EU General Data Protection Regulation (GDPR)

GDPR QR Code compliance

Our commitment

We took the opportunity to create a stronger data protection basis for the benefit of all. Since the GDPR became enforceable on May 25, 2018, our platform has been fully GDPR compliant.

What we do for it

We have updated our terms of service and privacy policy to give you insight into how we use your data. Each of our products proactively applies the privacy principles.

Resources

On this page you will find resources on the subject of data protection: where and how it applies, and how to prepare your data and that of your customers to be GDPR compliant.

Data Security

SSL certificate

All connections and communication between your computer and our servers are encrypted using an SSL certificate signed by GlobalSign, certified by WebTrust.

Data Encryption

Sensitive data such as passwords, and personal data such as IP addresses, are stored encrypted in the database and cannot be read in plain text.

Backups

We create daily backups of all databases with a retention period of up to 30 calendar days, for free recovery from data loss caused by us.

What personal data do we collect from you?

Core Data

When creating an account on our site, at least an e-mail address is required. With this unique identification, you can log in to your account and we can inform you about changes in our terms and conditions. If you create a paid account, you can optionally enter your name, address, telephone number and VAT ID. We use this data exclusively for the purpose of issuing invoices.

Authentication via Facebook or LinkedIn

If you create a free account with your Facebook or LinkedIn account, the email address, first and last name are sent to us.

Onboarding E-Mails

In the first days you will receive onboarding e-mails that explain how to use the platform. You can unsubscribe at any time by clicking on the unsubscribe link in the mail.

Newsletter

You will receive newsletters separately only if you have given us your explicit consent. The consent can be revoked at any time.

IP Address

Server Logs

We record all access to our servers in so-called log files. These include the IP address and which resource was accessed. The data in the log files are not linked to any persons. Only in the case of a criminal act or an attack on our infrastructure do we use the log files to find clues about the attack or forward the log data to the authorities. The logs are deleted after one month.

User Account / QR Code

For each user account or QR code created, the IP address is saved. In case the QR code points to a fraudulent site with illegal content, we are able to temporarily disable the QR code or the user account and to hand over the IP address to the authorities. If the account or the QR code is deleted, the stored IP address will also be deleted.

Matomo

To evaluate visitors to our website we use Matomo. This helps us to understand how often and from where our website is visited. IP addresses are saved anonymously in Matomo. The last 3 digits of the IP are omitted, so personal identification of visitors is no longer possible.

You are in control of your data

Right to Information

You have the right to ask for confirmation as to whether personal data is being processed and for information about this data.

Right to Rectification

You have the right to request the completion of the data concerning you or the correction of the incorrect data concerning you.

Right to transmission

You have the right to receive data that you have provided to us and to request their transmission to other persons responsible.

How is your data deleted?

GDPR gives you the right to be forgotten. We have implemented this consistently and do not keep any of your data for longer than necessary.

On demand

Upon request of an individual from a verified e-mail address, we will immediately delete all personal data and contents that you have created under your account (QR codes, landing page and statistics). Please log into your account and, in your account settings, click "close account". If you have been a customer with us and have already received an invoice, we are obliged to keep your billing data for the tax office for 7 years.

Automated

If your free account has not been active for 5 years, your account including all data will be deleted automatically. An account is inactive if you have not logged in within that time and none of your QR Codes has been scanned for more than 5 years.

QR Code Tracking

The tracking of QR code scans with our service is compliant with GDPR data protection, because no personal information is processed or stored.

IP Address

We use the IP address to determine the country where the QR code was scanned. After the lookup, the IP is stored anonymously in the database. It is not possible to relate to a person using the anonymous IP address.

GPS Position

The GPS position can only be retrieved with the explicit consent of the user in the browser. This security query was issued by the W3 Consortium and is built into every browser. The query cannot be bypassed.

Phone Number

From the browser in which the target URL of the QR code is requested, only very limited information can be extracted. It is not possible to retrieve the device's phone number or any other contact information.

Landing Pages

In order to comply with the EU General Data Protection Regulation (GDPR) when creating your landing pages, you can set optional links to your imprint and privacy policy on every landing page.

If you integrate content from external servers (such as Google Fonts) on your landing pages, you should include a notice in your privacy policy for each service.

Imprint and Privacy policy for Landing Page (GDPR)

Positive Opt-In

When a user sends personal information, you must request his or her consent, which is given by a statement of intent, i.e. the user marks the checkbox. Pre-checked boxes that use customer inaction to assume consent are not valid under GDPR. You can optionally specify how many days the customer data should be saved.

Positive Opt-Ins

When creating a dynamic QR Code, you can include third party tracking plugins such as Google Analytics or a re-targeting pixel by Facebook when a QR Code is scanned. Those external tracking services will store a third-party cookie on the user's device.

In EU countries, due to the General Data Protection Regulation (GDPR), and in the United States, because of the California Consumer Privacy Act (CCPA), express consent from a user is required if third-party cookies are to be stored on his device.

Our service provides an optional consent popup that is displayed to the user before the cookies are stored and the user is redirected to the target page.

