Privacy Policy

Introduction

This Privacy Policy explains the nature, scope and purpose of the processing of personal data (hereinafter referred to as data). Data is processed within our online software QR Planet GmbH, its functions and contents, the websites linked to it and external online presences such as social media profiles (hereinafter jointly referred to as Online Service).

1. Controller and Overview of Data Processing

Controller

QR Planet GmbH
Mariahilfer Straße 7/2, 1060 Vienna, Austria
Phone: +34607691605
E-Mail: [email protected]
Complete legal information: https://qrplanet.com/imprint
The Controller is hereinafter also referred to as we or us.

Description of our services and objectives

The QR Code Manager of QR Planet GmbH is an online tool to help you in creating successful mobile marketing campaigns. You can track who scans your QR Codes and analyze your audience to optimize your advertising strategy.

Type of processed data

• Customer master data (company name, contact person, address, VAT registration number, e-mail address);
• Account data (name, e-mail address, cryptographic hash of the password);
• Payment data (account data and/or credit card data);
• Contract data (type of service, fee, term, contract history, payment history);
• Content data that is entered in QR Planet GmbH by customers/users themselves (QR Codes, Landing Pages, Media Files);
• Usage data/ metadata (server logging: IP address, user agent, request parameter, time stamp).

Processing of special categories of Data (Art. 9 (1) GDPR)

In general, no special categories of data are processed, unless these are submitted by the user for processing, e.g. in Lead Landing Pages.

Categories of data subjects

• Customers, test users, business partners.
• Visitors and users of the online offer.

In the following, we will also summarise the data subjects as users.

Purpose of Processing

• Provision of the Online Service, its contents and functions.
• Providing and operating QR Planet GmbH (Software as a Service) and related services (computing capacities, databases, software, maintenance and development).
• Security measures.
• Response to contact requests and communication with users.
• Marketing, advertising and market research.

Automated individual decision-making (Art. 22 GDPR)

We do not use exclusively automated individual decision-making.

As of

May 2018

2. Rights of data subjects, legal basis for the processing and general information

Rights of Data Subjects

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the further information and a copy of the data in accordance with Art. 15 GDPR.

In accordance with Article 16 of the GDPR, you have the right to obtain from the controller the rectification of inaccurate personal data concerning you, or the completion of the data concerning you.

In accordance with Art. 17 GDPR, you have the right to demand that relevant data be erased without undue delay or, alternatively, to demand a restriction of the processing of the data in accordance with Art. 18 GDPR.

You have in accordance with Art. 20 GDPR the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

In accordance with Art. 77 GDPR, you also have the right to file a complaint with a supervisory authority.

Right of Withdrawal

You have the right to withdraw consents granted pursuant to Art. 7 (3) GDPR with effect for the future.

Right to Object

You can object to the future processing of the data concerning you in accordance with Art. 21 GDPR at any time. The objection may be lodged in particular against processing for direct marketing purposes.

Cookies

We use temporary and permanent cookies, i.e. small files that are stored on the user's devices (for the explanation of the term and function, see last section of this Privacy Policy). Our cookies serve security purposes or are required for the operation of our Online Services (e.g., for the appearance of the website).

If users do not want cookies to be stored on their computer, they are advised to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies leads to functional restrictions of this Online Service.

Do not track policy

DNT is a web browser setting a consumer may set to "on" or "off." When turned on, the user is instructing their browser to disable tracking of their web browsing activities. We honor DNT cookie policy and if it is set on your browser we will not place any cookie when you visit our site.

Solely Automated individual decision-making

In accordance with Art. 22 GDPR, you have the right not to be subject to a decision based exclusively on automated processing - including profiling - which has legal effect concerning you or similarly significantly affects you.

We inform you that we do not use exclusively automated individual decision-making.

Erasure of data and archiving obligations

The data processed by us will be erased or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this Privacy Policy, the data stored by us will be erased as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the data are not erased because they are necessary for other and legally permissible purposes, their processing is restricted. This means that the data is excluded and not processed for other purposes. This applies, for example, to data that must be retained for commercial or taxation reasons.

