Privacy Policy for CarQR

Effective Date:** 17.05.2026 **Website: luminadigitale.com

This Privacy Policy explains how CarQR ("CarQR", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when users access or use the CarQR mobile application, website, public QR alert pages, vehicle alert services, premium features, physical QR products, car scent packages, support channels, and related services.

CarQR is a QR-based vehicle alert platform. A vehicle owner adds a vehicle in the app, receives a QR code or QR link, places the QR code on or inside the vehicle, and third parties may scan the QR code to send limited predefined vehicle-related alerts without seeing the vehicle owner's phone number.

CarQR is not an emergency service, law enforcement service, towing service, insurance service, vehicle security system, or guaranteed communication channel.

1. Data Controller

For applicable privacy and data protection laws, including KVKK, GDPR, UK GDPR, and similar regulations where applicable, the data controller is CarQR. For data protection and privacy requests, use the contact page on luminadigitale.com.

2. Information We Collect

We may collect the following categories of information depending on how the user interacts with CarQR.

2.1 Account Information

We may process:

• Email address
• User ID
• Authentication identifiers
• Account creation date
• Login/session information
• Language preference
• App settings

Passwords and authentication processes may be handled by third-party authentication infrastructure such as Firebase Authentication. We do not intentionally store plain-text passwords.

2.2 Vehicle Information

Depending on what the user provides, we may process:

• Vehicle nickname
• Vehicle type
• Vehicle color
• Vehicle QR slug
• Public QR URL
• QR status
• Vehicle alert preferences
• Vehicle-related notification history

Users should not enter unnecessary sensitive or personal information into vehicle names, notes, or QR-related fields.

2.3 QR Alert Information

When a third party scans a CarQR code and sends an alert, we may process:

• QR slug
• Selected alert category
• Timestamp
• Alert delivery status
• Seen/resolved/archived status
• Technical request metadata
• Abuse-prevention and rate-limit data

The QR scanner does not need to install the app.

2.4 Device and Technical Information

We may process:

• Device type
• Operating system
• App version
• Firebase Cloud Messaging token
• IP address
• User agent
• Crash logs
• Diagnostics
• Security logs
• Rate-limit and abuse-prevention metadata

2.5 Shipping and Physical Product Information

If physical products are offered, such as QR stickers, QR cards, car scents, premium kits, or replacement products, we may process:

• Recipient name
• Delivery address
• Delivery phone number, if required for delivery
• Country/city/postal code
• Order and fulfillment status
• Delivery-related support communications

Shipping information is used for fulfillment, fraud prevention, customer support, legal compliance, and operational purposes.

2.6 Subscription and Purchase Information

If purchases or subscriptions are offered, we may process:

• Selected plan
• Purchase status
• Subscription status
• Entitlement status
• Transaction reference
• Renewal/cancellation/refund status
• Platform purchase metadata

We do not intentionally store full card details directly.

2.7 Support Communications

If users contact us, we may process:

• Email address
• Name, if provided
• Account/order references
• Support message content
• Screenshots or attachments voluntarily provided
• Communication history

2.8 Cookies and Similar Technologies

Our website and public QR pages may use cookies, local storage, CAPTCHA/Turnstile-like protection, security tokens, and similar technologies for security, abuse prevention, language settings, session handling, analytics if enabled, and service performance.

3. How We Use Data

We use personal data to:

• Create and manage user accounts
• Authenticate users
• Generate and manage vehicle QR codes
• Deliver vehicle alerts
• Send push notifications
• Display notification history
• Manage vehicle alert preferences
• Enable QR sharing, saving, printing, or PDF delivery
• Provide premium features
• Manage physical product fulfillment, if applicable
• Process subscriptions and entitlements, if applicable
• Provide customer support
• Prevent spam, abuse, fraud, unauthorized access, scraping, and misuse
• Maintain security and system integrity
• Enforce our Terms
• Comply with legal obligations
• Protect our rights, users, and third parties

4. Legal Bases

Where applicable privacy laws require a legal basis, we may rely on:

• Performance of a contract
• User consent
• Legitimate interests
• Compliance with legal obligations
• Establishment, exercise, or defense of legal claims
• Platform security and abuse prevention

Examples:

• Account and vehicle data are processed to provide the CarQR service.
• FCM tokens are processed to send push alerts.
• Shipping data is processed to deliver physical products.
• Security logs are processed to prevent abuse and fraud.

5. Push Notifications

CarQR uses push notifications to alert vehicle owners. Push delivery depends on device settings, notification permissions, internet access, operating system restrictions, Firebase Cloud Messaging availability, and other third-party infrastructure.

We do not guarantee that every notification will be delivered instantly, successfully, or at all.

If users disable notifications, core alert functionality may not work properly.

6. Public QR Pages

Public QR pages are designed to let third parties send limited vehicle-related alerts without exposing the vehicle owner's phone number, email address, or private contact details.

Public QR pages must not be used for:

• Harassment
• Spam
• Threats
• Fraud
• Advertising
• Scraping
• Stalking
• Illegal content
• Attempting to identify or expose the vehicle owner
• Misusing the alert system

We may block, rate-limit, investigate, log, or restrict abusive activity.

7. Data Sharing

We may share data with:

• Cloud infrastructure providers
• Authentication providers
• Database providers
• Push notification providers
• Hosting providers
• Payment or app store providers, if purchases are enabled
• Delivery/fulfillment partners, if physical products are offered
• Customer support tools
• Analytics providers, if enabled
• Legal, tax, accounting, compliance, and professional advisors
• Authorities, courts, or regulators where legally required
• Successors in case of merger, transfer, restructuring, or sale of assets

We do not publicly display vehicle owner phone numbers on QR pages.

We do not sell users' private contact details.

8. International Transfers

Your data may be processed in Türkiye or other countries where our service providers operate. Where required, we use appropriate legal safeguards, contractual protections, or other recognized transfer mechanisms.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.

Indicative retention:

• Account data: while the account is active
• Vehicle data: while the vehicle remains registered
• Alert history: according to plan limits, app settings, or deletion requests
• Security logs: for a limited period necessary for abuse prevention and legal protection
• Shipping/order records: as required for fulfillment, tax, accounting, consumer law, and disputes
• Support records: as needed for customer support, dispute resolution, and legal protection

We may anonymize or aggregate data so it no longer identifies users.

10. Security

We use reasonable technical and organizational measures, including:

• Authentication controls
• Server-side business logic
• Database security rules
• Restricted client access
• Rate limiting
• Abuse logging
• Secure infrastructure
• Access controls
• Encryption in transit where supported

No system is completely secure. Users are responsible for keeping their devices, accounts, and credentials secure.

11. User Rights

Depending on applicable law and location, users may have rights to:

• Access personal data
• Correct inaccurate data
• Request deletion
• Restrict processing
• Object to processing
• Withdraw consent
• Request portability
• Opt out of certain data sharing
• File a complaint with a data protection authority

Requests can be submitted through the contact page on luminadigitale.com.

We may verify identity before processing requests.

12. Children

CarQR is not intended for children under 13 or under the minimum legal age required in the user's jurisdiction. We do not knowingly collect personal data from children. If we become aware of such processing, we will delete the data where legally required.

13. Third-Party Services

CarQR may interact with third-party services such as app stores, cloud providers, authentication providers, payment processors, hosting providers, analytics tools, and delivery partners. Their privacy practices are governed by their own policies.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes may be communicated through the app, website, email, or other reasonable methods.

Continued use of CarQR after changes means acceptance of the updated Policy where permitted by law.

15. Contact

For privacy, data protection, support, and account requests, use the contact page on luminadigitale.com.