Data Processing Addendum

This Data Processing Addendum ("DPA") is incorporated by reference into the Terms of Service between QRQuick ("Processor") and you, the business customer ("Controller").

It governs the processing of personal data by QRQuick on the Controller's behalf — for example, when a Controller uploads contact lists for a lead-capture campaign, or when end users scan a Controller's QR codes.

This DPA applies automatically the moment a paid plan is activated. No signature is required — both parties agree to be bound by these terms once the Service is used commercially. A signed PDF copy is available on request to legal@qrquick.in.

Capitalized terms not defined here have the meaning given in the Terms of Service.

• Personal Data — data relating to an identified or identifiable individual processed under this DPA
• Processing — any operation performed on Personal Data
• Sub-processor — a third party engaged by QRQuick to process Personal Data on Controller's behalf
• Data Subject — the individual the Personal Data is about
• Applicable Law — DPDP Act 2023 (India), GDPR (where applicable), and any other privacy law that governs the parties

Subject matter — providing the QRQuick QR-code platform to the Controller.

Duration — for as long as the Controller has an active account, plus retention periods set out in the Privacy Policy.

Nature and purpose — hosting, storing, displaying, and analyzing QR redirects and associated metadata; sending transactional emails on the Controller's behalf; supporting the Controller's use of the Service.

Categories of Personal Data — names, email addresses, phone numbers, postal addresses (where Controller chooses to collect them via lead-capture blocks); IP-derived approximate location, device, and timestamps of scanners.

Categories of Data Subjects — Controller's employees, agency clients, marketing-campaign leads, and end users scanning Controller's QRs.

QRQuick will:

• process Personal Data only on documented instructions from the Controller (the Terms, this DPA, and the dashboard settings constitute documented instructions)
• ensure persons authorized to process Personal Data are under confidentiality obligations
• implement appropriate technical and organizational measures (see Annex — Security Measures)
• engage Sub-processors only under this DPA's terms (see "Sub-processors" below)
• assist Controller with Data Subject rights requests and with security/breach obligations
• on termination, delete or return all Personal Data within 30 days, retaining only data required by Applicable Law

QRQuick will notify the Controller without undue delay and within 72 hours of becoming aware of a Personal Data breach affecting Controller's data.

Controller authorizes QRQuick to engage the following Sub-processors:

• Razorpay Software Pvt Ltd (Bengaluru, India) — payment processing
• Hetzner Online GmbH (Falkenstein, Germany) — primary application + database hosting
• Amazon Web Services India Pvt Ltd (Mumbai, India) — encrypted off-site database backups
• Resend Inc. (Delaware, USA) — transactional email delivery

QRQuick will notify Controller by email at least 30 days before adding a new Sub-processor. The Controller may object on reasonable grounds; if the parties cannot agree, the Controller may terminate the affected portion of the Service and receive a pro-rated refund.

Where Personal Data is transferred outside India to a Sub-processor (Hetzner in Germany, Resend in the United States), QRQuick relies on Standard Contractual Clauses approved by the European Commission and on supplementary safeguards including encryption-at-rest and access logging.

The Controller may request a copy of executed SCCs by emailing legal@qrquick.in.

QRQuick maintains annual SOC 2-style internal security reviews (we are pre-certification but follow the same controls framework). On reasonable written notice, Controller may:

• request the most recent internal-review summary
• ask up to two clarifying questions per quarter
• on Controller's request and at Controller's cost, commission a third-party audit no more than once per 12 months, subject to a confidentiality agreement

Audits will not unreasonably disrupt the Service.

Controller represents and warrants that:

• it has a lawful basis (consent, contract, or legitimate interest) for the Personal Data it routes through the Service
• it has provided required notice to Data Subjects regarding the processing
• it will not upload "sensitive Personal Data" (e.g. health, financial, or political-opinion data) without first contacting QRQuick to confirm appropriate safeguards are in place
• it will respond to Data Subject requests it receives; QRQuick will assist on request but is not the primary respondent

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

Nothing in this DPA limits liability for fraud, willful misconduct, or any liability that cannot be lawfully excluded.

This DPA is effective from the moment the Controller's first paid plan is activated and continues until all Personal Data has been deleted or returned.

In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data-processing matters.

For any matter under this DPA — including breach notifications, sub-processor objections, audit requests, and SCC copies — contact:

• legal@qrquick.in for contract matters
• privacy@qrquick.in for data-protection matters
• security@qrquick.in for security incidents

For a counter-signed PDF or a custom DPA addendum (e.g. for enterprises with their own template), reply to your account manager or email legal@qrquick.in.