1. Data Controller
This Privacy Policy explains how the controller handles personal and technical data related to the use of the service.
The data controller is as follows.
QRTRANSFERIO
The service covered by this Policy is as follows.
QrTransfer.io
The responsible party's reference address is as follows.
Madrid Spain
The official website of the service is as follows.
https://qrtransfer.ioThe contact email for privacy and rights exercise is as follows.
The controller has not appointed a data protection officer.
2. Scope of this Policy
This Policy applies to the mobile app, the web, and the services associated with the indicated service.
The indicated service is as follows.
QrTransfer.io
The service enables real-time file transfer between devices using P2P technologies, signaling, and, when necessary, temporary relay or cache infrastructure.
This Policy describes what data is collected, how it is used, how long it is retained, and what rights users may exercise.
3. Data not collected directly
The service does not require creating a user account.
The service does not require registration with email and password.
The service does not collect names, profiles, photos, phone numbers, or postal addresses as part of the app's ordinary use.
The service does not process bank card data directly.
Payments are handled by external providers.
4. Technical data and metadata processed
To provide the service, manage quotas, maintain technical statistics, and protect security, technical data and metadata may be processed.
| Category | Processed data |
|---|---|
| Transferred data | Date, time, and size of files or transfers. |
| App technical data | Operating system, app version, language, approximate country, and connection type. |
| Device data | Anonymous device identifier generated by the app. |
| Purchase data | Purchased packages, active subscriptions, and subscription history. |
This data is used in a limited and proportional manner for the purposes described in this Policy.
Statistical data may be associated with the anonymous device identifier.
5. File contents
The controller does not access the content of the transferred files.
The service uses end-to-end encryption to prevent the controller from reading the content of the files.
Files may temporarily pass through relay or cache infrastructure when a direct P2P connection is not possible.
In that case, files are stored encrypted and only for the time necessary to complete the transfer.
Files are deleted at the end of the session or immediately after the download is complete.
The service does not scan, analyze, or moderate the content of the files.
6. QR, sessions and pairing
The QR code contains pairing data needed to start the transfer.
Pairing data may include issuer, recipient, and session state.
The session, token, QR code, or pairing link remain active until the transfer is complete.
The app may store the last QR token used to speed up future transfers.
This feature is user-selectable.
7. Purposes of processing
Data is processed to provide file transfer services and establish connections between devices.
Data is processed to manage quotas, purchases, subscriptions, and access to paid features.
Data is processed to maintain technical and aggregated usage statistics.
Data is processed to protect security, prevent abuse, avoid fraud, and mitigate misuse.
Data is processed to handle support requests and user communications.
Data is processed to comply with legal obligations and respond to valid requests from authorities when applicable.
8. Legal bases
When European data protection regulations apply, the legal bases may include the performance of a contractual or pre-contractual relationship.
They may also include the legitimate interest in maintaining security, preventing abuse, operating the service, and improving its technical performance.
Compliance with legal obligations may serve as a basis when it is necessary to respond to requests, retain information, or respond to competent authorities.
Consent may be used when the user activates optional features or when required by applicable law.
9. Payments and purchase providers
The controller does not directly process complete bank card data.
Payments may be managed by external providers.
| Supplier | Role |
|---|---|
| Apple App Store | Management of purchases and subscriptions in Apple environments. |
| Google Play | Management of purchases and subscriptions in Android environments. |
| PayPal | Payment management on web and app. |
These providers may process data according to their own policies, terms, and legal obligations.
The controller may internally access purchased packages, active subscriptions, and subscription history.
10. Technical providers
The service may use technical providers for hosting, security, infrastructure, and abuse protection.
| Supplier | Role |
|---|---|
| Hostinger | Hosting and technical infrastructure. |
| Cloudflare | Human verification, security, and anti-abuse protection. |
The service does not use additional analytics, advertising, or crash reporting SDKs according to the current configuration indicated.
The service does not use push notifications according to the current configuration indicated.
11. Cookies and similar technologies
The website uses technical cookies necessary for its operation.
Cloudflare may use cookies or technical checks to verify that access is human and protect the service from abuse.
The service does not use advertising or marketing cookies according to the current indicated settings..
If non-essential cookies are added in the future, the relevant information will be updated and consent will be requested when appropriate..
