QR Code AI Data Processing Agreement
This DPA defines how QR Code AI processes personal data on behalf of customers, in compliance with GDPR and applicable data protection regulations.
DATA PROCESSING AGREEMENT (DPA)
Last updated March 2, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Supernovae, a company registered in France at 27 Rue Wurtz, Juvisy-sur-Orge 91260, VAT number FR67948452891 ("Processor," "we," "us"), and the entity agreeing to this DPA ("Controller," "you"), collectively referred to as the "Parties."
This DPA applies when we process personal data on your behalf in connection with our QR Code AI services, including via the API.
1. DEFINITIONS
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "UK GDPR" means the GDPR as transposed into UK law by the Data Protection Act 2018.
- "SCCs" means the Standard Contractual Clauses approved by the European Commission for the transfer of Personal Data to third countries.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. SCOPE AND ROLES
2.1 Controller and Processor
For the purposes of this DPA:
- You (Controller): You determine the purposes and means of processing Personal Data when you use our Services, particularly when you use our API to generate QR codes for your own customers or integrate our Services into your products.
- We (Processor): We process Personal Data on your behalf according to your instructions, as described in this DPA and the Agreement.
2.2 When This DPA Applies
This DPA applies when:
- You use the QR Code AI API to generate QR codes that process your end users' data (e.g., URLs containing personal information, vCard data, contact details encoded in QR codes).
- You use QR Code AI tracking and analytics features that collect scan data from your end users.
- Any other scenario where we process Personal Data on your behalf as a data processor.
When you use QR Code AI as an individual user for your own purposes, we act as an independent data controller and our Privacy Policy governs data processing.
3. DATA PROCESSING DETAILS
3.1 Subject Matter and Duration
We process Personal Data for the duration of the Agreement to provide the QR Code AI services, including QR code generation, tracking, analytics, and related functionality.
3.2 Nature and Purpose of Processing
- Generating QR codes based on input data provided by the Controller
- Tracking QR code scans and collecting analytics data
- Storing QR code configurations and associated metadata
- Processing AI-generated artistic QR code requests
- Providing reports and analytics dashboards
3.3 Types of Personal Data
The types of Personal Data processed may include:
- Contact information (names, email addresses, phone numbers) encoded in QR codes
- URLs and web addresses
- Location data from QR code scans
- Device information and IP addresses from QR code scans
- Text prompts and images provided for AI QR code generation
- Any other data the Controller chooses to encode in QR codes
3.4 Categories of Data Subjects
- End users who scan QR codes created by the Controller
- Individuals whose contact information is encoded in QR codes
- Users of the Controller's products or services who interact with QR codes
4. OBLIGATIONS OF THE PROCESSOR
4.1 Processing Instructions
We will process Personal Data only on your documented instructions, unless required to do so by EU or Member State law to which we are subject. In such a case, we will inform you of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
4.2 Confidentiality
We ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS/HTTPS) and at rest
- Access controls and role-based authentication for internal systems
- Regular security assessments and vulnerability scanning
- Infrastructure hosted with ISO 27001 certified providers
- DDoS protection and web application firewall (Cloudflare)
- Regular backups with encrypted storage
- Logging and monitoring of access to Personal Data
4.4 Sub-processors
We use the sub-processors listed on our Subprocessors page. We will notify you of any intended changes to sub-processors by updating that page. You may object to a new sub-processor by contacting us at [email protected] within 30 days of the update. If you object and we cannot reasonably accommodate your objection, either party may terminate the affected portion of the Services.
We enter into written agreements with all sub-processors that impose data protection obligations no less protective than those in this DPA.
4.5 Data Subject Rights
We will assist you in responding to requests from Data Subjects exercising their rights under applicable data protection law (access, rectification, erasure, restriction, portability, objection). If we receive a request directly from a Data Subject, we will promptly redirect them to you unless otherwise instructed.
4.6 Assistance with Compliance
We will assist you in ensuring compliance with your obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to us.
5. DATA BREACH NOTIFICATION
5.1 Notification Timeline
We will notify you of a Data Breach without undue delay, and in any event within 72 hours of becoming aware of the breach. Notification will be sent to the email address associated with your account.
5.2 Notification Content
The notification will include, to the extent available:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of our data protection point of contact.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.
5.3 Ongoing Cooperation
We will cooperate with you and provide reasonable assistance in investigating, mitigating, and remediating any Data Breach, and in making any notifications to supervisory authorities or Data Subjects that you are required to make.
6. INTERNATIONAL DATA TRANSFERS
6.1 Data Location
Personal Data is primarily stored and processed in the European Union:
- France (EU) via Scaleway
- Netherlands (EU) via DigitalOcean
6.2 Transfers Outside the EU/EEA
Some of our sub-processors are located outside the EU/EEA, primarily in the United States. For these transfers, we rely on:
- EU-US Data Privacy Framework: Where applicable, for transfers to US-based providers certified under the framework.
- Standard Contractual Clauses (SCCs): We incorporate the European Commission-approved SCCs (Commission Implementing Decision (EU) 2021/914) into our agreements with sub-processors located outside the EU/EEA where the Data Privacy Framework does not apply.
6.3 Transfer Impact Assessment
We conduct transfer impact assessments for transfers to third countries and implement supplementary measures where necessary to ensure an adequate level of data protection.
7. AUDITS AND INSPECTIONS
7.1 Audit Rights
You have the right to audit our compliance with this DPA. We will make available to you all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.
7.2 Audit Process
Audits are subject to the following conditions:
- You must provide at least 30 days' written notice before any audit.
- Audits may be conducted no more than once per year, unless required by a supervisory authority or following a Data Breach.
- Audits must be conducted during normal business hours and must not unreasonably interfere with our operations.
- You are responsible for the costs of any audit, unless the audit reveals a material breach of this DPA.
- Confidential information of our other customers must not be exposed during the audit.
8. DATA RETENTION AND DELETION
8.1 During the Agreement
We retain Personal Data for the duration of the Agreement as necessary to provide the Services.
8.2 Upon Termination
Upon termination of the Agreement or upon your written request:
- We will delete Personal Data from our active systems within 30 days.
- Personal Data in backup archives will be purged within 6 months.
- We may retain Personal Data to the extent required by applicable law (e.g., tax, accounting obligations), in which case we will isolate and protect such data and limit further processing to what is required by law.
8.3 Certification
Upon your request, we will provide written confirmation that Personal Data has been deleted in accordance with this section.
9. LIABILITY
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability to Data Subjects or supervisory authorities under applicable data protection law.
10. GOVERNING LAW
This DPA is governed by the laws of France. For Data Subjects in the EU, the GDPR applies. For Data Subjects in the UK, the UK GDPR applies. Any disputes arising from this DPA will be resolved in accordance with the dispute resolution provisions of the Agreement.
11. HOW TO EXECUTE THIS DPA
This DPA is incorporated into and forms part of the Terms of Service. By using the QR Code AI Services, you agree to this DPA.
If you require a separately signed copy of this DPA for your records, please contact us at [email protected] and we will provide one within 10 business days.
12. CONTACT
For questions about this DPA or our data processing practices:
Supernovae
27 Rue Wurtz
Juvisy-sur-Orge, Ile-de-France 91260
France
[email protected]