This is a template for review. It is not legal advice — DEVOUT BV must have it reviewed and adapted by qualified Belgian legal counsel before publication.
Effective [DD Month YYYY] · Controller: DEVOUT BV
DEVOUT BV (“we”) is the controller for personal data processed through Hopp (hopp.qr-redirects.be), a dynamic QR-code redirect service. Registered address [DEVOUT BV, …, Belgium], enterprise no. [KBO 0XXX.XXX.XXX], VAT [BE 0XXX.XXX.XXX]. Contact: privacy@qr-redirects.be.
| Purpose | Data | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Account & sign-in | Email, name, magic-link/OAuth | Contract — 6(1)(b) |
| Serving redirects & storing your codes | QR codes, destination URLs | Contract — 6(1)(b) |
| Cookieless scan analytics | Hashed IP, coarse GeoIP, device/OS/browser | Legitimate interest — 6(1)(f) |
| Security & abuse prevention | Hashed IP, account data | Legitimate interest — 6(1)(f) |
| Payments & subscriptions | Billing data (via Stripe) | Contract — 6(1)(b) |
| Invoices & bookkeeping | Billing records | Legal obligation — 6(1)(c) |
| Support | Emails & ticket metadata (via Mailgun) | Contract / legitimate interest |
| Marketing email (optional) | Email, consent status | Consent — 6(1)(a) |
Cookieless by design: we never store raw IPs (only a salted hash), use only coarse location, set no tracking cookies, and build no individual profiles. Impact on scanners is minimal.
| Provider | Role | Location | Safeguard |
|---|---|---|---|
| Hetzner | Hosting | EU (DE/FI) | EU/EEA · DPA |
| Stripe | Payments | IE / US | SCCs · DPA |
| Mailgun | Support email | US | SCCs · DPA |
| Replicate | AI QR (optional) | US | SCCs |
| Postmark / SES | System email | US | SCCs |
| MaxMind GeoLite2 | GeoIP (local DB) | On our servers | No data sent |
Access, rectification, erasure, restriction, portability, objection (incl. to the analytics above), and withdrawing consent. Email privacy@qr-redirects.be, or use account settings. We respond within one month. No automated decision-making with legal effect.
You may complain to the Belgian DPA — Gegevensbeschermingsautoriteit / Autorité de protection des données, Rue de la Presse 35, 1000 Brussels, +32 (0)2 274 48 00, contact@apd-gba.be.
Not intended for users under the Belgian digital-consent age (13). We don't knowingly collect their data.
Effective [DD Month YYYY]
We set no analytics or tracking cookies when a code is scanned, so no consent banner is required for analytics under ePrivacy and Belgian law. We use only strictly-necessary cookies, which are exempt from consent:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| hopp_session | Keeps you signed in (httpOnly, SameSite=Lax) | Session / 30d | Strictly necessary |
| hopp_csrf | CSRF protection | Session | Strictly necessary |
| hopp_lang | Remembers your language | ~12 months | Functional (necessary) |
| __stripe_mid/sid | Stripe checkout & fraud | ~12 mo / 30 min | Strictly necessary (Stripe) |
No advertising or cross-site tracking cookies are used. If we ever add non-essential cookies, we'll first add a GBA-compliant consent banner.