Plain English summary: QRCap lets event organisers collect guest photos via a QR code. We store your account details, event data, and uploaded photos. We never sell your data. Guests upload photos anonymously. You can delete everything at any time.
Who we are
QRCap ("we", "us", "our") is a photo-sharing service for events, operated as a UK-based business. Our website is qrcap.co.uk.
For the purposes of UK GDPR and the Data Protection Act 2018, QRCap is the data controller for information collected through this service.
You can contact us at any time at [email protected].
Data we collect
Account holders (event organisers)
- Name and email address (on sign-up)
- Password (stored securely, never in plain text)
- Event details: name, type, date, guest message
- Payment information (processed by Stripe — we do not store card details)
- Delivery address if printed table cards are ordered
Guests (photo uploaders)
- Photos uploaded via the guest upload page
- No name, email, or account is required to upload photos
- Basic technical data such as upload timestamp
All visitors
- Standard web server logs (IP address, browser type, pages visited)
- These are used for security and performance monitoring only
How we use your data
We use your data only to provide the QRCap service. Specifically:
- To create and manage your account
- To create and host your event's guest upload page
- To process your payment via Stripe
- To send your payment confirmation and event details by email
- To fulfil printed table card orders (delivery address used for postage only)
- To allow you to view, download, and delete guest photos
- To respond to support enquiries
We do not use your data for marketing without explicit consent, and we never sell data to third parties.
Legal basis for processing
Under UK GDPR, we rely on the following legal bases:
- Contract — processing your account, event, and payment data is necessary to deliver the service you have purchased.
- Legitimate interests — server logs and security monitoring to protect our platform and users.
- Consent — guests voluntarily upload photos with full awareness of what they are sharing. No personal account data is required from guests.
Who we share data with
We use a small number of trusted third-party services to operate QRCap:
- Supabase — database and authentication hosting. Servers located in the EU. Privacy policy
- Cloudinary — photo storage and delivery. Privacy policy
- Stripe — payment processing. Card details are handled entirely by Stripe and never stored by QRCap. Privacy policy
- Cloudflare — website hosting and security. Privacy policy
- Resend — transactional email delivery. Privacy policy
We do not share your data with any other third parties, advertisers, or data brokers.
How long we keep data
- Account data — kept for as long as you have an active account. You may delete your account at any time by contacting us.
- Event photos — stored for 30 days after your event date, then automatically deleted.
- Payment records — kept for 7 years as required by UK financial regulations.
- Server logs — retained for up to 30 days for security purposes.
You can delete individual photos or entire events at any time from your dashboard. Deleted photos are removed from our systems promptly.
Your rights
Under UK GDPR you have the following rights regarding your personal data:
- Right to access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to restriction — ask us to limit how we process your data
- Right to portability — receive your data in a portable format
- Right to object — object to processing based on legitimate interests
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
Cookies
QRCap uses only essential cookies required to operate the service:
- Authentication cookies — set by Supabase to keep you logged in to your account. These are strictly necessary and cannot be disabled.
We do not use advertising, tracking, or analytics cookies. We do not use Google Analytics or similar third-party tracking tools.
Security
We take reasonable technical and organisational measures to protect your data:
- All data is transmitted over HTTPS
- Passwords are hashed and never stored in plain text
- Database access is restricted via row-level security policies
- Payment data is handled entirely by Stripe and never touches our servers
In the unlikely event of a data breach that affects your rights and freedoms, we will notify you and the ICO within 72 hours as required by UK GDPR.
Contact us
If you have any questions about this privacy policy or how we handle your data, please get in touch: