• Türkçe
    • English
    • Español

PRIVACY NOTICE

At Elera Yazılım ve Bilgi Teknolojileri Ltd. Şti. (“Company”, “we”, “us”), we value the privacy of users of our services available at qrcodeg.com. This Privacy Notice explains how we collect, use, share and protect personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR where applicable, and Turkish Personal Data Protection Law No. 6698 (“KVKK”).

1. Data Controller

The data controller responsible for the processing of your personal data is:

  • Legal name: Elera Yazılım ve Bilgi Teknolojileri Ltd. Şti.
  • Registered address: Yalvaç Sok. No:7 Kat:1 İçerenköy / Ataşehir / İstanbul / Turkey
  • Email: [email protected]

2. Personal Data We Collect

We process the following categories of personal data:

Identity data:

  • First name, last name

Contact data:

  • Email address
  • Phone number

Technical and usage data:

  • IP address
  • Browser type, device information
  • Usage logs and access records
  • Cookie information
  • Account and login credentials

Financial data:

  • Billing and payment information (where applicable)

User content data:

  • Data you enter into the platform to generate QR codes (URLs, text, vCard details, event information, etc.)

3. How We Use Your Data and Legal Bases

We process your personal data for the following purposes and on the following legal bases under Article 6(1) of the GDPR:

  • Account creation, login and service delivery — Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
  • QR code generation, management and tracking — Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
  • Responding to your inquiries and support requests — Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR)
  • Compliance with legal obligations (including tax, accounting, and consumer protection laws) — Legal basis: legal obligation (Art. 6(1)(c) GDPR)
  • Improving our services, user experience and platform stability — Legal basis: legitimate interests (Art. 6(1)(f) GDPR)
  • Statistical analysis and reporting (in aggregated and where possible anonymised form) — Legal basis: legitimate interests (Art. 6(1)(f) GDPR)
  • Marketing communications (email, SMS, etc.) — Legal basis: your consent (Art. 6(1)(a) GDPR), which can be withdrawn at any time
  • Information security and fraud prevention — Legal basis: legitimate interests (Art. 6(1)(f) GDPR) and legal obligation (Art. 6(1)(c) GDPR)
  • Processing payments and issuing invoices — Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR)
  • Operational support based on customer requests — Legal basis: performance of a contract (Art. 6(1)(b) GDPR)

Where our legal basis is “legitimate interests”, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to such processing as described in Section 14.

4. Support and Operational Access

Within the scope of customer requests, payment confirmations (such as bank transfers), technical support, and operational processes, our authorised personnel may access your account in order to carry out operations on your behalf based on your instructions. Such access is performed only at your express request or where strictly necessary for the provision of the service.

All such access events are logged within our systems and retained for security and auditing purposes, in line with our obligations under Article 32 of the GDPR.

5. Sharing Your Data and International Transfers

Recipients of your data:

  • Public authorities, where required by applicable law
  • Our legal advisors and auditors, under confidentiality obligations
  • Authorised business and solution partners
  • Payment service providers (to process your payments)

International transfers:

To provide our services, your personal data may be processed by the following service providers located outside of Turkey:

  • Hetzner Online GmbH (Germany, EU): Server hosting and database infrastructure
  • Cloudflare, Inc. (United States): Content delivery network (CDN), DNS, and object storage (R2)
  • Sinch France SAS / Mailjet (France, EU): Transactional and marketing email delivery

Transfers to providers located within the European Economic Area (EEA) are not subject to additional safeguards under GDPR. For transfers to providers in third countries that do not benefit from an EU Commission adequacy decision (such as Cloudflare in the United States), transfers take place on the basis of the European Commission’s Standard Contractual Clauses together with any required supplementary measures, as set out in Articles 44–49 of the GDPR.

We have entered into Data Processing Agreements (DPAs) with all of our international service providers pursuant to Article 28 of the GDPR. Under these agreements, our providers commit to:

  • Process your data only on our documented instructions;
  • Apply appropriate technical and organisational security measures (Art. 32 GDPR);
  • Notify us promptly in the event of any data breach;
  • Maintain transparency about their sub-processors.

You may obtain a copy of the safeguards in place for international transfers by contacting us at the address provided in Section 1.

6. How Long We Keep Your Data

We retain your personal data only for as long as necessary for the purposes for which it was collected, in accordance with the following retention periods:

  • Account and membership data: While your account is active and for 2 years after account closure
  • QR code content data: While your account is active
  • Billing and invoicing data: 10 years (as required by Turkish tax legislation)
  • Access and log records: 2 years
  • Support and operational access logs: 2 years
  • Marketing consent records: Until consent is withdrawn; thereafter retained for 3 years for evidentiary purposes
  • Support tickets and contact form submissions: 2 years after the matter is resolved

Once the retention period expires or the purpose of processing no longer applies, your personal data is securely deleted, destroyed, or anonymised.

