Privacy Policy

Last updated: March 25, 2026

Written by Hayko

Data Controller

This Privacy Policy explains how QrX B.V. ("QrX", "we", "us", "our") collects, uses, stores and protects personal data when you use our platform, websites, mobile applications and services (together the "Services"). QrX B.V. acts as the data controller for the personal data described in this policy.

QrX B.V.
Deventerweg 2A, 3843 GD Harderwijk, The Netherlands
KVK: 99715554
BTW: NL869103076B01
Email: [email protected]

1. What Personal Data We Collect

The personal data we collect depends on how you interact with our Services. We collect the following categories of data:

  • Account information — name, email address, phone number, company name, business registration details and login credentials when you create a QrX account.

  • Transaction data — payment amounts, payment status, order references, delivery addresses, QR code scan events and payment confirmations processed through our platform.

  • Financial information — bank account details (IBAN), billing addresses, invoicing data and payment settlement information necessary to process transactions.

  • Technical data — IP address, browser type, device identifiers, operating system, screen resolution and usage analytics collected automatically when you access our Services.

  • Communication data — messages, support requests, feedback and correspondence exchanged with our team.

  • Delivery data — carrier information, tracking numbers, delivery status updates and proof-of-delivery records related to QrX On Delivery flows.

2. How We Use Your Information

We process personal data only for specific, legitimate purposes:

  • To provide and operate our payment services, including QR code generation, payment processing, delivery coordination and real-time transaction tracking.

  • To verify your identity, authenticate your account and maintain the security of our platform through fraud detection and prevention measures.

  • To communicate with you about your account, transactions and service updates, and to respond to your support requests.

  • To process settlements, generate invoices and manage billing in accordance with your merchant agreement.

  • To improve our platform's performance, develop new features and analyse usage patterns to enhance the user experience.

  • To comply with legal obligations including tax reporting, anti-money laundering regulations and financial record-keeping requirements under Dutch and EU law.

3. Legal Basis for Processing

Under the GDPR, we process personal data based on the following legal grounds:

  • Contract performance — processing necessary to provide our Services to merchants, carriers and customers, including account management and payment processing.

  • Legitimate interests — processing necessary for fraud prevention, platform security, service improvement and business analytics, where these interests are not overridden by your rights.

  • Legal obligations — processing required to comply with Dutch tax law, financial regulations, anti-money laundering legislation and other mandatory legal requirements.

  • Consent — where we rely on your explicit consent, for example for marketing communications or optional analytics cookies. You may withdraw consent at any time.

4. Data Sharing

We share personal data only when necessary for the purposes described in this policy. Recipients include:

  • Payment service providers — Stripe, Mollie, MultiSafePay, IcePay and Pay.nl process payments on behalf of our merchants. Each PSP acts as an independent controller or processor depending on the transaction flow.

  • Delivery partners — carriers such as UPS, GLS and Peddler receive delivery and payment data necessary to coordinate QrX On Delivery operations.

  • Cloud infrastructure providers — we use Amazon Web Services (AWS) for hosting and data storage within the European Economic Area.

  • Communication providers — SendGrid (email), Twilio (SMS) and Firebase (push notifications) process contact data to deliver transactional messages on our behalf.

  • Analytics and monitoring — Sentry for error tracking and Intercom for customer support, both bound by data processing agreements.

We never sell your personal data to third parties. All processors and partners are contractually bound to process data securely and in compliance with applicable law.

5. International Data Transfers

QrX primarily stores and processes data within the European Economic Area (EEA). Where data is transferred outside the EEA — for example to service providers in the United States — we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs), data processing agreements with adequate security requirements, and technical protections such as encryption in transit and at rest. We regularly assess the data protection practices of our international service providers.

6. Data Security

We implement industry-standard technical and organisational measures to protect your personal data, including HMAC-signed API requests for request integrity, encrypted data transmission using TLS 1.2 or higher, secure payment processing through PCI DSS-certified payment service providers, strict access controls with role-based permissions and multi-factor authentication, regular security assessments and vulnerability monitoring via Sentry, and encrypted backup and disaster recovery systems. While we take comprehensive measures to protect your data, no system can guarantee absolute security. You are responsible for maintaining the confidentiality of your own login credentials.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy. Account data is retained for the duration of your business relationship with QrX and deleted within 12 months of account closure, unless longer retention is required by law. Transaction records are retained for a minimum of 7 years in accordance with Dutch fiscal record-keeping requirements (Algemene wet inzake rijksbelastingen). Technical logs and analytics data are retained for up to 24 months. Communication records are retained for up to 36 months to support ongoing customer relationships.

8. Your Rights Under the GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.

  • Right to rectification — request correction of inaccurate or incomplete personal data.

  • Right to erasure — request deletion of your personal data where there is no compelling reason for continued processing ("right to be forgotten").

  • Right to restriction — request that we limit the processing of your data in certain circumstances.

  • Right to data portability — receive your personal data in a structured, machine-readable format and transmit it to another controller.

  • Right to object — object to processing based on legitimate interests, including direct marketing.

  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.

9. Cookies and Tracking

Our platform uses cookies and similar technologies for authentication, preferences and analytics. Essential cookies are required for the platform to function. Non-essential cookies are only placed with your consent. For full details, please read our Cookie Policy.

10. Children's Privacy

QrX services are designed for businesses and adult consumers. We do not knowingly collect personal data from children under the age of 16. If we discover that we have inadvertently collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies or legal requirements. The most recent version will always be published on our website with the updated effective date. Where changes are significant, we will notify you by email or through the platform before they take effect.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact our Data Protection Officer:

Company: QrX B.V.
Address: Deventerweg 2A, 3843 GD Harderwijk, The Netherlands
KVK: 99715554
BTW: NL869103076B01
Email: [email protected]
