Privacy Policy
Privacy that matches how PayMyQR actually works
Effective Date: April 10, 2026 · Last updated: May 15, 2026
1. Who we are and how this policy works
PayMyQR is the publisher and operator of the PayMyQR app and this landing site. This Privacy Policy explains what information PayMyQR may process, why it is processed, when it may be shared, and what choices and rights you may have under applicable law, including Indian law and, where relevant, frameworks such as the GDPR and California privacy law.
PayMyQR is designed around a local-first model. In normal use, much of the content you create or manage in the app is intended to stay on your device or in storage locations you choose. That said, PayMyQR is not a zero-third-party product. Depending on the features you use, third-party services such as Google Play Billing, Google Mobile Ads, Android system services, or your chosen storage provider may also process limited information under their own terms and privacy policies.
2. Information PayMyQR may process
Depending on the features you use, PayMyQR may process the following categories of information:
- Information you enter directly, such as profile names, UPI IDs, contact details, QR content, links, email addresses, WhatsApp numbers, bank-related profile details, business-card content, notes, reminders, and utility labels.
- Camera input, imported images, scanned QR content, document captures, and image-based autofill data when you use capture, scan, vault, or document features.
- Microphone or speech input when you choose optional voice-driven capture or todo features.
- Contacts data when you choose to import contacts into PayMyQR flows.
- SMS content, message metadata, and transaction-related details when SMS-based financial parsing or payment confirmation is enabled.
- Notification content if you enable Android notification-listener access for payment or financial-detection features.
- Calendar data when you choose reminder or event-sync flows.
- Files, exported archives, imported backups, and user-selected storage destinations for import, export, backup, restore, or vault-related workflows.
- Vault password entries you choose to store, including site domains or URLs, usernames or email addresses, passwords, optional labels or notes, and optional links between an Android app package name and a website domain when you use password-manager or assisted-capture features.
- Technical and entitlement information needed for app security, app integrity, purchase status, subscription handling, ad eligibility, backup metadata, and feature availability.
3. Why we process information
PayMyQR processes information only for feature and operational purposes that are reasonably connected to the app, including providing QR, overlay, vault, capture, financial tracking, payment confirmation, backup, restore, reminder, and monetization functionality.
- To create, display, edit, secure, export, restore, and delete user content inside the app.
- To detect and confirm relevant financial events, transaction states, and payment-related activity.
- To support user-requested imports from SMS, notifications, contacts, images, audio, or files.
- To provide premium purchases, subscriptions, entitlement restoration, ad-free access, and related customer support.
- To show ads in supported versions of the app.
- To maintain app security, prevent abuse, diagnose failures, and comply with legal obligations.
- To store, fill, and update login credentials you explicitly save in Vault, including through optional Android Autofill and assisted capture flows you initiate.
Where applicable law requires a legal basis, PayMyQR may rely on consent, performance of a contract or requested service, legitimate interests in secure and responsible operation, and compliance with legal obligations.
4. Permissions and sensitive access
PayMyQR may request Android permissions or sensitive access only when those permissions are tied to a current feature offered in the app. Permissions are intended to support the feature you choose to use, not broad unrelated collection.
- Camera: used for QR scanning, profile capture, vault capture, card capture, and document/image workflows.
- Microphone: used for optional speech and voice-input features.
- Contacts: used only when you choose to import or use contact-based flows.
- Calendar: used only when you choose reminder or event-sync features.
- Notification access: used only if you enable financial or payment-related notification parsing features.
- Storage and file access: used for import, export, backup, restore, and user-selected file handling.
- Autofill service (optional): if you enable PayMyQR as your device’s Autofill provider in Android settings, the app may offer to fill or save login fields in other apps through the platform Autofill framework when you use those apps. PayMyQR does not use Accessibility services or screen recording to read login fields in other apps.
If you deny or later revoke a permission, the related feature may stop working, may work in a limited mode, or may become unavailable. Other parts of the app may continue to function depending on the feature and app configuration.
5. Vault passwords, assisted capture, and Autofill
PayMyQR Vault can act as a local password manager for credentials you choose to store. This section describes how assisted password capture works and what PayMyQR does not do.
- Local storage: passwords and related login metadata are stored on your device as part of your Vault content, subject to your Vault security settings (such as passcode or biometric unlock). PayMyQR does not sell vault passwords or use them for advertising personalization.
- Manual entry: you may type or paste site, username, and password details yourself.
- Assisted website capture: if you choose “Browse website,” PayMyQR opens an in-app browser. You navigate to sign-in pages yourself. Credentials are read from that in-app page only when you tap an explicit action such as “Save login.” PayMyQR does not monitor browsing in the background or read pages you do not choose to save.
- Assisted app capture: if you choose “Pick app,” you may launch another app and complete sign-in there. Saving typically occurs through Android’s Autofill save prompt after you submit a login form, or through a link-only entry you confirm in Vault when you choose to save an app association without a password yet.
- User control: capture happens only when you start a Vault flow and confirm a save action. PayMyQR does not silently harvest credentials from Chrome, other browsers, or other apps outside the Autofill framework.
- Multi-step sign-in: some websites (for example Google or Microsoft) show email and password on separate screens. You may need to continue to the password step before saving. PayMyQR may show guidance when a password field is not yet present on the current page.
