Privacy Policy

1. Who we are

Scanlayer provides a physical engagement intelligence platform: dynamic QR and NFC smart links, placement-level analytics, routing rules, and optional event guest features (such as photo albums and invitations).

For privacy-related requests, contact us at [email protected].

2. Roles: controller vs processor

• Our website and account services. When you visit our marketing site, register, or manage workspaces, we act as the data controller for account and billing-related data.
• Customer-operated experiences. When your organization uses Scanlayer for smart links, placements, analytics, or event guest pages, you are typically the data controller for end-user (visitor/guest) data, and we process that data on your behalf as a processor, according to your instructions and our agreement with you.

3. Data we collect

Account and workspace data

Name, email address, authentication identifiers (including OAuth provider data if you sign in that way), workspace membership, billing-related records where applicable, and support communications.

Platform usage and analytics

Smart link and placement configuration, routing rules, scan/tap events (such as timestamp, placement identifier, device type, referrer, and coarse location when enabled), dashboard activity logs, and technical logs needed for security and reliability.

Event guest experiences

When enabled by an event organizer, we may process guest-provided content (for example photos), optional name or email (including via invite links), upload metadata, and album notification preferences. Organizers control what fields are collected and how albums are published.

Website visitors

IP address, browser type, pages viewed, and cookie identifiers as described in our Cookie Settings page.

4. How we use data

• Provide, secure, and improve the Scanlayer service
• Measure placement performance and generate analytics for customers
• Apply routing rules and deliver redirects or guest experiences
• Send service, security, and (where permitted) product communications
• Send event album or invitation emails when requested by the organizer or guest flow
• Comply with law and enforce our Terms of Service

5. Legal bases (EEA/UK)

Where GDPR or UK GDPR applies, we rely on one or more of: contract performance, legitimate interests (service operation, security, product improvement), consent (where required—for example non-essential cookies or certain marketing), and legal obligation.

6. Sharing and subprocessors

We use trusted infrastructure and service providers (for example hosting, email delivery, object storage, and analytics) that process data only to deliver the service. We do not sell personal data.

Customers may configure destinations (URLs, review links, landing pages) that receive visitors after a scan or tap; those third parties have their own privacy practices.

7. International transfers

Data may be processed in countries other than your own. Where required, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.

8. Retention

We retain data for as long as needed to provide the service, meet legal obligations, resolve disputes, and enforce agreements. Customers may delete or export certain data depending on plan features. Event guest media retention follows organizer settings and operational backups.

9. Security

We apply administrative, technical, and organizational measures appropriate to the risk, including access controls, encryption in transit, and monitoring. No method of transmission or storage is 100% secure.

10. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, object, or port your personal data, and to withdraw consent where processing is consent-based. You may also lodge a complaint with a supervisory authority.

Account holders can manage much of their data in the dashboard. For other requests, email [email protected]. Guests of a customer event should contact the event organizer first; we will assist organizers where we act as processor.

11. Children

Scanlayer is a business service not directed at children under 16. Organizers are responsible for lawful collection when guest experiences involve minors.

12. Changes

We may update this policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes may be communicated through the service or by email where appropriate.