Privacy Policy
1. Who we are
This Privacy Policy applies to TapCard ("we", "us", "our"), operated by:
- Service Provider: Brian Dongwook Lee
- Contact: hello@tapcard.me
We are committed to protecting your privacy in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and, where applicable, the General Data Protection Regulation (GDPR) for users in the European Economic Area.
2. Information we collect
2.1 Information you provide
When you register a TapCard, we collect:
- Name (primary and optional secondary)
- Email address
- Phone numbers (optional)
- Job title and company (optional)
- Profile photo (optional)
- Social media links (optional)
- Address (optional)
- Bio (optional)
- PIN (stored as a one-way hash; we cannot recover it)
2.2 Information collected automatically
- IP address (for security and abuse prevention)
- Browser type and version
- Device type and operating system
- Pages viewed and actions taken
- Timestamps of access
- Card view counts
2.3 Cookies
We use only essential cookies required for authentication and session management. We do not use tracking or advertising cookies.
3. How we use your information
We use your information to:
- Provide and maintain the TapCard service
- Display your digital business card to people who scan or visit it
- Authenticate you via magic link emails
- Respond to your inquiries
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Send service-related notifications (account changes, security alerts)
- Send marketing communications (only with your explicit opt-in consent)
4. Legal basis for processing (GDPR)
For users in the European Economic Area, we process personal data under the following legal bases:
- Contract: To provide the service you signed up for
- Consent: For marketing communications and optional features
- Legitimate interest: For security, fraud prevention, and service improvement
- Legal obligation: To comply with applicable laws
5. Sharing your information
5.1 Public information
By design, your TapCard is publicly accessible to anyone with the URL. Information you choose to display on your card is visible to the public. You can control what information is shown.
5.2 Third-party service providers
We share data with the following processors:
- Supabase (database and authentication) — data is stored in Sydney, Australia (ap-southeast-2 region)
- Lovable Cloud (application hosting and email delivery) — emails sent from noreply@notify.tapcard.me
These providers are bound by data processing agreements and only process data on our instructions.
5.3 Legal disclosure
We may disclose information when required by law, court order, or to protect our rights, users, or the public.
5.4 We do not sell your data
We do not sell, rent, or trade your personal information.
6. International data transfers
Your data is primarily stored in Sydney, Australia. As we operate globally, your data may be transferred to and processed in other countries when accessed by users abroad or processed by our service providers. We apply appropriate safeguards (such as Standard Contractual Clauses where applicable) to protect your data during international transfers.
7. Data retention
- Active card data: Retained while your card is active
- Inactive accounts: Retained for 24 months after last activity, then anonymized or deleted
- Consent logs: Retained for 5 years to demonstrate compliance
- Backups: May be retained up to 90 days after deletion
8. Your rights
8.1 All users
You can:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your account and associated data
- Withdraw marketing consent at any time
- Request a copy of your data in a portable format
8.2 EEA users (GDPR)
Additionally, you have the right to:
- Object to processing based on legitimate interests
- Restrict processing in certain circumstances
- Lodge a complaint with your local data protection authority
8.3 Australian users
You can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have breached the Australian Privacy Principles.
8.4 How to exercise your rights
Contact us at hello@tapcard.me. We will respond within 30 days (GDPR) or a reasonable time frame (Australian Privacy Act).
9. Security
We implement reasonable technical and organizational measures to protect your data, including:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive fields
- One-way hashing of PIN codes
- Access controls and authentication
- Regular security reviews
No system is completely secure. If we become aware of a data breach that may cause serious harm, we will notify affected users and relevant authorities as required by law (within 72 hours for GDPR; in accordance with the Notifiable Data Breaches scheme for Australia).
10. Children's privacy
TapCard is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are between 13 and 16 (or the digital consent age in your country), you may use TapCard with the consent of a parent or guardian.
If you believe a child under 13 has provided us with personal information, contact us at hello@tapcard.me and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
- Requesting re-consent where required by law
12. Contact us
For privacy-related questions or to exercise your rights:
- Email: hello@tapcard.me
- Service Provider: Brian Dongwook Lee