In accordance with statutory provisions in Austria, the records are kept in particular for 7 years in accordance with Sections 132 (1) Austrian Financial Act (BAO).

Changes and Updates to this Privacy Policy

We ask you to keep yourself regularly informed about the contents of our Privacy Policy. We will adapt the Privacy Policy as soon as any changes in data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

Relevant Legal Basis for the Processing

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not explicitly stated in the Privacy Policy, the following applies: The legal basis for obtaining consents is Art. 6 (1) a and Art. 7 GDPR, the legal basis for processing for the performance of our services and performance of contractual measures as well as for answering inquiries is Art. 6 (1) b GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6 (1) c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1) f GDPR. In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

The principles for commercial communications outside of business relations, in particular by post, telephone, fax and e-mail, are contained in § 7 of the Austrian Unfair Competition Act (UWG).

Security of Data Processing

We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transfer, integrity and pseudonymity. Furthermore, we have established procedures that guarantee the assertion of data subjects' rights, the erasure of data and the response to data hazards. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design of technology and by data protection-friendly presettings (Art. 25 GDPR).

The security measures include in particular the encrypted transmission of data between your browser and our server or the encryption of your password in our database.

Disclosure and Transmission of Data

If we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this will only be carried out on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is required for contract fulfilment pursuant to Art. 6 (1) b GDPR), if you have consented, if a legal obligation requires this or on the basis of our legitimate interests (e.g. when using agents, web hosting services, etc.).

If we commission third parties with the processing of data on the basis of a so-called Data Processing Agreement, this is done on the basis of Art. 28 GDPR.

Transfers to Third Countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA) or if this occurs in the context of the use of third-party services or disclosure or transmission of data to third parties, this only takes place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or let the data being processed in a third country only if the special requirements of Art. 44 ff GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognised adequate data protection level corresponding to the EU (e.g. for the USA by the Privacy Shield) or compliance with officially recognised special contractual obligations (so-called Standard Contractual Clauses).

3. Processing operations

The following section provides an overview of our processing activities, which we have subdivided into other areas of operation. Please note that the areas of operation are for guidance only and that processing activities may overlap (e.g. the same data may be processed in several operations).

For reasons of clarity and comprehensibility, you will find the frequently repeated terms in section 4 of this data protection declaration.

Contractual services (QR Planet GmbH)

We process the data of our customers within the scope of QR Planet GmbH's services in order to provide our contractual services.

• Data processed: Customer master data (company name, contact person, address, VAT registration number, e-mail address), user and account data (name, e-mail address, cryptographic hash of password), payment data (account data and/or credit card data), contract data (type of service, fee, term, contract history, payment history), content data which are entered by customers/users themselves in QR Planet GmbH (QR Codes, Location Data, Landing Pages), usage data/ metadata (server logging: IP address, user agent, request parameter, time stamp).
• Special categories of personal data: In general, no special categories of data are processed unless they are submitted by the user.
• Data subjects: Customers, test users, business partners, visitors who view landing pages or QR codes from customers.
• Purpose of Processing: infrastructure and platform services, computing capacity, storage and database services, security services, technical maintenance services.
• Legal basis: Art. 6 (1) b GDPR (performance of the contract).
• Necessity / interest in processing: The data are necessary to establish and fulfil the contractual performance.
• External disclosure and purpose: For hosting purposes only or within the scope of legal permissions and obligations towards legal consultants and authorities.
• Processing in third countries: none.
• Deletion of data: Content data entered into QR Planet GmbH by customers themselves will be archived for 2 years after termination of the account or expiration of the trial and automatically deleted afterwards. Customer master data will be stored indefinitely, unless they are no longer required; the necessity of storing the data will be checked every three years; in the case of statutory archiving obligations the deletion will take place after their expiry (end of retention obligation - commercial, 2 years / tax, 7 years).
  Content data created by visitors to a customer's landing pages can be deleted by customers themselves. With digital guest registration, contacts older than 28 days are automatically deleted. Contacts from lead landing pages can be automated or manually deleted.

