Data Processing Agreement

Last updated: February 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between QRWolf ("Processor") and you ("Controller") for the processing of personal data in connection with the QRWolf service. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

"Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" have the meanings given in the GDPR. "Service" means the QRWolf QR code generation, management, and analytics platform.

2. Scope and Purpose of Processing

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Service. The categories of data processed include:

  • Account data: email addresses, names, and profile information provided by the Controller
  • QR code content: destination URLs, embedded content, and metadata configured by the Controller
  • Scan analytics: anonymised device type, browser, operating system, approximate geolocation (country/city/region), timestamps, and hashed IP addresses of individuals who scan QR codes

The Data Subjects include the Controller's end users and any individuals who scan QR codes created through the Service.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Not engage another processor without prior written authorisation from the Controller
  • Assist the Controller in responding to Data Subject requests
  • Make available to the Controller all information necessary to demonstrate compliance with obligations under Article 28 of the GDPR

4. Sub-processors

The Controller authorises the use of the following sub-processors:

  • Supabase Inc. — Database hosting and authentication (United States)
  • Stripe Inc. — Payment processing (United States)
  • Vercel Inc. — Application hosting and edge network (United States / Global)
  • Upstash Inc. — Redis caching and rate limiting (United States)
  • Resend Inc. — Transactional email delivery (United States)

The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object.

5. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest in the database
  • Row-Level Security (RLS) policies to isolate tenant data
  • Hashing of IP addresses before storage; raw IPs are never persisted
  • Per-QR geolocation opt-out to disable location data collection
  • API key authentication with rate limiting
  • Regular dependency updates and security monitoring

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject rights requests, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. The Service provides self-service tools for data export and account deletion.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

8. International Transfers

Where Personal Data is transferred outside the European Economic Area, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses where applicable.

9. Data Retention and Deletion

The Processor retains Personal Data for as long as the Controller's account is active. The Controller may configure scan data retention periods (30, 90, or 365 days) to automatically purge older scan records. Upon termination of the Service or upon the Controller's request, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law.

10. Duration and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service. Upon termination, the Processor shall cease all processing and delete or return all Personal Data in accordance with Section 9.

11. Contact

For questions about this DPA or to exercise your rights, contact us at:

Email: privacy@qrwolf.com

See also our Privacy Policy.