Data Processing Agreement
Effective date: June 5, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer" or "Controller") and SMLLR ("Processor") and governs the processing of personal data through the SMLLR platform. By using SMLLR, you agree to this DPA.
1. Definitions
- "Customer" / "Controller" — the business, agency, or individual that has created an account on SMLLR and uses the platform to create and manage QR codes, campaigns, or landing pages.
- "Processor" / "SMLLR" — SMLLR, the entity that operates the SMLLR platform and processes personal data on behalf of the Customer.
- "End User" — any individual who scans a QR code, visits a short link, or interacts with a landing page created by the Customer using the SMLLR platform.
- "Scan Analytics Data" — technical data collected automatically when an End User scans a QR code or accesses a link, including IP address, approximate geographic location, device type, browser type, operating system, and scan timestamp.
- "Account Data" — personal data that the Customer provides directly to SMLLR to create and maintain an account, such as name, email address, and billing information.
- "Data Protection Laws" — all applicable data protection and privacy laws, including the Digital Personal Data Protection Act, 2023 (India) and any rules or regulations notified thereunder.
- "Personal Data" — any data about an individual who is identifiable by or in relation to such data, as defined under applicable Data Protection Laws.
2. Roles of the Parties
The parties acknowledge and agree that with respect to Scan Analytics Data:
- The Customer is the Data Controller. The Customer determines the purposes and means of collecting Scan Analytics Data from their End Users. The Customer creates the QR codes, chooses to enable analytics, and directs their End Users to interact with their codes or links.
- SMLLR is the Data Processor. SMLLR collects and stores Scan Analytics Data solely on behalf of, and under the documented instructions of, the Customer. SMLLR does not determine the purpose of this collection and does not use Scan Analytics Data for its own independent purposes.
With respect to Account Data (the Customer's own name, email, billing information, etc.), SMLLR acts as the Data Controller and processes such data in accordance with its Privacy Policy.
3. Data Processed
Under this DPA, SMLLR processes the following categories of Scan Analytics Data on behalf of the Customer:
| Data Category | Examples | Purpose |
|---|---|---|
| Network identifiers | IP address | Fraud detection, geo enrichment |
| Device data | Browser, OS, device type (mobile/desktop/tablet) | Scan analytics |
| Approximate location | Country, city, region (derived from IP) | Geographic analytics for Customer |
| Interaction data | Scan timestamp, QR code ID, target URL | Scan counting, campaign attribution |
| Pseudonymous identifier | Cookie-based scan UID (repeat scan detection) | Unique vs repeat visitor analytics |
No special category data (health, biometric, financial, religious, etc.) is collected from End Users through the SMLLR platform.
4. Customer Obligations (Controller)
As the Data Controller for Scan Analytics Data, the Customer agrees to:
- Establish a lawful basis for collecting Scan Analytics Data from their End Users before enabling analytics features on any QR code or campaign. Lawful bases may include legitimate interest, consent, or any other basis applicable under Data Protection Laws.
- Provide appropriate notice to End Users — for example, through a privacy notice on their own website or physical marketing materials — that scanning their QR codes may result in the collection of technical and location data for analytics purposes.
- Handle data subject requests from End Users (access, correction, erasure) that relate to Scan Analytics Data. SMLLR will assist the Customer in responding to such requests as set out in Section 7.
- Not instruct SMLLR to process Scan Analytics Data in any manner that would violate applicable Data Protection Laws.
- Ensure that any third-party content, landing pages, or redirect destinations they configure do not collect personal data in a manner inconsistent with their own privacy commitments to End Users.
5. Processor Obligations (SMLLR)
SMLLR agrees to:
- Process Scan Analytics Data only on documented instructions from the Customer and only for the purposes described in Section 3.
- Ensure that personnel who access Scan Analytics Data are bound by appropriate confidentiality obligations.
- Implement and maintain reasonable technical and organisational security measures appropriate to the nature of the data (see Section 8).
- Not transfer Scan Analytics Data outside of India except as strictly necessary to use the Sub-processors listed in Section 6, each of which has been assessed and disclosed to the Customer in that section. Cross-border transfers to such Sub-processors are made on the basis of contractual protections and are limited to what is necessary for the stated purpose.
