Privacy Policy

of Qent Technologies UG for the Qent platform (mobile app and web application at qent.tech)

As of: February 2026

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Qent Technologies UG, Hackermühlstr. 4, 84130, Dingolfing, Germany
Email: impressum@qent.tech
Website: www.qent.tech

2. Overview of Data Processing

We process personal data of our users only to the extent necessary to provide a functional platform and our content and services. The processing of personal data is regularly carried out only with the consent of the user or when processing is permitted by law.

3. Legal Bases for Processing

The processing of personal data is based on the following legal bases:

a) Art. 6(1)(a) GDPR — Consent of the user (e.g., location data, analytics, push notifications)
b) Art. 6(1)(b) GDPR — Performance of a contract or pre-contractual measures (e.g., registration, profile management, QR code functionality, chat, ticketing)
c) Art. 6(1)(f) GDPR — Legitimate interests of the provider (e.g., platform security, fraud prevention, technical optimization)
d) Art. 6(1)(c) GDPR — Compliance with legal obligations (e.g., tax retention requirements)

4. Registration and User Account

During registration, we collect and process the following data:

- Email address (required)
- Password (stored encrypted, no plaintext access)
- First and last name (required)
- Phone number (during onboarding)
- Position/occupation
- Company affiliation

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Access data is managed via the Supabase authentication service. Passwords are stored exclusively as cryptographic hashes. The provider has no access to plaintext passwords at any time.

Deletion: Account data is deleted immediately upon deletion of the user account, unless statutory retention obligations apply.

5. Profile Data and Digital Business Card

Users may voluntarily provide the following profile data:

- Profile picture/avatar
- Job title and company
- Phone number and email address (for the business card)
- Social media profiles (e.g., LinkedIn, Instagram, X/Twitter)
- Personal website
- Lead budget (commercial users only)

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Providing this data is voluntary. It is displayed to other users when they scan the user's QR code or view the profile in their Wallet. Profile pictures are stored in a Supabase Storage Bucket and served via a secured URL.

6. QR Code Scanning and Contact Management (Wallet)

When scanning another user's QR code, the following data is processed:

- Profile data of the scanned user (name, position, company, contact details)
- Time of the scan
- Device information of the scanning user

The scanned contact data is stored in the scanning user's Wallet. The scanned user is not automatically notified about the scan.

Legal basis: Art. 6(1)(b) GDPR (contract performance — contact facilitation is a core function of the platform).

Export of contact data (vCard): Users can export saved contacts as a vCard file (.vcf). The export takes place locally on the user's device. No data is transmitted to the provider.

7. Events and Ticketing

When using the ticketing system, we process:

- Ticket ID and QR code (unique per ticket)
- Associated event (name, date, location)
- Ticket type (e.g., General, VIP) and seat
- Ticket status (valid, redeemed, cancelled)
- Time of redemption

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Ticket QR codes are used for one-time redemption at the event venue. Upon redemption, the ticket status is updated in real time.

8. In-App Messaging (Chat)

The platform offers a messaging function between users. The following data is processed:

- Message content (text)
- Sender and recipient
- Timestamp
- Read status

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Messages are stored in the Supabase database and transmitted via encrypted connections (TLS). Upon deletion of the user account, all associated messages are deleted.

9. Analytics and Statistics Functions

For the provision of interaction statistics, we collect:

- Scan events (who scanned the QR code)
- Page views and clicks within analytics sessions
- Scroll behavior and dwell time
- Device information (device type, operating system)
- Form interactions

Analytics data is processed in pseudonymized form and serves to provide usage statistics for the profile owner. No tracking profiles across multiple websites are created. No data is shared with external analytics providers (e.g., Google Analytics).

Legal basis: Art. 6(1)(b) GDPR (contract performance — analytics is a core function for commercial users) and Art. 6(1)(a) GDPR (consent, if the user has activated analytics in the privacy settings).

The user can deactivate the collection of analytics data at any time in the privacy settings of the app.

10. Location Data

The app can access location data with the user's consent. This is used for:

- Location-based event recommendations
- Distance calculation to event venues
- Location information in analytics sessions (only during active sessions)

Legal basis: Art. 6(1)(a) GDPR (express consent).

