Privacy Policy

Privacy Policy

Last updated: May 4, 2026

This Privacy Policy applies to the HCC2D website, including the online generator, API key request form, and related API services (hereinafter referred to as "the Service"). In this Privacy Policy, "we", "us", "our", and "the developer" refer to the developer identified below.

Data Controller / Personal Information Handler: Querini Marco

Country: Italy

Location: Rome, Italy

Contact Email: info@hcc2d.com

1. General Statement

The Service allows users to generate QR codes and HCC2D images and to request API access.

The Service operates using server-side processing. This means that content submitted by users is transmitted to our servers solely for the purpose of generating the requested output.

By using the Service or submitting information, users acknowledge and agree that their data may be processed as described in this Privacy Policy.

We do not sell personal data and do not use submitted content for profiling, marketing, or analytics purposes. Processing is strictly limited to providing the requested functionality and maintaining the security and reliability of the Service.

2. Definition of Personal Information

"Personal Information" refers to any information relating to an identified or identifiable natural person, in accordance with applicable laws including the General Data Protection Regulation (GDPR) and the Personal Information Protection Law of the People's Republic of China (PIPL).

3. Generator Input Data

When using the generator, content submitted by the user is transmitted to our servers and processed solely to generate QR or HCC2D images. Generated files are stored temporarily and automatically deleted within 1 hour. This content may contain personal information depending on what the user provides.

We do not retain generator input beyond temporary processing unless required for security purposes.

4. API Key Requests

When requesting an API key, we may collect:

  • Name
  • Email address
  • Intended use description
  • Optional website or project URL

By submitting an API key request, users consent to the processing of this information for the purposes described in this Policy.

This information is used to evaluate the request, communicate with the applicant, and deliver and manage API access.

API keys are stored only as a SHA-256 hash. The original key is shown once and is not stored in plain form.

5. Server and API Logs

We may automatically collect technical metadata, including:

  • IP address
  • Request timestamps
  • Response status
  • Basic user-agent information

These logs are used strictly for security monitoring, abuse prevention, rate limiting, and service reliability. Logs are retained for up to 30 days and are not used for profiling, marketing, or cross-service tracking.

6. Legal Basis for Processing

We process personal information in accordance with applicable laws, including the General Data Protection Regulation (GDPR) and the Personal Information Protection Law of the People's Republic of China (PIPL).

Under GDPR, processing is based on:

  • Performance of a contract or service (Art. 6(1)(b))
  • Legitimate interests (Art. 6(1)(f)), limited to ensuring security, preventing abuse, and maintaining system integrity
  • Consent, where applicable (Art. 6(1)(a))

Under PIPL, processing is based on:

  • User consent
  • Necessity for the performance of a contract or provision of requested services
  • Necessity for maintaining the security and stable operation of the Service
  • Compliance with legal obligations, where applicable

Processing is limited to what is necessary and is carried out in accordance with the principles of legality, legitimacy, necessity, and good faith.

7. Purpose of Processing

Personal information is processed solely for the following purposes:

  • Generating QR and HCC2D images
  • Providing API access and managing API keys
  • Responding to API key requests
  • Maintaining security and preventing misuse
  • Ensuring service functionality and reliability

8. Data Storage and Retention

We retain data only for as long as necessary:

  • Generated files are automatically deleted within 1 hour
  • API request data is retained for administrative, audit, and abuse-prevention purposes
  • Server logs are retained for up to 30 days

We do not retain generator input beyond temporary processing unless required for security purposes.

9. Data Sharing and Cross-Border Transfer

We do not sell personal information. We do not share personal information with third parties except when necessary to operate and secure the Service or comply with legal obligations.

The Service is hosted on infrastructure provided by Oracle Cloud (OCI), with servers located in Turin, Italy. Personal information is processed within the European Economic Area (EEA).

Users may access the Service from outside the EEA. In such cases, personal information is transmitted by the user to servers in Italy on a user-initiated basis. By using the Service from outside the EEA, users acknowledge and agree that their information will be processed in Italy.

We do not intentionally transfer personal information outside the EEA. If cross-border processing were to occur, it would be carried out in accordance with applicable data protection laws, including GDPR and PIPL, and subject to appropriate safeguards.

10. User Rights

Under applicable laws, including GDPR and PIPL, users may have the right to:

  • Access their personal information
  • Request correction of inaccurate data
  • Request deletion of personal information
  • Restrict or object to processing
  • Request data portability (where applicable)
  • Withdraw consent (where processing is based on consent)
  • Lodge a complaint with a competent data protection authority

Due to the nature of the Service (which does not provide user accounts and does not retain most submitted content beyond temporary processing), some rights may be limited or not applicable in practice. For example, data portability may not apply where no structured, retained dataset exists, and access or deletion rights may be limited to data retained in logs or API request records.

Requests can be submitted via the contact email below. We will respond within a reasonable timeframe, generally within 30 days.

Users may also lodge a complaint with a competent data protection authority.

11. Data Security

We implement reasonable technical and organizational measures to protect personal information.

However, no method of transmission or storage is completely secure, and absolute security cannot be guaranteed.

12. Children's Privacy

The Service is not specifically intended for children. Where required by applicable law, users below the applicable age of consent should use the Service under the supervision of a parent or legal guardian.

13. Updates to This Policy

This Privacy Policy may be updated from time to time. The latest version will always be available on the website.

14. Legal Compliance

This Privacy Policy is designed to comply with applicable data protection laws, including:

  • General Data Protection Regulation (GDPR)
  • Personal Information Protection Law of the People's Republic of China (PIPL), where applicable

15. Contact

If you have any questions or requests regarding this Privacy Policy, please contact:

← Back to HCC2D