Data Processing Agreement (DPA)

Data processing agreement applicable to B2B customers using QronoPlay to collect and process personal data through their QR code marketing campaigns.

This translation is provided for information purposes only. The French version is legally binding.

Preamble

This data processing agreement (the “DPA” or “Agreement”) is entered into between:

  • The Customer, the legal entity subscribing to the QronoPlay service, acting as controller within the meaning of Article 4(7) GDPR (the “Controller (RT)” or “Customer”).
  • SAS Jalimani, SIREN 833 142 631, publisher of the QronoPlay service, acting as processor within the meaning of Article 4(8) GDPR (the “Processor (ST)” or “QronoPlay”).

This DPA is concluded pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR) and forms an integral part of the QronoPlay service agreement. In the event of any conflict between the DPA and the Terms of Use, the DPA shall prevail on data protection matters.

Article 1 — Definitions

  • Controller (RT): the entity that determines the purposes and means of processing (Art. 4(7) GDPR).
  • Processor (ST): the entity that processes data on behalf of the Controller (Art. 4(8) GDPR).
  • Sub-processor: a third-party provider engaged by the Processor to perform specific processing activities.
  • Personal data: any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
  • Processing: any operation performed on personal data (collection, recording, storage, consultation, erasure, etc.; Art. 4(2) GDPR).
  • Data subjects: the natural persons whose personal data are processed in connection with the service.
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Art. 4(12) GDPR).

Article 2 — Subject matter and duration

Subject matter: QronoPlay processes personal data on behalf of the Customer in connection with the SaaS QR code marketing games service (advertising lotteries, instant-win games, engagement games).

Duration: this DPA applies for the entire term of the service agreement, plus a 6-month retention period for winners in line with the retention policy (CNIL recommendation IS001).

Article 3 — Nature and purpose of processing

QronoPlay processes personal data exclusively for the following purposes set by the Customer:

  • Lead collection (email, first name, last name, optional phone) through the games configured by the Customer.
  • Random drawing and prize allocation for advertising lotteries.
  • Technical storage required to operate the service.
  • Anti-fraud measures (deduplication, multi-account detection, rate limiting).
  • Production of anonymised statistics for the Customer’s dashboard.

Article 4 — Categories of personal data

  • Identification data: email, first name, last name, phone (optional, depending on Customer configuration).
  • IP location data: IP address anonymised at /24 upon collection (never stored in clear text).
  • Technical metadata: user-agent, deviceHash, participation timestamp.
  • Game data: campaign code, win status, prize allocated where applicable.
  • Consent data: timestamped records of the consents given (GDPR, partner marketing).

No special-category data within the meaning of Article 9 GDPR (health, religion, sexual orientation, etc.) is processed.

Article 5 — Categories of data subjects

  • Players participating in the games via QR code or direct link.
  • Winners of the prizes awarded by the Customer.

Article 6 — Customer obligations (Controller (RT))

The Customer shall:

  • Define the purposes of processing and determine the applicable legal basis (Art. 6 GDPR).
  • Inform its players in accordance with Articles 13 and 14 GDPR (privacy notices, retention periods, rights).
  • Ensure that all required consents have been collected (in particular for direct marketing, Art. 7 GDPR).
  • Maintain the record of processing activities concerning it (Art. 30 GDPR).
  • Carry out a data protection impact assessment (DPIA) where required by Article 35 GDPR.
  • Document any instructions given to QronoPlay regarding the processing.
  • Cooperate with QronoPlay to handle data subject requests and supervisory authority controls.

Article 7 — QronoPlay obligations (Processor (ST))

QronoPlay shall:

  • Process personal data only on documented instructions from the Customer, including with regard to transfers outside the EU, save where required to do so by law (in which case QronoPlay shall inform the Customer beforehand).
  • Ensure the confidentiality of personal data: confidentiality undertaking signed by every employee and sub-processor with access to the data.
  • Implement appropriate technical and organisational measures (TOM) within the meaning of Article 32 GDPR (see Article 8).
  • Assist the Customer in complying with its obligations regarding security, personal data breach notifications, DPIAs and prior consultation of the CNIL (Art. 32 to 36 GDPR).
  • Cooperate with the CNIL or any competent supervisory authority upon request.
  • At the end of the agreement, return or delete personal data at the Customer’s choice, together with written certification (see Article 14).
  • Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.

Article 8 — Technical and organisational measures (TOM)

QronoPlay implements the following measures to ensure a level of security appropriate to the risk (Art. 32 GDPR):

  • Sovereign hosting in France: OVH Roubaix servers (France).
  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest.
  • Access control: access restricted to authorised personnel through multi-factor authentication (MFA), RBAC roles and least-privilege principle.
  • Logging: access and operation logs retained for a maximum of 12 months.
  • Backups: daily encrypted backups, restoration tested regularly.
  • Segregation: isolation of environments (production, staging, development) and logical isolation of data between Customers.
  • Audit: regular review of access and logs, periodic penetration tests.
  • Training: GDPR and security awareness for staff at hiring and at regular intervals.
  • Anonymisation: IP addresses are anonymised at /24 upon collection.
  • Business continuity: documented incident recovery procedures.

