QRChat is a privacy-first encrypted messenger designed with a zero-knowledge architecture. This Privacy Policy explains what information QRChat collects, how it is used, who it is shared with, and your rights regarding your data.
Your conversations are yours alone. All messages are end-to-end encrypted. We cannot read, scan, or analyze your message content. We collect the absolute minimum data necessary to deliver the service.
This policy applies to all users of the QRChat application, regardless of geographic location. Specific rights for EU/EEA, California, and Republic of Moldova residents are detailed in Section 9.
Required by: Apple App Store Guidelines 5.1.1(i), Google Play User Data Policy.
The data controller responsible for processing your personal data is:
Data Protection Officer (DPO): QRChat is developed and operated by an individual developer and does not process personal data on a large scale. Pursuant to GDPR Article 37, appointment of a DPO is not mandatory. All data protection inquiries may be directed to the email address above.
Required by: GDPR Art. 13(1)(a)(b), Republic of Moldova Law No. 133/2011 Art. 12.
| Category | Data | Where Stored | Encrypted? | Linked to Identity? |
|---|---|---|---|---|
| User-provided | Display Name | On device only (SQLCipher) | Yes (AES-256) | No — never leaves the device except via encrypted P2P transfer to approved contacts |
| User-provided | Profile Photo (optional) | On device only (SQLCipher) | Yes (AES-256) | No — shared only P2P encrypted with approved contacts |
| Auto-generated | Cryptographic Key Pair (X25519) | Private key: iOS Keychain / Android Keystore. Public key: server (in-memory only while connected) | Private key: Keychain/Keystore protected. Public key: transmitted over TLS | Public key serves as pseudonymous identifier |
| Auto-generated | Anonymous Mailbox ID | Server (JSON file, mapped to userId for routing) | Transmitted over TLS | Random 128-bit value, not derived from identity. Server maintains userId-to-mailboxId mapping for push notification routing only |
| Auto-generated | APNs/FCM Device Token | Server (JSON file, mapped to mailboxId) | Transmitted over TLS | Linked to mailboxId (not directly to userId in storage) |
| Transient | Encrypted Pending Messages | Server (JSON file, max 48h) | Yes — E2E encrypted, server cannot decrypt | No (opaque encrypted blob) |
| Transient | Contact Request Metadata | Server (pending queue, max 48h if recipient offline) | No — display names and public keys stored in cleartext temporarily | Yes — contains sender's display name and public key |
| Transient | TURN Relay Credentials | Metered.ca (relay provider) | Media streams are encrypted (SRTP/DTLS) | No |
| License | Device ID (licensing) | Server (JSON file) | Transmitted over TLS | No — a randomly generated UUID, not derived from or linked to any hardware identifier or user identity |
| User-initiated | Report Data | Server (JSON file) | Transmitted over TLS | Yes — contains reporter ID, reported user ID, and reason |
| Transient | IP Address | Server (in-memory only, rate-limit window) | N/A | Potentially — used only for rate limiting and abuse prevention, not logged or persisted |
Required by: GDPR Art. 13(1)(d)(e), CCPA §1798.100(b), Apple 5.1.1(i), Google Play User Data Policy.
QRChat relies on contract performance (Art. 6(1)(b) GDPR) as the legal basis for all data processing. Processing is strictly necessary for delivering the messaging service. We do not rely on consent (Art. 6(1)(a)) as our legal basis.
| Data | Legal Basis | Justification |
|---|---|---|
| Public Key (pseudonymous ID) | Art. 6(1)(b) — Contract | Required to route encrypted messages to the intended recipient |
| Mailbox ID + Push Token | Art. 6(1)(b) — Contract | Required to deliver push notifications for offline messages |
| Encrypted Pending Messages | Art. 6(1)(b) — Contract | Required to deliver messages when recipient is offline |
| Licensed Device ID | Art. 6(1)(b) — Contract | Required for QRChat Unlimited license verification |
| TURN Relay | Art. 6(1)(b) — Contract | Required when direct peer-to-peer connection is not possible |
| Report Data | Art. 6(1)(c) — Legal obligation | Required by Apple App Store Guidelines for user safety reporting |
| IP Address (transient) | Art. 6(1)(f) — Legitimate interest | Abuse prevention and rate limiting |
Required by: GDPR Art. 6, Art. 13(1)(c)(d).
QRChat uses TweetNaCl (Networking and Cryptography library) for all message encryption:
WHEN_UNLOCKED_THIS_DEVICE_ONLY) / Android Keystore
Contact exchange is performed primarily via in-person QR code scanning, which exchanges public keys directly between devices. Contact requests may also be sent remotely through the signaling server; in this case, the request metadata (display name, public key, fingerprint) is transmitted in cleartext through the server.
Zero-knowledge architecture: The server does not hold decryption keys and has zero ability to read, scan, or analyze your message content.
