISO 27001 certified and fully GDPR compliant.

Transactional emails (password resets, invitations) are sent via MailPace, a UK-based provider that stores and processes all email data in France (EU). None of our subprocessors are subject to the US CLOUD Act. For a full list, see our compliance page.

Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

  • Right of access (Article 15): request a copy of the personal data we hold about you.
  • Right to rectification (Article 16): request correction of inaccurate personal data.
  • Right to erasure (Article 17): request deletion of your personal data.
  • Right to restriction (Article 18): request limitation of processing.
  • Right to data portability (Article 20): receive your data in a structured, machine-readable format.
  • Right to object (Article 21): object to processing based on legitimate interest.

To exercise any of these rights, please contact us through our contact page.

Privacy Levels

QR code owners can choose from three privacy levels for each asset. This determines what data is collected when a QR code is scanned.

Full

Complete scan analytics including IP address, device type, browser, referrer, country, and language. Maximum insight for campaign performance analysis.

Anonymized

IP addresses are hashed and cannot be traced back to individuals. Browser and referrer data are not collected. Provides useful aggregate analytics while minimizing personal data processing.

None

No personal data is collected or stored. The QR code performs a simple redirect with zero data recording. Ideal for privacy-sensitive contexts.

Privacy Contact

For privacy-related enquiries, data subject requests, or to reach our Data Protection Officer, please use our contact page.

Contact Us