Public Beta

Join us

TapRewardBeta
Join beta

Legal

Privacy Policy

Last updated: 10 April 2026

This policy explains what personal data TapReward collects, how we use it, who we share it with, and the rights you have over it. We've tried to keep this readable rather than buried in legalese. If anything isn't clear, email us at hello@tapreward.co.

1. Who we are

TapReward ("we", "us", "our") is a UK-based loyalty platform for independent coffee shops and small merchants. We're the data controller for the personal data described in this policy, unless we're acting as a data processor on behalf of a merchant (see Section 6).

You can reach us at hello@tapreward.co.

2. What data we collect

Website visitors

When you visit tapreward.co, we collect:

  • Your IP address and approximate location (city, region, country) derived from it
  • Browser user agent, screen resolution, and referrer URL
  • Pages you view, time on page, scroll depth, and which calls-to-action you click
  • Any UTM parameters from marketing campaigns that brought you here
  • A derived "visitor fingerprint" — a hash of your IP + user agent + screen resolution used to recognise you across page views

We also perform a reverse DNS lookup on your IP address, which can sometimes reveal the name of the organisation whose network you're connecting from. We use this to understand which kinds of businesses are interested in TapReward.

Merchants

When you register a merchant account, we collect:

  • Business name and number of locations
  • Your email address and a securely hashed password (we never store passwords in plain text)
  • Your location names and addresses
  • Your Stripe customer ID and subscription status (we do not store card details — those live with Stripe)
  • Logo image if you upload one
  • Email verification status and the time you last signed in

Customers of merchants

When a customer taps an NFC tag at a participating merchant's counter, we collect their email address (required to identify their stamp card) and optionally their first name. We then track:

  • The stamps they've collected at that specific merchant
  • The rewards they've earned and redeemed
  • The times of their visits
  • A device fingerprint used for offline stamp sync and fraud prevention
  • Whether they've opted in to marketing nudge emails

For customer data, TapReward acts as a data processor on behalf of the merchant. The merchant is the data controller — they decide what happens to their customers' data, and customers should contact the merchant directly with data requests. TapReward will act on instructions from the merchant in line with our processing agreement.

Contact form submissions

If you use the contact form on our website, we collect the name, email, organisation, and message you provide, along with your IP address, so we can respond.

3. How we use your data

We use the data above for these purposes:

  • Providing the service — authenticating you, processing payments via Stripe, running the loyalty programme, sending verification and reward emails
  • Improving the product — understanding which pages and features are used, which calls-to-action work, and which visitors are likely to become customers
  • Sales and outreach — contacting businesses that visit our site and appear to be a good fit for TapReward (you can ask us to stop at any time)
  • Security and fraud prevention — detecting abusive patterns, preventing stamp fraud, enforcing rate limits
  • Legal compliance — meeting our tax, accounting, and regulatory obligations

4. Our legal basis (UK GDPR)

  • Contract — for processing merchant accounts, subscription billing, and core loyalty programme functions
  • Legitimate interest — for visitor analytics, sales outreach to business visitors, security, and fraud prevention. We've weighed this against your rights and believe it's proportionate; you can object at any time by emailing us
  • Consent — for marketing nudge emails sent to customers of merchants (opt-in at stamp collection, with an unsubscribe link in every email)
  • Legal obligation — for tax records, invoices, and fraud reporting

5. Cookies and similar technologies

We don't use traditional tracking cookies. We do use:

  • sessionStorage — to remember your visitor session ID between page views during a single visit
  • localStorage — to store merchant login tokens and offline stamp data
  • IndexedDB — to queue stamps offline and sync them when connectivity returns

These are strictly necessary to run the loyalty programme and don't require cookie consent under PECR.

6. Who we share data with

TapReward does not sell personal data. We share data only with the third-party processors needed to run the service:

ProcessorPurposeLocation
SupabaseDatabase and authentication storageEU (London)
VercelApplication hosting and edge deliveryEU (Ireland)
ResendTransactional and marketing email deliveryEU (Ireland)
StripeSubscription billing and payment processingUK / US (with UK addendum)
ip-api.comIP geolocation for visitor analyticsEU
HostingerDomain registration and inbound emailEU

All processors are bound by data processing agreements. Where data is transferred outside the UK/EU, we rely on adequacy decisions or Standard Contractual Clauses.

We may also disclose data if required by law, court order, or to protect our rights and the safety of our users.

7. How long we keep data

  • Merchant accounts and their data: for as long as the account is active, plus 6 years after closure for tax and accounting records
  • Customer loyalty data: controlled by the merchant. Customers can request deletion through the merchant
  • Visitor analytics: 12 months, then anonymised or deleted
  • Contact form submissions: 24 months
  • Email verification tokens: 7 days

8. Your rights under UK GDPR

You have the right to:

  • Access — ask for a copy of the personal data we hold about you
  • Rectification — have inaccurate data corrected
  • Erasure — ask us to delete your data (subject to legal retention requirements)
  • Restriction — ask us to limit how we use your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest, including analytics and sales outreach
  • Withdraw consent — for anything we rely on consent for, at any time

To exercise any of these rights, email hello@tapreward.co. We'll respond within one month.

If you're unhappy with how we handle your data, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk.

9. Security

We protect your data with industry-standard measures: HTTPS everywhere, hashed passwords (bcrypt), signed JWT tokens, parameterised SQL queries, rate limiting on public endpoints, and restricted API keys. Access to production systems is limited to essential personnel.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we'll notify you and the ICO within 72 hours as required by UK GDPR.

10. Children

TapReward is not intended for children under 13. We do not knowingly collect data from children. If you're a parent or guardian and believe we have data about your child, contact us and we'll delete it.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top shows when it was last changed. Material changes will be communicated to merchants by email. Continuing to use TapReward after changes means you accept the updated policy.

12. Contact us

Questions about this policy or your data? hello@tapreward.co