Privacy policy

This is a courtesy translation of the French document. Only the French version is legally binding.

1. Introduction

QR-PAY is a product of Group-E, a private limited company with enterprise number 0837.215.413, registered at Rue du Panorama 13, 1331 Rosières (hereinafter referred to as 'we' or 'QR-PAY'). We are committed to complying with regulations on the protection of personal data (GDPR) and the protection of privacy in the electronic communications sector. This privacy statement aims to inform you about the nature of the personal data we process, the purposes for which we process it, your rights, and the remedies available to you. For the purposes of this statement, the following terms are defined as follows: - Personal data: any information relating to an identified or identifiable natural person. - Processing: any operation performed on personal data. - Controller: the legal entity that determines the purposes and means of processing. - Processor: the legal entity that processes data on behalf of the controller. - Third party: any natural or legal person other than the data subject, controller, and persons authorised to process data. - Recipient: any natural or legal person who receives personal data. - Consent: any freely given, specific, informed and unambiguous indication of agreement.

2. Who is the controller of your personal data?

As a ticketing and cashless payment platform, QR-PAY acts as the controller for data collected during platform registration and user profile creation. When you participate in an event organised through QR-PAY, QR-PAY acts as a processor on behalf of the event organiser, who is then the controller of your data in that context.

3. What categories of personal data do we process?

In connection with your use of our platform, we process the following categories of data: For users (attendees): - Personal identification data: last name, first name, email address - Financial data: information relating to payments and cashless wallet top-ups - Platform usage data: order history, tickets purchased, wallet balance - Ticket information: QR codes, order references - Miscellaneous data: preferred language, notification preferences For organisers: - Identification data: last name, first name, email address, phone number - Company data: company name, enterprise number, address - Financial data: IBAN for transfers, billing information

4. What are the sources of your personal data?

We collect your personal data in two ways: 1. Directly from you: when you register on the platform, when you purchase tickets, when you top up your cashless wallet, or when you create an organiser profile. 2. Via third parties: when you purchase a ticket through the platform, the event organiser may communicate certain information about you to us for the purpose of managing the event.

5. For what purposes do we process personal data and on what legal basis?

We process your personal data for the following purposes: - Creating and managing your user profile on the platform - Processing your ticket orders and payments - Managing your cashless wallet - Communications related to your orders and account (confirmations, reminders, notifications) - Providing tickets in digital format (QR codes, Apple Wallet / Google Wallet passes) - For organisers: creating and managing events, tracking sales, processing transfers The legal basis for these processing activities is the performance of a contract within the meaning of Article 6(1)(b) GDPR, insofar as the processing is necessary to provide the service you have requested.

6. How long is your data retained?

Your personal data is retained for as long as your account is active on the platform. If you delete your account, your personal data will be erased within a reasonable time, subject to legal retention obligations (in particular for financial data, which may be retained for up to 7 years in accordance with accounting and tax legislation).

7. Who are the recipients of the data collected?

Your personal data may be shared with the following categories of recipients: - Authorised QR-PAY staff in the course of performing their duties - Event organisers whose events you attend (limited to data necessary for event management) - Our third-party service providers (see the 'Third-Party Services' section below) - Competent public authorities where required by law

Third-Party Services

As part of our services, we use the following third-party providers who may process certain personal data on our behalf:

Mollie Payments

Purpose :: Processing ticket payments and cashless wallet top-ups
Data shared :: Name, email address, payment amount, order reference
Legal basis :: Performance of a contract (Article 6(1)(b) GDPR)
Privacy policy :: https://www.mollie.com/en/privacy

Brevo (formerly Sendinblue)

Purpose :: Sending transactional emails (confirmations, reminders, notifications)
Data shared :: Email address, name, preferred language
Legal basis :: Legitimate interest (Article 6(1)(f) GDPR) — communication related to contract performance
Privacy policy :: https://www.brevo.com/legal/privacypolicy/

Expo Push Notifications

Purpose :: Sending push notifications to mobile app users
Data shared :: Expo Push token (device identifier), notification content
Legal basis :: Legitimate interest (Article 6(1)(f) GDPR) — event reminders
Privacy policy :: https://expo.dev/privacy

Google Wallet

Purpose :: Adding event tickets to Google Wallet on Android devices
Data shared :: Ticket details (event name, date, QR code), Google account identifier
Legal basis :: Performance of a contract (Article 6(1)(b) GDPR)
Privacy policy :: https://policies.google.com/privacy

Apple Wallet

Purpose :: Adding event tickets to Apple Wallet on iOS devices
Data shared :: Ticket details (event name, date, QR code), Apple ID
Legal basis :: Performance of a contract (Article 6(1)(b) GDPR)
Privacy policy :: https://www.apple.com/legal/privacy/

None of these services place cookies on your device through our site. Mollie redirects you to its own domain for payment, where its own cookie policy applies.

8. Is your data transferred abroad?

QR-PAY is committed to processing your personal data within the European Economic Area (EEA). In the event that certain data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with the GDPR, including through European Commission adequacy decisions or Standard Contractual Clauses (SCCs).

9. What are your rights?

In accordance with the GDPR, you have the following rights: - Right of access: you can obtain a copy of your personal data. - Right to rectification: you can request the correction of inaccurate or incomplete data. - Right to erasure ('right to be forgotten'): you can request the deletion of your data in certain cases. - Right to restriction of processing: you can request the restriction of processing of your data in certain cases. - Right to data portability: you can receive your data in a structured, machine-readable format. - Right to deletion: you can delete your account and your data directly from the platform.

10. How to exercise your rights?

Any request in this regard can be sent to us in writing, accompanied by proof of your identity (copy of both sides of your identity card, with non-essential information redacted), at the following address:

Group-E srl 13 Rue du Panorama 1331 Rosières Info@group-e.be

You can also contact us through the QR-PAY platform.

11. Who can you address your questions/complaints to?

QR-PAY will make every effort to follow up as quickly as possible. If QR-PAY's response is not entirely satisfactory, every data subject has the right to lodge a complaint with a supervisory authority. For Belgium, the supervisory authority is the Data Protection Authority (DPA): contact@apd-gba.be — Rue de la Presse 35, 1000 Brussels.