Compliance & Data Residency

Transparency about how we handle your data and protect your privacy.

Data Residency

All application data (databases, caching, file storage) is processed and stored exclusively on Hetzner infrastructure in Germany and Finland (EU). Hetzner is ISO 27001 certified and fully GDPR compliant.

Transactional emails (password resets, invitations) are sent via MailPace, a UK-based provider that stores and processes all data in France (EU). All subprocessors are listed below. None are subject to the US CLOUD Act.

Subprocessor List

Name	Purpose	Location	DPA Status
PostgreSQL (Hetzner Cloud)	Primary database	Germany (EU)	Included
Redis (Hetzner Cloud)	Caching & rate limiting	Germany (EU)	Included
Stripe	Payment processing	EU (Dublin)	Signed
MailPace	Transactional email	France (EU)	Included in ToS

We keep our subprocessor list to a minimum. Any changes will be communicated 30 days in advance.

Security Overview

Hosted on Hetzner, ISO 27001 certified, GDPR compliant
All data encrypted in transit (TLS 1.3) and at rest (AES-256)
Authentication via secure session tokens with JWT
Role-based access control (4 roles: Admin, Editor, Viewer, Super Admin)
IP anonymization for scan analytics
Rate limiting on all API endpoints
Complete audit trail for all operations

GDPR Features

Available on all plans, including Free.

Three privacy levels: Full Analytics, Anonymized, No Analytics
Per-asset privacy controls
Automated data retention with configurable policies
GDPR data export (Article 15)
GDPR data deletion (Article 17)
Privacy badge for QR code landing pages
Compliance dashboard (Business+ plans)

Data Processing Summary

What data is collected per privacy level when a QR code is scanned.

Data Point	Full	Anonymized	None
Timestamp	✓	✓	✗
Country	✓	✓	✗
Device type	✓	✓	✗
Browser	✓	✗	✗
IP address	✓	Hashed	✗
Referrer	✓	✗	✗
Language	✓	✓	✗

Need a signed DPA or have compliance questions?

View DPA Template Contact Us