Back

Privacy Policy

Last updated: 18 June 2026

1. Who We Are

Tapcarry ("Tapcarry", "we", "us", "our") is a digital loyalty platform operated by:

Nicklas Sharma, Holzmeisterstrasse 24, Top 93, 5071 Salzburg, Austria — support@tapcarry.com

Nicklas Sharma acts as the data controller within the meaning of the EU General Data Protection Regulation (GDPR / Regulation (EU) 2016/679) for personal data processed through the Tapcarry platform.

2. What Tapcarry Does

Tapcarry provides brick-and-mortar businesses (cafés, restaurants, retail stores and similar) with a B2B SaaS platform to run digital stamp-card loyalty programmes via Apple Wallet. No app download is required by end-customers.

Tapcarry interacts with two distinct groups of people:

  • (A) Business operators — companies or individuals who subscribe to Tapcarry and operate loyalty programmes for their customers.
  • (B) End-customers — consumers of those businesses who receive and use digital stamp cards via Apple Wallet.

The rights and data-handling rules for these two groups differ, and this policy explains both clearly.

3. Data We Collect

3.1 Business Operators (Admins)

When you create and use a Tapcarry account on behalf of a business, we collect:

  • Your name and email address
  • Your business name and any business details you provide
  • Subscription and billing information — payment card details are handled exclusively by Paddle.com Market Limited (our Merchant of Record) and are never stored by Tapcarry
  • Account activity logs (login timestamps, feature usage)

3.2 End-Customers (Stamp Card Recipients)

When a business operator runs a loyalty programme through Tapcarry, their customers may receive a digital stamp card delivered via Apple Wallet. In connection with this, we may process:

  • Name and/or email address, if provided by the business operator or directly by the customer
  • Stamp card activity: stamps issued, rewards redeemed, pass interactions
  • Apple Wallet pass delivery metadata (e.g. device push token used to update the pass)

Important: For end-customer data, Tapcarry acts as a data processor on behalf of the business operator, who is the data controller for their own customers. Business operators are responsible for maintaining a lawful basis for collecting their customers' data and for informing those customers in accordance with GDPR Articles 13 and 14.

3.3 Automatically Collected Data

When you visit the Tapcarry website or use the platform, we automatically collect:

  • Aggregated, anonymised usage statistics via Vercel Analytics. This data is only collected if you have accepted our cookie policy. This service uses no cookies, collects no personal data, and performs no cross-site tracking. No individual user can be identified from this data. Collection is based on your consent under GDPR Article 6(1)(a), which you may withdraw at any time through your cookie preferences.
  • A strictly necessary session cookie set by our authentication provider (Supabase) to keep you logged in. This cookie contains no personal data beyond a session identifier and is deleted when you log out or your session expires.

4. How We Use Your Data

We use the data we collect to:

  • Create and maintain your Tapcarry account
  • Deliver, operate, and improve the loyalty programme service
  • Process payments and manage your subscription (via Paddle)
  • Send transactional communications: account confirmations, password resets, pass update notifications
  • Analyse platform performance through anonymised, aggregate analytics
  • Comply with Austrian tax, accounting, and legal obligations
  • Respond to support enquiries and GDPR requests

We do not use your data for advertising, profiling, or automated decision-making that produces legal or similarly significant effects.

5. Legal Basis for Processing (GDPR Article 6)

Purpose Legal basis
Account creation and service delivery Art. 6(1)(b) — performance of a contract
Payment processing and billing Art. 6(1)(b) — performance of a contract
Transactional communications Art. 6(1)(b) — performance of a contract
Platform analytics (Vercel Analytics) Art. 6(1)(f) — legitimate interest (anonymised data; no impact on individuals)
Tax and accounting records Art. 6(1)(c) — compliance with a legal obligation
Stamp card delivery and pass updates Art. 6(1)(b) — contract between operator and Tapcarry; Art. 6(1)(f) — legitimate interest of the operator
Responding to GDPR requests Art. 6(1)(c) — compliance with a legal obligation

6. Third-Party Service Providers

We share data only with the following carefully selected processors, and only to the extent necessary to provide the service:

Provider Role Data location Transfer safeguard
Supabase, Inc. Database hosting and authentication eu-west-3 (Frankfurt, Germany) EU-based processing — no transfer
Paddle.com Market Limited Payment processing / Merchant of Record UK / Ireland UK adequacy decision; Standard Contractual Clauses
Vercel Inc. Platform hosting and anonymised analytics EU servers; US-headquartered company Standard Contractual Clauses (SCCs)
Apple Inc. Apple Wallet pass delivery USA Standard Contractual Clauses (SCCs)

We do not sell, rent, or trade your personal data to any third party.