Article 9 — Sub-processors

The Customer authorises QronoPlay to use the sub-processors listed below (status as of 5 May 2026):

  • OVH SAS — France — server hosting and storage.
  • Resend, Inc. — United States (DPF) — transactional email delivery.
  • Mollie B.V. — Netherlands — payment processing.
  • Stripe Payments Europe Ltd. — Ireland — payment processing (legacy).
  • Tawk.to LLC — United States (DPF) — live visitor chat support.
  • Cloudflare, Inc. — United States (DPF) — CDN, DNS, anti-DDoS protection.
  • Twilio Ireland Ltd. — Ireland — SMS delivery (optional, depending on Customer configuration).
  • n8n.jalimani.com — France — internal automation workflows (self-hosted by SAS Jalimani).

QronoPlay shall inform the Customer by email prior to any addition or replacement of a sub-processor. The Customer shall have 15 days from notification to object on reasoned grounds. Where a legitimate objection cannot be resolved, the Customer may terminate the service agreement without penalty.

QronoPlay shall impose on each sub-processor, by written contract, the same data protection obligations as those set out in this DPA. QronoPlay shall remain fully liable to the Customer for the performance of the sub-processor’s obligations.

Article 10 — Transfers outside the EU

Personal data are stored exclusively in France (OVH Roubaix). Some sub-processors may process personal data in the United States (Resend, Tawk.to, Cloudflare) or outside France within the EU (Mollie, Stripe, Twilio).

  • Transfers to the United States are framed by the EU–US Data Privacy Framework (DPF) certification where the sub-processor adheres to it.
  • Failing that, transfers are framed by the European Commission’s Standard Contractual Clauses (SCCs) (Decision 2021/914) and, where applicable, by additional measures (encryption, pseudonymisation).

The Customer may at any time request the detailed list of transfers and applicable safeguards at [email protected].

Article 11 — Personal data breach notification

QronoPlay shall notify the Customer of any personal data breach affecting data processed on its behalf within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.

The written notification (email and message in the admin platform) shall include:

  • The nature of the breach and the date it was discovered.
  • The categories and approximate number of data subjects affected.
  • The categories and approximate volume of personal data concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to remedy the breach and mitigate its effects.
  • The point of contact dedicated to handling the incident.

QronoPlay shall assist the Customer with its notification obligations to the CNIL and, where applicable, to the data subjects (Art. 33 and 34 GDPR).

Article 12 — Assistance with data subject rights

QronoPlay provides the Customer with the tools necessary to handle data subject requests under Articles 15 to 22 GDPR (access, rectification, erasure, restriction, portability, objection, automated decisions).

  • Export and erasure scripts available in the admin platform.
  • Turnaround time: 5 business days from the Customer’s written request.
  • If a data subject contacts QronoPlay directly, the request is forwarded to the Customer without delay and without any substantive response.

Article 13 — Audit and inspection

The Customer (or an independent third-party auditor it appoints, subject to an equivalent confidentiality undertaking) may audit QronoPlay’s compliance with the obligations of this DPA once per year at most, on written request and with 30 days’ notice.

The audit shall be conducted during business hours, without disruption to operations, and in compliance with the confidentiality of QronoPlay’s other customers.

Audit costs shall be borne by the requesting Customer, unless a material non-compliance attributable to QronoPlay is found, in which case QronoPlay shall bear the reasonable costs.

QronoPlay may, as an alternative, provide a recent independent audit report (such as ISO 27001, SOC 2, or external pentest) covering the requested scope.

Article 14 — Return / destruction of personal data

At the end of the service agreement, and unless retention is required by law, the Customer shall choose between:

  • Return: structured export of personal data (CSV/JSON) within 30 days of the written request.
  • Certified destruction: irreversible deletion of personal data within 30 days, accompanied by a written certificate of destruction.

Backups: personal data contained in backups shall be destroyed no later than 90 days after expiry of the backup retention cycle.

Failing instructions from the Customer within 30 days after the end of the agreement, QronoPlay shall by default proceed with certified destruction of the personal data.

Article 15 — Liability

Each party shall be liable for damage caused by its non-compliance with the GDPR obligations applicable to it. QronoPlay is liable, as processor, in accordance with Article 82 GDPR for damage resulting from breaches attributable to its own acts or omissions or to those of its sub-processors.

QronoPlay’s overall liability under this DPA is limited under the conditions set out in the Terms of Use, except in cases of gross negligence, wilful misconduct, or where applicable law imposes broader liability.

Article 16 — Amendment of the DPA

Any amendment to this DPA must be accepted in writing by both parties (email with acknowledgement of receipt or signed addendum).

QronoPlay may unilaterally amend the DPA to comply with regulatory developments (GDPR, ePrivacy, CNIL/EDPB decisions, case law). In that case, the Customer shall be notified at least 30 days before entry into force. In the event of material disagreement, the Customer may terminate the service agreement without penalty.

Article 17 — Contact / Governing law

QronoPlay DPO: [email protected]
General contact: [email protected]
Address: SAS Jalimani, [address to be completed by Nicolas]
SIREN: 833 142 631

This DPA is governed by French law and the GDPR. Any dispute regarding its interpretation or performance falls within the exclusive jurisdiction of the courts of Cherbourg-en-Cotentin, France, subject to mandatory rules of jurisdiction.

Effective date: upon signature of the QronoPlay service agreement.

This document is provided as a standard template. For specific needs (Enterprise, regulated industries), a tailored addendum may be negotiated.