Location sharing is handled via the operating system's permission request (iOS/Android). The user can revoke location sharing at any time in the device settings or in the app's privacy settings. Location data is not permanently stored but only processed for the duration of the respective request.

11. Camera Access

The app requires access to the device camera exclusively for scanning QR codes. No photos or videos are taken or stored. Camera access only occurs during active use of the scanner function. Legal basis: Art. 6(1)(b) GDPR (contract performance — QR code scanning is a core function). The camera permission is requested by the operating system and can be revoked at any time in the device settings.

12. Biometric Authentication (Face ID / Fingerprint)

The app offers the option to log in using biometric methods (Face ID, Touch ID, or fingerprint). Important: No biometric data is transmitted to the provider or to third parties. Biometric authentication takes place exclusively locally on the user's device via the operating system's security APIs (iOS Keychain / Android Keystore). The provider only stores the information whether the user has activated biometric login (as a yes/no value in the encrypted device storage). Legal basis: Art. 6(1)(a) GDPR (consent — activation is voluntary).

13. Two-Factor Authentication (2FA)

The user can optionally activate two-factor authentication using TOTP (Time-based One-Time Password). A secret key is generated and stored encrypted in the database. A time-based code is requested with each login. Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in the security of user accounts).

14. Push Notifications

With the user's consent, we send push notifications via the Expo Push Notification Service. A device-specific push token is transmitted to our server. No personal data is shared with third parties in the content of push notifications. Legal basis: Art. 6(1)(a) GDPR (consent). The user can deactivate push notifications at any time in the device settings.

15. Wallet Integration (Apple Wallet / Google Pay)

The app offers the option to add digital business cards and tickets to Apple Wallet or Google Pay. During this integration, the following data is transmitted to Apple Inc. or Google LLC:

- Name and contact details (for the Wallet card)
- QR code data
- Event information (for tickets)

Legal basis: Art. 6(1)(a) GDPR (consent — use is voluntary).

Processing by Apple or Google is carried out in accordance with their privacy policies:

- Apple: https://www.apple.com/legal/privacy/
- Google: https://policies.google.com/privacy

16. Third-Party Providers and Data Processing

We use the following third-party providers to deliver our services:

a) Supabase Inc.
- Purpose: Database, authentication, file storage, real-time functions, Edge Functions
- Data: All user data stored in the app
- Server location: EU (Frankfurt, Germany)
- Legal basis: Art. 28 GDPR (data processing agreement)
- Privacy: https://supabase.com/privacy

b) Twilio Inc.
- Purpose: SMS verification for phone number confirmation (Twilio Verify)
- Data: Phone number, verification code
- Server location: USA
- Legal basis: Art. 6(1)(b) GDPR (contract performance)
- Privacy: https://www.twilio.com/legal/privacy
- Guarantees: EU-US Data Privacy Framework

c) Resend Inc.
- Purpose: Sending transactional emails (confirmation emails, password reset)
- Data: Email address, name
- Server location: USA
- Legal basis: Art. 6(1)(b) GDPR (contract performance)
- Privacy: https://resend.com/legal/privacy-policy

d) Cloudflare Inc.
- Purpose: Content Delivery Network (CDN), DDoS protection (via Supabase)
- Data: IP address, access data
- Server location: Worldwide (nearest edge server)
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and availability)
- Privacy: https://www.cloudflare.com/privacypolicy/

e) Expo (Software Mansion S.A.)
- Purpose: Push notifications, over-the-air updates
- Data: Push token, device information
- Server location: USA
- Legal basis: Art. 6(1)(a) GDPR (consent for push) / Art. 6(1)(b) GDPR (updates)
- Privacy: https://expo.dev/privacy

f) Stripe Inc.
- Purpose: Payment processing for event tickets (Stripe Connect)
- Data: Payment method details, transaction amounts, email address
- Server location: USA / EU
- Legal basis: Art. 6(1)(b) GDPR (contract performance)
- Privacy: https://stripe.com/privacy
- Guarantees: EU-US Data Privacy Framework, PCI DSS certified

Data processing agreements (DPA) pursuant to Art. 28 GDPR or comparable guarantees exist with all named third-party providers.