Cookie Consent

If the option for the consent is activated, the user first confirms that he agrees to the storage of cookies on his device before he is redirected. If he does not agree, the cookies are not created, and he is redirected to the target page. If the popup for consent is deactivated, the user is redirected to the landing page without his knowledge that third-party cookies are being saved.

White Label Users

Imprint and Privacy policy for White Label Platform (GDPR)

If you operate your QR Code platform under your own name and under your own domain, you can optionally also provide links to your imprint, your terms of use and your privacy policy in your account settings, which are displayed in the footer of the platform.

External Data Processor

Payment Service Provider

Through our products you have the opportunity to take out subscriptions with payment obligations. Insofar as this is necessary for the performance of the contract, data is also sent to our payment service providers or handed over to the bank responsible for the payment processing. The scope of the data is limited to the minimum required for the purpose of contract execution. Sensitive credit card information is never stored on our servers.

Stripe

When paying by credit card or direct debit, the payment is executed via Stripe by the payment service provider Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland.

stripe.com

PayPal

When paying with PayPal, payments are executed via PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

paypal.com

Gevest

Our tax consulting company GEVEST Steuer- und BetriebsberatungsgmbH, A-1070 Vienna, Schottenfeldgasse 40/8, receives all relevant billing data from us for the preparation of a tax return.

gevest.at

Microsoft

For our Customer Relationship Management we use the following services of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
Personal data required for the use of the application is stored in encrypted form in databases.

microsoft.com

OneDrive

Individually created offers or files, which we receive from you for special customer projects, are stored on the OneDrive cloud.

Exchange

To communicate with our customers, we use Exchange, where contacts, e-mails and appointments are managed.

Hetzner

We are hosting and managing our server infrastructure at the Hetzner data centers in Nuremberg and Falkenstein. Hetzner GmbH - Industriestr. 25 - 91710 Gunzenhausen - Germany

hetzner.com

BunnyCDN

To provide you with fast and responsive page loading times we use the content delivery network BunnyCDN, a service from BunnyWay d.o.o., Škofjeloška Cesta 13, 1215 Medvode, Slovenia.

bunnycdn.com

Uservoice

For you to make suggestions for new features or ideas, we use the following service of UserVoice, Inc., 121 2nd Street, 4th Floor, San Francisco, CA 94105

uservoice.com

tawk.to

To directly contact anyone interested in our site via chat, we use the following service from tawk.to inc., 187 East Warm Springs Rd, Las Vegas, NV, 89119

tawk.to

Google Maps

To show QR code scan positions on a map, we have included in our website maps from the service Google Maps by Google LLC via their API.

google.com

YouTube

We embed videos on our website for educational purposes, streamed from YouTube, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. No cookies from YouTube are installed and your IP is not sent to a YouTube server until you consent to it.

youtube.com

Cloudflare

We protect our website from DDoS attacks with Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich. Only in the event of an attack are visitors first directed to a Cloudflare server, which checks whether the visitor is a real person; only if the check is positive is the visitor forwarded to our servers.

cloudflare.com

Privacy Policy for your Website

If you use our service to generate QR codes and you want to mention us in your privacy policy, you can use the following HTML snippet:

<p>
    We create QR Codes with the QR Code Generator from qrplanet.com.
    qrplanet.com will not process or store any of your personal data.
    For more information, see
    <a href="https://qrplanet.com/gdpr" target="_blank" rel="noopener">https://qrplanet.com/gdpr</a>
</p>
            

If you use our QR Code Solutions in a way where we process personal data of your clients, we act as a data processor. We recommend that you include our service in your privacy policy, explaining which personal data is stored by us, and link to our GDPR page as shown in the example above.

Data Processing Agreement (DPA)

By opening a paid account, we automatically create a DPA with your and our contact information. You can conclude the contract online and receive it as a PDF document for download.

You do not have to send us the DPA. The DPA serves as your assurance that we, as a partner, are GDPR compliant, and you can present the contract in the event of an inspection by the GDPR authority.

Download DPA Example

Servers and IT infrastructure

The datacenter, located in Germany, is equipped with emergency power systems, precision air conditioning and humidity control, early fire detection, a gas fire extinguishing system and biometric access control.

What hardware do my servers run on?

The CX line Hetzner Cloud servers run on the first generation of Intel® Xeon® Scalable CPUs. We also have a line of cloud servers, the CPX line, which are based on AMD 2nd generation EPYC CPUs. The CAX line is based on Ampere® Altra® CPUs. And there are also models (the CCX line) that have dedicated vCPUs (AMD EPYC). For local storage, we use NVMe SSDs.

What hypervisor and NIC/disk drivers do you use?

We are running KVM as a hypervisor. We use virtio for both virtual NICs and disks.

What kind of connection do the instances have?

The host systems for our Cloud instances all have a redundant 10 Gbits connection. This connection is shared by all instances on the host. We do not offer bandwidth guarantees for our Cloud servers, but you can expect about 300-500 Mbits.

DDoS Protection

We have optimal protection against outside attacks by

  • using recognized security technologies
  • having partnerships with the market’s best solution providers
  • using qualified support provided by certified network technicians
  • being ready for scaled attacks up to more than 100 Gbps

All measures that we take to protect your data can be found under Technical Organizational Measures and on our information page on the General Data Protection Regulation.