Privacy Policy

Last updated: June 2, 2026 · Effective: June 2, 2026

This Privacy Policy explains how Nexx Digital Sdn Bhd, a company registered in Malaysia (“QR Wave”, “we”, “us”, “our”), collects, uses, and protects information in connection with the QR Wave service (“Service”) available at qr-wave.com.

This policy covers individuals and businesses who create an account on QR Wave (“account holders”). If you are looking for information about data collected when someone scans a QR code created through QR Wave, please see our QR Scan Privacy Policy.

By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account or subscribe to a paid plan, we collect:

  • Email address and password (or Google account identifier if using Google Sign-In)
  • Organization name
  • Billing information (processed and stored by Stripe; we do not store credit card numbers)

1.2 QR Code and Campaign Data

When you use the Service, we store:

  • QR codes you create, including destination URLs, names, tags, and styling configuration
  • Campaign information (names, descriptions, assigned QR codes)
  • Destination URL change history for dynamic QR codes
  • Uploaded logo images used in QR code styling

1.3 Website Analytics

We use Google Analytics 4 (GA4) on our marketing pages to understand how visitors use QR Wave. We collect:

  • Page views, traffic sources, and referral information
  • Conversion signals used to measure and optimise Google Ads campaigns

Google Analytics data is processed on Google’s servers in the United States. We implement Google Consent Mode v2, which allows GA4 to operate with anonymised, non-identifying signals even where full tracking consent has not been granted, supporting aggregate reporting while respecting user preferences.

In addition, key conversion events — specifically account creation and plan upgrades — are reported to Google Analytics directly from our servers using the GA4 Measurement Protocol. These server-side events do not set cookies and contain no personally identifiable information. They are processed under our legitimate interest in measuring business performance. No stable user identifier is transmitted to Google as part of this process.

To opt out of Google Analytics tracking across all websites, install the Google Analytics Opt-out Browser Add-on.

1.4 Cookies

We use cookies for the following purposes:

  • Authentication — to keep you signed in to your account.
  • Analytics — Google Analytics 4 sets cookies to measure website usage, traffic sources, and conversion events (see Section 1.3).
  • Ads measurement — when QR Wave runs Google Ads campaigns, GA4 cookies are used to attribute conversions (e.g. sign-ups, upgrades) to ad clicks. We do not use these signals to serve personalised ads on third-party websites.

We do not use third-party retargeting pixels or tracking technologies beyond Google Analytics.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Process payments and manage your subscription.
  • Generate anonymous scan analytics for your QR codes and campaigns.
  • Send transactional emails related to your account (password resets, billing receipts, critical service updates).
  • Detect and prevent abuse, fraud, or violations of our Terms of Service.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. Third-Party Services

We use the following third-party services to operate QR Wave:

ServicePurposeData Shared
Supabase (US East)Database, authenticationAccount data, QR code data, scan events
CloudflareQR code redirect handling, edge cachingAnonymous scan metadata
StripePayment processingBilling information, email address
VercelWebsite hostingServer logs (standard web hosting)
Google Analytics 4 (Google LLC, US)Website analytics, user behaviour events, Google Ads conversion trackingPage view data, behavioural events, cookie identifiers

We do not share your QR code performance data or scan analytics with any third party. Your data is visible only to you.

4. Data Storage and Retention

4.1 Location

Account data and scan analytics are stored on Supabase servers in the United States (US East region). QR code redirect caching is handled by Cloudflare's global edge network.

4.2 Retention

  • Account data — retained for the duration of your account. When you delete your account, your personal data is deleted within 30 days.
  • QR codes and campaigns — retained for the duration of your account. Archived QR codes remain stored but inactive.
  • Scan analytics — retained indefinitely as anonymous, non-personal data. See our QR Scan Privacy Policy for details.
  • Billing records — retained as required by applicable tax and financial regulations.

4.3 Data Portability

Pro plan subscribers can export their scan analytics data as CSV files through the dashboard.

5. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption in transit (TLS/HTTPS) for all connections.
  • Row-level security on all database tables, ensuring account data is isolated per organization.
  • Authentication tokens with scoped claims to prevent unauthorized cross-organization access.
  • No storage of raw IP addresses, passwords in plaintext, or payment card details.

No system is completely secure. While we take reasonable precautions, we cannot guarantee absolute security.

6. Your Rights

6.1 All Users

You may at any time:

  • Access your account data through the dashboard.
  • Update or correct your account information.
  • Delete your account, which will remove your personal data within 30 days.
  • Export your scan analytics data (paid plans).

6.2 European Economic Area (GDPR)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation, including the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data.

Our legal basis for processing account data is contractual necessity (to provide the Service) and legitimate interest (to improve the Service and prevent abuse).

To exercise your GDPR rights, contact us at privacy@qr-wave.com.

6.3 California (CCPA)

If you are a California resident, the California Consumer Privacy Act gives you rights regarding your personal information, including the right to know what we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

We also comply with applicable requirements of the Malaysian Personal Data Protection Act 2010 (PDPA).

7. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a minor, we will take steps to delete that information promptly.

8. International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate. When transferring data from the EEA, we rely on Standard Contractual Clauses and the data protection commitments of our service providers to ensure adequate protection.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service prior to the change becoming effective. The “Last updated” date at the top indicates when it was last revised.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Nexx Digital Sdn Bhd
Email: privacy@qr-wave.com

Privacy Policy — QR Wave