This privacy policy describes how dndsoftware, publisher of the RankQR service, collects, uses and protects the personal data of its Users and Customers, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the amended French Data Protection Act of 6 January 1978.
1. Data controller
| Information | Details |
|---|---|
| Data controller | dndsoftware |
| Legal form | Sole proprietorship (French micro-entreprise) |
| Owner | Sylvain Dendele |
| SIRET | 882 882 608 00020 |
| Contact email | [email protected] |
dndsoftware is not required to appoint a Data Protection Officer (DPO) given its size and the nature of its activities. Any data protection request can nevertheless be sent to the address above.
2. Personal data collected
| Category | Data collected |
|---|---|
| Identification | First name, last name, email address, hashed password, organisation name |
| Authentication | OAuth identifiers (Google) when this method is used |
| Billing | Stripe customer ID, last digits of the payment method, invoice history, billing address |
| Usage data | QR codes created, labels, folders, campaigns, target URLs, uploaded files and logos, customisation parameters |
| Scan data | Scan timestamp, country inferred from IP, device and OS type, statistical aggregates |
| Browsing data | IP address (anonymised for analytics), browser type, pages visited, application events |
| Communication | History of transactional emails and exchanges via the contact form |
dndsoftware does not collect "sensitive" data within the meaning of article 9 of the GDPR.
3. Purposes and legal bases
| Purpose | Legal basis (GDPR) | Description |
|---|---|---|
| Account creation and management | Performance of contract (art. 6 § 1 b) | Sign-up, authentication, session and password management. |
| Service delivery | Performance of contract (art. 6 § 1 b) | QR generation and resolution, file hosting, scan accounting. |
| Invoicing and accounting | Legal obligation (art. 6 § 1 c) | Invoice issuance and retention in accordance with the French Commercial Code. |
| Online payment | Performance of contract (art. 6 § 1 b) | Payment processing through Stripe, subscription and renewal management. |
| Customer support | Performance of contract (art. 6 § 1 b) | Response to requests sent by email or via the application. |
| Service security | Legitimate interest (art. 6 § 1 f) | Detection and prevention of abuse, fraud and intrusion attempts. |
| Product analytics | Consent (art. 6 § 1 a) | Application behaviour analysis via PostHog, subject to your consent. |
| Marketing measurement and third-party tags | Consent (art. 6 § 1 a) | Tag orchestration via Google Tag Manager, subject to your consent. |
| B2B prospecting | Legitimate interest (art. 6 § 1 f) | Sending information to professionals who have expressed interest, with the right to object at any time. |
4. Data recipients
Your personal data may be shared with the following recipients and processors, strictly to the extent necessary to perform their tasks:
| Recipient | Purpose | Location |
|---|---|---|
| OVH SAS | Web hosting, database, S3 object storage | European Union (France) |
| Stripe | Payment and subscription processing | EU / United States (Standard Contractual Clauses and DPF) |
| Resend | Transactional emails | United States (Standard Contractual Clauses) |
| Google (OAuth) | Optional authentication via Google account | United States (SCC and DPF) |
| Google Tag Manager | Third-party tag orchestration on the marketing site (subject to consent) | United States (SCC and DPF) |
| PostHog | Product analytics and error capture (subject to consent) | United States (SCC) |
| Technical advisors | Occasional support, under confidentiality agreement | European Union |
dndsoftware does not sell or rent personal data for commercial purposes.
5. Transfers outside the European Union
Some processors may process data outside the European Union (notably in the United States). These transfers are framed by:
- the Standard Contractual Clauses approved by the European Commission (Decision 2021/914);
- the EU-US Data Privacy Framework when the processor is certified.
dndsoftware ensures that any transfer outside the EU benefits from appropriate safeguards within the meaning of articles 44 et seq. of the GDPR.
6. Retention periods
| Category | Duration |
|---|---|
| Account data | Duration of the contractual relationship + 3 years |
| Billing and accounting data | 10 years from the close of the financial year (art. L123-22 of the French Commercial Code) |
| User content (QR codes, files) | Duration of the subscription, then deletion within a reasonable timeframe after termination, save for legal obligations |
| Scan statistics | 25 months maximum, in aggregated form beyond 13 months |
| Browsing data and technical logs | 13 months maximum (CNIL recommendation) |
| Contact-form data | 3 years from the last exchange |
At the end of these periods, data is irreversibly deleted or anonymised, save for legal obligations to the contrary.
7. Rights of data subjects
Pursuant to articles 15 to 22 of the GDPR, you have the following rights:
| Right | Description |
|---|---|
| Right of access (art. 15) | Obtain confirmation that your data is processed and receive a copy. |
| Right of rectification (art. 16) | Correct inaccurate or incomplete data about you. |
| Right to erasure (art. 17) | Request deletion of your data, subject to legal retention obligations. |
| Right to restriction (art. 18) | Temporarily restrict processing of your data. |
| Right to object (art. 21) | Object to processing based on legitimate interest, in particular commercial prospecting. |
| Right to portability (art. 20) | Receive your data in a structured, commonly used and machine-readable format. |
| Withdrawal of consent | Withdraw your consent at any time for processing that depends on it (PostHog, Google Tag Manager). |
| Post-mortem directives (art. 85 LIL) | Define directives regarding the fate of your data after your death. |
How to exercise your rights
| Channel | Address |
|---|---|
| [email protected] | |
| Customer area | Editing and account deletion from the Account management area |
dndsoftware undertakes to respond within one month of receiving your request, extended by two months in case of complexity (article 12 § 3 of the GDPR).
Complaint to the CNIL
If you believe your rights are not respected, you may file a complaint with the French data protection authority (CNIL):
| Information | Details |
|---|---|
| Website | https://www.cnil.fr |
| Address | 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 |
8. Cookies and trackers
The list of cookies used (name, provider, purpose, duration) is available on the dedicated cookie policy page. You can change or withdraw your consent at any time via the management banner accessible from the site footer.
9. Data security
dndsoftware implements appropriate technical and organisational measures to protect data against unauthorised access, alteration, disclosure or destruction:
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.2 / 1.3 across all exchanges |
| Encryption at rest | Storage at OVH with disk encryption |
| Password hashing | Modern adjustable-cost algorithms (PBKDF2 / Argon2) |
| Access management | Principle of least privilege, sensitive-action logging |
| Backups | Regular database backups |
| Audits | Periodic code and configuration reviews |
| Subcontractors | Contractual confidentiality and GDPR commitments |
In case of a personal data breach likely to result in a risk to the rights and freedoms of individuals, dndsoftware notifies the CNIL within 72 hours and informs the affected individuals within the timeframes and conditions of articles 33 and 34 of the GDPR.
10. Minors
The Service is not intended for individuals under 15. dndsoftware does not knowingly collect data about minors under 15. A parent or guardian who notices that a minor has provided data without their consent may request its deletion at [email protected].
11. Automated decisions
dndsoftware does not use the Service to make decisions producing legal effects or significantly affecting the User, based solely on automated processing within the meaning of article 22 of the GDPR.
12. Policy changes
dndsoftware reserves the right to amend this privacy policy at any time, particularly to reflect:
- legal and regulatory developments;
- changes to the Service;
- changes in processing practices.
Any substantial change is notified by email or via an in-Service notification. The last update date is shown at the top of this page.