17. Data Transfer to Third Countries

Some of our third-party providers (Twilio, Resend, Cloudflare, Expo, Stripe) are based in the USA. Data transfer to the USA is based on:

a) The EU-US Data Privacy Framework (adequacy decision of the European Commission pursuant to Art. 45 GDPR), if the respective provider is certified;
b) Standard Contractual Clauses of the European Commission (Art. 46(2)(c) GDPR), if no adequacy decision exists.

The main database (Supabase) is located in the EU (Frankfurt, Germany region).

18. Local Data Storage on the Device

The app stores the following data locally on the user's device:

- Authentication tokens (in the encrypted device storage / Secure Store)
- Biometric settings (yes/no value in Secure Store)
- Offline queue (unsent actions when there is no internet connection)
- Cached data to improve loading times

No cookies in the traditional sense are used. Local data storage is carried out via AsyncStorage (unencrypted, for non-sensitive data) and Expo SecureStore (encrypted, for sensitive data such as tokens).

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in the functionality of the app).

19. Storage Duration and Deletion

Personal data is only stored for as long as is necessary for the respective processing purposes:

- Account data: Until deletion of the user account by the user
- Chat messages: Until deletion of the user account
- Analytics data: 12 months after collection, then anonymized
- Scan/contact data in Wallet: Until manual deletion by the user
- Ticket data: 6 months after the event
- Transaction logs: 10 years pursuant to commercial and tax retention obligations (§ 257 HGB, § 147 AO)
- Server log files: 30 days

Upon deletion of the user account, all personal data is immediately deleted, unless statutory retention obligations apply. Deletion can be performed via the app settings (Danger Zone).

20. Rights of the Data Subject

You have the following rights under the GDPR:

a) Right of access (Art. 15 GDPR): You have the right to request information about your personal data stored by us.
b) Right to rectification (Art. 16 GDPR): You have the right to have incorrect data corrected and incomplete data completed. You can do this directly in the profile settings of the app.
c) Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data, provided no statutory retention obligations apply. You can independently delete your account and all associated data at any time in the app (Settings > Danger Zone > Delete Account).
d) Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you have the right to request the restriction of the processing of your data.
e) Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format. The app offers a data export function in JSON and PDF formats.
f) Right to object (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6(1)(f) GDPR.
g) Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time with effect for the future. For most processing activities, you can do this directly in the privacy settings of the app (Settings > Privacy).

To exercise your rights, contact us at: info@qent.tech

21. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement (Art. 77 GDPR).

22. Data Security

We take appropriate technical and organizational measures to protect your personal data, in particular:

- Encrypted data transmission (TLS/HTTPS) for all connections
- Cryptographic hash procedures for passwords
- Encrypted local storage of sensitive data (Expo SecureStore)
- Row-Level Security (RLS) in the database — users can only access their own data
- Two-factor authentication (optional)
- Rate limiting for protection against brute-force attacks
- Regular security updates

23. Protection of Minors

The platform is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that data from minors under 16 has been collected, it will be immediately deleted.

24. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy to comply with changed legal requirements or in the event of changes to our data processing. The current version is available at any time in the app and at qent.tech/datenschutz. In the event of significant changes, we will inform users by email or in-app notification.

25. Newsletter and Contact Form (Website)

a) Newsletter

We offer a newsletter on our website. When you subscribe, we process your email address for the purpose of sending the newsletter.

Legal basis: Art. 6(1)(a) GDPR (consent).

You can unsubscribe at any time via the link in each email or by contacting us at info@qent.tech. Upon unsubscription, your email address is immediately deleted from our newsletter distribution list.

b) Contact Form

When you use the contact form on our website, we process the data you provide (name, email address, message) for the purpose of responding to your inquiry.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in customer communication).

Your data will be deleted after your inquiry has been fully processed, unless statutory retention obligations apply.

As of: March 2026 | Qent Technologies UG | impressum@qent.tech