DATA PROCESSING AGREEMENT (DPA)

Service: ME-QR

Last updated: 18 May 2026

This Data Processing Agreement (“DPA”) is an integral part of the Terms and Conditions of ME-QR and reflects the parties' agreement with regard to the processing of Personal Data.

1. Parties and Role Definitions

This DPA is entered into between:

  • Customer: The individual or legal entity using the ME-QR service (the “Controller”).
  • ME TEAM LTD: A company incorporated in the United Kingdom, located at 128 City Road, London, United Kingdom, EC1V 2NX (the “Processor”).

The Controller and the Processor are collectively referred to as the “Parties.”

2. Purpose and Scope

This DPA applies where ME TEAM LTD processes Personal Data on behalf of the Customer while providing the ME-QR service (QR code generation, management, and analytics). Both parties agree to comply with the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

3. Subject Matter and Duration

  • Subject Matter: The processing consists of providing a technical platform for creating, managing, and tracking dynamic and static QR codes.
  • Duration: This DPA remains in effect for the duration of the Customer’s use of the ME-QR service and until all Personal Data is deleted or returned in accordance with Section 13.

4. Categories of Data Subjects

Personal Data processed under this DPA may relate to:

  • End Users: Individuals who scan the QR codes generated by the Controller.
  • Authorized Users: Customer’s employees or representatives who access the ME-QR account.
  • Website Visitors: Individuals interacting with the Controller's content via the ME-QR infrastructure.

5. Categories of Personal Data

The Processor processes the following types of data:

  • Technical Data: IP address, device type, operating system, and browser information.
  • Usage Data: Timestamp of scans, frequency of scans, and referral URLs.
  • Location Data: Approximate geolocation derived from the IP address (usually at the city or country level).
  • Account Data: Name, email address, and billing information (if provided).

Note: The Processor does not intentionally collect or process “Special Categories of Personal Data” (as defined in Art. 9 GDPR).

6. Nature and Purpose of Processing

The Processor shall process Personal Data only for the following purposes:

  1. Providing and maintaining the QR code generation and management platform.
  2. Generating scan analytics and performance reports for the Controller.
  3. Ensuring the security and integrity of the service (DDoS protection, fraud prevention).
  4. Complying with documented instructions from the Controller.

7. Processor’s Obligations

The Processor (ME TEAM LTD) agrees to:

  • Documented Instructions: Process Personal Data only on documented instructions from the Controller unless required by law.
  • Confidentiality: Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality.
  • Security: Implement appropriate technical and organizational measures (TOMs) as required by Article 32 of the GDPR.
  • Assistance: Assist the Controller in fulfilling their obligations to respond to Data Subject requests (access, erasure, etc.).
  • Notice: Notify the Controller without undue delay after becoming aware of a Personal Data breach.

8. Technical and Organizational Measures (TOMs)

The Processor implements the following security standards:

  • Data Encryption: Use of HTTPS/TLS encryption for all data in transit.
  • Infrastructure Security: Use of secure, industry-leading hosting providers.
  • Access Control: Strict role-based access control (RBAC) to administrative panels.
  • Monitoring: Continuous logging and monitoring of system access and potential security threats.

9. Sub-processors

The Controller grants a general authorization to the Processor to engage sub-processors (e.g., AWS for hosting, Stripe for payments, Google Analytics).

  • The Processor ensures that all sub-processors are bound by written agreements offering the same level of data protection as this DPA.
  • A list of current sub-processors is available to the Controller upon request.

10. International Data Transfers

If Personal Data is transferred outside the EU/EEA or the UK, the Processor ensures that such transfers are governed by:

  • Adequacy Decisions by the European Commission;
  • Standard Contractual Clauses (SCCs) to ensure an equivalent level of protection.

11. Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights (Access, Rectification, Erasure, etc.).

12. Personal Data Breach

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and provide sufficient information to allow the Controller to meet their obligations to notify supervisory authorities and data subjects under Articles 33 and 34 of the GDPR.

13. Deletion or Return of Data

Upon termination of the service, the Processor shall, at the choice of the Controller, delete or return all Personal Data, unless applicable law requires the storage of such data. Backups are overwritten in accordance with the Processor's standard retention cycles.

14. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for/contribute to audits or inspections conducted by the Controller or an auditor mandated by the Controller.

15. Liability

Liability under this DPA shall be governed by the limitations set forth in the ME-QR Terms & Conditions, except where mandatory law (GDPR) provides otherwise.

16. Governing Law

This DPA is governed by the laws of the United Kingdom, or the laws of the EU Member State in which the Controller is established, as applicable.