Hosting QR Planet GmbH data

The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, security services, technical maintenance services.

• Data processed: Inventory data, contact data, content data, contract data, usage data, meta/communication data.
• Special categories of personal data: none.
• Legal basis: Art. 6 (1) f GDPR.
• Data subjects: customers, prospective customers.
• Special security measures: Data Processing Agreement.
• Processing in third countries: none.
• External disclosure and purpose: Hetzner Online GmbH - Industriestr. 25 - 91710 Gunzenhausen - Germany (hosting QR Planet GmbH)
• Necessity / interest in processing: Security, efficiency, business interests.

Hosting Website, Blog, Mail Server

The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, security services, technical maintenance services.

• Data processed: Inventory data, contact data, content data, contract data, usage data, meta/communication data.
• Special categories of personal data: none.
• Legal basis: Art. 6 (1) f GDPR.
• Data subjects: customers, prospective customers, visitors of the website.
• Special security measures: Data Processing Agreement.
• External disclosure and purpose: DI Kurz Klaus e.U. - Untere Weißgerberstr. 28/11 - 1030 Wien - Österreich (hosting website, blog, mail server).
• Processing in third countries: none
• Necessity / interest in processing: Security, efficiency, business interests.

DDoS Protection

The services we use serve to protect our service from DDoS attacks. Only in the event of an attack are visitors first directed to an external server, which checks whether it is a real person and only if the check is positive will it be forwarded to our servers. For users visiting our international page qrplanet.com, Cloudflare is always turned on, to protect our website. When a user wants to register on qrplanet.com, we also send a JS challenge from Cloudflare to avoid bots registering on our website.

• Data processed: content data, usage data, meta/communication data.
• Special categories of personal data: none.
• Legal basis: Art. 6 (1) f GDPR.
• Data subjects: customers, prospective customers, visitors of the website.
• Special security measures: Data Processing Agreement.
• External disclosure and purpose: Cloudflare Germany GmbH Rosental 7, c/o Mindspace, 80331 München (securing QR Planet GmbH)
• Processing in third countries: yes
• Necessity / interest in processing: Security

Answering Inquiries and Customer Service

Information in inquiries that we receive via our contact form and other means, e.g. via e-mail, we process in order to answer the inquiries.

• Data processed: Inventory data, contact data, contract data, payment data, usage data, metadata.
• Data subjects: customers, prospective customers, business partners, website visitors.
• Purpose of processing: Answering inquiries.
• Type, scope and mode of operation of the processing: registration process, termination option.
• Necessity / interest in processing: Necessary to answer queries.
• Legal basis: Art. 6 (1) b./f GDPR.
• External disclosure and purpose: Hetzner Online GmbH - Industriestr. 25 - 91710 Gunzenhausen - Germany (hosting website, blog, mail server)
• Processing in third countries: none.
• Retention of data: We delete the inquiries if they are no longer required. We review the requirement every two years; requests from customers who have a customer account are stored permanently and are linked to the customer account details for deletion. In the case of statutory archiving obligations, the erasure takes place after their expiry (end of commercial law (2 years) and tax law (7 years) storage obligation).

Administration, Financial Accounting, Office Organization, Archiving

We process data within the framework of administrative tasks as well as the organization of our company, financial accounting and compliance with legal obligations, such as archiving.