- Notify the Customer without undue delay upon becoming aware of a personal data breach affecting Scan Analytics Data (see Section 9).
- Delete or return Scan Analytics Data upon termination of the Customer's account, in accordance with Section 10.
- Make available to the Customer reasonable information necessary to demonstrate compliance with this DPA.
6. Sub-Processors
The Customer grants SMLLR general authorisation to engage the following sub-processors to assist in delivering the service. SMLLR will impose data protection obligations on each sub-processor equivalent to those in this DPA.
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure — Lambda, DynamoDB, S3, SES | Mumbai, India (ap-south-1) |
| ipapi.co | IP-to-location enrichment for scan geo analytics | EU / US |
| ipinfo.io | IP-to-location enrichment (fallback) | US |
| ip-api.com | IP-to-location enrichment (fallback) | EU |
| Brevo (formerly Sendinblue) | Transactional and marketing email delivery | EU |
| Vercel | Frontend hosting and edge delivery | Global CDN |
| PayU / Razorpay / Paytm | Payment processing for Customer subscriptions. Receive billing details and order amounts; card data is handled exclusively by the gateway and never stored by SMLLR. Each gateway maintains PCI-DSS Level 1 certification as a Merchant Service Provider, which can be verified on the PCI Security Standards Council website. | India |
Each sub-processor is contractually required to: (a) process personal data only for the purposes described in this DPA; (b) implement appropriate technical and organisational security measures; and (c) comply with the Digital Personal Data Protection Act, 2023 (India) and other applicable Data Protection Laws.
SMLLR will notify the Customer of any intended changes to sub-processors by updating this DPA with at least 14 days' notice. If the Customer objects to a new sub-processor on reasonable data protection grounds, they may notify SMLLR at [email protected].
7. Data Subject Rights
End Users who wish to exercise their rights under applicable Data Protection Laws (access, correction, erasure, etc.) with respect to Scan Analytics Data should contact the Customer directly, as the Customer is the Data Controller for that data.
If SMLLR receives a request directly from an End User relating to Scan Analytics Data, SMLLR will promptly inform the Customer and will not respond to such requests on the Customer's behalf without the Customer's prior written authorisation.
SMLLR will provide reasonable technical assistance to the Customer to help them fulfil data subject requests, including providing tools within the platform to export or delete scan records associated with a specific QR code.
8. Security
SMLLR implements and maintains the following technical and organisational measures to protect Scan Analytics Data:
- Encryption of data in transit using TLS 1.2 or higher.
- Data stored in AWS DynamoDB with access restricted to authorised personnel; encryption at rest via AWS KMS is being progressively enabled across all production tables.
- Access to production data restricted to authorised personnel only.
- JWT-based authentication with token blacklisting on logout.
- Rate limiting on all public-facing endpoints.
- Fraud detection scoring on all scan events.
- Point-in-time recovery enabled on production databases.
- Automated TTL-based data expiry for scan records (90 days default).
9. Data Breach Notification
In the event of a personal data breach affecting Scan Analytics Data, SMLLR will notify the affected Customer without undue delay and in any case within 72 hours of becoming aware of the breach. Notification will include, to the extent known:
- A description of the nature of the breach.
- The categories and approximate number of individuals and records affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach.
The Customer is responsible for notifying their End Users and any relevant regulatory authority (including the Data Protection Board of India) as required by applicable Data Protection Laws.
10. Data Retention and Deletion
Scan Analytics Data is automatically purged after 90 days from the date of the scan event via DynamoDB TTL. Customers may request earlier deletion of scan records for a specific QR code or campaign by contacting [email protected].
Upon termination of a Customer's account, all associated Scan Analytics Data will be permanently deleted within 30 days, subject to any legal retention obligations.
11. Audits and Compliance
SMLLR will make available to the Customer, upon written request, all information reasonably necessary to demonstrate compliance with this DPA. Customers may conduct an audit of SMLLR's data processing activities no more than once per calendar year, with at least 30 days' prior written notice, at the Customer's expense.
12. Governing Law
This DPA is governed by and construed in accordance with the laws of India. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts in India.
13. Contact
For any questions regarding this Data Processing Agreement, or to exercise rights under it, please contact:
[email protected]