Privacy Policy

This Privacy Policy describes how Contenza K/S ("we", "us", "QRStandard") collects, uses, and protects personal data when you use qrstandard.eu. We are the data controller for all personal data processed through this service.

1. Who we are

Contenza K/S
CVR: 43349023 · VAT: DK43349023
Denmark
Contact: qrstandard.eu/contact

2. What data we collect

We collect the minimum data required to operate the service:

• Account data: Your email address, collected when you register or sign in. We use a magic link authentication system — no passwords are ever stored.
• QR code data: The labels, destination URLs, and configuration you create for your QR codes.
• Scan analytics: When a QR code is scanned, we record the timestamp, approximate country (derived from IP address, not stored), device type, and referrer URL. We do not store IP addresses from scans.
• Billing data: If you subscribe, Stripe processes your payment details directly. We store your Stripe customer ID and subscription status. We do not see or store card numbers.
• Usage data: Server access logs (IP address, request path, timestamp) retained for up to 30 days for security and debugging purposes.

3. Legal basis for processing

• Contract (Art. 6(1)(b) GDPR): Processing your email address and QR code data to provide the service you signed up for.
• Legitimate interests (Art. 6(1)(f) GDPR): Server logs for security and abuse prevention; scan analytics to provide you with redirect performance data.
• Legal obligation (Art. 6(1)(c) GDPR): Retaining billing records as required by Danish accounting law (Bogføringsloven).

4. Where your data is stored

All data is stored on servers located in Germany (Hetzner Cloud, Nuremberg data centre) and does not leave the European Economic Area. We do not use US-based cloud providers for personal data storage.

5. Sub-processors

We use the following third-party processors:

• Hetzner Online GmbH (Germany) — server infrastructure and storage
• Stripe, Inc. — payment processing. Stripe is certified under PCI DSS and complies with GDPR. Data transfer to the US is covered by the EU-US Data Privacy Framework.
• Resend, Inc. — transactional email (magic link delivery, receipts). Data processed in accordance with GDPR under standard contractual clauses.

6. Data retention

• Login tokens: Expire after 15 minutes and are permanently invalidated after first use.
• Session cookies: Expire after 30 days of inactivity.
• QR codes and redirect data: Retained until you delete them or close your account.
• Scan events: Retained for 24 months, then deleted.
• Billing records: Retained for 5 years as required by Danish accounting law.
• Server logs: Retained for 30 days.

7. Your rights under GDPR

As a data subject, you have the following rights:

• Access (Art. 15): Request a copy of all personal data we hold about you.
• Rectification (Art. 16): Correct inaccurate data. You can update your email address by contacting us.
• Erasure (Art. 17): Request deletion of your account and all associated data. We will comply within 30 days, subject to our legal retention obligations for billing records.
• Portability (Art. 20): Request your data in a machine-readable format (JSON).
• Restriction (Art. 18): Request that we restrict processing of your data while a complaint is pending.
• Objection (Art. 21): Object to processing based on legitimate interests.

To exercise any of these rights, contact us via our contact form. We will respond within 30 days. You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk.

8. Cookies

We use one first-party cookie:

• qrr_session — an authentication session token. HttpOnly, Secure, SameSite=Lax. Expires after 30 days. This cookie is strictly necessary for the service to function and does not require consent under ePrivacy Directive Art. 5(3).

We do not use tracking cookies, advertising cookies, or third-party analytics scripts. We do not use Google Analytics, Meta Pixel, or similar tools.

9. Security

All data is transmitted over TLS (HTTPS). Passwords are never stored — authentication uses cryptographically signed single-use tokens. Database access is restricted to application processes running on the same server. Backups are encrypted at rest.

10. Changes to this policy

We will notify registered users of material changes to this policy by email at least 14 days before they take effect. The current version is always available at qrstandard.eu/privacy.