12. Analytics and statistics
The service uses technical and aggregated statistics to understand overall usage, improve functionality, and maintain security.
These statistics may rely on data associated with an anonymous device identifier.
No advertising profiles or marketing analytics are used according to the current settings indicated.
13. Device permissions
The app may request device permissions to provide its features.
- Camera to scan QR codes.
- Access to photos, gallery, or files to select files to send.
- Access to contacts only to export or import contacts as files when the user chooses.
- Permissions related to APK files when the user chooses to install APKs transferred via the app.
Contacts are not uploaded or synchronized with the data controller's servers.
Contacts are only handled locally when the user chooses to export or import them as a file.
14. Minors
The service may be used by minors from the minimum age indicated.
The indicated minimum age is as follows.
4 years
Use by minors must take place within a family environment and under the supervision and responsibility of parents or legal guardians.
The service is not intended for unsupervised minors.
The service does not collect direct identifying data from minors as part of ordinary use without an account.
Only technical or anonymous device identifiers and the technical data necessary to operate the service are processed..
Responsible adults must supervise the use of the service and prevent minors from sharing inappropriate, unauthorized, or illegal files..
15. Data retention
Metadata, technical data, and device-associated data are retained as long as necessary for statistics, security, quota management, abuse prevention, and service operation..
Transferred files are not stored permanently..
Files passing through relay or cache are deleted at the end of the session or immediately after the download is complete..
Support communications are retained while the inquiry is managed and for a reasonable period afterward as long as legal responsibilities may arise..
Data may be retained longer when necessary to fulfill legal obligations, resolve disputes, prevent abuse, or comply with valid requests..
16. Support and communications
When the user contacts support, data related to the communication may be processed..
- User's email address.
- Query content.
- Technical data voluntarily provided by the user.
- Attachments or additional information the user chooses to send.
The support email is as follows.
17. Security
The controller applies reasonable technical and organizational measures to protect the service, connections, sessions, and processed technical data.
These measures include encryption in transit, end-to-end encryption, encrypted temporary storage in relay or cache, and anti-abuse measures.
No system connected to the internet can be considered absolutely secure.
The user must protect their devices, verify received files, and avoid sharing sensitive information without taking appropriate measures.
18. Automated decisions and anti-abuse measures
The service may apply automatic blocks or limitations in certain cases.
These measures are intended for security, fraud prevention, abuse protection, and maintaining service stability.
These measures are based on technical signals.
These measures do not involve analyzing the content of files.
The user can contact support if they believe a limitation has been applied in error.
19. Recipients and categories of recipients
Data may be shared with technical providers, payment providers, app distribution services, security providers, professional advisors, and competent authorities when appropriate.
External providers will act according to their own terms or the applicable agreements..
The controller does not sell personal data to advertisers..
20. International transfers
International data transfers may occur due to the involvement of providers with infrastructure or entities located outside the European Economic Area.
When European regulations apply, these transfers will be carried out according to available legal mechanisms, such as adequacy decisions, standard contractual clauses, or other valid safeguards.
The user should be aware that providers such as app stores, payment providers, cloud services, or anti-abuse services may operate internationally.
21. User rights
Where data protection regulations apply, the user may exercise their rights of access, rectification, deletion, objection, restriction of processing, and portability..
The user may also withdraw their consent when processing is based on consent..
The user can request information about automated decisions when recognized by applicable law.
To exercise their rights, the user can send a request to the privacy email.
The request must reasonably allow verification of the identity or authorization of the applicant when necessary.
22. Supervisory authority
When Spanish or European data protection regulations apply, the user may file a complaint with the competent supervisory authority.
The indicated supervisory authority is the following.
Spanish Data Protection Agency
It can also be identified by its acronym.
AEPD
23. Territorial scope
The service may operate internationally..
The intended scope of operation is as follows..
worldwide, except restricted countries
The user must not use the service from territories or for purposes prohibited by sanctions, export controls, legal restrictions, or applicable regulations..
24. Changes to this Policy
The controller may update this Policy to reflect technical, legal, operational, or supplier changes.
The version published on the website will be the current version at all times.
When changes are relevant, reasonable efforts will be made to inform the user.
25. Privacy contact
For privacy inquiries, exercising rights, or requests related to personal data, the user may use the following email.