GDPR + QR analytics: what we hash, what we don't
- 1
The raw IP never touches the database
When a scan arrives, the redirect handler computes SHA-256(ip + per_install_salt) and writes only the first 16 hex chars to `meliqs_scans.ip_hash`. The full IP appears in PHP memory for at most one request cycle, then is garbage-collected. We never log it.
- 2
What's in a scan event
Per scan we store: hashed IP (16 hex chars), user-agent string (truncated to 200 chars), country (from CDN header — not IP), city if GeoIP is enabled (off by default), referrer, UTM params, timestamp. No first-name, last-name, email, or device identifier.
- 3
Bot filtering removes non-humans first
Before any row is written, we run the user-agent against 25+ known bot patterns and discard matches. The hash function never runs on bot IPs. Bots account for roughly 6-9 % of total inbound scans on our customer cohort.
- 4
Retention is per-event, configurable
Scan-level rows are retained 30 days by default on the Free plan; configurable up to 36 months on Agency. After the retention window, daily aggregates remain (scan counts per QR, per country, per day) but row-level events are deleted. This matches GDPR Article 5(1)(e): storage limitation.
- 5
No third-party data egress by default
No data is sent to Google Analytics, Meta Pixel, or any external analytics by default. The plugin admin must explicitly opt in to GA4 or Meta Pixel forwarding, at which point those services receive only the events the admin selected — never raw IPs or user-agents.
Frequently asked questions
What is QRCode Suite?
QRCode Suite is a premium WordPress plugin that generates branded, dynamic QR codes directly inside your WordPress dashboard. Scan data is stored on your own server — not on a third-party SaaS platform — and WooCommerce orders can be attributed to specific QR codes.
Does QRCode Suite require a separate subscription?
The Free plan is available at no cost. Paid plans (Pro, Business, Agency) are licensed per WordPress site and billed monthly or annually. There is no separate per-scan fee.
What QR code types does QRCode Suite support?
QRCode Suite supports 15 QR code types: URL, vCard, Wi-Fi, SMS, Email, WhatsApp, PDF, Coupon, Plain Text, Social profile, WooCommerce Product, WooCommerce Reorder, Link Hub, Phone, and Dynamic URL.
Can I change the destination of a QR code after printing it?
Yes. Dynamic QR codes use a short redirect URL. You can update the destination from your WordPress dashboard at any time without generating or reprinting the code.
Is QRCode Suite GDPR-compliant?
Yes. QRCode Suite hashes IP addresses with SHA-256 before storage so no raw IPs are ever saved. It also filters bot traffic automatically and includes configurable data-retention settings.
Need help getting started?
Download the free plugin or browse all documentation.