capyQR

Acceptable Use Policy

Effective May 16, 2026

Effective date: May 16, 2026 Last updated: May 16, 2026

This Acceptable Use Policy (the "AUP") governs your use of CapyQR (the "Service", as defined in our Terms of Service). It forms part of those Terms of Service and is binding on every User. By using the Service, you agree to comply with this AUP. If you do not agree, you must stop using the Service.

We may update this AUP from time to time; the version in force at the time of the relevant use applies.

1. Who this applies to

This AUP applies to every User of the Service, including Free-Tier Users, Trial Users, paid Subscribers, and anyone who accesses or uses the Service on your behalf. It also applies to anyone who scans, follows, or otherwise interacts with a QR code generated through the Service ("Scanners"), to the extent the relevant conduct is within their control.

You remain responsible for all activity carried out under your Account, including by employees, contractors, or others you authorize.

2. Your core responsibilities

You are solely responsible for:

  • the Customer Content you submit to the Service (URLs, text, vCard fields, designs, file uploads of any kind);
  • the Destination URL of every Dynamic QR you create, for as long as the QR exists, including after it has been printed, distributed, or affixed to physical media;
  • the lawfulness, accuracy, safety, and ongoing functionality of those destinations;
  • any consequences, claim, or harm caused to any Scanner, third party, or regulator by your QR, your Destination URL, or any content displayed at that destination;
  • ensuring you have all rights, licenses, consents, and permissions needed for the content you encode and the destinations you point to;
  • complying with all applicable laws — including the laws of your country of residence, any EU or UK law where it applies to your use of the Service, and any other law that applies to you, your business, your customers, or the territories you operate in.

We are a software-as-a-service provider that creates and resolves QR codes on your behalf. We do not pre-approve, monitor, or moderate Customer Content or Destination URLs in the ordinary course of business. You cannot shift responsibility for your content or destinations to us by virtue of our having technically facilitated it.

3. Prohibited uses — general

You may not use the Service to create, host, distribute, link to, redirect to, or in any way facilitate content or activity that:

3.1 Is unlawful or facilitates unlawful conduct

  • violates any law, regulation, sanctions regime, court order, or governmental order applicable to you or to us — including the law of your country of residence, EU or UK law where applicable, US sanctions law (OFAC), and any other international law that applies;
  • infringes export-control or sanctions law;
  • facilitates fraud, money laundering, terrorism financing, tax evasion, bribery, or any criminal offense;
  • promotes or facilitates illegal drugs, illegal firearms, human trafficking, child sexual abuse material, or any other gravely illegal activity.

3.2 Is deceptive, fraudulent, or misleading

  • impersonates any person, organization, or government;
  • falsely claims affiliation with, sponsorship by, or endorsement from any third party (including us);
  • engages in phishing, smishing, pretexting, identity theft, account takeover, or any social-engineering scheme;
  • uses bait-and-switch tactics, deceptive redirect chains, hidden destinations, cloaking, or any technique designed to mislead the Scanner about where the QR will take them;
  • carries out fake-review, fake-engagement, or other artificial-amplification schemes;
  • promotes pyramid schemes, "get-rich-quick" schemes, or other deceptive monetary practices.

3.3 Is harmful, abusive, or violent

  • threatens, harasses, stalks, bullies, intimidates, or incites violence against any person or group;
  • contains hate speech, discrimination, or content that incites hatred against any protected group;
  • promotes, glorifies, or instructs in self-harm, suicide, eating disorders, or violence;
  • targets minors with content unsuitable for them, or attempts to obtain personal data of a person under 16 without proper consent.

3.4 Distributes malicious or unsafe technology

  • contains or links to malware, ransomware, spyware, adware, rootkits, keyloggers, Trojan horses, worms, time bombs, or any other malicious code;
  • engages in or facilitates the deployment of such code, including watering- hole attacks, drive-by downloads, or malicious-redirect attacks;
  • attempts to compromise the security or integrity of any system, network, or device, including by exploiting known or unknown vulnerabilities;
  • contains links to known-malicious or sanctioned domains, or to content that has been flagged as malicious by recognized security vendors.

3.5 Infringes intellectual property or proprietary rights

  • copies, reproduces, distributes, modifies, or creates derivative works of any third-party content without the necessary rights;
  • uses any third-party trademark, logo, name, or brand in a way that is confusing, deceptive, or unauthorized;
  • infringes copyright, patent, trademark, trade secret, publicity, database, or any other proprietary right;
  • circumvents, removes, or impairs any technical-protection measure or rights-management information.

3.6 Violates privacy or data-protection laws

  • collects, processes, transmits, sells, or rents personal data without the legal basis required by the GDPR, the UK GDPR, the ePrivacy Directive, the US CCPA / state privacy laws, or any other data-protection law applicable to you or to the data subjects;
  • creates or distributes vCard, contact, or other QR types containing personal data of a third party without that third party's consent or other valid legal basis;
  • carries out unlawful surveillance, doxing, "revenge"-content distribution, unconsented sharing of intimate imagery, or unauthorized disclosure of personal information;
  • redirects to content that violates the privacy or data-protection rights of any individual.

