Privacy Policy

v2.0.0 | Compliance: 15 May 2026 | Edited: 28 April 2026

How WORQABLE BV (operator of QRabl) collects, uses, and protects your personal data.

This Privacy Policy describes how WORQABLE BV (the operator of QRabl) processes personal data. It applies to qrabl.com, qrabl.eu, the QRabl platform, our marketing properties, and our consumer-facing scan pages.

1. Who we are (the controller)

WORQABLE BV, a private limited company incorporated under Belgian law, with registered seat at Kerkstraat 120, 2060 Antwerp, Belgium, registered with the Crossroads Bank for Enterprises under number 0746.698.674, VAT BE 0746.698.674. The Company is the data controller for the personal data described in this Privacy Policy.

For full corporate identification, see the Imprint.

Contact for data protection matters: privacy@qrabl.eu.

Data Protection Officer: appointment in progress; the interim contact for data-protection matters is privacy@qrabl.eu.

2. The three data flows we describe in this notice

This Privacy Policy covers personal data we collect in three distinct flows:

(a) Account data and operational data — you, our customer. When you sign up for QRabl, use our marketing properties, contact support, or pay for the Service, we are the controller for that data.

(b) Content you upload to the platform — third-party personal data on labels, in supply-chain records, in your knowledge base. When you process personal data through the Service (for example, supply-chain participant names, scan-event photos, customer-of-yours email addresses), you are the controller and we are the processor. The terms of that processing are set out in the Data Processing Agreement, not in this Privacy Policy.

(c) Consumer scan data — when consumers scan a QR code we generated, on a product label. We are the controller for the analytics dataset of those scans (anonymised IP, country, device type). For details specific to consumers scanning labels, see the End-Consumer Privacy Notice.

The remainder of this document focuses on flow (a) — your account data — and on the consumer-side flow (c).

3. What we collect about you (account data)

Account information. Name, email address, hashed password, company name, billing address, VAT number, Peppol Participant ID, language preference.

Subscription and payment data. Plan, billing cycle, invoices, payment metadata (the actual card data is held by our PCI-scope payment service provider, not by us).

Authentication data. Login timestamps, IP address at login, device-type session information, optional MFA configuration.

Operational data. Pages visited, features used, session duration. We use cookieless analytics (self-hosted Umami) — no analytics cookies, no third-party trackers.

Content you create. Labels, products, custom fields, knowledge-base documents you upload. We process this content solely to provide the Service to you.

Support correspondence. Tickets you open, emails you send, attachments.

API and webhook usage. API keys (we hash and never see the plaintext after creation), webhook delivery logs.

BYOK keys (Enterprise). If you provide your own Anthropic or OpenAI API key, we encrypt it at rest with AES-256-GCM. We never display the plaintext after creation.

Audit logs. Tamper-evident records of significant operations on your account (signing-key rotations, plan changes, GDPR consent decisions, sub-processor configuration changes). See §11.

Marketing and consent state. If you opt in, your marketing-email subscription state. Always: a record of consent grants, revocations and history (the consent log).

4. Why we process and the legal basis

Purpose | Legal basis (Art. 6 GDPR)
Providing and maintaining the Service to you | Contract (Art. 6(1)(b))
Account creation and authentication | Contract (Art. 6(1)(b))
Processing payments and invoicing | Contract + Legal obligation (Art. 6(1)(b) + (c))
Sending transactional emails (password reset, invoice, etc.) | Contract (Art. 6(1)(b))
Marketing emails (newsletter, product updates) | Consent (Art. 6(1)(a)) — opt-in via double opt-in
Cookieless platform analytics (Umami) | Legitimate interest (Art. 6(1)(f)) — recital 47, Umami stores no PII and no cookies
Compliance with legal obligations (tax, accounting, regulatory inquiries) | Legal obligation (Art. 6(1)(c))
Security, fraud prevention, abuse handling | Legitimate interest (Art. 6(1)(f))
Audit-log retention (signed operations) | Legal obligation under sectoral regulations + Art. 17(3)(b)
Responding to support requests | Legitimate interest (Art. 6(1)(f))
Consumer-side scan analytics | Legitimate interest (Art. 6(1)(f)) of the label owner; balanced against the consumer's right to information — see End-Consumer Privacy Notice

For Track & Trace participants who scan with optional location sharing, the legal basis is consent (Art. 6(1)(a)) — captured via the consent gate before first scan.

5. Cookies and tracking

We use only essential cookies (authentication session, locale preference, consent state). We use cookieless analytics (self-hosted Umami) and set no analytics cookies. We do not use Google Analytics, Facebook Pixel, advertising trackers, or any third-party tracking cookies. See the Cookie Policy for the full inventory.

6. Sub-processors

We engage the sub-processors listed on our Subprocessors page at qrabl.eu/legal/subprocessors. The list is updated whenever sub-processors change; we provide at least 30 days' prior notice for additions, and the affected customer may object per §4.4 of the Algemene Voorwaarden.

The categories of sub-processors used today are: hosting and infrastructure, transactional and marketing email, cookieless analytics, billing, bot protection, error monitoring (opt-in), AI inference (Anthropic) and embeddings (OpenAI), translation (DeepL), and image search (Pexels). See the Subprocessors page for current details, residency, and transfer mechanism.

We do not sell your personal data.

7. International data transfers

Our primary infrastructure is in Germany (Hetzner Falkenstein), entirely within the European Economic Area.

