test

Log in
Sign up

Privacy Policy (ghost-qr.com)

Effective date: 27 December 2025

This Privacy Policy explains how Mainostoimisto Loud Oy (Finland) (“Ghost QR”, “we”, “us”) processes personal data when you use ghost-qr.com, create QR codes, or scan QR codes that route through Ghost QR redirect pages.

1) Controller (who is responsible)

Mainostoimisto Loud Oy

Business ID (Y-tunnus): 2820137-3

Address: Ylästöntie, 01690 Vantaa, Finland

Email: info@ghost-qr.com

2) How Ghost QR works (including ads)

Ghost QR lets users generate QR codes that forward scanners to a destination URL.

Advertising logic on QR redirects

  • For the first 7 days after a QR code is created, scans are forwarded without advertisements and go directly to the destination URL.
  • After 7 days, scans may show a Ghost QR advertisement page first. After skipping/waiting, the visitor is forwarded to the same destination URL.
  • Advertisements can be removed with a payment (upgrade), which disables ads for the applicable QR code/account.

3) What personal data we collect

A) Data from QR creators (people generating QR codes)

We may process:

  • Destination URL and QR settings (format, size, etc.)
  • QR identifier (slug/code) and creation time
  • If you create an account: email, authentication and security logs
  • Messages you send us (support emails)

Please avoid placing sensitive personal data in QR destinations or QR content.

B) Data from scanners/visitors (people who scan)

When a redirect page (and, where applicable, an ad page) loads, we may process:

  • IP address (personal data in the EU context)
  • Country and city derived from IP (approximate; may be inaccurate)
  • Device/browser data (e.g., user agent), timestamp
  • Event data such as: redirect page view, ad view, ad click, skip/continue action, and successful forward to the destination URL

C) Ghost QR self-hosted ads (our own system)

We do not use third-party ad networks for Ghost QR ads. Our ad measurement may record:

  • Country
  • City
  • Views (impressions)
  • Clicks

4) Cookies and similar technologies

We may use cookies and similar technologies (including local storage) for:

  • Strictly necessary functionality and security (these do not require consent); and
  • Optional preferences and measurement (used only if enabled and where required, only with your consent).

You can manage your choices via the cookie banner / Cookie Settings on the site, and you can withdraw consent at any time by changing your settings or clearing cookies in your browser.

5) Why we process personal data (purposes)

We process personal data to:

  • Provide QR creation and forwarding/redirect functionality
  • Enforce the 7-day ad-free period and apply paid ad removal
  • Measure usage and ad performance (e.g., views/clicks and approximate location)
  • Prevent fraud, abuse, and attacks; maintain security and reliability
  • Provide customer support
  • Meet legal obligations (e.g., accounting/tax)

6) Legal bases (GDPR)

Depending on the context, we rely on:

  • Contract (Art. 6(1)(b)) — to provide the service you request (QR creation, redirects, paid ad removal)
  • Legitimate interests (Art. 6(1)(f)) — security, abuse prevention, service reliability, and proportionate service measurement (where applicable). We balance these interests against your rights and implement safeguards.
  • Consent (Art. 6(1)(a)) — where required for optional cookies/technologies (and where applicable for optional measurement)
  • Legal obligation (Art. 6(1)(c)) — accounting/tax and lawful requests by authorities

7) Payments

Ad removal payments are processed by Stripe. Stripe processes payment details according to its own terms and privacy documentation. We receive limited payment-related data such as payment status, transaction identifiers, and plan/entitlement information.

8) Sharing and recipients

We share personal data only as needed to run the service, for example with:

  • Stripe (payments)
  • Hosting, infrastructure, and security providers (to deliver and protect the site)

We do not sell personal data.

9) International data transfers

If any of our service providers process personal data outside the EEA, we use appropriate safeguards where required (for example, Standard Contractual Clauses) and apply additional measures when needed.

10) Retention (how long we keep data)

We keep personal data only as long as necessary for the purposes described above:

  • QR redirect mapping (QR → destination URL): kept while the QR code is active or until it is deleted/expired under our service rules.
  • Security/server logs (may include IP): retained for a limited period for security and troubleshooting, and longer if needed to investigate incidents.
  • Ad/redirect measurement (e.g., views/clicks, approximate country/city): kept as needed for reporting and fraud prevention, then deleted or aggregated.
  • Accounting/payment records: retained according to Finnish accounting retention rules (certain accounting materials at least 10 years and vouchers/transaction materials at least 6 years, depending on category).

11) Your rights (EEA/Finland)

Depending on the situation, you may have the right to:

  • Access your data
  • Correct your data
  • Delete your data
  • Restrict processing
  • Object to processing (especially where based on legitimate interests)
  • Data portability (in certain cases)
  • Withdraw consent at any time (where processing is based on consent)

To exercise your rights, contact: info@ghost-qr.com.

You also have the right to lodge a complaint with the Finnish supervisory authority:

Office of the Data Protection Ombudsman.

12) Security

We use reasonable technical and organizational measures to protect personal data (e.g., HTTPS, access controls, monitoring). No online service can guarantee absolute security.

13) Children

Ghost QR is not intended for children, and we do not knowingly collect personal data from children.

14) Third-party destinations

QR codes may forward you to third-party websites (the destination URL). Their privacy practices are governed by their own policies, and we are not responsible for their content or processing.

15) Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will be posted on this page with an updated effective date.