This Privacy Policy explains how TapRef ("TapRef", "we", "us") collects, uses, shares, and protects personal data when you use our website, NFC cards, dashboard, and hosted hub pages (the "Service"). We follow the principles of the EU GDPR, Brazil's LGPD (Lei Geral de Proteção de Dados), and the California CCPA/CPRA, regardless of where you live.
Data controller: TapRef, operated remotely from the United States.
Data Protection contact: support@tapref.app
1. What we collect
Information you provide
- Account data: name, email, password (hashed), business name.
- Hub content: logos, photos, links, business descriptions, contact info, and anything else you publish on your TapRef page.
- Order & shipping data: shipping address and order history. Card numbers and CVV are never stored by us — they are handled directly by Stripe.
- Support & chat: messages you send us by email or through the in-app chat for logged-in customers.
Information collected automatically
- Tap analytics: when someone taps your card or visits your hub, we record timestamp, approximate location (country / region / city derived from IP — never precise GPS), device type, browser, referrer, and which destination was clicked.
- IP address: truncated and used for security, rate-limiting, and the geolocation above.
- Cookies & similar technologies: see Section 6.
Information from third parties
- Stripe shares limited billing metadata with us (card brand, last 4 digits, country, subscription status) so we can show invoices and manage your plan.
2. Why we use your data (legal bases)
- To provide the Service — render hubs, route taps, deliver cards, process payments. Legal basis: contract.
- Analytics for you — show tap counts, geography, device breakdowns inside your dashboard. Legal basis: contract / legitimate interest.
- Security & abuse prevention — detect bots, enforce rate limits, prevent fraud. Legal basis: legitimate interest.
- Product improvement — aggregated, non-identifying usage stats to fix bugs and prioritize features. Legal basis: legitimate interest.
- Communications — transactional emails (order updates, billing). Marketing emails are sent only with your consent, and you can unsubscribe at any time. Legal basis: consent / contract.
- Legal compliance — tax, accounting, and responding to lawful requests. Legal basis: legal obligation.
We do not sell your personal data. We do not use your hub content or customer feedback to train AI models.
3. Who we share data with
We share data only with the processors strictly needed to run the Service:
- Stripe, Inc. — payment processing and subscription management.
- Hosting & infrastructure providers — server hosting, database, file storage, email delivery, and DDoS protection.
- Authorities — when required by valid legal process.
- Successors — if TapRef is acquired or merged, your data may transfer to the acquiring entity under the same protections.
Each processor is bound by contractual confidentiality and security obligations and processes data only on our instructions.
4. International transfers
TapRef is operated from the United States. If you access the Service from the EU, UK, Brazil, or elsewhere, your data may be transferred to and processed in the US. Where required, we rely on appropriate safeguards such as the Standard Contractual Clauses or equivalent mechanisms recognized under GDPR and LGPD.
5. How long we keep data
- Account & hub data: for the life of your account.
- After account deletion: we delete most personal data within 30 days. Some records (invoices, transaction logs) are retained for up to 5 years to comply with tax and accounting obligations.
- Tap analytics: raw events are pruned periodically; aggregated, non-identifying stats may be kept indefinitely.
- Support chats & emails: up to 24 months after the last interaction.
- Backups: data may persist in encrypted backups for up to 90 days after deletion.
6. Cookies & tracking
We use a small number of first-party cookies and similar technologies:
- Essential — login session, CSRF protection, language preference. These cannot be disabled.
- Analytics — to measure tap counts, page views, and aggregate device/country breakdowns shown in your dashboard. We do not use Google Analytics, Facebook Pixel, or third-party advertising trackers.
- Stripe — when you check out, Stripe may set its own cookies for fraud prevention.
You can clear cookies through your browser at any time.
7. Your rights
Under GDPR, LGPD, CCPA/CPRA, and similar laws, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (subject to legal retention obligations).
- Export your data in a portable format (CSV / JSON).
- Object to or restrict certain processing.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local supervisory authority — the ANPD (Brazil), your national DPA (EU/UK), or the California Attorney General.
To exercise any of these rights, email support@tapref.app from the address tied to your account. We respond within 15 days (LGPD) or 30 days (GDPR/CCPA).
8. Security
- All traffic is served over HTTPS / TLS.
- Passwords are hashed with industry-standard algorithms; we never see them in plain text.
- Payment data is tokenized by Stripe and never touches our servers.
- We restrict internal access to personal data on a need-to-know basis.
No system is perfectly secure. If we ever discover a breach affecting your data, we'll notify you and the relevant authorities within the timeframes required by law.
9. Children
TapRef is not intended for children under 13 (or 16 in the EU / 18 in Brazil). We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us and we'll delete it.
10. Hub visitors
When someone taps your TapRef card or visits your hosted hub, TapRef acts as a data processor on your behalf for the analytics described in Section 1. As the business publishing the hub, you act as the data controller for the content you collect through feedback forms and similar tools. You are responsible for displaying any privacy notices required for that content under your local law.
11. Changes to this policy
We may update this policy as the Service evolves. If changes are material, we'll notify you by email or through the dashboard at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version.
12. Contact
For any privacy question, request, or concern, write to support@tapref.app.
