Data Processing Addendum (DPA)

Effective Date: July 12, 2026

This Data Processing Addendum ("DPA") describes how QRCard processes personal data when you use the digital business card service.

1. Definitions

The terms "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given under applicable EU data protection law, including the GDPR.

2. Scope and Role

When you collect leads via Mutual Exchange or publish a card containing personal data, you are the Controller of that data. QRCard acts as Processor for hosting cards, generating vCards, storing leads, and providing view/save analytics on your behalf.

3. Processor Obligations

QRCard will:

  • Process personal data only to provide the QRCard service as configured by you.
  • Keep personnel who access personal data under confidentiality obligations.
  • Apply technical and organizational measures appropriate to the risk.
  • Assist you in responding to Data Subject requests where reasonably possible.

4. Sub-processors

QRCard uses Cloudflare (Pages, Workers, D1, R2) to host and run the service. Additional optional integrations (such as Google Drive or Google OAuth) process data only when you connect them.

5. Security Incidents

If a confirmed security incident affects your personal data, QRCard will notify you without undue delay and share available details and mitigation steps.