This Data Processing Agreement ("DPA") supplements the Terms of Service between QRFancy ("Processor") and the Customer ("Controller") and applies whenever QRFancy processes Personal Data on behalf of the Controller in connection with the Service.
1. Definitions
Capitalised terms not defined here have the meaning given in the EU General Data Protection Regulation ("GDPR") and, where applicable, the UK GDPR.
2. Subject matter and duration
QRFancy processes Personal Data only for the purpose of providing the Service, for the duration of the Customer's account, and in accordance with the Controller's documented instructions (which include the Service configuration chosen in the dashboard).
3. Categories of data and data subjects
- Data subjects: the Controller's end users, scan visitors, and lead-form respondents.
- Personal data: account identifiers, scan event metadata (country, device, referrer; no full IP address), lead-capture submissions if enabled by the Controller, and any data the Controller chooses to embed in QR destinations.
4. Obligations of QRFancy
- Process Personal Data only on documented instructions from the Controller.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Article 32 GDPR) — see Annex II.
- Assist the Controller with data subject requests, DPIAs and breach notifications.
- Notify the Controller without undue delay (and within 72 hours where feasible) of any Personal Data Breach.
- Delete or return all Personal Data at the end of the Service, unless retention is required by law.
5. Sub-processors
The Controller authorises QRFancy to engage the sub-processors listed in our Privacy Policy. QRFancy will give the Controller at least 30 days' notice (by email or in-product) of any new sub-processor. The Controller may object on reasonable grounds; if no resolution is found, the Controller may terminate the affected Service.
6. International transfers
Where Personal Data is transferred outside the EEA / UK, the parties incorporate the EU Standard Contractual Clauses (Module 2 — Controller to Processor, EC Decision 2021/914) and, for UK transfers, the UK International Data Transfer Addendum, by reference.
7. Audit
On reasonable written request and no more than once per year, the Controller (or a mutually agreed independent auditor) may audit QRFancy's compliance with this DPA. QRFancy may satisfy this obligation by providing third-party security reports or penetration test summaries.
8. Liability
Each party's liability under this DPA is subject to the limitation of liability set out in the Terms of Service.
Annex I — Processing details
- Nature and purpose: hosting, storing, displaying and analysing data the Controller submits to the Service.
- Retention: as set out in the Privacy Policy.
Annex II — Security measures
- TLS 1.2+ in transit, AES-256 at rest.
- Row-Level Security on the database; principle of least privilege for staff access.
- Secrets stored in a managed vault, not in source code.
- Centralised logging with restricted access and retention limits.
- Regular dependency audits and a public security contact at security@qrfancy.com.
- Annual restore test of database backups.
Need a counter-signed copy on letterhead? Email legal@qrfancy.com.