Privacy Policy

1. Information We Collect

Chirp.QR collects the following information when you use our app or website:

• Audio Recordings — The app allows you to record audio files, which are uploaded to our server in the EU. Recordings are not linked to a user's real name or email address; they are identified only by an internal ID and a per-recording access key.
• QR Codes — The app generates QR codes containing links to the uploaded audio files. QR codes themselves are stored locally on your device.
• Subscription Status — If you subscribe to Chirp Premium, we receive a subscription status from Apple to determine the retention period of your audio files. We do not receive Apple ID or payment details.
• School Admin Account Data — If you sign up for a school licence at chirpqr.com/schools, we collect the school admin's name, email address, school name, billing address, and (where applicable) VAT number and organisation number. This data is used to provision the school licence, send invoices, and contact the admin about the subscription.
• Listener Data — When someone scans a Chirp.QR code and plays the audio, the playback page does not collect personal information about the listener. We log the request server-side (timestamp, IP address, and the audio ID requested) for abuse prevention and rate-limiting only; these logs are retained for a short period and are not used to profile listeners.

What we do not collect. Chirp.QR does not display advertising, does not use third-party analytics or tracking on listener playback pages, does not sell or rent personal data, and does not collect personal information from students who scan QR codes in a classroom.

2. How We Use Your Information

We use your data as follows:

• Audio Storage — Your recordings are uploaded to a server in the EU so that they can be played back via the QR code's URL. This is the core function of the service.
• QR Code Generation — QR codes link to the uploaded audio files for sharing.
• Chirp Premium — If you subscribe to Chirp Premium, your audio files remain active and stored on our server for as long as your subscription is active.
• School Licence Administration — School admin account data is used to provision and manage the school's licence, issue invoices, send subscription-related communications (renewal reminders, payment confirmations, expiry notices), and provide customer support.
• Service Operation and Abuse Prevention — Server logs are used to keep the service running, detect abuse, enforce rate limits, and respond to security incidents.

For non-premium users, audio files may become inactive after a certain period and will be automatically deleted by our scheduled cleanup process.

3. Data Storage and Retention

• Server Location — All audio recordings and account data are stored on infrastructure located in the European Union. Data does not leave the EU in the course of normal operation.
• Chirp Premium Subscribers — Audio recordings are stored for as long as your subscription is active. You have full control over your recordings and can delete them at any time.
• Non-Premium Users — Audio files remain active for a limited period. After this period the files become inactive and are deleted from our server by our scheduled cleanup process.
• School Licences — Audio recordings made under a school licence are stored for the duration of the licence. School admin account data and invoice records are retained for as long as the licence is active and for the period required by Swedish accounting law (currently seven years) after the licence ends, for tax and audit purposes.
• QR Codes — QR codes are stored locally on your device and contain links to the audio files. If an audio file is deleted, the QR code will no longer function.
• Server Logs — Operational logs (request timestamps, IP addresses, error logs) are retained for a short period and then deleted.

4. Third-Party Services

We use a small number of third-party services strictly to operate Chirp.QR:

• One.com (EU hosting) — hosts our website, app backend, and audio file storage. One.com's data centres are located in the European Union.
• Apple — handles all Chirp Premium in-app subscription billing. We receive subscription status from Apple but do not receive Apple ID, payment card details, or other Apple account information.
• Billing service (billing.moonshade.eu) — for school licence customers only. Our billing service handles invoice generation, payment processing, and accounting integration. It is operated by us on EU infrastructure.
• Stripe — for school licence customers paying by card. Stripe processes payments and is contractually a data processor under our school licence terms. We do not store full payment card details.

We do not share your data with advertisers, analytics providers, or data brokers.

