Privacy Policy

Last updated: May 13, 2026

1. Who we are

TapTag (“TapTag”, “we”, “our”, “us”) operates the website https://taptag.biz and the related digital business card service. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what your rights are under the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA) and similar laws.

For privacy-related requests you can contact us at privacy@taptag.biz.

2. Data we collect

Account information

  • Email address and (if you sign up with email + password) a hashed password.
  • When you sign in with Google, GitHub or LinkedIn we receive the email address, profile name and avatar URL that the provider returns. We do not receive your provider password.

Profile content you choose to publish

  • Username, full name, company/role, short bio.
  • Phone number, contact email, website.
  • Profile photo and banner image.
  • Links to your social profiles and any custom links.
  • Theme preferences and link ordering.

Everything in this category is published on your public profile at /your-username and is therefore visible to anyone with the URL. Don't add anything you don't want public.

Usage analytics

  • Aggregated profile views and link-click counts for the owner of each profile.
  • Coarse device class (mobile vs desktop) and HTTP referrer only when the visitor has accepted analytics cookies.

We do not store IP addresses, precise location, fingerprints, or any data that personally identifies a profile visitor.

Cookies and local storage

  • Essential: a Supabase auth session token stored in localStorage so you stay signed in.
  • Analytics: a single preference flag (taptag-consent-v1) that records your cookie choice. Analytics events are only sent when this flag is set to accepted.
  • Marketing: not currently used. The cookie preferences dialog lists this category for future transparency only.

3. How we use your data

  • To operate your account and render your public profile.
  • To send transactional email (verification, password reset, security alerts).
  • To show you analytics on your own profile (view counts, link clicks).
  • To detect abuse — for example to action user-submitted reports — and to enforce our terms of service.
  • To improve the product (aggregate, anonymous usage trends).

We do not sell personal data and we do not share it with advertisers. We do not use your content to train third-party AI models.

4. Legal basis (GDPR Art. 6)

  • Contract (Art. 6(1)(b)) — providing the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — preventing abuse, securing the platform, improving features. You can object at any time using the contact email above.
  • Consent (Art. 6(1)(a)) — analytics and marketing cookies, which are off by default and require an affirmative opt-in via the cookie preferences dialog.
  • Legal obligation (Art. 6(1)(c)) — when we must retain records for tax, fraud or regulatory reasons.

5. Who we share data with

We use a small number of trusted infrastructure providers acting as data processors on our behalf:

  • Supabase (database, authentication, file storage) — data may be stored in their EU or US regions.
  • Vercel (hosting, edge runtime, image generation) — globally distributed CDN.
  • Google / GitHub / LinkedIn — only if you choose to sign in with that provider.

Each processor is bound by a data-processing agreement and handles data only to deliver its service. We never sell or rent personal data to third parties.

6. International transfers

If you access TapTag from outside the country where our infrastructure providers store data, your information may be transferred internationally. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards required by GDPR Chapter V.

7. Data retention

  • Active accounts: we keep your data for as long as your account exists.
  • Soft-deleted accounts: when you delete your account from Settings, your profile is hidden immediately and a 30-day recovery window begins. After 30 days the row is purged and the email becomes reusable.
  • Analytics events: retained for 24 months, after which they are aggregated and the raw rows are deleted.
  • Audit log: actions taken by administrators are retained for 24 months for security and accountability.

8. Your rights

Subject to applicable law you have the right to:

  • Access the personal data we hold about you — request it any time via Settings → Export your data. The export is a single JSON file containing your profile, links, analytics events, and account metadata.
  • Rectify inaccurate data — edit it directly in the dashboard.
  • Erase your data — the “Delete account” action in Settings starts a 30-day soft delete; after that window your data is hard-deleted.
  • Restrict or object to processing based on legitimate interests.
  • Portability — the JSON export above is machine-readable and reusable.
  • Withdraw consent for analytics cookies via the cookie preferences dialog in the site footer or on any public profile.
  • Lodge a complaint with your local data protection authority (e.g. your country's DPA in the EU, the ICO in the UK).

To exercise any right, email privacy@taptag.biz. We aim to respond within 30 days.

9. Children

TapTag is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, contact us and we will delete the account.

10. Security

All traffic is served over HTTPS. Passwords are hashed by Supabase Auth (bcrypt). Administrative actions are logged. We follow the principle of least privilege: routine queries use a user-scoped token, and only specific server-side endpoints use the elevated service role key.

No system is 100% secure. If you discover a vulnerability, please email privacy@taptag.biz before disclosing it publicly.

11. Changes to this policy

We will update the “Last updated” date at the top of this page when this policy changes. Material changes will be announced by email or via an in-app notice before they take effect.

12. Contact

Privacy questions, data-subject requests, abuse reports: privacy@taptag.biz.