WQR
Legal

Privacy Policy

How we process personal data in WQR.

Last updated: 31 December 2025

This Privacy Policy explains how the WQR password manager app (the “App”) processes personal data. The App is designed so that your sensitive content stays on your device.

1. Controller

Controller
Printolis
Address
Herbertzstr. 126, 47809 Krefeld
Email
info@printolis.de
Website
www.whyqr.de

2. Key principle: your secrets stay on your device

  • Passwords, master passwords, and decryption keys are processed locally on your device.
  • We do not upload or store your passwords on our servers.
  • The App stores your WQR/QR images locally on your device (unless you export/share them).

3. What the App stores locally (on your device)

Depending on how you use the App, it may store locally:

  • Saved WQR/QR images and the metadata you enter (titles, labels, groups).
  • App settings (language, UI options, Autofill preferences).
  • Local exports you create (if you choose to export).

Retention: stored until you delete it in the App, remove local files/exports, or uninstall the App.

4. Network processing for QR encode/decode (ciphertext only)

Some App features use the internet to perform QR encoding/decoding and related processing. This is how it works:

What is sent

  • The App sends only already-encrypted data (“ciphertext”), or a QR image/matrix that contains ciphertext.
  • The App does not send your plaintext passwords, your master password, or your decryption keys.

What the server does

  • The server performs QR-related work such as building a QR matrix from ciphertext or extracting ciphertext from a QR image/matrix.
  • The server does not need your master password and does not decrypt your secrets.

Retention on the server

  • Ciphertext is processed transiently (typically in memory) only for the time required to generate or decode the QR code result.
  • Ciphertext is not stored after processing. It is deleted immediately after the QR code matrix/result is produced and sent back to the App.

Logging

  • We aim to keep server logs minimal. If logs are used, they should not include request bodies that contain ciphertext.

If you prefer an offline-only workflow, do not use features that require network-based QR processing.

5. Technical data (metadata) that may be processed

When the App connects to a server, standard internet metadata may be processed:

  • IP address
  • Timestamp
  • Basic request/response metadata necessary to deliver the service (e.g., app version, device type in a generic form, error codes)

This technical data is used for operating the service (delivery, security, troubleshooting). Retention should be limited (e.g., rotated/deleted regularly), unless longer retention is required by law or needed for security incident investigation.

6. Device permissions

The App may request permissions only when needed for features you use, such as:

• Files/Storage
to load/save WQR/QR images or exports.
• Biometric / device authentication
to confirm sensitive actions (e.g., revealing secrets).
  • Autofill service (if supported on your platform and enabled by you).

You can revoke permissions in your system settings. Some features may not work without the required permissions.

7. Autofill (if enabled)

If you enable Autofill, your operating system may provide the App with the context needed to fill credentials into other apps or websites. This processing is intended to be on-device, under your control, and only when you trigger Autofill.

8. Sharing data with third parties

We do not sell your personal data.

We share data only when:

  • You explicitly choose to send it (e.g., contacting support), or
  • It is required to operate optional infrastructure you use (e.g., hosting provider), limited to what is necessary, or
  • We are legally required to do so.

If you download the App via an app store (e.g., Google Play / Apple App Store), the store provider processes data under their own privacy policies.

9. Legal bases (GDPR / EU)

Where GDPR applies, legal bases may include:

• Art. 6(1)(b) GDPR (contract)
providing App functions you request.
• Art. 6(1)(f) GDPR (legitimate interests)
basic security and service reliability.
• Art. 6(1)(a) GDPR (consent)
where you enable optional features requiring consent.

10. Security

We follow privacy-by-design principles:

  • Sensitive content remains on your device and is not stored on our servers.
  • We recommend protecting your device with a PIN/password and biometric lock.

Important: If your design does not include server-side recovery, then if you forget your master password, we cannot recover your secrets.

11. Your rights

Depending on your location, you may have rights to:

  • Access, rectification, deletion, restriction
  • Data portability
  • Object to processing
  • Withdraw consent (where processing is based on consent)
  • Lodge a complaint with a supervisory authority (EU/EEA)

Because most content is stored locally on your device, deleting it in the App or uninstalling the App is usually the fastest way to erase it.

12. Children

The App is not intended for children under 16 (or the minimum age in your country) without parental consent.

13. Changes to this policy

We may update this policy to reflect changes in features or legal requirements. We will update the “Last updated” date and may provide an in-app notice where appropriate.

14. Contact

Privacy questions: info@printolis.de

Appendix A — Regional privacy rights (selected)

This appendix is provided to help users understand common privacy rights in certain regions. It is not exhaustive. Mandatory local laws still apply.

A1) California (CCPA/CPRA) — if applicable

If CCPA/CPRA applies to our processing, California residents may have rights such as: • the right to know/access personal information a business collects about you; • the right to request deletion (subject to exceptions); • the right to correct certain inaccurate personal information (CPRA); • the right to opt out of the “sale” or “sharing” of personal information (where applicable); • the right to non-discrimination for exercising privacy rights.

We do not sell your personal information. To exercise applicable rights, contact us using the Privacy contact in this policy. We may need to verify your request (as permitted by law).

A2) Other regions

Other jurisdictions (e.g., Brazil LGPD, Canada PIPEDA, various Asian privacy laws) may provide similar rights (access, deletion, correction). Contact us and we will respond consistent with applicable law.