
GDPR & Data Processing

Last updated: 15 April 2026 · Effective: GDPR (EU) 2016/679

This page is for compliance managers, procurement teams, and data protection officers assessing QRStandard as a vendor. It covers our data residency architecture, sub-processor list, Art. 28 compliance, and how to request a Data Processing Agreement (DPA).

Data location: Germany, EU
Data controller: Contenza K/S
Governing law: GDPR + Danish law
DPA available: Yes — on request

Data controller

Contenza K/S
CVR: 43349023 · VAT: DK43349023
Denmark
Contact: qrstandard.eu/contact

Contenza K/S is the data controller for all personal data processed through QRStandard. We do not appoint a joint controller. If you are a business customer using QRStandard to process personal data of your own users or customers (for example, scan analytics linked to identifiable individuals), you act as a separate data controller and we act as your data processor under Art. 28 GDPR.

Data residency

All personal data processed by QRStandard is stored exclusively on servers located in Nuremberg, Germany, operated by Hetzner Online GmbH. No personal data is transferred outside the European Economic Area for storage or processing.

This means:

  • Your account data, QR code configurations, and redirect records are stored in Germany.
  • Scan analytics are processed and stored in Germany.
  • Backups are stored on the same infrastructure in Germany.
  • No US-based cloud services (AWS, GCP, Azure) are used for personal data.

Sub-processors

We use the following sub-processors. We maintain Data Processing Agreements with each of them as required by Art. 28(4) GDPR.

| Processor | Country | Purpose | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Germany | Server infrastructure, database, object storage | EEA — no transfer |
| Stripe, Inc. | US | Payment processing and subscription management | EU-US Data Privacy Framework + SCC |
| Resend, Inc. | US | Transactional email (authentication, receipts) | Standard Contractual Clauses (Art. 46(2)(c)) |

We will notify customers of any material changes to our sub-processor list with at least 14 days' notice, providing the opportunity to object before the change takes effect.

What data we process on your behalf (Art. 28)

When you use QRStandard as a business customer, we process the following categories of data on your behalf:

  • QR code scan events: Timestamp, approximate country (IP-derived, IP not stored), device type, referrer URL. These may be linked to individuals if your QR codes are deployed in contexts where the scanner is identifiable (for example, employee-facing codes or authenticated customer journeys).
  • Destination URLs: The URLs your QR codes redirect to, which you provide and control.
  • Audit log entries: Records of who changed which QR code destination and when, based on user accounts you manage within our platform.

Technical and organisational measures (TOMs)

We implement the following measures to protect personal data:

  • Encryption in transit: All connections use TLS 1.2 or higher. Certificates are managed automatically via Let's Encrypt.
  • Encryption at rest: Database backups are encrypted. Application-level secrets are stored in environment variables, not in source code or version control.
  • Access control: Database access is restricted to application processes running on the same server. No direct external database access is permitted. Admin access to the server requires SSH key authentication — passwords are disabled.
  • Authentication: Magic link authentication only — no passwords are stored. Session tokens are cryptographically signed, single-use, and expire after 15 minutes.
  • Monitoring: System health and error rates are monitored continuously. Alerting is in place for service failures and unusual error patterns.
  • Data minimisation: We do not store IP addresses from QR code scans. Country is derived from IP and the IP is immediately discarded.
  • Retention limits: Scan events are deleted after 24 months. Server logs are deleted after 30 days. Session tokens expire after 30 days.

Your rights as a data subject

Full details of data subject rights are in our Privacy Policy. In summary:

  • Right of access (Art. 15) — request all data we hold about you
  • Right to erasure (Art. 17) — request account and data deletion
  • Right to portability (Art. 20) — receive your data in JSON format
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to object (Art. 21) — object to processing based on legitimate interests

Contact us via our contact form. We respond within 30 days. You may also lodge a complaint with the Danish Data Protection Authority: datatilsynet.dk · +45 33 19 32 00.

Regulatory compliance context

QRStandard is infrastructure for EU digital labelling and traceability requirements. Our customers operate under regulations including EU MDR/IVDR (2017/745+746), EU Machinery Regulation (2023/1230), EU Battery Regulation (2023/1542), and ESPR digital product passport requirements. We understand that these contexts involve sensitive supply chain and product data, and our data architecture is designed accordingly.

If your regulatory context requires specific data handling arrangements — such as enhanced logging retention, custom audit export formats, or dedicated infrastructure — contact us to discuss enterprise options.

Need a Data Processing Agreement?

We provide a standard Art. 28 DPA to all paid subscribers on request. Contact us and we'll send it within 2 business days.

Data protection contact
Contenza K/S · CVR 43349023
Denmark
© 2026 Contenza K/S · QRStandard · EU-hosted · GDPR compliant by design