Data Processing Agreement

Terms governing how QRZone processes personal data on behalf of our customers. This DPA covers both US state privacy law (CCPA/CPRA) service provider obligations and GDPR data processor requirements.

Last updated: March 2026

1. Scope

This Data Processing Agreement (DPA) applies to all personal information and personal data (as defined under applicable law) processed by QRZone on behalf of customers using our QR code infrastructure, analytics, smart routing, and link management services. This DPA supplements our Terms of Service and Privacy Policy.

2. Definitions

  • "Personal Information" has the meaning given under the California Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798.140(v)), and includes identifiers, geolocation data, internet activity, and device information collected through QR code scans.
  • "Personal Data" has the meaning given under GDPR (Art. 4(1)).
  • "Customer" means the entity that has entered into a subscription agreement with QRZone and for whose benefit QRZone processes personal information/data.
  • "Service Provider" (CCPA) / "Data Processor" (GDPR) means QRZone, which processes personal information/data on behalf of the Customer.
  • "Business" (CCPA) / "Data Controller" (GDPR) means the Customer.

3. Roles and Responsibilities

3.1 Under CCPA/CPRA (US)

The Customer is a "Business" under CCPA. QRZone is a "Service Provider" under CCPA § 1798.140(ag). QRZone certifies that it:

  • Processes personal information only as necessary to perform the services specified in the subscription agreement
  • Does not sell or share personal information received from the Customer
  • Does not retain, use, or disclose personal information for any commercial purpose other than providing the contracted services
  • Does not combine personal information received from the Customer with personal information from other sources, except as permitted under CCPA § 1798.140(ag)(1)(A)
  • Will comply with applicable obligations under CCPA/CPRA and grant the Customer the right to take reasonable and appropriate steps to ensure compliance
  • Will notify the Customer if it can no longer meet its CCPA/CPRA obligations

3.2 Under GDPR (EU/EEA/UK)

The Customer acts as the Data Controller. QRZone acts as the Data Processor, processing personal data only as necessary to provide the contracted services and in accordance with documented customer instructions.

3.3 Under Other US State Laws

For customers subject to Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, or other US state privacy laws, QRZone acts as a "Processor" and processes personal data only pursuant to the Customer's instructions and the subscription agreement.

4. Categories of Personal Information Processed

QRZone processes the following categories of personal information on behalf of Customers:

  • Identifiers: Scanner IP addresses (transient, used for geolocation and discarded), device identifiers
  • Geolocation data: City-level location derived from IP address during QR scan events
  • Internet/electronic network activity: Scan timestamps, device type, OS, browser, referrer URL, language/locale
  • Inferences: Smart routing decisions (device type routing, language-based routing, geo-routing)

5. Data Security Measures

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 encryption for all data in transit
  • Regular security audits and annual penetration testing
  • Role-based access controls (RBAC) with multi-factor authentication (MFA)
  • Audit logging of all data access events
  • Incident response procedures with 72-hour breach notification (GDPR Art. 33) and prompt notification under US state laws
  • Annual employee security awareness training

6. Sub-Processors

QRZone maintains a list of authorized sub-processors on our Subprocessors page. Customers are notified 30 days before any new sub-processor is engaged, with the right to object. Sub-processors are bound by data processing terms no less protective than this DPA.

7. Data Retention and Deletion

Scan analytics data is retained according to plan-specific schedules as described in our Data Retention Policy. Upon contract termination, QRZone will delete or return all customer personal information within 30 days, unless retention is required by applicable law (e.g., tax records for 7 years per IRS requirements). Backup copies are purged within 30 days of primary deletion.

8. CCPA Consumer Request Assistance

QRZone will assist the Customer in responding to consumer requests under CCPA/CPRA (right to know, right to delete, right to correct, right to opt out). Upon receiving a verifiable consumer request forwarded by the Customer, QRZone will process the request within 10 business days. QRZone will not respond directly to consumer requests unless instructed by the Customer.

9. International Transfers

QRZone's primary infrastructure is located in the United States. Where Customer personal data originates from the EU/EEA/UK, QRZone relies on Standard Contractual Clauses (SCCs) approved by the European Commission (2021/914) and supplementary measures to ensure adequate protection. For other jurisdictions, appropriate safeguards are applied as required by local law.

10. Audit Rights

The Customer may, upon 30 days' written notice and no more than once per year, request an audit of QRZone's data processing practices relevant to this DPA. QRZone may satisfy this requirement by providing a copy of its most recent SOC 2 Type II report or equivalent third-party audit report.

11. Term and Termination

This DPA remains in effect for the duration of the subscription agreement. The data processing obligations survive termination until all personal information is deleted or returned as specified in Section 7.