Required by: GDPR Art. 32, Apple 5.1, Google Play encryption disclosure.
All personal data (messages, contacts, keys, settings, profile) is stored locally on your device in an encrypted SQLite database (SQLCipher, AES-256). Deleting the app permanently erases all local data. On iOS, files are protected with NSFileProtectionCompleteUntilFirstUserAuthentication.
The QRChat signaling server is hosted on Railway.app (data center: United States, Oregon region). The following data is stored on the server:
The server does not store user profiles, contact lists, message history, or any decrypted content.
| Data | Retention Period | Deletion Mechanism |
|---|---|---|
| Encrypted pending messages | Maximum 48 hours | Automatic server-side purge (hourly TTL check) |
| Contact request metadata | Maximum 48 hours | Same pending message queue expiry |
| Push notification tokens | Until token is invalidated by Apple/Google | Automatic cleanup (BadDeviceToken / Unregistered) |
| Mailbox IDs | Until associated push token is invalidated | Cleaned up together with push token |
| Licensed device IDs | Indefinitely (required for ongoing license verification) | Upon user request |
| Report data | Stored for platform safety compliance | Upon user request or regulatory requirement |
| IP addresses (rate limiting) | 60 seconds (rate limit window) | Automatic in-memory expiry |
| On-device data | Until app is uninstalled or data is manually cleared | User action |
Required by: GDPR Art. 5(1)(e), Art. 13(2)(a), CCPA/CPRA retention disclosure (effective January 1, 2026).
QRChat does NOT sell, rent, trade, or share your personal data with any third party for marketing, advertising, or any purpose beyond the delivery of the messaging service.
Absent SDKs: QRChat does not contain any analytics (Firebase Analytics, Google Analytics), crash reporting (Sentry, Crashlytics), advertising (AdMob, Facebook Ads), social media, or tracking SDKs.
Each third-party service provider listed above offers data protection equivalent to or exceeding that described in this policy, as confirmed per Apple App Store Guideline 5.1.1(i).
Required by: GDPR Art. 13(1)(e)(f), Apple 5.1.1(i), Google Play Data Safety.
The QRChat signaling server is hosted on Railway.app in the United States (Oregon). Server-side data (mailbox IDs, push tokens, encrypted pending messages) may be transferred to and from the United States.
Required by: GDPR Art. 44-49, Art. 13(1)(f).
Under the General Data Protection Regulation, you have the following additional rights:
Response time: We will respond to any request within 30 calendar days, per GDPR Art. 12(3).
Note: Law No. 195/2024 (new data protection law aligned with GDPR) enters into force on August 23, 2026, and will replace Law 133/2011. QRChat is designed to comply with both the current and upcoming legislation.
Required by: GDPR Art. 13(2)(b)(c)(d), Art. 15-22, CCPA §1798.100-199, Moldova Law 133/2011.
QRChat is rated 17+ on the App Store and is not directed at children under 13 (COPPA) or under 16 (GDPR).
Parents/Guardians: If you believe a child under 13 is using QRChat, please contact us at ruscon2001@gmail.com.
Required by: COPPA (16 CFR Part 312), GDPR Art. 8, Apple 5.1.4, Google Play Families Policy.
ePrivacy Directive (2002/58/EC): QRChat does not store or access information on the user's device for tracking purposes. All on-device storage is strictly functional (messages, encryption keys, app settings).
Required by: ePrivacy Directive Art. 5(3), GDPR Recital 30.
We implement the following technical and organizational security measures:
Required by: GDPR Art. 32, Apple 5.1 Guideline 1.6.
QRChat uses non-exempt encryption: TweetNaCl/NaCl (XSalsa20-Poly1305, X25519, Ed25519) and SQLCipher (AES-256). ITSAppUsesNonExemptEncryption is set to YES in Info.plist.
Encryption is used exclusively for protecting user data in peer-to-peer communication and local storage. The cryptographic libraries are open-source and publicly available. QRChat is distributed as mass-market software through app stores.
Applicable: US Export Administration Regulations (EAR), BIS Category 5 Part 2, License Exception ENC §740.17(b)(1).
QRChat does not use automated decision-making or profiling within the meaning of GDPR Article 22. There are no recommendation algorithms, scoring systems, or other automated processes that produce legal effects or significantly affect users.
Required by: GDPR Art. 13(2)(f), Art. 22.
We may update this Privacy Policy when necessary. Significant changes will be communicated by updating the "Last Updated" date at the top of this page and/or through a notification in the app. Continued use of QRChat after changes constitutes acceptance of the updated policy.
This policy will be reviewed at least annually.
Required by: Apple 5.1, CCPA annual update requirement, GDPR Art. 13(3).
Required by: GDPR Art. 13(1)(a)(b), CCPA §1798.130.
This Privacy Policy is governed by the laws of the Republic of Moldova.
Required by: GDPR Art. 3 (territorial scope), CCPA §1798.140(c).