GDPR Compliance

Our commitment to data protection and privacy rights

Last updated: 2026

GDPR Compliance Overview

ElkQR is fully compliant with the General Data Protection Regulation (GDPR). This page explains how we protect your data, your rights as a data subject, and our commitment to data protection.

Data Hosting and Location

European Data Residency

All ElkQR data is hosted within the European Union to ensure GDPR compliance:

  • Application Infrastructure: Hosted on DigitalOcean droplets in Amsterdam, Europe (ams3 datacenter)
  • Database: Secure database infrastructure in Amsterdam, Europe (ams3 datacenter)
  • File Storage: Cloudflare R2 storage in European locations
  • Data Processing: All processing occurs within EU boundaries

This ensures your personal data never leaves the European Economic Area (EEA) and remains subject to EU data protection laws.

Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access (Article 15)

  • Request confirmation of what personal data we hold about you
  • Obtain a copy of your personal data
  • Learn about how we process your data

Right to Rectification (Article 16)

  • Correct inaccurate personal data
  • Complete incomplete personal data
  • Contact hello@elkqr.com to update account information like email addresses
  • Direct email changes are disabled for security; our team verifies your identity and applies the update manually

Right to Erasure (Article 17)

  • Request deletion of your personal data
  • Account deletion available through your profile settings
  • 30-day soft delete period with option to cancel
  • Complete data removal after deletion period

Right to Data Portability (Article 20)

  • Export all your data in machine-readable JSON format
  • Download includes QR codes, analytics, files, and account information
  • Available through your profile settings
  • Secure delivery via temporary download links

Right to Restrict Processing (Article 18)

  • Limit how we process your personal data
  • Available through account settings and privacy controls
  • Cookie consent management for tracking preferences

Data Processing Activities

What We Collect

  • Account Information: Email, name, authentication credentials
  • QR Code Data: Content you create and embed in QR codes
  • Usage Analytics: How you interact with our platform
  • Scan Analytics: Anonymous statistics about QR code scans
  • Files: Images, documents, and media you upload
  • Feedback Data: Bug reports, feature requests, and screenshots submitted through the feedback widget

Legal Basis for Processing

  • Contract Performance: Providing our QR code generation services
  • Legitimate Interest: Platform security and fraud prevention
  • Consent: Analytics and marketing communications (where required)
  • Legal Obligation: Compliance with applicable laws

Data Security Measures

Technical Safeguards

  • Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
  • Automated Backups: Daily encrypted database backups with 30-day retention, stored in DigitalOcean Spaces (Amsterdam ams3)
  • Disaster Recovery: Complete backup and restore capability with 212-hour recovery point objective
  • Access Controls: Multi-factor authentication and role-based permissions
  • Audit Logging: Comprehensive tracking of all data access activities
  • Breach Detection: Automated monitoring for suspicious activities
  • Regular Security Reviews: Ongoing assessment of security measures

Organizational Safeguards

  • Data Protection by Design: Privacy considerations built into all features
  • Staff Training: Team educated on GDPR requirements
  • Incident Response: Procedures for handling data breaches
  • Vendor Management: Ensuring third-party processors meet GDPR standards

Data Retention

Retention Periods

  • Account Data: Retained while your account is active
  • QR Code Data: Retained until you delete your QR codes
  • Analytics Data: Retained for service improvement purposes
  • Audit Logs: Retained for 3 years for compliance purposes
  • Feedback Submissions: Retained for product improvement purposes; can be deleted upon request
  • Deleted Accounts: Data permanently removed after 30-day grace period for manual deletions. Trial accounts that expire without subscription are scheduled for deletion 60 days after trial expiration, with email warnings sent at 7, 3, and 1 day before the deletion date. Subscribing to any paid plan cancels the scheduled deletion.

Trial Expiration Policy

In accordance with GDPR's data minimization principle (Article 5), we automatically delete inactive trial accounts:

  • Trial Duration: 14-day free trial from account registration
  • Grace Period: 60 days after trial expiration to allow reactivation (total 74 days from signup)
  • Transparency: Email notifications sent at 7, 3, and 1 day before deletion
  • User Control: Deletion can be prevented by subscribing to any paid plan
  • Complete Deletion: All associated data (workspaces, QR codes, files, analytics) permanently removed
  • Team Member Protection: Only workspace owners face deletion; team member accounts remain unaffected

Cookie Management

Landing Page QR Cookie Consent

For Landing Page QR codes (custom pages built with our block editor), workspace owners can configure cookie consent:

  • Essential Cookies: Required for basic functionality
  • Analytics Cookies: Optional - can be disabled
  • Marketing Cookies: Optional - can be disabled
  • User Control: Accept, reject, or customize cookie preferences
  • Workspace Control: Business owners can configure consent for their Landing Page QR codes

Third-Party Data Sharing

Service Providers

We share data only with trusted service providers within the EU:

All third-party processors are contractually bound to GDPR compliance standards.

International Data Transfers

ElkQR ensures all data processing occurs within the European Economic Area (EEA). We do not transfer personal data outside the EEA except where:

  • You explicitly consent to the transfer
  • The transfer is necessary for contract performance
  • Adequate safeguards are in place (Standard Contractual Clauses)

Exercising Your Rights

How to Contact Us

To exercise any of your GDPR rights or for data protection inquiries:

  • Data Protection Email: privacy@elkqr.com
  • General Contact: hello@elkqr.com
  • Account Settings: Most rights can be exercised directly through your account
  • Response Time: We respond to requests within 30 days

Automated Rights Exercise

Many GDPR rights can be exercised directly through your ElkQR account:

  • Data Export: Available in your profile settings
  • Account Deletion: Request deletion through profile settings
  • Data Correction: Update information directly in your account
  • Cookie Policy Integration: Use workspace settings to configure the cookie consent popup that appears on your business's QR code landing pages

Complaints and Supervisory Authority

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local data protection authority.

Data Protection Officer

For specific data protection questions or concerns, you can contact our data protection team at privacy@elkqr.com. We are committed to resolving any privacy concerns promptly and transparently.

Updates to This Information

We may update this GDPR compliance information from time to time. We will notify users of any material changes through email or platform notifications. Continued use of ElkQR after changes constitutes acceptance of updated practices.