7. Data Retention

Data type Retention period
Business account data (admin profiles, business info) Retained while your account is active
End-customer stamp card data Retained while the business operator account is active
Data after subscription cancellation Retained until you explicitly delete your account
Data after account deletion Permanently deleted within 30 days of account deletion
Anonymised analytics data (Vercel) 12 months rolling window
Billing records Up to 7 years to comply with Austrian tax law (§ 132 BAO)

Note on cancellation vs. deletion: Cancelling your subscription does not delete your account or data. Your data is retained so you can reactivate your account at any time. To permanently delete your data, you must use the Delete Account function in your account settings.

8. International Data Transfers

Your data is primarily processed within the European Economic Area (EEA). Where transfers to third countries occur (e.g. to Vercel or Apple in the USA), we ensure appropriate safeguards are in place, specifically the Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c).

9. Your Rights Under GDPR

You have the following rights in relation to your personal data:

Right What it means
Right of access (Art. 15) Request a copy of the personal data we hold about you
Right to rectification (Art. 16) Ask us to correct inaccurate or incomplete data
Right to erasure (Art. 17) Ask us to delete your data ("right to be forgotten")
Right to restriction (Art. 18) Ask us to limit how we process your data
Right to data portability (Art. 20) Receive your data in a structured, machine-readable format
Right to object (Art. 21) Object to processing based on legitimate interests
Right to withdraw consent (Art. 7(3)) Where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at support@tapcarry.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

You also have the right to lodge a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde (DSB), Barichgasse 40–42, 1030 Vienna, Austria — dsb.gv.at | dsb@dsb.gv.at

10. Cookies

Tapcarry sets the following cookies:

Cookie Purpose Duration Consent required? Legal basis
Session cookie Authentication — keeps you logged in to your account Session / until logout No — strictly necessary Art. 6(1)(b) GDPR
Language preference cookie Remembers your preferred language (English or German) 1 year No — strictly necessary Art. 6(1)(f) GDPR
Analytics consent cookie Records whether you have accepted or declined analytics data collection 12 months No — strictly necessary to record your consent decision Art. 6(1)(c) GDPR

A note on Vercel Analytics: Vercel Analytics itself does not set cookies and does not collect personal data. However, we only activate it after you have accepted our cookie policy. The analytics consent cookie above is what stores that decision. You may withdraw your consent at any time through your cookie preferences — this will not affect any data collected prior to withdrawal.

We do not use advertising, tracking, remarketing, or profiling cookies.

11. Data Processing Agreement for Business Operators

If you are a business operator using Tapcarry to manage loyalty programmes for your own customers, you are acting as a data controller for your customers' personal data. Tapcarry acts as your data processor for that data.

By agreeing to our Terms of Service, you also agree to our Data Processing Agreement (DPA), which governs how Tapcarry processes end-customer data on your behalf in accordance with GDPR Article 28.

The Data Processing Agreement is incorporated into Tapcarry's Terms of Service as Schedule A, available at Terms of Service. By accepting the Terms of Service, business operators also accept the DPA.

12. Children's Data

Tapcarry is a B2B platform intended for use by businesses and their adult representatives. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at support@tapcarry.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal requirements. When we make material changes, we will notify you by email or by posting a notice on the Tapcarry dashboard at least 14 days before the changes take effect.

The "Last updated" date at the top of this document indicates when it was last revised. Your continued use of Tapcarry after changes take effect constitutes acceptance of the revised policy.

14. Contact

For any questions, GDPR requests, or data protection concerns:

Nicklas Sharma, Holzmeisterstrasse 24, Top 93, 5071 Salzburg, Austria — support@tapcarry.com

© 2026 Tap Carry. All rights reserved.