This Data Processing Agreement (“DPA”) is entered into between PageQR (“Processor”, “we”, “us”, or “our”) and the customer entity that has agreed to PageQR’s Terms of Service (“Controller” or “you”). This DPA supplements and is incorporated into the Terms of Service and applies where PageQR processes personal data on behalf of the Controller as a data processor under applicable data protection law, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and equivalent legislation.
By using PageQR’s services, you agree to the terms of this DPA. If you require a signed copy, contact privacy@pageqr.io.
1. Definitions
For the purposes of this DPA:
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”), as defined in applicable data protection law.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- “Controller” means the entity that determines the purposes and means of processing Personal Data (you, the customer).
- “Processor” means the entity that processes Personal Data on behalf of the Controller (PageQR).
- “Sub-processor” means a third party engaged by PageQR to process Personal Data in connection with the services.
- “Services” means the PageQR platform and related services as described in the Terms of Service.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Scope and Purpose of Processing
Subject Matter
PageQR processes Personal Data for the sole purpose of providing the Services to the Controller as described in the Terms of Service and this DPA.
Nature of Processing
Storage, retrieval, display, and deletion of data uploaded or generated through the Services.
Types of Personal Data Processed
- Controller’s account data: email address, display name, company name
- Content data uploaded by Controller: text, image files, PDF files, video URLs, links
- End user data collected via the Services: anonymized scan analytics (hashed IP addresses, approximate geographic location, device type, timestamp), and optionally email addresses collected via lead-capture gates on Controller’s pages
- Payment-related identifiers: Stripe customer ID, subscription status
Categories of Data Subjects
- The Controller’s authorized users (account holders)
- End users who scan the Controller’s QR codes and visit instruction pages
- End users who submit their email address through lead-capture gates on the Controller’s pages
Duration of Processing
PageQR processes Personal Data for the duration of the Controller’s subscription and until data is deleted in accordance with the retention schedule in our Privacy Policy and Section 8 of this DPA.
3. Controller Obligations
The Controller represents and warrants that:
- It has a lawful basis for processing Personal Data and for instructing PageQR to process Personal Data on its behalf.
- It has provided all required notices to, and obtained all required consents from, data subjects as required by applicable data protection law.
- Its instructions to PageQR comply with applicable data protection law.
- It will promptly notify PageQR if it becomes aware of any instructions that violate applicable data protection law.
4. Processor Obligations
PageQR agrees to:
- Process Personal Data only on documented instructions from the Controller (including as set out in the Terms of Service and this DPA), unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational security measures in accordance with Section 5 of this DPA.
- Respect the conditions for engaging Sub-processors as set out in Section 6 of this DPA.
- Assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law, to the extent reasonably practicable given the nature of the processing.
- Assist the Controller in meeting its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and information available to PageQR.
- At the Controller’s choice, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits or inspections.
- Notify the Controller without undue delay if any instruction infringes applicable data protection law.
5. Security Measures
PageQR implements appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Database storage and object storage are encrypted at rest.
- Access controls: Row-Level Security (RLS) policies at the database level ensure users can only access their own data. Internal access is restricted on a need-to-know basis.
- Authentication: Secure authentication flows using PKCE (Proof Key for Code Exchange) are implemented. We do not store passwords.
- IP address handling: Raw IP addresses of end users scanning QR codes are never stored. We apply irreversible one-way hashing before storage.
- Vulnerability management: Dependencies are regularly updated and scanned for known vulnerabilities.
- Infrastructure security: Services are hosted on Vercel and Supabase, both of which maintain SOC 2 Type II compliance.
PageQR reviews and updates its security measures on an ongoing basis to account for the state of the art, costs of implementation, and risks posed by processing.
6. Sub-processors
The Controller provides a general authorization for PageQR to engage Sub-processors, subject to the requirements of this Section. PageQR will inform the Controller of any intended changes to Sub-processors, giving the Controller reasonable opportunity to object before the new Sub-processor begins processing. If the Controller objects on reasonable data protection grounds, PageQR will work to resolve the objection.
Approved Sub-processors
The following Sub-processors are currently authorized:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Authentication and database hosting | United States |
| Stripe | Payment processing | United States |
| Vercel | Application hosting and edge network | United States / Global |
| Cloudflare R2 | File and media storage | United States |
| Resend | Transactional email delivery | United States |
PageQR requires all Sub-processors to comply with data protection obligations equivalent to those in this DPA by way of written contract.
