Compliance & Data Residency

Transparency about how we handle your data and protect your privacy.

Data Residency

All application data — databases, caching, file storage — is processed and stored exclusively on Hetzner infrastructure in Germany and Finland (EU). Hetzner is ISO 27001 certified and fully GDPR compliant.

Transactional emails (password resets, invitations) are sent via MailPace, a UK-based provider that stores and processes all data in France (EU). All subprocessors are listed below — none are subject to the US CLOUD Act.

Subprocessor List

Name	Purpose	Location	DPA Status
PostgreSQL (Hetzner Cloud)	Primary database	Germany (EU)	Included
Redis (Hetzner Cloud)	Caching & rate limiting	Germany (EU)	Included
Stripe	Payment processing	EU (Dublin)	Signed
MailPace	Transactional email	France (EU)	Included in ToS

We keep our subprocessor list to a minimum. Any changes will be communicated 30 days in advance.

Security Overview

Hosted on Hetzner — ISO 27001 certified, GDPR compliant
All data encrypted in transit (TLS 1.3) and at rest (AES-256)
Authentication via secure session tokens with JWT
Role-based access control (4 roles: Admin, Editor, Viewer, Super Admin)
IP anonymization for scan analytics
Rate limiting on all API endpoints
Complete audit trail for all operations

GDPR Features

Available on all plans, including Free.

Three privacy levels: Full Analytics, Anonymized, No Analytics
Per-asset privacy controls
Automated data retention with configurable policies
GDPR data export (Article 15)
GDPR data deletion (Article 17)
Privacy badge for QR code landing pages
Compliance dashboard (Business+ plans)

Data Processing Summary

What data is collected per privacy level when a QR code is scanned.

Data Point	Full	Anonymized	None
Timestamp	✓	✓	✗
Country	✓	✓	✗
Device type	✓	✓	✗
Browser	✓	✗	✗
IP address	✓	Hashed	✗
Referrer	✓	✗	✗
Language	✓	✓	✗

Need a signed DPA or have compliance questions?

View DPA Template Contact Us