QROMO OÜ ("QROMO", "we", "us", "our") is the data controller responsible for your personal data. We are registered in the Republic of Estonia and operate the QROMO mobile application and website at qromo.xyz.
For data protection enquiries, contact us at privacy@qromo.xyz.
We collect the following categories of personal data:
| Data | Details |
|---|---|
| Phone number | Collected at registration. Used as your primary identifier and for OTP authentication via SMS. |
| Data | Details |
|---|---|
| Wallet public address | Your Solana wallet public address (not private key). This is a public blockchain identifier stored on our servers and on the Solana blockchain. |
| Encrypted wallet key backup | An encrypted copy of your wallet private key, stored on our servers. It is encrypted with a key derived from your phone number and is inaccessible to QROMO. |
| Scan history | Records of QR code scans associated with your account, including campaign ID, timestamp, and reward amount received. |
| Reward and withdrawal history | Records of cryptocurrency rewards credited to your account and any withdrawal requests made. |
| Device information | Platform (iOS / Android / web), operating system version, and app version for technical support and abuse prevention. |
| Authentication logs | IP address and timestamp of login events, retained for security purposes. |
| Purpose | Data used |
|---|---|
| Creating and managing your account | Phone number, device info |
| Sending OTP authentication codes via SMS | Phone number |
| Generating and recovering your non-custodial wallet | Encrypted key backup |
| Processing QR scans and distributing rewards | Wallet address, scan history |
| Processing withdrawal requests | Wallet address, reward balance |
| Fraud detection and platform security | Authentication logs, device info, scan history |
| Complying with legal obligations | All data as required by applicable law |
| Improving the service (analytics) | Aggregated, anonymised scan and engagement statistics |
We do not sell, rent, or share your personal data with advertisers or third-party marketing platforms.
We process your personal data under the following legal bases as defined in Article 6 of the GDPR:
| Legal basis | Applied to |
|---|---|
| Contract performance (Art. 6(1)(b)) | Account creation, OTP authentication, wallet generation, reward distribution, and withdrawal processing — all necessary to provide the service you requested. |
| Legitimate interests (Art. 6(1)(f)) | Security monitoring, fraud detection, abuse prevention, and aggregated analytics. We balance these interests against your rights and freedoms. |
| Legal obligation (Art. 6(1)(c)) | Record-keeping and disclosure to authorities where required by Estonian or EU law. |
| Consent (Art. 6(1)(a)) | QROMO does not currently rely on consent as a legal basis for any core processing. If we introduce optional features in the future (such as marketing communications or optional analytics), we will seek your explicit consent at that time and you will be able to withdraw it freely at any time without affecting the core service. |
We share your data only with the following categories of recipients:
We use Twilio to send OTP SMS messages. Your phone number is transmitted to Twilio solely for this purpose. Twilio is certified under the EU-US Data Privacy Framework and processes data under a Data Processing Agreement with us. Twilio's privacy policy is available at twilio.com/legal/privacy.
Your wallet's public address and all on-chain transactions are publicly visible on the Solana blockchain by design. This is inherent to how public blockchains work and cannot be limited. We do not link your phone number to your public address in any public-facing context.
Our servers are operated on cloud infrastructure. Personal data may be stored on servers located within the European Economic Area. We apply appropriate contractual safeguards for any processing outside the EEA.
If you request a bank transfer withdrawal, your request may be processed through a third-party fiat off-ramp provider. That provider's own privacy policy will apply to the data you provide directly to them.
We may disclose your data to competent authorities if required by Estonian or EU law, or to protect the rights, property, or safety of QROMO, its users, or the public.
| Data | Retention period |
|---|---|
| Account data (phone number) | Until you close your account, plus 30 days for recovery, then deleted. |
| Scan and reward history | 3 years from the date of the scan, for legal and audit purposes. |
| Withdrawal records | 7 years, as required by Estonian accounting law. |
| Authentication logs (IP, timestamp) | 90 days, for security monitoring. |
| Encrypted wallet key backup | Until you close your account and request deletion. Note: on-chain transactions remain on the Solana blockchain indefinitely and cannot be deleted. |
As a data subject in the European Union, you have the following rights:
To exercise any of these rights, email us at privacy@qromo.xyz. We will respond within 30 days. We may need to verify your identity before processing the request.
Please note that deleting your account will result in the loss of access to your encrypted wallet backup. You should withdraw all funds and export your wallet before requesting account deletion.
Our primary servers are operated within the European Economic Area. Where personal data is transferred to recipients outside the EEA (such as Twilio, which operates globally), we ensure appropriate safeguards are in place, including:
You may request a copy of the applicable safeguards by emailing privacy@qromo.xyz.
We implement appropriate technical and organisational measures to protect your personal data, including:
No system is completely secure. If you become aware of any security incident, please notify us immediately at security@qromo.xyz.
The QROMO Service is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@qromo.xyz and we will promptly delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification or by posting a prominent notice on our website at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
For any privacy-related questions or to exercise your rights, please contact:
If you are not satisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
EU residents may also contact the data protection authority in their country of residence.