3.7 Carries unsolicited or unlawful communications

  • uses the Service to send, support, or enable unsolicited bulk communications ("spam") — including email, SMS, WhatsApp, push, or any other channel — that fail to comply with the GDPR, the ePrivacy Directive, the UK PECR, the US CAN-SPAM Act, or any equivalent anti-spam law applicable to the recipient;
  • redirects to mailing lists, signup forms, or communication channels that violate consent rules;
  • masks, falsifies, or omits the sender identity required by anti-spam law.

3.8 Is obscene, pornographic, or otherwise restricted

  • contains, redirects to, or hosts pornographic, obscene, or sexually explicit content, except where (i) such content is lawful in every jurisdiction it can be accessed from, (ii) all participants are adults who have provided documented consent, (iii) the destination employs appropriate age verification, and (iv) we have explicitly authorized such use in writing — which we are under no obligation to do, and which we may revoke at any time.

3.9 Compromises the Service or our infrastructure

  • attempts to gain unauthorized access to the Service, to other Users' Accounts, or to any underlying infrastructure;
  • circumvents, disables, or interferes with any security, authentication, rate-limiting, abuse-detection, or other technical measure;
  • scrapes, crawls, harvests, or otherwise extracts data from the Service by automated means without our prior written authorization;
  • transmits viruses, malicious code, or content designed to disrupt the Service;
  • conducts security testing, penetration testing, or any form of vulnerability research against the Service without our prior written authorization (you can request that authorization via our security contact at privacy@capyqr.com; we will respond as resources allow but are not obligated to authorize any test);
  • generates artificially inflated scan volume, scan-bot traffic, or any other form of analytics manipulation against your own QRs or those of any other User.

3.10 Misuses the redirect or analytics functions

  • chains your CapyQR Dynamic QR through one or more intermediate redirectors to obscure the final destination;
  • uses Dynamic QRs as part of a click-laundering, ad-injection, or affiliate-cookie-stuffing scheme;
  • creates redirects intended for use in jurisdictions where you do not have the right to operate the underlying business;
  • exports, manipulates, or uses scan analytics for surveillance or other purposes that violate applicable privacy law.

4. Dynamic QRs — specific rules

In addition to the prohibitions in Section 3, you may not, with respect to any Dynamic QR you create through the Service:

  1. point the Destination URL to content that you would not be allowed to distribute directly through the Service under this AUP;
  2. change the Destination URL of a printed Dynamic QR to content materially different in nature from the content you represented at the time of creation, where doing so would mislead a reasonable Scanner — i.e., no bait-and-switch on long-lived printed campaigns;
  3. resell, sublicense, or transfer access to a Dynamic QR to a third party in a way that uses our infrastructure as a redirect-as-a-service product for others (Dynamic QRs are for your own use, not as a wholesale redirector for resale);
  4. use Dynamic QR analytics or rate-limit headroom in any way calculated to gain unfair advantage over us, over our other Users, or in violation of antitrust or competition law.

These rules are in addition to the dynamic-QR-specific contractual terms in Section 9 of the Terms of Service (which include our right to disable, redirect, throttle, or modify any Dynamic QR).

5. Custom domains — additional rules

If you use the custom-domain feature to point your own domain at the CapyQR redirector:

  • you warrant that you are the lawful registrant of, or are duly authorized by the registrant of, the domain;
  • you remain responsible for the registration, renewal, DNS configuration, and all third-party costs of the domain;
  • you must not point a domain at our redirector if doing so would violate any third party's trademark, brand-protection, or proprietary rights;
  • we may refuse to onboard, or may remove, any custom domain that we reasonably believe is being used to facilitate prohibited activity.

6. Reporting violations — notice and action (DSA Art. 16)

If you believe any content reachable via the Service violates this AUP or applicable law, you may submit a notice using the abuse-report form at capyqr.com/abuse or by email to privacy@capyqr.com.

Your notice should include:

  • a description of the content or QR you are reporting (e.g., the capyqr.com/r/<slug> short URL, the custom-domain URL, the destination domain);
  • the reason you believe it violates this AUP or the law (with reference to the specific provision where possible);
  • your name and contact email (we may need it to follow up);
  • a statement that the information in your notice is, to the best of your knowledge, accurate and complete.

We will process notices in accordance with Article 16 of Regulation (EU) 2022/2065 ("Digital Services Act"). We may, in our discretion, take any of the actions in Section 7 in response. We will inform the affected User of action taken to the extent the DSA requires, except where doing so would prejudice an investigation, jeopardize safety, or violate applicable law.

