Legal

Privacy Policy

Last updated: February 27, 2026

Who We Are

Qodie (“we”, “us”, “our”) is a QR code generator service operated by Ângelo Cunha. We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable EU data protection laws.

Data Controller
Ângelo Cunha
Contact
hello@aesc.dev
Website
aesc.dev

Data We Collect

We only collect data that is necessary to provide and improve our service. We do not sell your personal data to third parties.

  • Account data: Email address and hashed password when you create an account.
  • Payment data: Billing information processed securely through Stripe. We do not store credit card numbers on our servers.
  • Usage data: QR codes you generate (URLs encoded, customization options selected). Generated QR code images are not stored permanently on our servers.
  • Technical data: IP address, browser type, and device information collected automatically through server logs for security and debugging purposes.

Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing your account and payment data is necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): Collecting technical data for security, fraud prevention, and service improvement.
  • Consent (Art. 6(1)(a)): Where required, such as for optional marketing communications. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Retaining billing records as required by tax and accounting laws.

How We Use Your Data

  • To create and manage your account
  • To process payments and manage subscriptions
  • To generate QR codes based on your input
  • To provide customer support
  • To detect and prevent fraud or abuse
  • To comply with legal obligations (e.g., tax reporting)

Third-Party Services

We use the following third-party processors. Each operates under their own privacy policy and GDPR-compliant data processing agreements:

  • Supabase — Authentication and user data storage. Data may be processed in the EU or US under Standard Contractual Clauses.
  • Stripe — Payment processing. Stripe is a certified PCI Level 1 Service Provider and processes data under their privacy policy.

Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Payment records: Retained for 7 years as required by EU tax regulations.
  • Server logs: Automatically deleted after 90 days.
  • Generated QR codes: Processed in memory and not permanently stored.

Your Rights Under GDPR

As a data subject in the European Union, you have the following rights. To exercise any of these rights, contact us at hello@aesc.dev. We will respond within 30 days.

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
  • Right to restrict processing (Art. 18): Request that we limit how we use your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to lodge a complaint: You may file a complaint with your local data protection authority (supervisory authority) if you believe your rights have been violated.

Cookies

We use only essential cookies required for the service to function. These include authentication session cookies. We do not use advertising or tracking cookies. No cookie consent banner is required for strictly necessary cookies under the ePrivacy Directive.

International Data Transfers

Some of our third-party processors may transfer data outside the European Economic Area (EEA). Where this occurs, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or the processor operates in a country with an EU adequacy decision.

Security

We implement appropriate technical and organizational measures to protect your personal data, including encrypted data transmission (TLS/HTTPS), hashed passwords, and access controls. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

Children’s Privacy

Our service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The “last updated” date at the top of this page reflects the most recent revision.

Questions?

If you have any questions about this privacy policy or how we handle your data, reach out at hello@aesc.dev.