Privacy
Privacy Policy and GDPR/RODO Notice
This policy explains how ScanCore processes personal data for dynamic QR shirts, owner management links, public QR scans, contact requests, and basic operational analytics.
Last updated: 26 May 2026
- Data controller: BBest24 OÜ
- Registry code: 14878717
- Legal form: Private limited company (OÜ)
- Registered address: Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551
- Contact: hello@scancore.eu
Company details are based on the public Estonian e-Business Register entry for BBest24 OÜ.
1. Who is responsible for your data
BBest24 OÜ operates ScanCore and acts as the data controller for the personal data processed through this website and the ScanCore QR shirt service.
2. What data we process
ScanCore keeps the data limited to what is needed to run and protect the MVP service:
- contact form data: name, e-mail address, topic, message, status, and submission time;
- shirt configuration data: public code, selected mode, destination URL, title, description, CTA label, CTA URL, uploaded image path, status, scan count, and update times;
- owner and admin security data: private token hash, token hint, admin e-mail address, admin password hash, technical session data, and CSRF protection data;
- scan analytics data: scan time, event type, related public code, hashed IP address, user agent, and referrer. The app does not store raw IP addresses in scan events.
- project web analytics data from self-hosted Umami: sanitized page paths, stable event names, device/browser signals handled by Umami, and non-identifying event metadata. Private owner tokens, public QR codes, admin e-mails, contact messages, destination URLs, CTA URLs, and upload filenames are not sent to Umami.
3. Purposes and legal bases
- Service operation and contact handling: to provide the QR shirt functionality, owner management flow, admin support, and replies to messages. Legal basis: contract or pre-contractual steps, GDPR Article 6(1)(b).
- Security and abuse prevention: to protect private owner links, admin sessions, exports, uploads, and public QR redirects. Legal basis: legitimate interest, GDPR Article 6(1)(f).
- Operational records and legal compliance: to keep necessary records, handle claims, and meet applicable legal obligations. Legal basis: legal obligation or legitimate interest, GDPR Article 6(1)(c) or 6(1)(f).
4. QR scans and analytics
When someone scans a public QR code, ScanCore may record a minimal event so the owner and operator can understand whether the pilot is being used. This includes public scans and CTA clicks, but not advertising profiles or sale of analytics data.
Scan data is used for product validation, security review, and simple aggregated reporting. Private management tokens are not included in public analytics views.
ScanCore may also use self-hosted Umami analytics to understand overall project usage across public, owner, preview, and admin screens. Umami events use masked URL patterns such as /m/:private_token and /s/:public_code instead of real tokens or QR codes.
5. Public content and uploads
Text, links, CTA labels, and images added by a shirt owner may become visible on the public shirt page after scanning the public QR. Do not upload confidential files or personal data of other people unless you have a lawful basis to do so.
6. Cookies and technical sessions
ScanCore uses technical cookies or session data needed for language preference, form protection, admin login, and secure operation of the service. Project analytics are handled through self-hosted Umami without owner-token tracking, advertising profiles, or sale of analytics data.
7. Recipients and processors
Data may be processed by trusted technical providers used for hosting, storage, backups, security, and operational tooling. Public QR content is visible to anyone who opens the public QR URL. ZIP/CSV exports containing private management URLs are confidential and should be handled only by the operator or authorized production partners.
8. Retention
Data is kept only as long as needed for the QR shirt pilot, service support, security, backups, legal obligations, and possible claims. Uploaded files and shirt content may be kept until removed, replaced, or the related shirt record is archived. Contact requests are kept for the time needed to handle the conversation and related follow-up.
9. Your rights
Under GDPR/RODO, you may request access, rectification, erasure, restriction, or portability, or object to processing, where applicable. If processing is based on consent, you may withdraw it at any time without affecting earlier lawful processing.
For owner-link requests, ScanCore may need to verify that the requester controls the relevant private token or otherwise has a legitimate basis to act for the shirt owner.
10. Complaints
You can contact us first at hello@scancore.eu. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or with another competent EU supervisory authority, such as UODO in Poland.
11. Updates
We may update this policy when ScanCore changes, for example when new hosting, storage, analytics, or sales flows are introduced. The current version will remain available on this page.