DATA PROCESSING AGREEMENT (DPA)
Service: ME-QR
Last updated: 18 May 2026
This Data Processing Agreement (“DPA”) is an integral part of the Terms and Conditions of ME-QR and reflects the parties' agreement with regard to the processing of Personal Data.
1. Parties and Role Definitions
This DPA is entered into between:
- Customer: The individual or legal entity using the ME-QR service (the “Controller”).
- ME TEAM LTD: A company incorporated in the United Kingdom, located at 128 City Road, London, United Kingdom, EC1V 2NX (the “Processor”).
The Controller and the Processor are collectively referred to as the “Parties.”
2. Purpose and Scope
This DPA applies where ME TEAM LTD processes Personal Data on behalf of the Customer while providing the ME-QR service (QR code generation, management, and analytics). Both parties agree to comply with the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
3. Subject Matter and Duration
- Subject Matter: The processing consists of providing a technical platform for creating, managing, and tracking dynamic and static QR codes.
- Duration: This DPA remains in effect for the duration of the Customer’s use of the ME-QR service and until all Personal Data is deleted or returned in accordance with Section 13.
4. Categories of Data Subjects
Personal Data processed under this DPA may relate to:
- End Users: Individuals who scan the QR codes generated by the Controller.
- Authorized Users: Customer’s employees or representatives who access the ME-QR account.
- Website Visitors: Individuals interacting with the Controller's content via the ME-QR infrastructure.
5. Categories of Personal Data
The Processor processes the following types of data:
- Technical Data: IP address, device type, operating system, and browser information.
- Usage Data: Timestamp of scans, frequency of scans, and referral URLs.
- Location Data: Approximate geolocation derived from the IP address (usually at the city or country level).
- Account Data: Name, email address, and billing information (if provided).
- Note: The Processor does not intentionally collect or process "Special Categories of Personal Data" (as defined in Art. 9 GDPR).
6. Nature and Purpose of Processing
The Processor shall process Personal Data only for the following purposes:
- Providing and maintaining the QR code generation and management platform.
- Generating scan analytics and performance reports for the Controller.
- Ensuring the security and integrity of the service (DDoS protection, fraud prevention).
- Complying with documented instructions from the Controller.
7. Processor’s Obligations
The Processor (ME TEAM LTD) agrees to:
- Documented Instructions: Process Personal Data only on documented instructions from the Controller unless required by law.
- Confidentiality: Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality.
- Security: Implement appropriate technical and organizational measures (TOMs) as required by Article 32 of the GDPR.
- Assistance: Assist the Controller in fulfilling their obligations to respond to Data Subject requests (access, erasure, etc.).
- Notice: Notify the Controller without undue delay after becoming aware of a Personal Data breach.
8. Technical and Organizational Measures (TOMs)
The Processor implements the following security standards:
- Data Encryption: Use of HTTPS/TLS encryption for all data in transit.
- Infrastructure Security: Use of secure, industry-leading hosting providers.
- Access Control: Strict role-based access control (RBAC) to administrative panels.
- Monitoring: Continuous logging and monitoring of system access and potential security threats.
9. Sub-processors
The Controller grants a general authorization to the Processor to engage sub-processors (e.g., AWS for hosting, Stripe for payments, Google Analytics).
- The Processor ensures that all sub-processors are bound by written agreements offering the same level of data protection as this DPA.
- A list of current sub-processors is available to the Controller upon request.
10. International Data Transfers
If Personal Data is transferred outside the EU/EEA or the UK, the Processor ensures that such transfers are governed by:
- Adequacy Decisions by the European Commission;
- Standard Contractual Clauses (SCCs) to ensure an equivalent level of protection.
11. Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights (Access, Rectification, Erasure, etc.).
12. Personal Data Breach
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and provide sufficient information to allow the Controller to meet their obligations to notify supervisory authorities and data subjects under Articles 33 and 34 of the GDPR.
13. Deletion or Return of Data
Upon termination of the service, the Processor shall, at the choice of the Controller, delete or return all Personal Data, unless applicable law requires the storage of such data. Backups are overwritten in accordance with the Processor's standard retention cycles.
14. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for/contribute to audits or inspections conducted by the Controller or an auditor mandated by the Controller.
15. Liability
Liability under this DPA shall be governed by the limitations set forth in the ME-QR Terms & Conditions, except where mandatory law (GDPR) provides otherwise.
