ScanMePass Legal

GDPR Compliance

Our commitment to protecting the rights of EU/EEA data subjects and complying with the General Data Protection Regulation.

Last updated: March 30, 2026

1. Our Commitment to GDPR

ScanMePass is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ('GDPR'). We act as both a Data Controller — when we process data for our own business purposes — and as a Data Processor — when we process personal data on behalf of event organizers. We have implemented comprehensive policies, processes, and technical measures to ensure GDPR compliance across all our operations.

2. Lawful Basis for Processing

  • Contractual necessity: Processing required to fulfil our service agreement with event organizers and to provide attendees with their QR passes.
  • Legitimate interests: Processing for fraud prevention, platform security, and service improvement where these interests are not overridden by your rights.
  • Consent: Where required, we obtain explicit and informed consent before processing personal data, such as for marketing communications.
  • Legal obligation: Processing necessary to comply with applicable laws, such as tax record keeping or responding to lawful requests from authorities.

3. Data Subject Rights Under GDPR

  • Right of Access (Article 15): You may request a copy of all personal data we hold about you, along with information about how it is processed.
  • Right to Rectification (Article 16): You may request correction of inaccurate personal data without undue delay.
  • Right to Erasure (Article 17): You may request deletion of your personal data where it is no longer necessary, consent is withdrawn, or processing is unlawful.
  • Right to Restrict Processing (Article 18): You may request that we limit processing of your data in certain circumstances.
  • Right to Data Portability (Article 20): You may receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to Object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to solely automated decisions that significantly affect you.

4. Data Controller vs. Data Processor

When ScanMePass collects and processes data for its own purposes (such as account management, billing, and platform improvement), we act as a Data Controller. When we process attendee data on behalf of an event organizer, we act as a Data Processor under a Data Processing Agreement (DPA). Event organizers using ScanMePass are responsible as Data Controllers for ensuring their use of our platform complies with GDPR, including obtaining appropriate consents from their attendees.

5. Data Processing Agreements

In compliance with Article 28 of GDPR, we enter into Data Processing Agreements (DPAs) with all event organizers who process EU/EEA personal data through our platform. These agreements set out the scope, nature, and purpose of processing, our obligations as a processor, security measures we implement, and subprocessor arrangements. Event organizers may request a DPA by contacting info@scanmepass.com.

6. International Data Transfers

ScanMePass operates primarily from India. If your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions for the recipient country, or other legally recognised transfer mechanisms under GDPR Chapter V.

7. Data Breach Notification

In the event of a personal data breach, ScanMePass will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to affected individuals, we will notify those individuals without undue delay as required by Article 34 GDPR. We maintain an internal data breach register as required by Article 33(5).

8. Data Minimisation and Purpose Limitation

We adhere to the GDPR principles of data minimisation and purpose limitation. We only collect personal data that is adequate, relevant, and limited to what is necessary for the specified event management purposes. Personal data collected for one event is not used for other events without fresh consent, and we do not retain data beyond the period necessary to fulfil the stated purpose.

9. Privacy by Design and Default

ScanMePass incorporates privacy by design and by default principles as required by Article 25 GDPR. This means privacy considerations are built into our systems from the ground up, access to personal data is restricted to those with a legitimate need, default settings ensure minimal data collection, and we conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

10. Subprocessors

  • Amazon Web Services (AWS) — Cloud infrastructure and data hosting.
  • Google Analytics — Anonymised platform usage analytics.
  • Stripe — Payment processing.
  • SendGrid / Nodemailer via SMTP — Transactional email delivery.
  • Sentry — Application error monitoring.

11. How to Exercise Your Rights

To exercise any of your GDPR rights, please submit a written request to info@scanmepass.com with the subject line 'GDPR Data Request'. We will respond within 30 days. We may ask you to verify your identity before processing your request. There is no charge for exercising your rights, except where requests are manifestly unfounded or excessive. If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

If you have any questions about this document, please contact us at info@scanmepass.com or call us at +91 91061 93379.