Legal
Data Processing Agreement (Summary)
This summary describes how QR1.app processes data on behalf of customers.
1. Roles
- For Customer Content (hosted product pages and files) QR1.app generally acts as a Processor on behalf of the Customer.
- For service security, fraud/abuse prevention, platform logs, and certain aggregated analytics QR1.app may act as an independent Controller (or process data for its own legitimate interests) to operate and secure the service.
2. Processing
We process customer-provided product content to provide the hosting service. We also process scan-related data to provide analytics to the Customer and to operate, secure, and improve the service (as described in the Roles section).
3. Customer Instructions
We process Customer Content in accordance with the Customer’s documented instructions, unless required by EU or Member State law.
4. Security
We apply appropriate technical and organizational measures to protect data.
5. Subprocessors
- Contabo (hosting)
- Supabase self-hosted (database/storage)
- Umami self-hosted (analytics)
- Tolgee self-hosted (localization)
- Stripe (payments; independent controller / separate controller for payment processing)
- MXroute (email delivery; processor/subprocessor; potential transfers; SCC)
- Telegram (notifications if enabled)
- MaxMind (GeoIP database used locally; no IP data is sent to MaxMind during lookups)
6. International Transfers
Email delivery and related metadata may be processed by MXroute, which may involve transfers to third countries. We rely on Standard Contractual Clauses (SCC) and other appropriate safeguards where applicable.
7. Retention
Raw scan analytics are retained for up to 13 months. Customer content remains until deletion.
8. Assistance
We will provide reasonable assistance to the Customer in responding to data subject requests and in meeting GDPR obligations, taking into account the nature of the processing and information available to us.
9. Security Incidents
We will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Content processed as a Processor.
10. Deletion / Return
Upon termination or deletion of the account, we delete Customer Content and related data within the service, unless retention is required by law or necessary for legal claims and security.