5. Security

We take reasonable and appropriate steps to protect your data:

• All data transfers between the app, website, and our servers use HTTPS (TLS) encryption.
• Audio recordings are accessed only through a per-recording access key, not by guessable identifiers.
• School admin access is protected by password, with sessions configured for security (HTTP-only cookies, Secure flag, SameSite restrictions).
• Servers are kept up to date and access is restricted to the maintainer.
• Suspicious activity is rate-limited and logged.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. If we become aware of a data breach affecting personal data, we will notify affected users and the relevant supervisory authority within the timeframe required by GDPR (72 hours).

6. Your Rights and Control Over Your Data

Under the EU and UK GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at support@chirpqr.com.

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") — ask us to delete your data. You can also delete your own recordings at any time from within the app.
• Right to restriction — ask us to limit how we process your data.
• Right to data portability — receive your data in a structured, commonly used format.
• Right to object — object to processing where we rely on legitimate interests.
• Right to lodge a complaint — with your local data protection authority (in Sweden: Integritetsskyddsmyndigheten / IMY; in the UK: ICO).

7. Schools and Educational Use

Chirp.QR is widely used by teachers and students in schools, both through the free iOS app and through our school licensing service at chirpqr.com/schools. Educational use is supported and welcome.

Legal basis and data controller relationship. When Chirp.QR is used under a school licence, the school is the data controller for any audio recordings made by teachers or students as part of classroom activities, and Chirp.QR acts as a data processor on the school's behalf. The school is responsible for providing the legal basis for processing under GDPR (typically the public-interest task of providing education, or — where required by local law — parental consent), for notifying parents, and for setting age-appropriate use within the classroom.

No student accounts. Chirp.QR does not create individual student accounts. A school licence is activated by entering a single school code on a device, which unlocks Chirp Premium features for that device. No student name, email, date of birth, or other personal identifier is collected by Chirp.QR.

Audio recordings of students. If teachers or students record audio as part of classroom activities, those recordings will contain the speaker's voice, which is personal data under GDPR. Recordings are stored in the EU, accessible only through a per-recording access key, and are deleted when the school licence ends (or earlier on request). Recordings are not linked to a student's name or other identifier by Chirp.QR.

No advertising or profiling. Chirp.QR does not display advertising to students or listeners, does not profile students, does not use student data for any purpose other than providing the service, and does not sell or share student data with third parties.

Data Processing Agreement. Schools that require a written Data Processing Agreement (DPA) or further documentation for their own data protection records can request one by contacting us at support@chirpqr.com.

8. Children's Privacy

Chirp.QR is suitable for use by children when used under appropriate adult supervision, including under a school licence as described in Section 7. We handle children's data with particular care:

• No direct account creation by children — Chirp.QR does not provide signup, account creation, or any direct account-holder relationship with individual children. The iOS app does not require an account to record audio; the school licensing service is restricted to school admin users, who are adults.
• EU users under 16 (GDPR Article 8) — where Chirp.QR is used by a child under 16 outside a school setting, parental consent is required for the processing of their personal data. Parents who become aware that their child has used Chirp.QR and want their child's data deleted can contact us at support@chirpqr.com and we will remove it.
• US users under 13 (COPPA) — we do not knowingly collect personal information directly from children under 13 in the United States outside a school context. In a school context, the school is responsible for providing parental notification and consent as required by COPPA.
• UK users under 13 — under the UK Age Appropriate Design Code, we do not profile children, do not use nudge techniques, and do not display advertising. The same protections apply to all users.
• Reporting concerns — if you are a parent, guardian, teacher, or school admin and have any concern about a child's data on Chirp.QR, please contact us at support@chirpqr.com and we will respond promptly.

9. Changes to This Privacy Policy

We may update this privacy policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes (changes that meaningfully affect how we process your data), we will give reasonable advance notice through the app, the website, or by email to school admin contacts.

10. Contact Us

If you have any questions, concerns, or want to exercise your data protection rights, please contact us at support@chirpqr.com.

Chirp.QR is operated from Sweden. Our data protection enquiries are handled directly by the founder.