Qrop logoQrop

Privacy policy

This policy is issued in terms of the Protection of Personal Information Act 4 of 2013 (POPIA) and explains how ShellRick Tech Pty Ltd, trading as Qrop(“we”, “us”), processes personal information collected through https://www.qrop.co.za and the Qrop API.

1. Responsible party

ShellRick Tech Pty Ltd t/a Qrop is the responsible party for the personal information described in this policy.

Registration number: 2025/619155/07
Registered address: 3 Grosvenor Road, Diep River, 7800, Cape Town

2. Information Officer

Requests, complaints, or questions about how we handle your personal information can be directed to our Information Officer:

Frederick Niekerk
Email: informationofficer@shellricktech.co.za

3. What we collect

Depending on how you use Qrop, we process:

  • Account information — name, email address, phone number, and (for company accounts) a company name, collected at registration and verified via one-time codes.
  • Billing information— credit purchases, subscription plan, and payment status. Card details are entered directly into PayFast’s hosted payment page and never touch our servers.
  • API key metadata — a salted hash of each API key, a label you choose, and last-used timestamps. We never store API keys in plain text.
  • Generation records — the data type, format, and resolution of each QR code you generate, and the IP address of anonymous (logged-out) requests, used for daily rate limiting and abuse detection. IP addresses are automatically removed after 30 days.

We do not read, store, or scan the content you encode into a QR code (URLs, Wi-Fi credentials, contact cards, etc.) beyond what is technically required to generate the image and return it to you.

4. Why we process your information

  • To create and operate your account, and generate QR codes you request (contract).
  • To bill credit purchases and API subscriptions (contract, legal obligation).
  • To prevent abuse of the free anonymous tier through IP-based rate limiting (legitimate interest).
  • To respond to support requests and Information Officer enquiries (legitimate interest).
  • To show advertising on the free tier (anonymous or registered, never paying accounts), only where you have given consent (consent).

5. Who we share it with

We share personal information with the following operators, strictly to provide the service. None of them may use your information for their own purposes:

  • Amazon Web Services (Cognito) — authentication and identity verification, hosted in Cape Town, South Africa (af-south-1).
  • Vercel — application hosting and compute, served from Cape Town, South Africa and Frankfurt, Germany (EU).
  • Neon — database hosting for account, billing, and generation records, hosted in Frankfurt, Germany (EU).
  • Upstash — short-lived rate-limit counters (Redis), keyed by IP or API key, hosted in Cape Town, South Africa.
  • PayFast (Pty) Ltd — payment processing and subscription billing, hosted in South Africa. We share your name, email address, and the transaction amount with PayFast when you initiate a payment. Card details are entered directly on PayFast’s hosted payment page and never reach our servers. PayFast’s own privacy policy is available at payfast.co.za/privacy-policy.
  • Google AdSense — only with your cookie consent, as described above.

Your account, billing, and generation records are stored in our Neon database in Frankfurt, Germany, and some of our application compute is served from Vercel’s Frankfurt region — both outside South Africa. These are cross-border transfers under section 72 of POPIA, and we rely on the fact that the European Union (including Germany) is recognised as having a data protection framework (the GDPR) that is at least equivalent to POPIA’s conditions for lawful processing. Authentication (AWS Cognito), rate-limiting (Upstash), and the remainder of our application compute (Vercel) are located in Cape Town, South Africa. Google AdSense may also process data on servers outside South Africa (including the United States) as part of providing advertising; we rely on its standard data processing terms to impose safeguards equivalent to POPIA’s conditions in that case. We do not sell personal information to any third party.

6. How long we keep it

  • Account and billing records: for as long as your account is active, plus the period required by tax and financial record-keeping law thereafter.
  • Anonymous rate-limit IP logs: rolling 30 days, then deleted automatically.
  • Generation history: for as long as your account is active, so you can review past usage.

7. Security safeguards

API keys are hashed with SHA-256 and shown in full only once, at creation. Passwords and identity verification are handled entirely by AWS Cognito and never touch our database. All traffic is served over HTTPS, and access to personal information in our systems is restricted to what each service needs to operate.

8. Cookies

Strictly necessary cookies (session authentication, security) are always active and cannot be disabled, as the service cannot function without them. Advertising cookies (Google AdSense, shown only on the free tier — never to paying accounts) are off by default and only activate once you choose “Accept all” in the cookie banner. You can change your choice at any time by clearing the qrop_consent entry in your browser’s local storage and reloading the page.

9. Your rights

Under POPIA, you have the right to:

  • Be told what personal information we hold about you and why.
  • Request access to, or a copy of, your personal information.
  • Request correction of inaccurate or outdated personal information.
  • Request deletion or de-identification of personal information we no longer have a lawful basis to keep.
  • Object to processing based on legitimate interest, or to direct marketing, at any time.
  • Lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za if you believe we have not handled your information lawfully.

Registered users can exercise the access and deletion rights directly from Account & privacy in the dashboard — download a full copy of your data as JSON, or permanently delete your account and personal information. For any other request, or if you don’t have an account, contact our Information Officer at informationofficer@shellricktech.co.za. We will respond within a reasonable time and may need to verify your identity first.

10. Changes to this policy

We may update this policy as the service changes. Material changes will be reflected on this page with an updated effective date.

We use strictly necessary cookies to run Qrop, and — only with your consent — advertising cookies. See our privacy policy for details.