GDPR Compliance
Last updated: March 1, 2026
Our Commitment
GrowQR is committed to complying with the General Data Protection Regulation (GDPR) and protecting the data rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland. This page outlines our approach to GDPR compliance and your rights as a data subject.
Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract: Processing necessary to provide the Service you've signed up for (e.g., account management, link analytics).
- Legitimate Interest: Processing necessary for our legitimate business interests (e.g., fraud prevention, service improvement), balanced against your rights.
- Consent: Processing based on your explicit consent (e.g., marketing emails). You may withdraw consent at any time.
- Legal Obligation: Processing required to comply with applicable laws (e.g., tax records, law enforcement requests).
Your Rights Under GDPR
As a data subject, you have the following rights:
Right to Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Restrict Processing
Request that we limit how we use your data.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent.
Right to Lodge a Complaint
File a complaint with your local data protection authority.
Data Processing Agreements
GrowQR acts as a data processor for click analytics data collected on behalf of our customers (data controllers). We offer a standard Data Processing Agreement (DPA) that covers GDPR requirements including sub-processor lists, data breach notification procedures, and audit rights. Enterprise customers can request a signed DPA by contacting our sales team.
Sub-processors
We use the following sub-processors to provide the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure and hosting | US / EU |
| Vercel | Frontend hosting and CDN | Global |
| Stripe | Payment processing | US |
| SendGrid | Transactional email delivery | US |
International Transfers
When personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms to ensure adequate protection.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Article 33 and 34.
Exercising Your Rights
To exercise any of your GDPR rights, please contact our Data Protection team:
Email: privacy@growqr.to
Response time: We will respond within 30 days.