7. Data Security

In accordance with Article 32 of the GDPR, we implement appropriate technical and organisational measures to protect your personal data, including:

  • SSL/TLS encryption for data transmission
  • Secure server infrastructure and access control systems
  • Role-based access and the principle of least privilege
  • Regular security testing and system updates
  • Confidentiality undertakings and data protection training for personnel
  • Access and operation logging with regular monitoring
  • Regular backups and disaster recovery procedures

Data breach notification: In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk, we will also notify the affected data subjects in accordance with Article 34 of the GDPR.

8. Cookies and Similar Technologies

We use cookies and similar technologies on our website to enhance user experience, analyse site performance, and provide personalised content. For detailed information about the cookies we use, please review our Cookie Policy.

You can manage or reject cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

9. Automated Decision-Making and Profiling

Our system automatically analyses QR code usage statistics and performance metrics for the purposes of:

  • Improving service quality;
  • Enhancing user experience;
  • Identifying and resolving technical issues.

We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 of the GDPR. Should this change in the future, we will provide additional information and where required obtain your explicit consent.

10. Third-Party Data in QR Code Content

Our services allow you to create QR codes containing content such as vCards, contact details, and event information. Where you include personal data of third parties in such content:

  • You act as the data controller with respect to such third-party data;
  • You are responsible for obtaining the necessary consents or other legal bases and for providing required privacy notices to the affected individuals;
  • We act solely as a data processor in providing the technical hosting service, and any legal liability arising from such content rests with you.

11. Children’s Data

Our services are not directed at children. We do not knowingly collect personal data from children under the age of 16 (or the lower age set by applicable national law in EU Member States, but not below 13). If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us and we will delete such data without undue delay.

12. Marketing Communications and Consent

We will only send you marketing communications (email, SMS, etc.) where we have a valid legal basis to do so, which in most cases is your explicit consent.

You may give consent by:

  • Ticking the relevant opt-in box during registration;
  • Updating your email preferences in your account settings;
  • Otherwise providing an explicit, affirmative indication of consent.

You can withdraw your consent at any time by:

  • Clicking the “unsubscribe” link in any marketing email;
  • Updating your communication preferences in your account settings;
  • Writing to us at [email protected].

Withdrawing consent does not affect the lawfulness of processing carried out prior to withdrawal.

13. Your Rights as a Data Subject

Subject to the conditions set out in the GDPR (and equivalent rights under the UK GDPR and KVKK), you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR): to obtain confirmation as to whether we process your data, and to receive a copy of such data;
  • Right to rectification (Art. 16 GDPR): to have inaccurate or incomplete data corrected;
  • Right to erasure / “right to be forgotten” (Art. 17 GDPR): to request the deletion of your data in certain circumstances;
  • Right to restriction of processing (Art. 18 GDPR): to request that we limit the processing of your data;
  • Right to data portability (Art. 20 GDPR): to receive your data in a structured, commonly used and machine-readable format, and to transmit it to another controller;
  • Right to object (Art. 21 GDPR): to object, on grounds relating to your particular situation, to processing based on legitimate interests; you have an absolute right to object to processing for direct marketing purposes;
  • Rights related to automated decision-making (Art. 22 GDPR): not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you;
  • Right to withdraw consent (Art. 7 GDPR): where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

14. How to Exercise Your Rights

To exercise any of the rights described above, please contact us using the following channels:

  • Email: [email protected]
  • Postal address: Elera Yazılım ve Bilgi Teknolojileri Ltd. Şti., Yalvaç Sok. No:7 Kat:1 İçerenköy / Ataşehir / İstanbul / Turkey

Response timeframe: We will respond to your request without undue delay and in any case within one month of receipt. This period may be extended by two additional months where necessary, taking into account the complexity and number of requests; we will inform you of any such extension and the reasons for the delay.

Identity verification: Where we have reasonable doubts about the identity of the person making the request, we may request additional information necessary to confirm your identity.

No fee: Responding to your request is free of charge. However, where requests are manifestly unfounded or excessive, in particular due to their repetitive character, we may either charge a reasonable fee or refuse to act on the request.

15. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes data protection law, you have the right to lodge a complaint with a competent supervisory authority.

For data subjects in the European Union / EEA: You may lodge a complaint with the data protection authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

For data subjects in the United Kingdom: You may contact the Information Commissioner’s Office (ICO) at ico.org.uk.

For data subjects in Turkey: You may contact the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) at www.kvkk.gov.tr.

We would, however, appreciate the opportunity to address your concerns directly before you approach a supervisory authority, so we encourage you to contact us first.

16. Updates to This Notice

We may update this Privacy Notice from time to time to reflect changes in applicable law or our processing activities. The current version is always available on our website. Where changes are material, we will notify you in advance through appropriate channels.

Last updated: 14 May 2026