taproo

Legal

Privacy Policy

Last updated: 28 April 2026

Taproo ("Taproo", "we", "us", "our") operates the website at taproo.com and the connected QR code, NFC tag and physical product services (together, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it under the UK GDPR, the EU GDPR and the Data Protection Act 2018.

For any privacy question, contact us at privacy@taproo.com.

1. Data we collect

  • Account data — email address, display name, hashed password, and (if you sign in with Google or Apple) the basic profile information returned by that provider.
  • Content — the QR codes, NFC payloads, landing pages, links, images and text you create or upload.
  • Order & billing data — shipping address, order history and receipts. Card details are entered directly into our payment processor (Stripe) and are never stored on Taproo's servers.
  • Scan & usage data — anonymous scan counts, timestamps, referring page, browser, device type and approximate location derived from IP.
  • Support data — the contents of any email or contact form you send us.

2. How we use your data

  • To provide, secure and operate the Service and your account.
  • To send transactional emails (sign-up confirmation, password reset, order updates, billing receipts).
  • To process orders, shipping and refunds.
  • To produce the analytics shown in your dashboard.
  • To improve performance, debug issues and detect abuse or fraud.
  • To comply with legal, accounting and tax obligations.

3. Legal bases

We rely on the following legal bases: contract (to deliver the Service you signed up for), legitimate interest (security, fraud prevention, product analytics), consent (optional analytics cookies and marketing emails), and legal obligation (tax records, responding to lawful requests).

4. Sharing your data

We never sell your personal data. We share it only with the processors needed to run Taproo:

  • Lovable Cloud — application hosting and database (EU region where available).
  • Stripe — payment processing for shop orders and subscriptions.
  • Email delivery providers — to send transactional and account emails.
  • Shipping carriers — to fulfil and deliver physical products.

We may also disclose data where required by law, court order, or to protect the rights, property or safety of Taproo, our users, or the public.

5. Retention

We keep account data for as long as your account is active. When you delete your account, we delete your personal data and content within 30 days, except where we must retain certain records (typically up to 7 years for invoices and tax). Anonymous scan analytics may be kept indefinitely in aggregated form.

6. Your rights

Under UK and EU GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data ("right to be forgotten").
  • Export your data in a portable format.
  • Object to or restrict certain types of processing.
  • Withdraw consent at any time, where consent is the legal basis.

You can exercise most of these rights directly from your profile settings, or by emailing privacy@taproo.com. We respond within 30 days.

7. International transfers

Where our processors transfer data outside the UK or EEA, those transfers are covered by Standard Contractual Clauses, the UK International Data Transfer Addendum, or an equivalent safeguard recognised by the UK ICO.

8. Security

We use TLS encryption in transit, encryption at rest, hashed passwords, role-based access controls, and audit logging. No system is perfectly secure — please use a strong, unique password and enable any available two-factor options.

9. Children

Taproo is not directed at children under 16. We do not knowingly collect data from children under 16; if you believe a child has provided us data, contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or by an in-app notice at least 14 days before they take effect.

11. Contact & complaints

Email privacy@taproo.com for any privacy question or to exercise your rights. If you believe we have not handled your data properly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.