Privacy Policy
1. Roles — controller and processor
The customer who purchases qrmoment.app is the data controller for media content and data from their event. Harmony is the data processor — we operate the platform, host content, and provide admin tools. Legal basis: GDPR Art. 28.
2. What data we process
For the customer: email, names, optional password, event history. For guests: the nickname they typed (optional) and media content they uploaded. We do not ask guests to identify themselves and we use no third-party trackers.
3. Guest consent
When a guest scans the QR code at the event, they land on the event page. A short notice above the upload button explains that their content is shared only with the customer. By choosing a file and uploading, the guest gives consent to the processing.
4. Content ownership
All media content remains the property of the person who created it. The customer receives a usage right (view, download, print, share) under the agreement with their guests. Harmony does not use your content for marketing, for training AI models, or for anything other than serving it back to the customer.
5. Retention
Media content is automatically deleted at the end of the retention window that comes with the chosen tier (Edition: 30 days, Collection: 180 days after the event date). The customer can delete any individual piece of content, or the whole event, earlier via the admin panel. After deletion, data is removed within 7 days, including from backup copies. Exception: fiscalised invoices and the data they contain (customer name/address, service description, date, amount) are retained for 11 years from the date of issuance, in accordance with the Croatian Fiscalisation Act (NN 89/25) and the Accounting Act. This data is held by our authorised fiscalisation service provider (see point 7).
6. Guest rights
Guests can delete their own content via the ✕ button shown next to their uploads on the same device they uploaded from. For anything else (removal of other people's content, download, nickname correction) the guest contacts the customer directly, since the customer is the data controller. Harmony does not remove content at the request of third parties without instruction from the customer.
7. Where data is stored and who processes it
All application infrastructure is hosted within the European Union. Under GDPR Art. 28, we rely on the following subprocessors:
· Hetzner Online GmbH (Germany) — application servers in Falkenstein and photo storage on Hetzner Object Storage.
· Neon (EU region, Amsterdam) — managed Postgres database for event metadata.
· Resend (EU region) — delivery of email (signup, magic links, receipts).
· Stripe Payments Europe, Ltd. (Ireland) — card payment processing; processes the customer email and transaction data (not gallery content).
· Solo (Inforba d.o.o., Croatia) — invoice issuance and fiscalisation; processes customer name/address and invoice data, retained for 11 years per the Croatian Fiscalisation Act.
· Cloudflare, Inc. (US/EU) — Turnstile bot-protection on the signup form; processes IP address and basic browser fingerprints solely to verify non-bot behaviour.
With the exception of Stripe and Cloudflare (US-based providers operating under the EU Standard Contractual Clauses for international transfers), all data remains within the EU. Access is restricted to authorised personnel of the named subprocessors, under confidentiality obligations.
8. Cookies
We use only strictly necessary cookies required for the platform to function (e.g. admin login). We do not use advertising, analytics, or tracking cookies, so no additional consent is required.
9. Security and encryption
Photos and videos are stored encrypted at rest (Hetzner Object Storage, AES-256 storage-layer encryption, on by default). All traffic between your device, our servers, and our storage travels exclusively over TLS (HTTPS). Login cookies are httpOnly, secure, and same-site. Administrative access is SSH-key-based and scoped by role. We run no tracking tools or third-party analytics — we only see what the service needs to function.
10. Contact
For questions about privacy, deletion, or correction of your data, write to info@harmony.com.hr. For content of a specific event (guests' uploads), contact the customer directly, since they make the decisions for their event.