1. Roles.

You (the customer) are the data controller for personal data you submit to the service. Contenza K/S is the processor, acting only on your documented instructions. Where we process data for our own purposes (billing, service security, product improvement on aggregated data), we are an independent controller for that limited purpose and the processing is governed by the privacy policy rather than this agreement.

2. Subject matter, duration, and nature.

Processing is performed to deliver the QRRegistry service: hosting Digital Product Passport records, rendering them to end users, generating QR codes, sending operational email, and billing. Processing lasts for the duration of the subscription and for a wind-down period defined in clause 9.

3. Categories of data and data subjects.

Personal data processed on behalf of the controller is limited to: contact details of manufacturer representatives (as required by Annex III of the Ecodesign regulation), customer employee accounts that administer passports, and end-user scan events (country-level geolocation and user-agent category). Data subjects are staff of the controller and anonymous end users scanning public QR codes.

4. Controller instructions.

We process personal data only on the controller's documented instructions. The Terms of Service and the product behaviour described in public documentation constitute those instructions. If we believe an instruction violates the GDPR, we will inform the controller and suspend the instruction until it is clarified.

5. Confidentiality.

Personnel authorised to process personal data are bound by confidentiality obligations surviving termination of their engagement.

6. Security measures (Art. 32).

  • TLS 1.3 for all data in transit. HSTS enforced on every public domain.
  • Encryption at rest for database volumes and object storage.
  • Role-based access to production systems; access is logged and reviewed quarterly.
  • Passwords are stored hashed; session cookies are HttpOnly, Secure, and SameSite=Lax.
  • Daily off-site encrypted backups with a 30-day rolling window.
  • Defence-in-depth: isolated background worker, sandboxed queue, strict CSP on the viewer surface.

7. Sub-processors.

The controller authorises our use of the sub-processors listed at /sub-processors. We will provide at least 30 days' notice of any proposed addition or replacement, during which the controller may object by cancelling the subscription on a pro-rata refund basis.

8. Data subject rights and assistance.

We assist the controller in responding to data-subject requests. Where the request can be satisfied through features in the dashboard (export, correction, deletion), the controller handles it directly; where operator intervention is required, we respond within 10 business days.

9. Deletion and return on termination.

On termination, personal data under the controller's responsibility is deleted within 90 days unless retention is required by law (e.g. invoicing records). Published Digital Product Passports remain accessible in accordance with Article 10(4) of the Ecodesign regulation; the controller can apply for exceptional deletion where the underlying product has been withdrawn from the market.

10. Audits.

The controller may audit compliance with this agreement once per year, at their own cost, by requesting a written gap analysis and supporting evidence. On-site audits are accommodated only where reasonably necessary and subject to a confidentiality agreement.

11. International transfers.

All personal data is stored in the EU. Where a sub-processor operates outside the EU/EEA, transfers rely on the European Commission's Standard Contractual Clauses, supplemented by the technical measures in clause 6.

12. Breach notification.

We notify the controller without undue delay — and in any case within 48 hours of becoming aware — of any personal data breach affecting the controller's data. The notification describes the nature of the breach, the categories and approximate number of affected records, likely consequences, and the measures taken to contain it.

Questions on this policy? Use the contact form — or email the team through the details on the contact page.