Privacy Policy
Effective: 2026-06-05 · Controller: QRCL Technologies OÜ, Estonian reg 17467802 · DPO: dpo@qrcl.net
1. Data Controller
QRCL Technologies OÜ
Järvevana tee 9, Kesklinna linnaosa
Tallinn 11314, Estonia (EU)
Estonian Commercial Register: 17467802
EU PIC: 864110436 · D-U-N-S: 988006603
General contact: info@qrcl.net
Data Protection Officer: dpo@qrcl.net
2. Website Data Collection
qrcl.net collects zero personal data. We do not use cookies, session cookies, tracking pixels, analytics scripts, or any form of user profiling. There is nothing to consent to — no consent banner is shown because no tracking exists.
- No cookies (persistent or session)
- No analytics (Google Analytics, Matomo, Plausible, etc.)
- No tracking pixels or third-party scripts
- No user accounts or registration forms
- No IP address logging beyond standard Cloudflare CDN edge infrastructure (Cloudflare DPA applies; Cloudflare is an EU-SCCs-covered processor)
3. Lawful Basis for Processing (GDPR Art. 6)
QRCL's cryptographic infrastructure processes only cryptographic hashes of technical identifiers — not personal data in the GDPR Art. 4(1) sense. Where processing may incidentally touch pseudonymous data (e.g. ADS-B Mode S codes processed as input to post-quantum digital signature generation), the lawful basis is:
- Art. 6(1)(e) — task carried out in the public interest (aviation safety, national critical infrastructure protection)
- Art. 6(1)(c) — compliance with ICAO Annex 10, EUROCONTROL ATM requirements, NIS2 Directive 2022/2555, and EASA regulations
- Art. 6(1)(f) — legitimate interest of QRCL in operating and improving its post-quantum cryptographic verification infrastructure
For identity verification / payment verification layers (credential status infrastructure): Art. 6(1)(c) under eIDAS 2.0 (Reg (EU) 2024/1183) and Art. 6(1)(e). A full DPIA per Art. 35 has been completed (QRCL DPIA-2026-05-20, on file).
4. Records of Processing Activities (Art. 30 RoPA)
QRCL maintains a Register of Processing Activities. Key entries:
- Cryptographic infrastructure operation — Purpose: cryptographic verification infrastructure
- Email correspondence — Purpose: business communication. Data: sender email address, message content. Legal basis: Art. 6(1)(f). Retention: 3 years from last contact.
- Grant / regulatory submissions — Purpose: EU grant applications (EIC, ESA BIC). Data: founder name, company data, project descriptions. Legal basis: Art. 6(1)(c). Retention: 7 years (EU grant audit requirement).
5. Sub-processors and Data Processors (Art. 28)
QRCL has executed Data Processing Agreements with all processors that may handle personal data on our behalf:
- Cloud Infrastructure Provider — EU-based hosting with ISO 27001 certification and independent security audits. Data Processing Agreement (DPA) signed per Art. 28 GDPR.
- Cloudflare, Inc. — CDN / DNS for qrcl.net. EU Standard Contractual Clauses in place. Processes: edge request logs (IP, timestamp, URL) for DDoS mitigation. Retention: per Cloudflare DPA.
QRCL does not use any other third-party processors for personal data. No data is transferred outside the EEA without adequate safeguards.
6. Data Protection Impact Assessment (DPIA — Art. 35)
A DPIA has been completed for the following high-risk processing activities:
- Identity verification (digital identity credential status) — Risk: MEDIUM residual. Measures: unlinkable cryptographic identifiers, post-quantum digital signatures, cryptographic verification. Data Protection Impact Assessment completed per GDPR Art. 35.
- Payment and regulated-sector verification for critical financial systems (details under NDA) — Risk: LOW residual. Regulated healthcare credential infrastructure requires Art. 36 prior consultation with Estonian DPI (AKI) before production deployment.
7. Security of Processing (Art. 32)
Technical and organisational measures implemented:
- Post-quantum cryptography: post-quantum digital signatures (NIST FIPS 204) for all signatures; post-quantum key encapsulation (FIPS 203) for key encapsulation
- Cryptographic verification infrastructure
- Hash-only data design — personal data pre-images never persisted by infrastructure
- Constant-time cryptographic comparisons (timing-attack resistant)
- Secret-key zeroisation via ctypes after use (FIPS 140-3 / CC EAL2)
- Regular security audits: Bandit, pip-audit, Semgrep (0 P0/P1 CVEs as of 2026-06-01)
- All connections encrypted (HTTPS/TLS 1.3)
8. Data Retention
- Cryptographic audit log entries: securely stored per cryptographic design (pseudonymous hashes only)
- Operational log files: 30 days, then purged
- Email correspondence: 3 years from last contact
- Grant/regulatory documents: 7 years (EU audit requirement)
- Website CDN logs (Cloudflare): per Cloudflare DPA (typically 24h edge cache, no persistent logging by QRCL)
9. Your Rights (GDPR Art. 15–22)
Since QRCL processes zero personal data via qrcl.net, most data subject rights are not triggered. Nevertheless, you have the right to:
- Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Object (Art. 21)
- Lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee, Tatari 39, Tallinn 10134, Estonia.
To exercise any right, contact dpo@qrcl.net. We respond within 30 days (Art. 12(3)).
10. Breach Notification (Art. 33–34)
QRCL has internal procedures to detect, assess, and report personal data breaches. In the event of a breach affecting personal data, QRCL will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware (Art. 33). Affected individuals will be notified without undue delay where there is a high risk to their rights and freedoms (Art. 34). Since QRCL does not store personal data on qrcl.net, the risk of a reportable breach is minimal.
11. Supervisory Authority
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon — AKI)
Tatari 39, Tallinn 10134, Estonia
www.aki.ee · info@aki.ee
12. Contact — Data Protection Officer
QRCL Technologies OÜ
Data Protection Officer
Järvevana tee 9, Kesklinna linnaosa
Tallinn 11314, Estonia
dpo@qrcl.net · info@qrcl.net
Last updated: 2026-06-05 · Version 2.0 · Supersedes v1.0 (2026-06-02)