
Data Processing Agreement

Last updated · 2026-06-07

Who is who

When you (the “Customer”) use QRA to manage QR codes for your own end-users, you are the Data Controller and QRA is the Data Processor. We process Customer data only on your documented instructions — the act of creating a workspace and using the dashboard is the instruction.

What we process for you

  • Workspace data: team-member emails + names, QR codes, destinations, folder + tag metadata, brand assets, custom-domain records.
  • Scan event data: timestamp, country, device class, OS, browser, hashed IP, referrer. No personally-identifying visitor information.
  • Audit log: who did what in the workspace, retained for 180 days for accountability.

Sub-processors

We engage the following sub-processors. We'll notify Customers via email at least 30 days before adding or replacing any sub-processor (subscribe to privacy@qra.cc for the list).

  • Supabase — Postgres database, Auth, Storage. Region: AWS eu-central-1 (Frankfurt). DPA: supabase.com/legal/dpa.
  • Vercel — Web hosting + serverless runtime. Region: global edge with US-East primary. DPA: vercel.com/legal/dpa.
  • Cloudflare — DNS + scan-redirect worker (Jeddah / Bahrain / Dubai PoPs). DPA: cloudflare.com/cloudflare-customer-dpa.
  • Resend — Transactional email (invites, confirmations, billing notices). Region: AWS us-east-1. DPA: resend.com/legal/dpa.
  • Tap Payments — Card processing for the GCC / MENA (PCI-DSS Level 1). Receives only the data needed to charge a card (we never see full PANs).

International transfers

Workspace data is stored in the EU (Supabase Frankfurt). Scan-redirect logs hit the nearest Cloudflare PoP — for MENA Customers this is typically Jeddah, Bahrain, or Dubai. Transfers from the EU to processors based outside the EU rely on Standard Contractual Clauses (SCC). KSA Customer data is processed in accordance with KSA PDPL data-transfer requirements.

Retention + deletion

  • Active data: retained while your workspace is active.
  • Scan analytics: raw scan events retained for 18 months; aggregated daily rollups retained for 5 years.
  • Audit log: 180 days.
  • On workspace deletion: all data is purged within 30 days (cascades through Supabase's deletion procedure). Backups overwrite within 90 days.

Security commitments

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 on Supabase).
  • Row-Level Security (RLS) on every multi-tenant table. Workspace data is isolated at the database layer, not just the app layer.
  • Optional TOTP-based two-factor authentication for any workspace member (enable from Security settings).
  • Service-role credentials are never sent to the browser. All write paths go through validated server routes.

Breach notification

If we discover a personal-data breach affecting your data, we'll notify your workspace owner by email within 72 hours, in line with GDPR Art. 33 and KSA PDPL requirements. The notice will include what we know, what we're doing, and what we recommend you do.

Audits + counter-signed DPA

Enterprise Customers can request a counter-signed DPA (DOCX). Email legal@qra.cc with your company legal name + signatory and we'll return a signed copy within 5 business days. For a security questionnaire, attach the SIG / CAIQ / your internal template and we'll fill it in.

© 2026 QRA · hello@qra.cc

QR Code is a registered trademark of DENSO WAVE INCORPORATED.