16. Governing Law
This DPA is governed by the laws of the United Kingdom, or the laws of the EU Member State in which the Controller is established, as applicable.
ANNEX I: Description of the Processing
A. List of Parties
- Data Exporter (Controller): The Customer using the ME-QR service.
- Data Importer (Processor): ME TEAM LTD (legal entity providing services to the EU/EEA and UK markets). Contact: privacy@me-team.org
B. Description of Processing
- Subject Matter: Provision of QR code generation, management, and analytics services via the ME-QR platform.
- Duration: For the duration of the Customer’s use of the Service and until deletion of Personal Data in accordance with Annex III (Retention Schedule).
- Nature of Processing: Collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure (by transmission), alignment, restriction, deletion, and destruction of personal data.
- Purpose(s) of Processing:
  - Providing QR code analytics and management tools.
  - Ensuring platform security and fraud prevention.
  - Maintaining service performance and reliability.
  - Supporting Customer requests and technical support.
- Categories of Data Subjects:
  - End users scanning QR codes.
  - Customer’s employees or account users.
  - Website visitors interacting with QR codes.
- Categories of Personal Data:
  - IP address.
  - Device and browser information (OS, browser type).
  - Timestamp of scan.
  - Approximate geolocation (IP-based city/country level).
  - Account data (email, name).
  - Usage statistics.
C. Competent Supervisory Authority
- The supervisory authority of the EU Member State where the Controller is established, or the Information Commissioner's Office (ICO) for the United Kingdom.
ANNEX II: Technical and Organisational Measures (TOMs)
ME TEAM LTD implements the following technical and organizational security measures to protect Personal Data:
- Confidentiality:
  - Role-based access control (RBAC) ensuring data is only visible to authorized personnel.
  - Least-privilege access model applied to all internal production infrastructure.
  - Binding confidentiality agreements signed by all employees and contractors.
  - Multi-factor authentication (MFA) required for all administrative and server access.
- Integrity:
  - Enforced HTTPS/TLS encryption for all data in transit.
  - Secure authentication protocols and data validation rules.
  - Input validation and continuous abuse monitoring to prevent malicious data injection.
- Availability:
  - Cloud-based infrastructure redundancy across multiple availability zones.
  - Automated database backup systems.
  - Documented disaster recovery procedures.
- Resilience:
  - Continuous infrastructure monitoring and centralized logging systems.
  - Rate limiting and Web Application Firewall (WAF) protection provided via Cloudflare.
  - Automated bot protection and abuse detection algorithms.
- Testing & Evaluation:
  - Regular automated software updates and dependency checks.
  - Strict security patch management policies.
  - Real-time infrastructure performance and security monitoring.
- Data Minimisation:
  - Data collection strictly limited to necessary analytical and operational account data.
  - No intentional collection or processing of sensitive, special categories of data.
ANNEX III: Retention Schedule
| Data Category | Retention Period |
| Account data | Until account deletion + 30 days grace period |
| QR scan analytics | 12 months |
| Security logs | 6 months |
| Billing data | As required by applicable corporate and tax laws |
| Backup data | Automatically overwritten within backup cycles (maximum 30–60 days) |
ANNEX IV: List of Sub-processors
ME TEAM LTD currently engages the following core sub-processors to ensure platform delivery and performance:
| Provider | Purpose | Location |
| Hetzner Online GmbH | Server and cloud hosting infrastructure | European Union (EU) |
| Cloudflare, Inc. | Content Delivery Network (CDN), security, WAF | EU / United States |
| Stripe, Inc. | Payment processing and billing operations | EU / United States |
| Google LLC (GA4) | Internal platform usage analytics | EU / United States |
| Elastic / Monitoring provider | System logging and application monitoring | European Union (EU) |
SCC MODULE STRUCTURE (International Data Transfers)
For cross-border transfers of Personal Data outside the EEA or the United Kingdom to countries without an adequacy decision, the parties agree that:
- Module Two (Controller to Processor) of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) shall apply and is hereby incorporated by reference.
- The provisions of Annex I, II, and III of this DPA shall serve directly as Annexes I, II, and III of the Standard Contractual Clauses.
- Where applicable, additional technical safeguards (such as pseudo-anonymization and advanced transit encryption) are deployed to ensure data protection remains equivalent to EU/UK legal requirements.

