Privacy Policy

How Tappin handles personal data.

This policy explains what data Tappin may collect, why it is used, how long it may be retained, and how people can exercise their privacy rights.

tappin Privacy Policy

Effective date: February 23, 2026
Last updated: February 23, 2026

This Privacy Policy explains how tappin ("we", "us", "our") collects, uses, discloses, and protects personal data when you use the tappin mobile application and related services (the "Service").

1. Who We Are

Controller (for most processing described in this Policy):

  • Entity: Tappin
  • Address: Lyckselevägen 34H, Vällingby, 16267, Stockholm, Sweden
  • Contact: support@tappinpro.com
  • Data protection contact (if appointed): data@tappinpro.com

If you are in the EEA/UK, this section identifies the organization responsible for deciding why and how your personal data is processed.

2. Scope

This Policy applies to personal data processed through:

  • tappin iOS and Android apps;
  • in-app support requests;
  • authentication and account services;
  • notification and analytics integrations used by the Service.

This Policy does not cover third-party services you access via links or third-party login providers, which are governed by their own privacy notices.

3. Personal Data We Collect

3.1 Data you provide directly

  • Account identifiers and credentials (for example, email address, password login, or social sign-in identifiers).
  • Profile data (for example, display name, avatar image upload).
  • Activity content you create (activity names, invite/friend codes, tap-ins, optional notes, optional vibes, reactions).
  • Support request content (subject, message, email, timestamps, status).
  • Settings and preferences (for example, reminder and privacy toggles).

3.2 Data collected automatically

  • Push notification token and platform metadata.
  • Technical and usage telemetry from enabled SDKs (for example, app events for analytics).
  • Basic service logs for security, troubleshooting, and abuse prevention.

3.3 Data we infer or derive

  • Participation summaries (for example, counts, streaks, weekly/monthly attendance metrics).
  • Friend/activity relationship metadata (for example, shared activity counts).

3.4 Sensitive data notice

tappin is not intended to collect special-category data by default, but users may voluntarily include sensitive information in free-text fields (for example, health/wellness context in notes or support requests). Please avoid sharing highly sensitive data unless necessary.

4. Sources of Personal Data

We collect personal data from:

  • you (directly in app);
  • authentication providers you choose (for social login);
  • service integrations required to deliver app functionality (for example, push and email providers).

Where EEA/UK law applies, we rely on one or more legal bases under Article 6 GDPR / UK GDPR:

| Purpose | Data Used | Legal Basis |
| --- | --- | --- |
| Create and manage account, authenticate users | account identifiers, login credentials, session identifiers | Contract (Art. 6(1)(b)) |
| Deliver core social/activity features | profile data, activities, tap-ins, reactions, friends/invites | Contract (Art. 6(1)(b)) |
| Deliver push reminders and friend updates based on settings | push token, settings, membership/activity data | Contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) for service reliability |
| Customer support and incident handling | support request content, account identifiers | Contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) |
| Security, abuse prevention, integrity, debugging | identifiers, logs, device and event metadata | Legitimate interests (Art. 6(1)(f)) |
| Optional analytics (product improvement) | event metadata, app usage events | Consent where required; otherwise Legitimate interests (Art. 6(1)(f)) |
| Legal compliance and enforcement | any relevant records | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) |

If we process special-category data (for example, health-related information voluntarily supplied in notes/support), we will only do so where a valid Article 9 condition applies.

6. How We Share Personal Data

We do not sell personal data for money.

We may share personal data with the following categories of recipients:

  • Infrastructure/data hosting providers (for app backend, storage, and service operations).
  • Authentication and identity providers (for login and account security).
  • Email delivery providers (for magic links and support workflows).
  • Push notification providers (for push delivery).
  • Analytics/error tooling providers (when enabled, for product reliability and improvement).
  • Professional advisors and authorities where required by law or to establish, exercise, or defend legal claims.

Current third-party subprocessors/services used by app design

  • Convex (backend/database functions and storage)
  • Better Auth (authentication flow)
  • Resend (transactional email for magic links/support)
  • Expo push services (push token/message routing)
  • PostHog (analytics; when configured)
  • Sentry (error monitoring; currently disabled in runtime code unless enabled)

We require processors/service providers to process personal data under contractual safeguards and appropriate confidentiality/security obligations.

7. International Data Transfers

Some providers may process data outside your country, including outside the EEA/UK. When required, we use recognized safeguards (for example, adequacy decisions, Standard Contractual Clauses, or equivalent lawful transfer mechanisms).

8. Data Retention

We retain personal data only as long as needed for the purposes above, unless a longer period is required by law.

Retention criteria include:

  • account lifecycle (active, deactivated, deleted);
  • legal and compliance obligations;
  • dispute resolution and enforcement needs;
  • security and fraud-prevention requirements.

Current operational retention model (to finalize in production policy process):

  • Account/profile/activity/friendship records: retained while account remains active and for a defined post-closure period.
  • Support requests: retained for support operations, auditability, and legal defense windows.
  • Push tokens: retained while valid/active and removed when stale or account deleted.
  • Analytics logs: retained according to analytics provider retention settings and internal minimization policy.

9. Your Privacy Rights

Depending on your location, you may have rights to:

  • know/access personal data;
  • correct inaccurate data;
  • delete personal data;
  • restrict or object to certain processing;
  • data portability;
  • withdraw consent (where processing relies on consent);
  • non-discrimination for exercising rights;
  • opt out of sale/share or limit sensitive-data use where applicable.

How to exercise rights

Contact: data@tappinpro.com
Support channel: https://tappinpro.com/support

We may verify your identity before fulfilling requests and may deny requests where lawful exemptions apply.

Account deletion method

Users can request account deletion directly in-app from Settings. To reduce accidental or unauthorized deletion, users must confirm by typing their account email in the deletion confirmation modal. After deletion completes, a confirmation email is sent to the account email address (when available). We may retain limited records where required for legal, security, fraud-prevention, or compliance purposes.

10. US State Privacy Disclosures (including California)

For residents of applicable US states (including California), we provide:

  • categories of personal information collected;
  • purposes of use;
  • categories of recipients/disclosures;
  • rights request methods;
  • retention principles;
  • non-discrimination statement.

California-specific statements

  • We do not sell personal information for monetary consideration.
  • If our practices are deemed "sharing" under California law for cross-context behavioral advertising, we will provide the required opt-out mechanisms.
  • If we process sensitive personal information beyond permitted purposes, we will provide the right to limit as required.
  • We honor applicable rights to know, delete, and correct, and the right to non-discrimination.
  • Deletion requests are available in-app and via support/privacy contact channels.

11. Children and Age Restrictions

The Service is not directed to children under 13. If we learn we collected personal data from a child under 13 without required authorization, we will delete it as required by law.

If your jurisdiction requires a higher digital age of consent, additional age-gating or parental consent controls may apply.

12. Security

We implement technical and organizational measures designed to protect personal data, including access controls, authentication controls, and service-provider security controls. No method of transmission or storage is completely secure.

13. Automated Decision-Making

tappin does not use solely automated decision-making that produces legal or similarly significant effects on users.

14. Changes to This Policy

We may update this Policy from time to time. We will post the updated version and update the "Last updated" date. Where legally required, we will provide additional notice or seek consent.

15. Contact and Complaints

Questions or requests:

  • data@tappinpro.com

If you are in the EEA/UK, you may also lodge a complaint with your local data protection authority.