Privacy Policy
Your trust matters. Here's exactly how TapBy collects, uses, and protects your data — transparently and honestly.
Last updated: March 16, 2026
1. Data We Collect
- Account data — full name, email address, phone number, and a securely hashed password. We never store passwords in plain text.
- Profile data — job title, company, bio, social-media links, and an optional profile photo.
- Usage data — anonymised profile-view counts and irreversibly hashed visitor identifiers. We never store raw IP addresses.
- Device data — browser type and approximate location (country level only) for abuse prevention.
- NFC tag metadata — tag identifier, activation status, and write timestamps.
2. How We Use Your Data
- Display your digital profile to people who tap your TapBy.
- Authenticate you and keep your account secure.
- Send transactional emails such as password-reset links and activation confirmations.
- Generate aggregated, anonymised analytics so you can see how many times your profile has been viewed.
- Detect and prevent abuse to protect the platform and its users.
3. How We Protect Your Data
Security is built into every layer of TapBy. Here is how we keep your data safe:
- Password security — all passwords are irreversibly hashed using an industry-standard algorithm before storage. They are never stored or logged in plain text.
- Request verification — every state-changing request is verified to prevent cross-site request forgery (CSRF) attacks.
- Abuse prevention — automatic rate limiting is applied to sensitive endpoints such as login, registration, and password reset to guard against brute-force attacks.
- Transport security — all traffic is encrypted in transit and our servers enforce strict transport-security policies.
- Content security — browser-level security policies restrict what resources can be loaded, mitigating injection attacks.
- Input validation — all user-supplied data is validated and sanitised before processing to prevent injection and manipulation.
- Upload verification — uploaded files are validated at the binary level (not just by file extension) and stored in access-controlled private storage.
- Access control — server-side middleware ensures that unauthenticated and unauthorised requests are rejected before any business logic runs.
- Privacy-friendly analytics — visitor data is irreversibly anonymised before storage. No raw personal identifiers are ever persisted in analytics.
4. Data Sharing
We do not sell your personal data. We share data only with the infrastructure providers necessary to run the service:
- Hosting provider — serves the application, runs server-side logic, and stores uploaded files.
- Database provider — stores account and profile data in an encrypted-at-rest database.
- Cache provider — supports rate limiting and session management.
- Email provider — delivers transactional emails such as password resets and activation links.
All providers are bound by their own privacy policies and data-processing agreements. We never share data with advertising networks or data brokers.
5. Profile Visibility
Your profile is public by default — anyone who taps your TapBy or visits your profile URL can see the information you choose to display. You can deactivate your TapBy at any time from the dashboard, which immediately hides your profile and returns a "TapBy deactivated" message to visitors.
6. Data Retention
We retain your account and profile data for as long as your account is active. If you delete your account through the dashboard, we permanently remove your profile data, uploaded photos, and associated NFC-tag bindings within 30 days. Anonymised, aggregated analytics may be retained indefinitely as they cannot be linked back to you.
8. Account Deletion
You can delete your account at any time from Dashboard → Settings → Delete Account. This action requires your current password for verification and is irreversible. Upon deletion we remove your profile, uploaded photos, and NFC-tag associations. The NFC tag itself is returned to the available pool and can be re-assigned.
9. Children's Privacy
TapBy is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
10. Changes to This Policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes we will notify registered users by email.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please reach out:
- Email — privacy@tapby.app
- General enquiries — hello@tapby.app