For two specific functions — AI inference (Anthropic) and embeddings (OpenAI) — we transfer data to US sub-processors. Such transfers are made under one or more of the following legal mechanisms (per Chapter V GDPR):

  • the European Commission's adequacy decision for the EU-US Data Privacy Framework (Decision 2023/1795), where the recipient is DPF-certified;
  • Standard Contractual Clauses under Implementing Decision (EU) 2021/914 (Module 2: controller-to-processor), incorporated as Annex 2 to our DPA;
  • supplementary measures, including encryption in transit and contractual prohibitions on training on customer inputs.

A Transfer Impact Assessment template is available as Annex 3 to the DPA. Customers may request the completed TIA for a specific sub-processor at privacy@qrabl.eu.

8. Data retention

Data category | Retention period | Notes
Account data | Duration of account + 30 days post-termination | Then permanent deletion subject to §11
Billing and invoicing data | 7 years | Belgian tax + accounting legal obligation
Audit logs | 10 years | §11
Cookieless analytics (Umami aggregates) | Indefinite, no PII | No identification possible
Consumer scan analytics (qr_analytics) | 24 months | Then anonymisation of remaining identifiers
AI conversation logs (consumer chat) | 30 days | Then automatic deletion
Support correspondence | Up to 5 years | Closed tickets archived; reopen forces extension
Marketing list | Until you opt out, then a 30-day suppression record |
Backups | Per your plan-specific schedule | Customer-controlled where applicable; otherwise 30-day rolling
Demo / waitlist data | Until deletion is requested | Self-service via the unsubscribe / privacy@ flow

The full retention schedule is at /docs/compliance/retention-schedule (internal canonical document).

9. Your rights under GDPR

You have the rights listed in Articles 15-22 GDPR:

  • Right of access (Art. 15) — request a copy of the data we hold about you. The dashboard provides a self-service export at Settings → Privacy & Data → Export My Data.
  • Right to rectification (Art. 16) — correct inaccurate data via Settings → Profile or by contacting privacy@qrabl.eu.
  • Right to erasure (Art. 17) — see §11 (audit log retention).
  • Right to restrict processing (Art. 18).
  • Right to data portability (Art. 20) — JSON export via Settings → Privacy & Data.
  • Right to object (Art. 21) — to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — in particular for marketing emails (Settings → Communications) and for Track & Trace location sharing.
  • Right to complain (Art. 77) — see §10.

You can exercise most of these rights in-product (Settings → Privacy & Data). For everything else, contact privacy@qrabl.eu. We respond within 30 days, extendable by up to 60 days for complex requests (Art. 12(3) GDPR).

10. Right to lodge a complaint

If you believe our processing of your personal data infringes the GDPR, you may lodge a complaint with the supervisory authority of your country of habitual residence. The Belgian supervisory authority is:

Gegevensbeschermingsautoriteit / Autorité de protection des données (GBA / APD)
Drukpersstraat 35, 1000 Brussels, Belgium
+32 2 274 48 00
contact@apd-gba.be
www.gegevensbeschermingsautoriteit.be

We always appreciate the chance to address your concerns directly first, via privacy@qrabl.eu.

11. Audit-log retention and the right to erasure

We retain a tamper-evident audit log of significant operations on the Service (signing-key rotations, plan changes, consent decisions, sub-processor configuration changes). This audit log is anchored daily into the Bitcoin blockchain via OpenTimestamps, providing an independent integrity proof.

The audit log is required for compliance with multiple EU regulations the platform serves, in particular Regulation (EU) 2023/1542 (Battery), Regulation (EU) 2024/1781 (ESPR), and the traceability provisions of Regulation (EU) 2024/1689 (AI Act). Retention of these logs is grounded in GDPR Article 17(3)(b) (compliance with a legal obligation) and supports our customers' downstream regulatory obligations.

When you delete your account, your business data is removed within 30 days. Your audit-log records are retained for the regulator-required period (typically 10 years). If you require complete purge of audit-log records as well, contact privacy@qrabl.eu — our team can perform a manual re-anchor of the audit chain without your records, typically within 5-10 business days.

12. Automated processing and AI features

Some Service features use AI to generate content for you or for consumers who scan your products:

  • Consumer chat on labels — uses Anthropic Claude by default to answer consumer questions about scanned products. This is content generation, not automated decision-making within Art. 22 GDPR.
  • Dashboard copilot — assists you in your own dashboard with content generation and search.
  • Auto-translation — translates label content to other locales; you review and approve before publishing.
  • Anomaly detection in Track & Trace — rule-based threshold checks (not ML); outputs are alerts to a human operator, not automated decisions.

Under the EU AI Act (Regulation (EU) 2024/1689), our consumer-facing AI is "limited-risk" and is subject to Art. 50 transparency requirements. From 2 August 2026, the consumer chat widget will display a persistent disclosure that the user is interacting with an AI system.

We do not — and our AI sub-processors do not — use your content to train, fine-tune, or evaluate AI models.

13. Security

We implement appropriate technical and organisational measures to protect personal data, in line with Art. 32 GDPR. The detailed Technical and Organisational Measures (TOMs) are published as Annex 1 to our DPA. Highlights: TLS 1.3 in transit, full-disk encryption at rest on EU-resident infrastructure, Row-Level Security in the database, AES-256-GCM for sensitive secrets (BYOK keys), append-only audit logs anchored to Bitcoin, role-based access controls.

14. Children

The Service is offered to businesses only and is not directed at children. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact privacy@qrabl.eu.

15. Changes to this Privacy Policy

We may update this Privacy Policy. Material changes are notified at least 30 days in advance via email or in-platform notification. Each version is identified by a version number and effective date at the top of this document.

16. Contact

For any questions about this Privacy Policy or your personal data:

WORQABLE BV
privacy@qrabl.eu — Kerkstraat 120, 2060 Antwerp, Belgium.

For full corporate identification: Imprint.