Privacy Policy
Last updated: June 5, 2026
1. Introduction
Welcome to SMLLR. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard information when you interact with our platform, including when you scan QR codes powered by SMLLR or visit our website.
2. Our Role — Controller and Processor
SMLLR operates in two distinct roles depending on whose data is being processed. Understanding this distinction is important for knowing who is responsible for your data and how to exercise your rights.
When you are a registered SMLLR user (a business or individual with an account):
SMLLR is the Data Controller for your personal data (name, email, billing details, profile information). We determine why and how that data is processed, and this Privacy Policy applies in full to you.
When you are an End User scanning a QR code created by one of our customers:
SMLLR acts as a Data Processor on behalf of the business that created that QR code. That business is the Data Controller for your scan data and is responsible for informing you about its collection. SMLLR collects and stores that data only under the business's instructions, as set out in our Data Processing Agreement.
3. Information We Collect
A. Data about registered users (Controller)
- Account Data – name, email address, password (hashed), company name, industry, and country provided during registration.
- Profile Data – billing address, contact number, company registration number, and tax number if provided in your profile.
- Payment Data – order amounts and payment status. Card details are handled exclusively by our payment gateways (PayU) and never stored on our servers.
- Usage Data – how you use the SMLLR dashboard, features accessed, and session information.
B. Scan Analytics Data collected on behalf of our business customers (Processor)
When an End User scans a QR code or accesses a link created by a SMLLRcustomer, SMLLR automatically collects the following data on behalf of that customer (who is the Data Controller for this data):
- Network identifiers – IP address, used to derive approximate geographic location (country, city, region).
- Device data – browser type, operating system, device category (mobile, tablet, desktop).
- Interaction data – scan timestamp, QR code identifier, and target URL.
- Pseudonymous scan identifier – a cookie-based identifier used to distinguish unique from repeat scans, set on the End User's device on behalf of the business customer.
No names, email addresses, or special category data are collected from End Users through the scanning process. If you are an End User with questions about your scan data, please contact the business whose QR code you scanned.
4. How We Use Your Information & Lawful Basis
Under the Digital Personal Data Protection Act, 2023, we are required to identify a lawful basis for each processing activity. The table below sets out how we use Account Data and the basis on which we process it:
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Create and manage your account | Name, email, password | Contractual necessity |
| Process payments and issue GST invoices | Billing address, GSTIN, order data | Contractual necessity; legal obligation (GST Act 2017) |
| Send transactional emails (OTP, receipts, alerts) | Email address | Contractual necessity |
| Provide customer support | Name, email, support messages | Contractual necessity; legitimate interest |
| Improve platform performance and reliability | Usage data, session data | Legitimate interest |
| Prevent fraud, abuse, and enforce Terms of Service | Account data, usage logs | Legitimate interest; legal obligation |
| Send marketing communications (with consent) | Email address | Consent (opt-in only; may be withdrawn at any time) |
Scan Analytics Data is processed solely on behalf of our business customers (the Data Controllers) for the purposes they determine — primarily to provide QR engagement analytics and geographic insights. SMLLR does not use Scan Analytics Data for its own marketing or advertising purposes.
5. Sharing of Information
SMLLR may share aggregated or anonymized analytics data with businesses that use our platform. This information helps them understand customer engagement with their QR codes or marketing campaigns.
We do not sell personal data such as names, phone numbers, or email addresses without explicit user consent.
Third-Party Data Processors: To derive geographic location from IP addresses for analytics purposes, we use the following third-party IP geolocation services. Your IP address may be transmitted to these services as part of this process:
- ipapi.co – IP geolocation (Privacy Policy)
- ipinfo.io – IP geolocation (Privacy Policy)
- ip-api.com – IP geolocation (Legal)
- Google Analytics & Google Tag Manager – Website usage analytics, only when you have given cookie consent.
- Vercel – Hosting and performance analytics for theSMLLR website.
- Amazon Web Services (AWS) – Cloud infrastructure (Lambda, DynamoDB, S3) hosted in the Mumbai (ap-south-1) region, India.
- Brevo (formerly Sendinblue) – Transactional and marketing email delivery. Your email address is transmitted to Brevo to send emails on our behalf. (Privacy Policy)
- PayU – Payment processing. When you make a purchase, your billing details and order amount are transmitted to the payment gateway you select. Card details are handled exclusively by these gateways and never stored on our servers. Each gateway is PCI-DSS certified and maintains its own privacy policy.
These processors act on our instructions and are contractually bound to handle your data securely and in compliance with applicable law.
6. Location Permissions
When scanning QR codes powered by SMLLR, your device may request permission to access your location through your browser. Granting this permission allows us to collect precise location data to improve analytics accuracy for businesses using our services.
