1. Who we are
Tappr (“we”, “us”) provides a smart link-management platform at tappr.me. For the purposes of GDPR, the data controller is 【Legal entity name】, 【registered address】. For any privacy question or to exercise your rights, email privacy@tappr.me.
2. What we collect
We only collect what the product actually needs to run:
- Account data — your email address and name, created when you sign up (including via Google sign-in).
- Links & content you create — the short links, collections, A/B tests and any business context you add to the AI Brain.
- Click analytics — when someone opens one of your short links, we record the IP address, user-agent (browser/device), approximate country, device type and referrer of that visit. IP addresses are treated as personal data.
- AI conversations — the messages you send to the AI Brain and the analytics context they run against (see section 7).
- Instagram integration — if you connect Instagram, we store the access token and account username so we can show your profile insights.
- Support messages — anything you send us through the contact form (name, email, message).
- Billing data — subscription and payment status, handled through our payment provider (we do not store full card details).
3. Why we use it, and our lawful basis
- To provide the service (accounts, links, redirects, analytics) — performance of a contract.
- To keep the service secure and prevent abuse (e.g. rate-limiting, spam filtering) — legitimate interests.
- To send you service and account emails — performance of a contract / legitimate interests.
- To provide AI features you choose to use — performance of a contract.
- To meet legal and accounting obligations — legal obligation.
4. Who we share it with (sub-processors)
We use a small number of trusted providers to run Tappr. Each processes only the data it needs, on our instructions, under a data-processing agreement.
| Provider | What it does | Data it processes | Region |
|---|---|---|---|
| Supabase | Database, authentication, hosting of your data | Account data, links, click analytics, AI history | EU / US |
| Vercel | Application hosting & edge network | Request metadata, IP addresses | US (global edge) |
| Groq | AI model provider (the AI Brain, reports, anomaly checks) | Your AI messages + analytics context you run them against | US |
| Resend | Transactional & notification email delivery | Email address, name, message content | US |
| Fanbasis | Payments & subscription billing | Billing and subscription data | US |
| Meta / Instagram | Instagram integration (only if you connect it) | Instagram account ID, username, access token | US |
| Sign in with Google (only if you use it) | Email, name, profile identifier | US |
We do not sell your personal data, and we do not use third-party advertising or cross-site tracking pixels.
5. International transfers
Several of the providers above are based in the United States, so your data may be transferred outside the EU/UK. Where that happens, the transfer is covered by an appropriate safeguard — Standard Contractual Clauses (SCCs) or an adequacy decision (including the EU–US and UK–US Data Privacy Framework where the provider is certified).
6. How long we keep it
- Account data and content — kept while your account is active, and deleted when you delete your account (see section 8).
- Click analytics with IP addresses — retained for up to 90 days, after which IP addresses are automatically removed while aggregate, non-identifying counts may be kept.
- Support messages — kept only as long as needed to handle your request.
- Billing records — kept as long as required for legal and accounting purposes.
7. AI features
The AI Brain, weekly reports and anomaly insights are powered by an AI model provided by Groq. When you use them, the messages you send and the analytics context they run against are sent to Groq to generate a response. Responses are AI-generated and may be inaccurate — treat them as suggestions, not professional advice. We do not use your content to train third-party models.
8. Your rights
Under GDPR / UK GDPR you can:
- Access a copy of your data.
- Delete your account and data — from Settings → Danger Zone, which permanently removes your account, links, analytics and connected integrations.
- Correct inaccurate data (e.g. your name in Settings).
- Object to or restrict certain processing.
- Data portability — request an export of your data.
To exercise any of these, use the in-app controls or email privacy@tappr.me. You also have the right to complain to your local data protection authority (in the UK, the ICO).
9. Cookies
We use only essential cookies needed to keep you signed in and to run the service securely. We do not use analytics or advertising cookies, so no cookie-consent banner is required.
10. Children
Tappr is not directed at children under 16. We do not knowingly collect data from them. If you believe a child has given us data, contact us and we will delete it.
11. Changes
We may update this policy as the product evolves. Material changes will be reflected in the “last updated” date above and, where appropriate, notified to you.