QRsuite — Privacy Policy
Effective date: April 19, 2026
This policy explains what data QRsuite collects, why, and the choices you have. It is written in plain English on purpose — you should be able to read it in a few minutes.
1. Who we are
QRsuite is an iOS app for scanning and generating QR codes and barcodes. It is developed and operated by Abdullah Al Hadi ("we", "us"). For the purposes of the EU / UK / EEA General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA), Abdullah Al Hadi is the data controller for personal data collected through the QRsuite app. For any privacy questions, contact us at hadi.fiftytwo@gmail.com.
This policy covers the QRsuite iOS app and its bundled extensions (Widget and Share Extension).
2. Data we collect
Stays only on your device — never sent anywhere
Everything below is stored locally on your device using Apple's SwiftData framework. If you have iCloud Backup enabled on your iPhone, Apple includes this data in your encrypted iCloud backup — that backup is between you and Apple; we have no access to it.
- Scan history — every QR or barcode you scan, including the decoded text, timestamp, and any folder, note, or favorite flag you attach to it.
- Created QRs — QRs you generate, with their design settings and thumbnails.
- Saved templates — designs you save to reuse later.
- Folders and notes — organizational data you add yourself.
- Preferences — your settings (theme, App Lock on/off, etc.), stored in iOS user defaults.
You can delete any of this at any time from within the app (swipe-to-delete, bulk-delete, or Settings → "Clear all history"). Uninstalling the app removes all of it.
Sent to Firebase (Google)
We use two Firebase services from Google to improve the app: Analytics and Crashlytics. Both are configured with the minimum data surface needed for product decisions and crash fixing — no advertising identifiers, no cross-app tracking.
Firebase Analytics collects:
- Device identifiers scoped to this app only (Apple's IDFV, a Firebase installation ID). These cannot identify you across other apps.
- Device type, OS version, app version, language, and country (derived from IP).
- Which screens you view in the app.
- Aggregate feature usage, so we can decide what to keep, fix, or cut:
- The type of code you scan or create (URL, Wi-Fi, text, etc.) — never the content
- Actions you take on a scan result (open, copy, share, add to contacts, etc.) — action name only
- Which Pro-only features you attempt and which subscription plan you consider
- Counts of operations on history, folders, templates, and notes (created, edited, deleted) — never the names or contents
- Whether a scan or render attempt failed, with a generic reason (e.g. "no barcode found")
We do NOT request App Tracking Transparency permission. Firebase Analytics, as we use it, does not collect your advertising identifier (IDFA) and cannot link you across other apps or websites.
What we do NOT send: the contents of any QR or barcode (scanned or created), the text of your notes, the names of your folders or templates, the contents of your photo library, any image bytes, any passwords, or any Wi-Fi credentials.
Firebase Crashlytics collects data only when the app crashes:
- Stack traces from the crash.
- A snapshot of device state at the time of the crash (OS version, device model, memory pressure, etc.).
- Breadcrumbs — short text messages we log as you use the app (e.g. "opened Design screen") to help us reproduce the crash. These never contain QR payloads, notes, or personal content.
- Non-fatal errors explicitly reported by the app (e.g. "QR render failed").
3. Permissions the app asks for
- Camera — required to scan codes in real time. Frames are processed on-device by Apple's Vision framework. Camera frames are never stored and never transmitted.
- Photo Library — optional. Used only when you tap the gallery picker to scan a photo. We read only the image(s) you explicitly select. Nothing is uploaded.
- Face ID / Touch ID / passcode — optional, only used when App Lock is enabled. The check happens locally via Apple's LocalAuthentication framework. Your biometric data never leaves your device and is never seen by the app.
4. How we use this data
- Local data (scan history, templates, etc.) powers the app's features for you — searching your own history, reusing a created QR, etc. It is not used for anything else.
- Firebase Analytics tells us which features are actually being used. We look at aggregate counts — not at individual users. The goal is to decide what to improve and what to remove.
- Firebase Crashlytics tells us when and why the app crashes so we can fix the underlying bug.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising (as those terms are defined under the California Consumer Privacy Act). We do not share data with advertisers, and we do not build profiles across other apps.
5. Third parties
The only third-party service the app communicates with is Firebase, operated by Google LLC. Google processes Analytics and Crashlytics data as our service provider, under the Firebase Data Processing and Security Terms. Google's own privacy practices are covered by the Google Privacy Policy.
Google primarily processes this data on servers located in the United States. For users in the EEA, UK, or Switzerland, international transfers rely on Google's Data Processing and Security Terms, which incorporate the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum.
No other third-party analytics, advertising, or tracking SDK is bundled in the app.
6. How long we keep it
- Local data — kept on your device until you delete it or uninstall the app.
- Firebase Analytics — Google retains event-level data for 14 months (Firebase's default), after which older events are aggregated or dropped.
- Firebase Crashlytics — Google retains crash reports for 90 days.
7. Your rights and choices
- Delete your history at any time — swipe-to-delete, bulk-delete, or Settings → Clear all history.
- Turn off analytics system-wide — iOS Settings → Privacy & Security → Analytics & Improvements → Share iPhone Analytics. When this is off, Firebase still receives minimal crash data; you can prevent even that by uninstalling the app.
- Access or erase your data under GDPR (EEA, UK), CCPA/CPRA (California), or similar laws — email hadi.fiftytwo@gmail.com. Because we don't tie analytics data to a persistent identity, the most reliable erasure is uninstalling the app, which invalidates the Firebase installation ID.
- Opt out of analytics inside the app — not currently available as a per-app toggle. If you'd like one, email us and we'll prioritize it.
- Lodge a complaint — if you're in the EEA, UK, or Switzerland and believe we're mishandling your data, you have the right to complain to your local data protection authority. We'd appreciate the chance to address your concern first — email hadi.fiftytwo@gmail.com and we'll respond within 30 days.
8. Children's privacy
QRsuite is not directed at children under 13. We don't knowingly collect data from children under 13. If you believe a child has used the app and want the data associated with that device erased, email hadi.fiftytwo@gmail.com — we'll help you uninstall and reset.
9. Security
- Local data is stored using iOS's standard app sandbox protections. If you enable App Lock, it's additionally gated behind Face ID / Touch ID / passcode.
- Data sent to Firebase travels over HTTPS (TLS).
- We cannot guarantee perfect security — no one can. If we become aware of a breach that affects your data, we will notify you as required by applicable law.
10. Changes to this policy
If we change this policy, the new version will replace this page at https://hadicuet.github.io/qrsuite-legal/ and the "Effective date" at the top will be updated. Material changes (e.g. a new third-party service, a new category of data) will be called out in the app's release notes.
11. Contact us
Questions, requests, or complaints: hadi.fiftytwo@gmail.com.