Privacy Policy
Last updated: 21 Apr 2026
Effective: 21 Apr 2026
This Privacy Policy explains how Pageloot OÜ ("Pageloot", "we", "us") collects, uses, and shares information in connection with our websites and services at pageloot.com, app.pageloot.com, pglt.me, and qrcd.ee (the "Platform").
Controller: Pageloot OÜ, Kadaka tee 7, 12915 Tallinn, Estonia.
Privacy/Data requests: [email protected]. General support: [email protected].
- We process personal data to provide and improve the Platform, run analytics, support, and affiliate tracking—only where we have a legal basis (contract, consent, legal obligation, or legitimate interests).
- When you use our free QR and shortlink tools, we log your IP address and the URLs you submit for abuse prevention and platform security (see Section 2a).
- You can control optional cookies/trackers via our cookie preferences banner.
- EU/UK users have GDPR rights (access, rectify, erase, restrict, portability, object). California and similar jurisdictions have additional rights; see "Your Rights".
1. Scope
This Policy covers visitors and customers using the Platform and related services, including our public QR tools, free shortlinks, and logged-in features.
2. Data We Collect
- Account & Billing Data. Name, email, company, plan details, payment identifiers (handled by our payment processors), billing history.
- Content/Data You Provide. QR code contents, design assets, URLs, projects, workspace names, and settings you create in the Platform.
- Usage & Device Data. Pages viewed, features used, clicks, referring pages, approximate location (IP-based), device/browser info, crash logs.
- Support & Communications. Messages you send us (e.g., support/chat, email) and related metadata.
- Abuse Reports. Information you submit through the abuse reporting form or email ([email protected]), including any personal data about third parties you include in your report.
- Cookies & Similar Tech. Essential cookies for login and security; optional analytics/marketing cookies with your consent.
2a. Free QR Codes and Shortlinks
When you create a free QR code or shortlink through pageloot.com/q/, pageloot.com/s/, pglt.me, or qrcd.ee without signing up, we automatically collect and process:
- The destination URL you submit and any file you upload (e.g., PDFs for PDF QR codes).
- Your IP address, used for rate limiting, abuse prevention, and security scanning.
- The time of creation and subsequent scan/redirect events.
- Aggregated scan counts per code. We do not identify individual scanners for free codes.
- Your email address, if you voluntarily provide it to receive scan milestone notifications.
We use this data to operate the service, prevent abuse (including automated scanning of destination URLs against the Google Safe Browsing API and similar services), enforce our Terms of Service, and comply with legal obligations. Legal bases: contract (to provide the requested Redirect URL) and legitimate interests (platform safety and abuse prevention). We retain creation logs for up to 24 months for security and abuse investigation purposes. We do not sell this data.
If your abuse report to us includes personal information about a third party (for example, when reporting a phishing URL), we process that information on the legal basis of our legitimate interest in platform safety and abuse prevention.
3. Legal Bases (GDPR/UK GDPR)
- Contract. To create and manage your account, provide features (including free Redirect URLs), billing, and support.
- Legitimate Interests. To secure, maintain, and improve the service; prevent abuse, fraud, and misuse of free tools; measure basic engagement.
- Consent. For non-essential cookies/trackers, certain marketing, and optional communications.
- Legal Obligation. To comply with tax, accounting, and regulatory duties; to respond to valid legal process; to report CSAM to law enforcement and NCMEC.
4. How We Use Data
- Provide, maintain, and secure the Platform; personalize features and retain your settings.
- Measure performance and improve the user experience; develop new features.
- Send transactional messages (password resets, billing notices); send marketing only with the appropriate legal basis.
- Detect, prevent, and address fraud, abuse, or policy violations, including operating our URL safety scanning and abuse reporting workflows.
5. Cookies, Analytics & Tracking
We use a consent banner to manage optional cookies and trackers. You can review or change your choices at any time via the cookie preferences tool on our site. We may deploy the following categories/services:
- Consent Management: Cookie consent tool to obtain/store preferences.
- Analytics/Tagging: Google Tag Manager and Google Analytics 4 (GA4).
- Affiliate Tracking: Tools for referral attribution (e.g., Rewardful, Reditus).
- Support Chat: Crisp chat for real-time support / Freshdesk for ticket management.
- Abuse Prevention: Cloudflare Turnstile CAPTCHA on free tools to prevent automated abuse.
- Advertising Platforms: Meta Pixel for conversion tracking and retargeting. We may share hashed customer data (e.g., email addresses) with Meta to deliver relevant ads and build lookalike audiences. Email addresses are hashed before transmission and never sent in plain text. This sharing occurs under our legitimate interests in marketing to existing customers; you can opt out at any time via the cookie banner or by contacting [email protected].
Optional cookies and trackers operate only when permitted by your preferences within the consent banner.
6. Sharing & Recipients
- Service Providers (Processors). We share data with vendors who help us host, analyze, support, bill, communicate, and attribute referrals—only under contracts that protect your data. This includes Google (Safe Browsing URL scanning), Cloudflare (CAPTCHA and CDN), AWS (file storage for uploads), and Freshdesk (support and abuse ticket management).
- Affiliates/Corporate Transactions. We may share with our affiliates or in a merger, acquisition, or sale of assets, subject to safeguards.
- Legal & Safety. We may disclose data to comply with law, respond to valid legal process, or protect rights, safety, and integrity of the Platform. For CSAM, we report directly to law enforcement and NCMEC.
7. International Transfers
We are based in Estonia and may transfer data outside the EEA/UK where needed (e.g., to cloud/analytics providers). When we do, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and UK equivalents, as applicable).
8. Retention
- Account & billing records: for the life of the account and for up to 6–10 years after closure to meet tax/legal obligations.
- Support/chat logs: typically 12–24 months, unless needed longer for legitimate reasons (e.g., dispute resolution).
- Analytics data: typically 14–26 months in aggregated or de-identified form.
- QR content/projects (logged-in): while your workspace or item remains active, or until you delete them.
- Free QR / shortlink creation logs and IP addresses: up to 24 months for abuse investigation.
- Abuse reports: up to 5 years for pattern analysis and legal defense.
9. Security
We use appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, and monitoring. No method is 100% secure; we encourage strong, unique passwords and two-factor authentication where available. Security vulnerabilities can be reported via /.well-known/security.txt or [email protected].
10. Your Privacy Choices & Rights
- Cookie Preferences. Adjust optional cookies/trackers using the cookie banner.
- Marketing. Opt out of marketing emails via unsubscribe links; service (transactional) emails will still be sent.
- GDPR/UK GDPR Rights. Access, rectify, erase, restrict, portability, object. You may also object where we rely on legitimate interests.
- US State Rights (e.g., California). Depending on your location, you may have rights to know/access, delete, correct, and opt out of "sharing" for cross-context behavioral advertising. We only engage in such "sharing" when you consent to advertising cookies; you can opt out at any time via the cookie banner.
- Exercising Rights. Email [email protected]. We may verify your request and ask for more information.
11. Children
The Platform is not directed to children, and we do not knowingly collect personal data from children under the age required by local law (e.g., 13/16). If you believe a child provided us data, contact us and we will take appropriate steps.
12. Third-Party Links
Our site may link to third-party sites/services that we do not operate. Their practices are governed by their own policies. Redirect URLs created through our tools send users to third-party destinations; we are not responsible for the privacy practices of those destinations.
13. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you via the Platform or email.
14. Contact
Controller: Pageloot OÜ
Address: Kadaka tee 7, 12915 Tallinn, Estonia
Privacy/Data requests: [email protected] · General support: [email protected] · Abuse: [email protected]









