GDPR Compliance
Your data protection rights and our commitment to privacy
Last Updated:
Our Commitment to GDPR
QRAnalytica is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland. This page explains our GDPR compliance measures and your rights under GDPR.
GDPR Compliant: We have implemented comprehensive technical and organizational measures to ensure the protection of your personal data in accordance with GDPR requirements.
1. Legal Basis for Data Processing
We process your personal data under the following legal bases as defined by GDPR Article 6:
Contract Performance (Article 6(1)(b))
Processing necessary to provide our QR code analytics services, manage your account, and fulfill our contractual obligations to you.
Consent (Article 6(1)(a))
Processing based on your explicit consent for marketing communications, optional features, and third-party integrations.
Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate business interests, including fraud prevention, security, service improvement, and analytics (where not overridden by your rights).
Legal Obligation (Article 6(1)(c))
Processing required to comply with legal obligations, such as tax laws, data retention requirements, and responding to legal requests.
2. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right to Access (Article 15)
You have the right to request access to your personal data and receive information about how we process it.
How to exercise: Contact us or export your data from your dashboard settings.
Right to Rectification (Article 16)
You have the right to correct inaccurate or incomplete personal data.
How to exercise: Update your information in your account settings or contact us for assistance.
Right to Erasure ("Right to be Forgotten") (Article 17)
You have the right to request deletion of your personal data in certain circumstances, such as when it's no longer necessary for the purposes it was collected.
How to exercise: Request account deletion through your dashboard or contact us at [email protected].
Right to Restriction of Processing (Article 18)
You have the right to request that we limit the processing of your personal data in certain situations, such as while verifying data accuracy.
How to exercise: Contact us at [email protected] with your request.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
How to exercise: Export your data in JSON or CSV format from your dashboard or contact us.
Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
How to exercise: Unsubscribe from emails or contact us to object to other processing activities.
Right to Withdraw Consent (Article 7(3))
You have the right to withdraw consent at any time for processing activities that rely on your consent.
How to exercise: Manage your consent preferences in your account settings or contact us.
Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with a supervisory authority if you believe your GDPR rights have been violated.
How to exercise: Contact your local data protection authority or supervisory authority in your country.
3. How to Exercise Your Rights
To exercise any of your GDPR rights, you can:
Response Time
We will respond to your request within 30 days (or sooner in most cases). We may request additional information to verify your identity before processing certain requests.
4. Technical and Organizational Measures
We implement appropriate technical and organizational measures to ensure data protection:
Technical Measures
- End-to-end encryption for data in transit (TLS/SSL)
- Encryption of data at rest in our databases
- Regular security audits and penetration testing
- Automated backup systems with encryption
- Multi-factor authentication for user accounts
- Intrusion detection and prevention systems
Organizational Measures
- Staff training on data protection and GDPR compliance
- Data protection by design and by default principles
- Regular privacy impact assessments
- Vendor due diligence and data processing agreements
- Incident response and breach notification procedures
- Access controls and role-based permissions
Data Minimization
We collect only the data necessary to provide our services and delete it when no longer needed. We apply pseudonymization and anonymization where possible to protect your privacy.
5. Data Processing Agreements (DPA)
For enterprise customers who need a Data Processing Agreement (DPA) to comply with GDPR Article 28, we provide a comprehensive DPA that includes:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Processor obligations and rights
- Sub-processor arrangements
- Data security measures
- Data breach notification procedures
- Assistance with data subject rights
- Deletion and return of data
Need a DPA? Contact us at [email protected] to request a Data Processing Agreement.
6. International Data Transfers
When we transfer personal data outside the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs)
We use European Commission-approved Standard Contractual Clauses for data transfers to countries without an adequacy decision.
Adequate Safeguards
We conduct transfer impact assessments and implement supplementary measures where necessary to ensure data protection equivalent to GDPR standards.
Service Provider Locations
Our primary service providers are located in:
- European Union (data storage)
- United States (cloud infrastructure with SCCs)
7. Data Breach Notification
In accordance with GDPR Articles 33 and 34, we have procedures in place to detect, report, and investigate data breaches:
To Supervisory Authority
We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms.
To Affected Individuals
If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, describing the breach, its likely consequences, and mitigation measures.
8. Processing Children's Personal Data
In accordance with GDPR Article 8, our services are not directed to children under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.
If you are a parent or guardian and believe we have collected information from your child, please contact us immediately so we can delete it.
9. Automated Decision-Making and Profiling
Good News: We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
We use basic analytics to understand usage patterns and improve our services, but these do not result in automated decisions about individuals.
10. Data Protection Officer & Contact
For questions about GDPR compliance or to exercise your rights, contact us:
Response Time
Within 30 days of receiving your request
Include "GDPR Request" in your email subject line to ensure prompt handling of your inquiry.
Have Questions About Your Data Rights?
We're committed to protecting your privacy and helping you exercise your GDPR rights. Don't hesitate to reach out.