GDPR Compliance
QRZone is committed to compliance with the EU General Data Protection Regulation (GDPR). This page outlines how we process personal data in accordance with GDPR requirements.
Last updated: February 2026
1. Our Role Under GDPR
QRZone acts as a data processor when processing QR scan data on behalf of our customers (data controllers). For account and billing data, QRZone acts as a data controller. This distinction is critical for understanding responsibilities under GDPR.
2. Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract performance: Processing necessary to provide our services as agreed in your subscription
- Legitimate interest: Platform improvement, security monitoring, and fraud prevention
- Consent: Marketing communications and optional analytics cookies
- Legal obligation: Compliance with applicable laws and regulations
3. Data Subject Rights
Under GDPR, individuals have the following rights, which QRZone supports:
- Right of access -- Request a copy of your personal data
- Right to rectification -- Correct inaccurate personal data
- Right to erasure -- Request deletion of your personal data
- Right to restriction -- Limit processing of your data
- Right to data portability -- Export your data in a structured format
- Right to object -- Object to processing based on legitimate interest
To exercise these rights, contact our Data Protection team at privacy@qrzone.io. We respond to valid requests within 30 days.
4. Data Minimisation
QRZone collects only the data necessary to provide our services. Scan data is collected at an aggregate level where possible, and personally identifiable information is minimised by design. We do not collect biometric data, health data, or any special category data through QR scans.
5. Cross-Border Data Transfers
When data is transferred outside the European Economic Area, QRZone relies on Standard Contractual Clauses (SCCs) approved by the European Commission. Our Data Processing Agreement includes these clauses and is available to all customers.
6. Data Protection by Design
QRZone implements privacy-by-design principles throughout our platform development lifecycle. This includes encryption at rest and in transit, access controls, data anonymisation capabilities, configurable retention policies, and regular privacy impact assessments.
7. Sub-Processors
QRZone uses a limited number of sub-processors to provide our services. A current list of sub-processors is available upon request. We notify customers of any changes to our sub-processor list with reasonable advance notice.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to individuals, QRZone will notify affected data controllers without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
9. Data Processing Agreement
QRZone provides a comprehensive Data Processing Agreement (DPA) to all customers. The DPA covers controller/processor responsibilities, processing instructions, security measures, sub-processor management, and cross-border transfer mechanisms. Request your DPA at legal@qrzone.io.
10. Contact
For GDPR-related inquiries, contact our Data Protection team at privacy@qrzone.io or through our contact page.