• Data processed: Data that we process in the course of our Online Services.
• Special categories of personal data: none.
• Legal basis: Art. 6 (1) c GDPR, Art. 6 (1) f GDPR.
• Data subjects: customers, prospective customers, business partners, website visitors.
• Purpose of processing: administration, financial accounting, office organization, archiving.
• Necessity / interest in processing: The processing is necessary to maintain our business and our services.
• External disclosure and purpose: financial administration, tax consultants, other fee agencies, payment service providers to carry out contractual or legal payment transactions; payment data is only stored at the following payment service providers (=no own storage or processing): GEVEST Steuer- und BetriebsberatungsgmbH - Schottenfeldgasse 40/8 - 1070 Wien - Österreich
  Stripe Payments Europe Ltd - Block 4, Harcourt Centre, Harcourt Road - Dublin 2 - Irland
• Processing in third countries: none.
• Retention of data: We delete the inquiries if they are no longer required. We review the requirement every two years; requests from customers who have a customer account are stored permanently and are linked to the customer account details for deletion. In the case of statutory archiving obligations, the erasure takes place after their expiry (end of commercial law (2 years) and tax law (7 years) storage obligation).

Content delivery network (CDN)

Users accessing our website will get static files like images, JavaScript or CSS files from a content delivery network

• Data processed: IP-Address
• Special categories of personal data: none.
• Processing principles: Art. 6 (1) b GDPR; Art. 6 (1) f GDPR.
• Affected persons: Website visitors
• Purpose of the processing: improving page load time
• Necessity / interest in processing: lowering bounces and improving SEO
• Protective measures: IP addresses are stored anonymously
• processing in third countries: yes.
• Deletion of data: not necessary since no personal data is stored.

Blog

User comments on the blog are stored and can be validated to ensure they are not spam.

• Data processed: Inventory data (names, e-mail addresses, links to own website); content data (comment)
• Special categories of personal data: none.
• Processing principles: Art. 6 (1) b GDPR; Art. 6 (1) f GDPR.
• Affected persons: Authors of comments
• Purpose of the processing: storage of the comment.
• Necessity / interest in processing: security purposes (spam check).
• Protective measures: Users are welcome to use pseudonyms.
• processing in third countries: no.
• Deletion of data: Data remains stored until the author revokes his comment. If the comment was identified as spam, then the data remains permanently stored.

Google Maps

To show QR code scan positions on a map, we have included in our website maps from the service Google Maps by Google LLC via their API.

• Data processed: IP-Address
• Special categories of personal data: none.
• Processing principles: Art. 6 (1) b GDPR; Art. 6 (1) f GDPR.
• Affected persons: Customers, test users
• Purpose of the processing: Viewing Maps
• Necessity / interest in processing: Visualization of QR Code Scan Positions
• Protective measures: Users are welcome to use pseudonyms.
• In this processing, our cooperation with Google is based on a shared responsibility agreement under Art. 26 GDPR, which can be accessed here.
• Retention of data: The deletion policies of the respective networks / platforms apply.

Online Presences in Social Media

We maintain online presences within social networks and platforms in order to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the privacy policy of their respective providers apply. Unless otherwise stated in our privacy policy, we will process the data of users who communicate with us within social networks and platforms, e.g. send us messages.

The links to social networks and platforms (hereinafter referred to as social media) used within our Online Services do not establish a data transmission between social networks and users until users click on the links and access the respective networks or their websites.

Social networks/platforms used by us: Facebook, Twitter, tawk.to

• Data processed: Inventory data, content data.
• Special categories of personal data: In principle, no, except as provided voluntarily by users.
• Legal basis: Art. 6 (1) f GDPR.
• Data subjects: Users of social media networks / platforms (this can include customers and prospective customers).
• Purpose of processing: Information and communication.
• Type, scope and mode of operation of the processing: By providers of the respective platforms as a general rule: permanent cookies, tracking, targeting, remarketing, online behavioural advertising.
• Necessity / interest in processing: Expectations of users active on the platforms, business interests.
• External disclosure and purpose: To the social networks/platforms.
• Processing in third countries: USA.
• Guarantee when processing in third countries: Privacy Shield, Facebook Inc., Twitter, Goolge LLC, tawk.to
• Retention of data: The deletion policies of the respective networks / platforms apply.

