Privacy Policy
Last updated: 1 April 2026 · Effective immediately
Tapnly is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how we handle it — in plain language, not legal jargon.
1. Who we are
Tapnly is an NFC-powered review automation service based in Ibiza, Spain. We help businesses collect genuine Google reviews by integrating with their payment terminals.
For questions about this policy, contact us at info@tapnly.com.
2. What data we collect
2a. Merchant data (businesses using Tapnly)
- Business name and contact email address
- Google Review URL provided during setup
- Payment terminal identifier (TID) for myPOS integration
- Subscription and billing information (processed via our payment provider)
- Tap analytics: number of NFC taps, timestamps, and conversion rates
2b. Customer data (end customers who tap the terminal)
When a customer taps the terminal after payment, Tapnly broadcasts a URL via NFC. We do not collect, store, or process any personal data about the customer at the point of tap. No name, no email, no device identifier, no payment data.
If a customer follows the URL and leaves a review on Google, that data is governed by Google's own privacy policy — not ours.
2c. Website visitors (tapnly.com)
- Email address if submitted via the waitlist form
- Basic analytics data via Vercel Analytics (page views, referrers — no personal identifiers)
3. Why we collect this data
- To provide the service — merchant setup, NFC configuration, and terminal integration require your business name and review URL
- To show you analytics — tap counts and conversion rates help you understand how the service is performing
- To manage your subscription — billing and account management
- To communicate with you — service updates, support responses, and (with consent) product news
4. Legal basis for processing (GDPR)
For merchants in the European Economic Area, we process your data under the following lawful bases:
- Contract performance — processing necessary to deliver the Tapnly service you signed up for
- Legitimate interests — product analytics and service improvement
- Consent — marketing communications (you can unsubscribe at any time)
5. Data sharing
We do not sell your data. We share data only with:
- myPOS — to process payments and integrate with your terminal (their privacy policy applies)
- Vercel — our hosting provider (data processed in the EU/US under GDPR-compliant terms)
- Supabase — our database provider (EU region, GDPR-compliant)
- Payment processors — for subscription billing only
All third-party providers are under data processing agreements that comply with GDPR requirements.
6. Data retention
- Merchant account data is retained for the duration of your subscription plus 90 days after cancellation
- Tap analytics are retained for 24 months
- Waitlist email addresses are retained until you unsubscribe or request deletion
- Billing records are retained for 7 years as required by Spanish tax law
7. Your rights (GDPR)
If you are based in the EU or EEA, you have the right to:
- Access — request a copy of the data we hold about you
- Correction — ask us to correct inaccurate data
- Deletion — ask us to delete your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Restriction — ask us to limit how we use your data
To exercise any of these rights, email us at info@tapnly.com. We will respond within 30 days.
8. Cookies
Tapnly.com uses minimal cookies:
- Strictly necessary — session management and security (cannot be disabled)
- Analytics — anonymous page view data via Vercel Analytics (no personal identifiers, no cross-site tracking)
We do not use advertising cookies or share data with ad networks.
9. Security
We take reasonable technical and organisational measures to protect your data, including encrypted data transmission (HTTPS), access controls, and regular security reviews. No payment card data is ever processed or stored by Tapnly — all payments are handled directly by myPOS.
10. International transfers
Tapnly is operated from Spain (EU). Some of our infrastructure providers (Vercel, Supabase) may process data outside the EU. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
11. Changes to this policy
We may update this policy from time to time. We will notify active merchants of material changes by email at least 14 days before they take effect. The date at the top of this page always shows when it was last updated.
12. Contact us
For any privacy-related questions, requests, or complaints:
If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish data protection authority (AEPD) at