Privacy Policy

1. Controller

The controller for data processing within the meaning of Art. 4(7) GDPR is:

{{FIRMA}} {{STRASSE}}, {{PLZ}} {{ORT}} Germany Email: contact@viveqode.com

2. Data Protection Officer

Currently no Data Protection Officer is appointed, as the statutory thresholds (Art. 37 GDPR in conjunction with § 38 BDSG) are not met. Please direct privacy requests to contact@viveqode.com.

3. Data we process

• Account data: email, username, optionally salutation, name, address. Passwords are stored exclusively as bcrypt hashes.
• Content data: text, links, images and logos you put behind QR codes or public pages, plus design profiles and scheduling settings.
• Order and payment data: billing address, order items, Stripe customer ID. We do not process card or bank account data ourselves — payments are handled directly by Stripe.
• Scan and usage data: timestamp, code ID, anonymized IP (last octet zeroed / IPv6 prefix /48), shortened user agent. No cookies are set on the scanning device.
• Contact/support data: content of your inquiries; for Customization leads additionally company name and requirement details.
• Technical log data: server access logs (max. 14 days), audit log for admin actions (36 months).

4. Purposes and legal bases

• Account and code management — contract performance, Art. 6(1)(b) GDPR
• Payment processing via Stripe — contract performance, Art. 6(1)(b) GDPR
• Scan analytics (anonymized) — legitimate interest, Art. 6(1)(f) GDPR
• Customization lead inquiries — pre-contractual measure, Art. 6(1)(b) GDPR
• Security/audit logs, spam/bot protection — legitimate interest in IT security, Art. 6(1)(f) GDPR
• Tax-relevant retention — legal obligation, Art. 6(1)(c) GDPR in conjunction with §§ 147 AO, 257 HGB

5. Recipients and processors

Data processing agreements (Art. 28 GDPR) exist with the following service providers:

• Stripe Payments Europe Ltd., Ireland — payment processing.
• Cloudflare Germany GmbH / Cloudflare Inc. — DNS, proxy, DDoS protection, Turnstile captcha. Processing primarily in EU data centers; SCCs for US transfers.
• {{HOSTING_PROVIDER}} — server and database operation, located in {{STANDORT_RZ}}.
• {{MAIL_PROVIDER}} — transactional emails (confirmations, password reset).
• {{POD_PARTNER}} — printing and shipping for physical product orders.
• {{ANALYTICS_PROVIDER, optional}} — cookieless EU-hosted web analytics.

Transfers to third countries occur only under an adequacy decision or appropriate safeguards under Art. 46 GDPR.

6. Cookies and tracking

ViveQode uses only strictly necessary cookies (session token, CSRF, language, optionally cart). Per § 25(2)(2) TTDSG no consent is required. We deliberately do not use marketing or profiling cookies. Should we introduce such technologies in future, we will obtain your consent via a cookie banner first.

7. Retention periods

• Account data and content: until you delete your account.
• Payment and order data: 10 years after contract end (§§ 147 AO, 257 HGB).
• Anonymized scan events: 24 months, then automatic deletion.
• Customization lead inquiries: 12 months after last interaction.
• Audit logs: 36 months. Server access logs: 14 days.

8. Your rights

• Access (Art. 15) — self-service data export in the dashboard.
• Rectification (Art. 16) — directly in the dashboard.
• Erasure (Art. 17) — via Dashboard → Account → "Delete account". Note: Lifetime codes (purchased via pack, apparel or business card) remain reachable in anonymized form so already printed materials keep functioning. All personal data is removed; the code then resolves to a generic ViveQode landing page.
• Restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7(3)).
• Right to lodge a complaint with a supervisory authority (Art. 77) — competent authority: {{LANDESDATENSCHUTZBEAUFTRAGTE_R}}.

9. Obligation to provide data

Providing the data above is neither legally nor contractually required. However, without data necessary for contract performance (e.g. email, payment data) we cannot create an account or process orders.

10. Automated decisions / profiling

We do not carry out any automated individual decision-making or profiling within the meaning of Art. 22 GDPR.

11. Data security

We employ current security standards: TLS for all connections, HSTS, Content Security Policy, bcrypt password hashing, Stripe webhook signature verification, server-side HTML/SVG sanitization, rate limiting on critical endpoints, regular encrypted backups and two-factor authentication for admin accounts.

12. QR code lifetime guarantee — privacy aspect

ViveQode guarantees that every QR code you create remains scannable for the lifetime of the service. In case of account deletion or company wind-down we honor this through anonymization or a minimum six-month migration phase — details in our Terms.

13. Changes to this privacy policy

We may update this policy whenever legal or technical conditions change. The current version is always available at viveqode.com/legal/datenschutz. We will notify registered users by email about material changes.