Privacy Policy

1. Introduction and Applicable Law

This Privacy Policy explains how easyfreeqr.com (operated by TFB Beyond UG (i.G.), Germany) handles personal information of users accessing the website from the Republic of the Philippines. The operator is a foreign provider established in Germany. Processing is governed primarily by the EU General Data Protection Regulation (GDPR) and German law. To the extent it applies extraterritorially to a foreign provider under section 6 of the Act, we also aim to honour the Data Privacy Act of 2012 (Republic Act No. 10173) ("DPA"), its Implementing Rules and Regulations ("IRR"), and the circulars and issuances of the National Privacy Commission (NPC) (privacy.gov.ph).

2. Data Processing in the Browser

QR code generation on easyfreeqr.com is performed entirely in your browser (client-side, in JavaScript). The data you enter (URLs, text, Wi-Fi credentials, contact details, uploaded logos, etc.) is not transmitted to our servers; it is processed directly on your own device. We do not replace your link with a tracking URL — the QR code that is scanned contains exactly the data you entered.

3. Server Logs (Hosting)

When you access the website, technical data (IP address, user agent, requested URL, timestamp, referrer) is recorded by our hosting provider — Netlify, Inc., 44 Montgomery Street, Suite 300, San Francisco, CA 94104, USA — in standard server logs. Legal basis: Art. 6(1)(f) GDPR and the legitimate interest criterion under section 12(f) of the DPA (legitimate interests pursued by the personal information controller, except where such interests are overridden by fundamental rights and freedoms of the data subject). The data is deleted automatically after 7 days. Netlify is certified under the EU-US Data Privacy Framework.

4. External CDNs (jsDelivr)

When the page loads, the following JavaScript libraries are fetched via the jsDelivr CDN (operated by Prospect One Sp. z o.o., delivered via Cloudflare and Fastly):

• qr-code-styling — for QR code generation
• jsPDF — for the PDF download
• Simple Icons — for official platform logos (only when "Social Media" is selected)

In the course of loading, your IP address, user agent, and referrer are transmitted to jsDelivr / Cloudflare / Fastly. We use these CDNs for performance reasons (Art. 6(1)(f) GDPR; section 12(f) DPA). Transmission takes place only to data centres within the EU or to servers certified under the EU-US Data Privacy Framework. We use Subresource Integrity (SRI) to prevent tampering with the loaded scripts.

5. Cookies

We use only the following:

• Strictly necessary storage (browser localStorage): saves your cookie choice and theme/language preference.
• Advertising cookies (Google AdSense) — only with your explicit consent. Legal basis: Art. 6(1)(a) GDPR; consent within the meaning of section 3(b) DPA.

You may withdraw your consent at any time via the "Cookie settings" button in the footer.

6. Google AdSense (Only After Consent)

This website uses Google AdSense (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to deliver advertisements. The AdSense script is only loaded after your explicit consent; until then, no data is transmitted to Google. Once loaded, Google uses cookies to deliver relevant advertisements. Personalized advertisements are served only after your consent (via Consent Mode v2). Further information: Google Privacy Policy.

7. General Data Privacy Principles under the DPA

To the extent the DPA, its IRR, and NPC issuances apply to our processing in respect of users in the Philippines, we adhere to the general data privacy principles set out in section 11 of the Act, namely transparency, legitimate purpose, and proportionality. We process the minimum personal data necessary for the operation and security of the website, as described in this Policy.

8. Your Rights as a Data Subject (DPA, Sections 16 and 18)

Subject to the DPA and the IRR, you have the following rights in respect of personal information we process about you:

• Right to be informed of the existence, nature, and purpose of processing
• Right to access the personal information we hold about you
• Right to object to processing, including for direct marketing or profiling
• Right to rectification of inaccurate or erroneous personal information
• Right to erasure or blocking of personal information in the cases provided by law
• Right to damages for inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information
• Right to data portability (section 18 DPA), where the personal information is processed by electronic means and in a structured and commonly used format
• Right to file a complaint with the NPC

Please direct any request to hello@schnelligkeitstest.de. We aim to respond within a reasonable time consistent with NPC guidance.

9. Data Protection Officer / Grievance Contact

Pursuant to section 21(a) DPA and the IRR, the person designated for compliance and grievance handling is:

Goran Martinovic
Email: hello@schnelligkeitstest.de
TFB Beyond UG (i.G.), Blieschendorferweg 24, 23769 Fehmarn, Germany

If a grievance is not resolved to your satisfaction, you may lodge a complaint with the National Privacy Commission (NPC) of the Philippines at www.privacy.gov.ph.

10. Security Measures

In line with sections 20 of the DPA and Rule VI of the IRR, we implement reasonable and appropriate organizational, physical, and technical security measures appropriate to the nature of the limited data we process. These include HTTPS transport encryption, Subresource Integrity for loaded scripts, short server-log retention periods, and the privacy-by-design approach of performing QR generation entirely in the user's browser.

11. Data Breach Notification

In the unlikely event of a personal data breach affecting Philippine users that meets the thresholds set out in NPC Circular No. 16-03 (Personal Data Breach Management) — namely where there is reasonable belief that the breach involves sensitive personal information or information that may be used for identity fraud, and the breach is likely to give rise to a real risk of serious harm — we will notify the NPC and affected data subjects within 72 hours, in line with section 38 of the DPA's IRR.

12. Cross-Border Transfer of Personal Information

Because the website is operated from Germany, any limited personal information we receive (in particular server logs) is processed within the European Union and/or in third countries that provide an adequate level of protection (such as recipients certified under the EU-US Data Privacy Framework). Under section 21(b) DPA, we remain accountable for personal information under our control or custody, including information transferred to third parties for processing.

13. Your Rights Under the GDPR

For the limited personal data we process (server logs, AdSense cookies after consent), you also have rights under the GDPR:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
• Lodge a complaint with a supervisory authority (Art. 77 GDPR)

14. Amazon Associates Programme (Affiliate Links)

On the /empfehlungen/ page and on individual topic pages, we may link to products via the Amazon Associates Programme. Such links are labeled as "Ad" or "sponsored". If you click such a link and subsequently make a purchase on Amazon, we may receive a small commission — at no extra cost to you. A tracking cookie is then set by Amazon for attribution purposes. Legal basis: Art. 6(1)(a) GDPR and consent within the meaning of the DPA. You may prevent this at any time by disabling cookies in your browser or by not clicking such links.

Amazon privacy information: Amazon Privacy Policy.

15. Children's Data

The website is not directed at children. We do not knowingly collect personal information of children. Processing of personal information of a minor in the Philippines generally requires the consent of a parent or legal guardian, consistent with NPC issuances. Where we become aware that such data has been provided without proper consent, we will promptly delete it.

16. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in law (including amendments to the DPA, its IRR, or NPC issuances) or in our practices. The current version is always available on this page with the "Last updated" date shown at the top.

17. Responsible Party

Please see the Legal Notice for our full contact details.