Data Processing Addendum (DPA)
Effective Date: July 12, 2026
This Data Processing Addendum ("DPA") describes how QRCard processes personal data when you use the digital business card service.
1. Definitions
The terms "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given under applicable EU data protection law, including the GDPR.
2. Scope and Role
When you collect leads via Mutual Exchange or publish a card containing personal data, you are the Controller of that data. QRCard acts as Processor for hosting cards, generating vCards, storing leads, and providing view/save analytics on your behalf.
3. Processor Obligations
QRCard will:
- Process personal data only to provide the QRCard service as configured by you.
- Keep personnel who access personal data under confidentiality obligations.
- Apply technical and organizational measures appropriate to the risk.
- Assist you in responding to Data Subject requests where reasonably possible.
4. Sub-processors
QRCard uses Cloudflare (Pages, Workers, D1, R2) to host and run the service. Additional optional integrations (such as Google Drive or Google OAuth) process data only when you connect them.
5. Security Incidents
If a confirmed security incident affects your personal data, QRCard will notify you without undue delay and share available details and mitigation steps.