PlusQuality GmbH, Schorenweg 8, 78333 Stockach, Germany • Email: info@plusquality.de • Websites: plusquality.de, cleverqm.de • Data protection officer: not appointed; not required.
Delivery via Vercel (sub‑processors incl. AWS; EU region preferred). Operations currently supported by AI Solutio GmbH as our processor; Vercel acts as sub‑processor. Purposes: delivery, stability, security, performance. Legal bases: Art. 6(1)(f) GDPR (legitimate interest in secure, performant operations) and, where required for contract performance (e.g., checkout/booking), Art. 6(1)(b) GDPR.
Data: IP address, date/time, requested URL, referrer, user agent, status codes. Our access: we have access to operational logs for up to 24 hours for troubleshooting/security; afterwards we have no access. Provider note: Our host Vercel, acting as our processor, may retain logs for longer to ensure operations and security; retention follows Vercel’s policies. We do not access older logs. Legal basis: Art. 6(1)(f) GDPR (operations/security). Longer retention only where required to handle security incidents or for legal defense.
Data: name, email, phone (optional), company/practice name, message; headers/metadata. Purpose: handling enquiries, communication, record‑keeping. Legal basis: Art. 6(1)(b)/(f) GDPR. Retention: 12 months after closure. Recipient: Serverprofis GmbH (email/SMTP) as processor.
Data: information required to schedule the appointment (e.g., name, email, time slot). Legal basis: Art. 6(1)(b) GDPR. Embed notice: Loading the embedded calendar may set technically necessary cookies and may involve transfers to third countries; cookie/banner settings can be managed in Calendly. Recipient: Calendly (EU/US).
For payment processing we transmit the necessary order and payment data to Stripe. Stripe also processes certain data as an independent controller (e.g., fraud prevention, legal obligations), but primarily acts as a processor. Legal basis: Art. 6(1)(b) and (c) GDPR.
We run our product/customer database on Supabase (Postgres; Auth enabled) in the EU region Frankfurt (AWS). Data: contact details, account identifiers, auth identifiers (e.g., email/OAuth; no plaintext passwords), usage/product usage metadata, prospective customer/practice contact and address; in the future, employee training/instruction status. Purposes: account management and contract performance, support, operations, and security. Legal bases: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR; for employee data: §26 BDSG under German law. Recipients: Supabase (processor); internal need‑to‑know and admin access by AI Solutio and their development subcontractor. Region/transfers: EU Frankfurt fixed; any telemetry/sub‑processors outside the EU will be assessed and, where needed, safeguarded (e.g., EU SCC/DPF). Retention: per our retention policy; backups per backup policy.
We use Umami for website analytics. Implementation: client‑side script (cloud.umami.is) for reach measurement; no personal profiling; no cookies per Umami concept. Legal basis: Art. 6(1)(f) GDPR. If this changes (e.g., cookies/identifiers or different data flows), we will deploy a consent banner and update this section. Separation: independent from the QR tracking below.
We use QR codes in marketing/information campaigns. Current state: campaign‑level QR codes without personal or practice‑level linkage. When scanned/visited, we collect server‑side request metadata (e.g., IP, timestamp)—partly anonymised—and campaign parameters (e.g., source/medium/QR ID); data is stored in Supabase. Purpose: performance measurement and pre‑preparing content/forms. Legal basis: Art. 6(1)(f) GDPR. Planned: practice‑specific QR codes; separate information and—where required—consent. Retention: typically 12 months; see our data inventory.
For customer acquisition and to inform potential users, we may send information about our products by postal direct marketing. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in direct marketing). Data: addresses, names, roles/functions, contact channels (e.g., email addresses, phone numbers), where applicable the practice name. Origin/source: named per medium. Notice under Art. 14 GDPR: information provided at the latest upon first contact or within one month. Recipients: internal sales/marketing teams; processors for mailing/CRM (e.g., lettershop, print/postal service providers, CRM system) under Art. 28 GDPR. Retention & suppression lists: stored until objection or for a maximum of 24 months after the last interaction (review), then deletion; objections are processed in a suppression list (solely to ensure no further marketing is sent). Profiling/automated decisions: no profiling with legal effect; no automated individual decisions within the meaning of Art. 22 GDPR. Objection: You may object to the processing of your data for direct marketing at any time (Art. 21(2) GDPR), e.g., by email to widerspruch@plusquality.de; after an objection we will no longer use your data for marketing purposes.
When using the providers named above, transfers to third countries (in particular the USA) may occur; we use appropriate safeguards (e.g., EU Standard Contractual Clauses and/or participation in an adequacy framework). For Supabase, the EU region is configured; any telemetry/sub-processors are assessed.
Contact inquiries: 12 months. Server logs: 1 day. Invoice/booking records: 8–10 years (legal obligations). Account data: as long as the account is active; thereafter typically 24 months of inactivity (review) and deletion/archiving in accordance with our policy. Campaign/QR raw data: 3–6 months (aggregation preferred). More precise details are set out in the data inventory/deletion policy.
You have the rights of access, rectification, erasure, restriction, data portability and objection (Arts. 15–21 GDPR) as well as the right to lodge a complaint with a supervisory authority (for us, typically Baden-Württemberg).
TLS/HTTPS, access restrictions, logging, regular updates; backups according to the state of the art; data protection by design and by default. For details, see our TOMs.
Last updated: 06 Oct 2025