Location access is optional and can be declined through your browser settings.
7. Cookies and Tracking Technologies
We use cookies and similar technologies on our platform and on QR redirect flows. The table below describes each cookie we set, its purpose, and the lawful basis on which it is set.
| Cookie | Purpose | Lawful Basis | Duration |
|---|---|---|---|
| smllr_uid | Set on End User devices when a QR code is scanned. Stores a pseudonymous identifier to distinguish unique scans from repeat scans on behalf of the QR creator (our business customer). No personal identity is revealed by this cookie. | Legitimate interest of our business customer (QR creator) to measure unique engagement | 1 year |
| auth_token / refresh_token | Maintains your authenticated session on the SMLLR dashboard. Set only when you log in. | Contractual necessity (authentication) | Session / 12 hours |
| _ga, _gid (Google Analytics) | Website usage analytics on www.smllr.app. Only set after you accept analytics cookies in our cookie banner. | Consent (can be withdrawn via cookie settings) | Up to 2 years |
You can manage or delete cookies through your browser settings at any time. Note that disabling cookies may affect the functionality of the SMLLR dashboard.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. The table below sets out our specific retention periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| QR scan analytics (Scan Analytics Data) | 90 days from scan date | Automatically deleted via database TTL; sufficient for analytics purposes |
| Account data (name, email, profile) | Immediately upon account deletion request | Personal identifiers are anonymised at point of deletion; no grace period |
| Payment records and GST invoices | 7 years from invoice date | Legal obligation under the GST Act, 2017 and Income Tax Act, 1961 |
| Security and audit logs | 2 years | Fraud investigation, legal disputes, and IT Act compliance |
| Support ticket messages | 90 days after ticket resolution | Sufficient for quality review; deleted when no longer needed |
You may request deletion of your account and personal data at any time by exercising your Right to Erasure as described in Section 10, or directly from your account settings. Deletion is processed immediately, subject to the legal retention obligations noted above (e.g. tax records).
9. Data Security
We implement appropriate technical and organizational measures to protect your information from unauthorized access, loss, misuse, or alteration.
10. Your Rights (Data Principals)
Under the Digital Personal Data Protection Act, 2023 (India) and other applicable laws, you have the following rights with respect to your personal data:
- Right to Access – You may request a summary of the personal data we hold about you and the purposes for which it is being processed.
- Right to Correction – You may request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to Erasure – You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent. You can initiate account deletion from your account settings or by contacting us at [email protected].
- Right to Grievance Redressal – You may raise a complaint with our Grievance Officer (see Section 12) if you believe your data has been processed in violation of applicable law.
- Right to Nominate – You may nominate another individual to exercise these rights on your behalf in the event of your death or incapacity, in accordance with applicable law.
To exercise any of the above rights, please contact us at [email protected]. We will acknowledge your request within 48 hours and respond within 30 days.
11. Minimum Age
The SMLLR platform is intended for use by individuals who are 18 years of age or older. We do not knowingly collect, process, or store personal data from children under the age of 18. If you believe that a child under 18 has provided us with personal data, please contact us immediately at [email protected] and we will take prompt steps to delete that information.
12. Marketing Communications & TRAI Compliance
We send two categories of emails:
- Transactional emails – Account creation, OTP verification, payment receipts, and service alerts. These are necessary to deliver the service and cannot be opted out of while your account is active.
- Marketing emails – Product updates, offers, and newsletters. These are sent only with your explicit consent and you may unsubscribe at any time by clicking the "Unsubscribe" link in any marketing email or by emailing us at [email protected].
SMLLR complies with the Telecom Regulatory Authority of India (TRAI) regulations and is registered on the Distributed Ledger Technology (DLT) platform for commercial communications as required under the Telecom Commercial Communications Customer Preference Regulations, 2018.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services or legal obligations. Updates will be posted on this page with the revised date.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in risk to your rights, we will notify affected individuals and the Data Protection Board of India as soon as reasonably practicable and in accordance with the Digital Personal Data Protection Act, 2023.
15. Grievance Officer
In accordance with the Digital Personal Data Protection Act, 2023 and the Consumer Protection (E-Commerce) Rules, 2020, a Grievance Officer has been designated to address concerns regarding the processing of your personal data.
Grievance Officer: SMLLR Support Team
Email: [email protected]
Response timeline: Complaints will be acknowledged within 48 hours and resolved within 30 days of receipt.
If you are not satisfied with the resolution, you may escalate your complaint to the Data Protection Board of India once it is constituted under the DPDP Act, 2023.
16. Contact Us
If you have questions about this Privacy Policy or your data, please contact us at:
[email protected]