- Third-party sites and apps: when you sign in to a third-party service inside Vault or through Autofill, that service’s own terms and security practices also apply. Some providers limit or discourage sign-in inside embedded browsers.
If you disable PayMyQR as your Autofill provider or revoke related permissions, autofill and assisted app-save features may stop working while manual Vault storage may still be available depending on your configuration.
6. SMS and payment confirmation
PayMyQR requests SMS access because SMS-based payment and transaction confirmation is a core feature of the app. When you use PayMyQR to display a payment QR or receive money through supported payment flows, PayMyQR may read relevant transaction-related SMS messages on your device to help confirm whether a payment was successfully completed, credited, debited, settled, or otherwise updated by a bank, UPI provider, card issuer, or other financial institution.
We use SMS access to detect and confirm payment or transaction status for QR-based payment flows, identify relevant details such as amount, timestamps, issuer/provider cues, account hints, or reference fragments, and reduce false confirmations where notification-only signals are delayed, blocked, incomplete, or unreliable.
- PayMyQR is designed to process SMS-derived financial information primarily on-device.
- We do not request SMS access for advertising, unrelated profiling, or generic marketing use.
- We do not knowingly sell SMS content.
- Because Android permission controls may grant broader technical access than a single message, our policy is to use SMS access only for the limited financial and payment-confirmation purposes described here.
If SMS permission is denied or revoked, payment or transaction confirmation features may not work correctly or may be unavailable.
7. Ads, billing, and third-party services
Some versions of PayMyQR may display ads. If ads are enabled, Google Mobile Ads or related ad partners may process technical information associated with ad delivery, fraud prevention, and measurement. PayMyQR does not use your SMS content, contact imports, vault passwords, or payment details for advertising personalization.
If you use paid features, purchases, subscription handling, entitlement restoration, and billing-related status may be processed through Google Play Billing or related platform infrastructure. Payment instruments and store-managed purchase records are handled by Google or other platform providers under their own terms.
PayMyQR may also interact with user-selected storage providers, Android system services, email or messaging apps, sharing targets, and other third-party services when you choose to export, share, back up, restore, or otherwise connect the app to them. Those services remain subject to their own privacy policies and security practices.
8. Sharing, backups, retention, and security
We do not treat your in-app content as something to sell commercially for cash. However, information may be disclosed when necessary to operate app features, respond to lawful requests, protect rights or safety, investigate abuse, complete a merger or restructuring, or support services you explicitly choose, such as export, sharing, or backup destinations.
PayMyQR includes backup, export, and restore features that may write encrypted or user-readable files to your device or to storage locations you choose. If you back up to your own cloud drive, folder, or storage provider, you are responsible for access control and account security for that destination.
Because the app is largely local-first, much of your information remains on your device until you edit it, delete it, export it, clear app data, or uninstall the app. We retain information only for as long as reasonably necessary for feature operation, security, entitlement management, backup integrity, support handling, and legal compliance.
We use reasonable technical and organizational safeguards appropriate to the app’s design, including local-first storage patterns and encrypted backup mechanisms in relevant flows. No method of storage, transmission, or device security is completely risk-free. To the fullest extent permitted by law, PayMyQR does not guarantee absolute security and is not responsible for losses caused by device compromise, malware, rooted or jailbroken environments, insecure device settings, your failure to protect passphrases or accounts, or third-party platform failures. Nothing in this policy excludes liability where exclusion is not permitted by applicable law.
9. Your rights and regional notices
Depending on where you are located and subject to legal limits and technical feasibility, you may have rights to access personal data, request correction, request deletion or erasure, withdraw consent, object to or restrict certain processing, request portability where applicable, and complain to a regulator or data-protection authority.
For local-only information stored on your device, many rights can be exercised directly by editing or deleting content in the app, revoking permissions, deleting backup files, clearing app data, or uninstalling the app. For privacy requests that require our review, contact contact@paymyqr.in. We may request reasonable verification before acting on a request and may deny or limit requests where permitted by law.
- India: where the Digital Personal Data Protection Act, 2023 applies, PayMyQR aims to provide notice, honor consent and applicable legal bases, use reasonable security safeguards, and support grievance or rights handling subject to legal exceptions and technical realities.
- EEA and UK: where GDPR or similar laws apply, PayMyQR seeks to provide transparent notice of controller identity, purposes, legal bases, recipients, retention, international-processing implications, and available rights.
- California: if California law applies, you may have rights such as the right to know, delete, and receive equal treatment for exercising privacy rights, subject to the limits and exceptions allowed by law.
10. Children, international use, policy changes, and contact
PayMyQR is not intended for use by children where consent, age-gating, or parental authorization is required under applicable law. If you believe a child has provided personal data contrary to law, contact us and we will review the request in line with applicable legal requirements.
If third-party services are involved, including app-store, billing, ad, device-platform, or user-selected cloud-storage services, information may be processed outside your country of residence, subject to the legal mechanisms and safeguards applicable to those providers.
We may update this Privacy Policy from time to time to reflect app changes, legal developments, or operational requirements. The updated version becomes effective when posted here unless a different date is stated.