7. Data Subject Rights
To the extent that data subjects exercise their rights under applicable data protection law directly against PageQR, PageQR will promptly notify the Controller and, where possible, refer the data subject to the Controller. Where the Controller cannot fulfill a data subject request without PageQR’s assistance, PageQR will provide commercially reasonable assistance.
Data subjects may exercise the following rights:
- Right of access (Article 15 GDPR) — request a copy of personal data held
- Right to rectification (Article 16 GDPR) — correct inaccurate data
- Right to erasure (Article 17 GDPR) — request deletion of personal data
- Right to data portability (Article 20 GDPR) — receive data in a structured, machine-readable format
- Right to restriction (Article 18 GDPR) — restrict processing in certain circumstances
- Right to object (Article 21 GDPR) — object to processing based on legitimate interests
To exercise these rights, data subjects should contact the Controller in the first instance. For requests directed to PageQR, contact privacy@pageqr.io.
8. Data Retention and Deletion
PageQR retains Personal Data for the duration of the Controller’s subscription and in accordance with the retention schedule set out in our Privacy Policy. Upon termination of the Services, or upon the Controller’s written request, PageQR will:
- Delete or anonymize all Personal Data within 30 days, unless longer retention is required by law.
- Ensure Sub-processors delete Personal Data in a consistent timeframe.
- Provide the Controller with written confirmation of deletion upon request.
Payment records may be retained for 7 years as required by financial regulations, managed by our payment processor, Stripe.
9. Data Breach Notification
In the event PageQR becomes aware of a personal data breach affecting Personal Data processed under this DPA, PageQR will:
- Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
- Provide sufficient information to allow the Controller to meet its notification obligations to supervisory authorities and data subjects, including:
  - A description of the nature of the breach
  - The categories and approximate number of data subjects affected
  - The categories and approximate number of records affected
  - The likely consequences of the breach
  - Measures taken or proposed to address the breach
- Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.
Breach notifications should be reported to privacy@pageqr.io.
10. International Data Transfers
Personal Data is processed and stored primarily in the United States. For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries not recognized as providing adequate protection under applicable law, PageQR relies on the following safeguards:
- EU Standard Contractual Clauses (SCCs): Transfers from the EEA to the United States are governed by the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor and Module 3: Processor to Sub-processor), as adopted by Commission Decision (EU) 2021/914 of 4 June 2021.
- UK International Data Transfer Agreement (IDTA): Transfers from the United Kingdom comply with the ICO-approved IDTA, or the EU SCCs with the UK Addendum.
- Sub-processor transfers: PageQR requires all Sub-processors to implement appropriate safeguards for international transfers of Personal Data.
By accepting this DPA, the Controller agrees to the incorporation of the applicable SCCs or IDTA into this agreement. Copies of the applicable transfer mechanisms are available upon request at privacy@pageqr.io.
11. Confidentiality
PageQR will ensure that any person it authorizes to process Personal Data under this DPA is subject to appropriate obligations of confidentiality, whether by contract or professional obligation, and that such persons process Personal Data only as necessary to provide the Services.
12. Audits and Compliance
Upon the Controller’s reasonable written request (no more than once per year absent cause), PageQR will:
- Make available all information necessary to demonstrate compliance with the obligations set out in this DPA.
- Allow for and contribute to audits or inspections, conducted by the Controller or an auditor appointed by the Controller, at the Controller’s cost and on reasonable prior written notice of at least 30 days.
PageQR may satisfy audit requests by providing relevant third-party certifications or audit reports (such as SOC 2 reports from our infrastructure providers), where these are sufficient to address the Controller’s audit objectives.
13. Term and Termination
This DPA is effective for the duration of PageQR’s provision of the Services to the Controller and terminates automatically upon termination or expiry of the Terms of Service, subject to any obligations that survive termination (including data deletion, breach notification, and confidentiality obligations).
14. Governing Law
This DPA is governed by the same law as the Terms of Service (the laws of the State of Delaware, United States), except where EU or UK data protection law mandates otherwise. For EU/EEA data subjects, the supervisory authority for PageQR’s processing activities is the relevant lead authority under the GDPR. For UK data subjects, it is the Information Commissioner’s Office (ICO).
15. Contact
For questions about this DPA or to request a signed copy, contact:
PageQR Data Privacy
Email: privacy@pageqr.io
For EU/EEA inquiries, you may also contact the relevant supervisory authority in your country of residence. A list of EU supervisory authorities is available at edpb.europa.eu.