GDPR Compliance
Qtrackr is built for the EU and Swiss market. Data protection isn't an afterthought — it's how we designed the platform from day one.
Our commitments
As a Swiss company subject to both the Swiss FADP and EU GDPR (where we process EU residents' data), we maintain the following standards:
Data minimisation
We only collect what we need to run queues and deliver tickets. No tracking pixels, no ad networks, no data brokers.
EU/Swiss infrastructure
Firestore data resides in Google Cloud EU regions. Application hosting via Vercel with EU edge caching.
Defined retention periods
Queue data is retained for 12 months post-event, then permanently deleted. Admin accounts are purged 6 months after closure.
Subject rights honoured
Access, rectification, erasure, portability, and objection requests are handled within 30 days. Email hello@qtrackr.io.
International transfers
Where data leaves the EEA/Switzerland, we rely on Standard Contractual Clauses (SCCs) and adequacy decisions.
Processor agreements
All sub-processors (Google Cloud, Vercel, Resend, Twilio, Paddle) have signed Data Processing Agreements with us.
Sub-processors
These are the third-party services that process personal data on our behalf. Each has a signed DPA.
| Service | Purpose | Data location |
|---|---|---|
| Google Cloud (Firebase) | Database, authentication, file storage | EU (eur3) |
| Vercel | Application hosting, edge network | Global (EU primary) |
| Resend | Transactional email delivery | US (SCCs in place) |
| Twilio | SMS delivery (when configured) | US (SCCs in place) |
| Paddle | Payment processing (Merchant of Record) | UK (adequacy decision) |
| Cloudflare | Bot protection (Turnstile) | Global (no personal data shared) |
| Upstash | Rate limiting | EU (Frankfurt) |
For event organisers (data controllers)
When you use Qtrackr to manage queues for your events, you are the data controllerfor your customers' personal data. Qtrackr acts as your data processor.
Your responsibilities
- Ensure you have a lawful basis for collecting customer data (typically legitimate interest or contract performance)
- Inform your customers that you use Qtrackr to manage their queue data
- Respond to data subject requests from your customers (we'll help where needed)
- Delete event data when you no longer need it (or we'll auto-delete after 12 months)
What we provide
- A signed Data Processing Agreement (DPA) — available on request
- Technical and organisational measures to protect data
- Assistance with data subject requests
- CSV export for data portability
- Breach notification within 72 hours
Need a DPA?
Enterprise and Advanced plan customers can request a signed DPA by emailing hello@qtrackr.io. We'll send it over within 24 hours.
For customers (data subjects)
If you've joined a queue on Qtrackr, here's what you need to know:
- Your data is used only to manage your place in the queue and deliver your tickets
- We never sell your data or use it for advertising
- You can view and edit your details from your status page at any time
- You can request full deletion by emailing hello@qtrackr.io
- Your data is encrypted in transit and at rest
- Geolocation is checked on your device only — your coordinates are never sent to our servers
For full details, read our Privacy Policy.
Questions about data protection?
We're happy to answer questions about how we handle data, provide DPAs, or assist with compliance reviews.
Get in touch