SquareBondSquareBond

Legal

Privacy Policy

Last updated: 11 June 2026

1. Who We Are

SquareBond is operated by SublAim OÜ ("we", "us", or "our"), a company incorporated and registered in Estonia. We are the data controller for personal data processed through the SquareBond platform.

Contact: privacy@squarebond.com

2. Data We Collect

2.1 Information You Provide

  • Account data: Name, email address, password (hashed).
  • Payment data: Billing information processed by Stripe. SquareBond does not store full card numbers.
  • Checkout consent data: Timestamps of Terms of Service acceptance and EU withdrawal waiver confirmation, stored at checkout.
  • Support communications: Messages you send to our support team.

2.2 QR Scan Analytics

When any person scans a QR code or follows a short link operated through the SquareBond platform, we automatically collect:

  • Approximate location (country and city, derived from the scanner's IP address) — the raw IP address is processed transiently for geo-derivation and is not retained.
  • Device type, model, and browser parsed from the User-Agent header.
  • Timestamp of the scan (UTC).
  • Referrer URL when the scanner's browser provides one.
  • Scanner pseudonym — a salted hash of (IP, User-Agent, day) used to deduplicate repeat scans within a 24-hour window. The hash cannot be reversed to an IP address.

Lawful basis (Art. 6(1)(f) GDPR). Scan analytics are processed on the basis of the legitimate interest of the Customer (the SquareBond subscriber who created the QR code) in measuring campaign performance, balanced against the scanner's reasonable expectation of analytics for marketing QR codes. We do not build cross-Customer scanner profiles, we do not enrich scan data with third-party identifiers, and we do not use scan data for behavioural advertising.

Joint controllership (Art. 26 GDPR). For scan analytics, SublAim OÜ and the Customer act as joint controllers. SquareBond determines the analytics architecture, retention, and security; the Customer determines the placement, distribution, and editorial purpose of the QR code. Scanners may exercise their rights against either party — see Section 8.

Scan-data retention.

  • Per-scan rows are retained for twenty-four (24) months from the scan date.
  • Aggregated analytics (counts, geo distributions, daily and weekly rollups) are retained for the lifetime of the Customer's subscription plus thirty-six (36) months after termination.
  • Destination-change audit logs are retained for the lifetime of the short link plus twelve (12) months, in support of our notice-and-action obligations under DSA Article 16 (see Terms of Service §5.6).
  • On Customer account termination, per-scan rows older than 24 months are deleted on a monthly schedule; aggregates persist anonymously until the retention horizon.

2.3 Other Information Collected Automatically

  • Usage data: Pages visited, features used, session duration, and interaction events within the dashboard.
  • Technical data: IP address, browser type, operating system, and cookie identifiers.

3. How We Use Your Data

  • To provide, operate, and improve the SquareBond Service.
  • To process payments and maintain billing records.
  • To enforce our Terms of Service and prevent fraud or abuse.
  • To send transactional emails (account verification, billing receipts, service alerts).
  • To send marketing communications, where you have consented (opt-in only).
  • To comply with our legal obligations.

4. Legal Basis for Processing (GDPR)

We process your data on the following legal bases under Article 6 GDPR:

  • Contract performance: Processing necessary to deliver the Service you subscribed to.
  • Legal obligation: Where we are required to retain data by law (e.g., tax and billing records).
  • Legitimate interests: Security monitoring, fraud prevention, and service improvement.
  • Consent: For marketing communications and non-essential cookies.

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Stripe: Payment processing. Stripe is PCI DSS compliant. See Stripe's Privacy Policy.
  • Supabase: Database and authentication infrastructure hosted in the EU.
  • Cloudflare: DNS, CDN, and DDoS protection.
  • Shlink: Short-link redirection and scan analytics capture (the scanner's request is routed through Shlink before reaching the destination configured by the Customer).
  • Resend: Transactional email delivery (subscription confirmations, renewal notices, cancellation confirmations, DSA notice-and-action statements of reasons).
  • Analytics providers: Aggregated, anonymised usage data only.

All third-party providers are bound by data processing agreements and are required to handle data in compliance with applicable law.

6. Cookies

We use cookies and similar tracking technologies. For detailed information, please see our Cookie Policy .

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account termination, we retain account-related data for up to 36 months for legal and fraud-prevention purposes, after which it is securely deleted or anonymised.

Scan analytics retention follows the regime set out in Section 2.2 (per-scan rows 24 months; aggregates subscription lifetime + 36 months; destination-change audit logs short-link lifetime + 12 months).

Billing records are retained for 7 years as required by Estonian tax law.

8. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure ("right to be forgotten"): Request deletion of your data, subject to legal retention requirements.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent at any time (for consent-based processing).

To exercise any of these rights, contact privacy@squarebond.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8.5 Scanner Rights

If you have scanned a SquareBond QR code (rather than created one), you may exercise the same rights with respect to the scan analytics row generated by your scan. Because we do not know your identity at scan-time, identifying the corresponding row will rely on the IP address and User-Agent string present at the moment of the scan together with the approximate date and time. We will use reasonable efforts to locate matching rows; we cannot guarantee identification in every case. Requests should be sent to privacy@squarebond.com. Because SquareBond and the Customer are joint controllers for scan analytics (Section 2.2), we may route your request to the Customer where required.

9. International Transfers

Our primary infrastructure is located within the EU. Where data is transferred outside the EEA (e.g., via certain analytics or support tools), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Data Security

We implement industry-standard technical and organisational measures to protect your data, including TLS encryption in transit, encrypted storage, access controls, and regular security reviews. However, no system is completely secure, and we cannot guarantee absolute security.

11. Changes to This Policy

11.1 General

SquareBond may update this Privacy Policy as the Service evolves. The "Last updated" date at the top of this page reflects the most recent revision.

11.2 Material vs. Non-Material Changes

Where a change to this Policy is material — including the introduction of a new lawful basis for processing, a new category of personal data, a new category of recipient or sub-processor materially affecting how Customer data is handled, or an extension of retention beyond the periods set out in Section 2 — SquareBond will:

  • (i) provide email notice at least 30 days before the change takes effect;
  • (ii) require the Customer to affirmatively re-accept the updated Policy at next login; and
  • (iii) treat continued use after the effective date without re-acceptance as a cancellation request under Section 13.2 of the Terms of Service, effective at the end of the current Renewal Term, with no early-termination fee.

Non-material changes (typographical corrections, clarifications, equivalent-service sub-processor substitutions not expanding the categories of data processed) may be made by posting the updated text to this page; continued use constitutes acceptance.

11.3 Statutory Transparency

Material changes affecting the lawful basis, categories of personal data, or recipients of personal data will additionally be notified in accordance with GDPR Articles 12–14 before the change takes effect.

12. Governing Language

This Policy is published in English and may be provided in French, Spanish, or other languages for convenience. The English-language version is the authoritative version; in the event of any discrepancy, the English version prevails for purposes of interpretation, without prejudice to the mandatory consumer-protection law of your country of habitual residence. See Terms of Service §14.

Contact

For privacy-related inquiries:
privacy@squarebond.com
SublAim OÜ — Estonia