Server-Logs

The server on which this Online Service is hosted collects so-called log files each time the Online Service is accessed, in which user data is stored. The data is used for statistical analysis to maintain and optimize server operation and for security purposes, e.g. to detect potential unauthorized access attempts.

• Data processed: Usage data and metadata (name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, IP address).
• Special categories of personal data: none.
• Legal basis: Art. 6 (1) f GDPR.
• Data subjects: customers, prospective customers, visitors of the Online Service.
• Purpose of processing: Optimization of server operation and security monitoring.
• Necessity / interest in processing: Security, business interests.
• Processing in third countries: no.
• Deletion of data: After 1 month from the time of the collection.

Server-Monitoring

We monitor our servers with a local instance of Matomo (Piwik) to ensure the availability and integrity of our Online Services and use the data for technical and user-friendly optimisation.

• Data processed: Aggregated performance data and pseudonymisation of IP address
• Special categories of personal data: none.
• Legal basis: Art. 6 (1) f GDPR, Art. 28 (3 p. 1 GDPR.
• Data subjects: customers, users, business partners, website visitors
• Purpose of processing: server logging; server monitoring & error tracking.
• Type, scope and mode of operation of the processing: Third-party cookies, permanent cookies.
• Special security measures: No transmission of IP addresses. No transmission of unique user ids like e-mail. In addition, users who have set "I don't want to be tracked" in their browser (do-not-track activated) will not be tracked by Matomo.
• Necessity / interest in processing: Security, efficiency of the Online Service.
• Processing in third countries: no.
• Deletion of data: IP addresses are immediately anonymized. Aggregated data that is not personal data remains stored indefinitely.

Newsletter

We send e-mail newsletters to users and our customers, informing them about news on the platform, maintenance work, new functions, etc.

• Data processed: E-Mail-Address, Firstname, Lastname
• Special categories of personal data: none.
• Legal basis: Art. 6 (1) f GDPR, Art. 28 (3 p. 1 GDPR.
• Data subjects: customers, users
• Purpose of processing: Communication about maintenance, changes and news from our service
• Special security measures: All data is processed in-house and is not sent to any third-party newsletter mailing programs. A newsletter will only be sent to the user if the user has given his consent and he has confirmed his email address via a double opt-in. No profiling is carried out.
• Necessity / interest in processing: Communication about maintenance, changes and news from our service
• Processing in third countries: no.
• Deletion of data: The newsletter can be stopped any time via an unsubscribe link in every email or deactivated in the user account. If the user terminates his account, he will also no longer receive emails.

4. Definitions

This section provides an overview of the terms used in this Privacy Policy. Many of the terms are taken from the law and defined above all in Art. 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended primarily for understanding. The terms are sorted alphabetically.

Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Cookies

Cookies are small files that are stored on the user's computer. Different data can be stored in the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his or her visit to a website. Temporary cookies or session cookies or transient cookies are cookies that are deleted after a user leaves a website and closes his browser. In such a cookie, for example, the login status can be stored. Cookies are referred to as permanent or persistent if they are stored even after the browser is closed. For example, the login status can be saved permanently.

Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Privacy Shield

The EU-US Privacy Shield is an informal agreement in the field of data protection law negotiated between the European Union and the United States of America. It consists of a number of assurances from the US government and a decision by the EU Commission. Companies certified under the Privacy Shield offer a guarantee to comply with European data protection law (https://www.privacyshield.gov).

Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pseudonymisation / Pseudonyms

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; E.g. if an exact interest profile of the computer user is stored in a cookie, but not the name of the user, then data is processed pseudonymously. If his name is stored, e.g. as part of his e-mail address or his IP address is stored, then the processing is no longer pseudonymous.

Special categories of personal data

Data identifying racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data or data relating to a natural person's sex life or sexual orientation.

Third countries

Third countries are countries in which the GDPR is not directly applicable law, i.e. in general states that do not belong to the European Union (EU) or the European Economic Area (EEA).

Third Party

Third Party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.