7. Our enforcement rights

We may take any of the following actions, in our reasonable discretion exercised in good faith, with or without prior notice to the affected User, and without liability to you, if we reasonably believe a violation of this AUP, the Terms of Service, or applicable law has occurred or is likely to occur:

  • Investigate the suspected violation, including reviewing logs and Account activity;
  • Disable, redirect, throttle, rate-limit, or remove any individual Dynamic QR, custom domain, or Customer Content;
  • Suspend or terminate your Account in whole or in part;
  • Replace the destination of one or more Dynamic QRs with a generic "Inactive QR" or "QR temporarily disabled" landing page operated by us;
  • Cancel any pending or scheduled communications, exports, or integrations associated with your Account;
  • Refuse to provide any further service to you or to any related Account;
  • Require corrective action as a condition of restoring service;
  • Preserve information relating to the violation in case of legal, regulatory, or enforcement need;
  • Report the suspected violation to law-enforcement authorities, data-protection supervisory authorities (in whichever jurisdiction has competence over the alleged breach), competent courts, payment processors, domain registrars, or other intermediaries, as appropriate;
  • Cooperate with any law-enforcement or judicial process, including responding to subpoenas, court orders, or formal information requests;
  • Pursue legal remedies for any harm caused, including damages, injunctive relief, and costs.

The list above is non-exhaustive. We may take any other action permitted by law or contract.

8. Consequences for you

If we take enforcement action against your Account or your Customer Content because of an actual or suspected AUP violation:

  1. No refund is owed to you for any unused portion of your Subscription term, unless mandatory consumer-protection law requires otherwise.
  2. We retain the right to recover from you any costs, damages, or penalties we incur as a result of your violation, including legal fees and damages we owe to any third party — see Section 18 of the Terms of Service (Indemnification).
  3. We may refuse to allow you to re-register for the Service, including under a different email address, in our discretion.
  4. Where we have reported the violation to law-enforcement or a regulator, we may not be permitted to disclose to you what we have reported, when, or to whom.

9. No obligation to monitor

Nothing in this AUP requires us to monitor Customer Content or Destination URLs in the ordinary course of business. We have neither the legal duty nor the practical capacity to pre-screen every QR our Users create or every URL they point to. We act on credible notices, on signals from our abuse-detection systems, and on our own observation. The absence of enforcement action against any particular content does not constitute our approval of that content, our endorsement of it, or a waiver of our right to act later.

10. Cooperation with authorities

We will cooperate with reasonable, lawful, and properly authenticated requests from law-enforcement, regulatory, or judicial authorities, including under:

  • the EU e-Evidence framework once it applies to us;
  • the Council of Europe Convention on Cybercrime ("Budapest Convention");
  • the GDPR (in the context of supervisory-authority investigations);
  • the DSA (Articles 9–10 orders to act against illegal content / provide information).

We will inform an affected User of such cooperation where the law allows.

11. Examples (non-exhaustive, illustrative)

The following are examples of conduct that would violate this AUP. They are illustrative, not exhaustive. The absence of an example similar to your conduct does not mean your conduct is permitted.

  • Printing 50,000 packaging stickers with a Dynamic QR that redirects to a product landing page, then six months later silently changing the destination to an unrelated cryptocurrency-investment page.
  • Creating a Dynamic QR that, on first scan, redirects to a legitimate page, but subsequently redirects to a phishing clone of a bank login.
  • Creating a vCard QR with a third party's personal contact details without their consent.
  • Running a script that scans your own Dynamic QR every two seconds to inflate your scan counts or to exhaust our rate-limit allowance.
  • Reselling access to "your" Dynamic QR slugs as if they were a white-label redirect-as-a-service product to your customers.
  • Pointing a Dynamic QR at a .zip payload hosted on a hijacked server.
  • Using a vCard QR to mass-distribute someone's personal phone number to harass them.
  • Linking a Dynamic QR to a landing page that sells regulated goods (e.g., pharmaceuticals, financial products, alcohol) in a jurisdiction where you do not hold the required licenses or omit mandatory consumer-information disclosures.

12. Updates to this AUP

We may update this AUP from time to time. Material changes will be notified to active Users by email and/or in-app banner at least thirty (30) days before they take effect. Non-material changes (clarifications, examples, formatting) take effect when posted.

We may also make immediate changes to this AUP where required by law, court order, or to address a new and significant abuse vector; in such cases the change takes effect at posting and we will note the reason in the change log.

13. Reservation of rights

We reserve all rights not expressly granted under this AUP, the Terms of Service, or any other agreement between us. Nothing in this AUP creates any duty on our part to provide any particular level of moderation, monitoring, review, or appeal.

Contact

Report a suspected violation: capyqr.com/abuse or privacy@capyqr.com Questions about this AUP: privacy@capyqr.com Security disclosure (vulnerabilities): privacy@capyqr.com

Last updated: May 16, 2026.