PRIVACY

Privacy policy

Effective 1 January 2026. We collect almost nothing about shoppers and the bare minimum about merchants. Here is the long form.

Who we are

TapReceipt B.V. (KVK 89124021), Hemonystraat 11, 1074 BK Amsterdam, the Netherlands. We are the data controller for the personal data described on this page. Our Data Protection Officer can be reached at dpo@tapreceipt.com.

What we collect

Two distinct flows produce two distinct sets of data — and we keep them separated by design.

  • From merchants: account email, billing details, terminal metadata, receipts created via the API. These are personal data of the merchant’s representatives, not their shoppers.
  • From shoppers (people who tap): nothing identifiable. The puck issues a one-way signed URL; the resulting receipt page does not require a login or set tracking cookies.
  • Operational telemetry: aggregated request counts, error rates and tap counts per puck. No IP-level retention beyond a 24-hour rolling window for anti-abuse.

How we use it

We use personal data to operate, improve and bill for the service. Specifically:

  • To deliver receipts to wallets and to keep the URL resolving for at least seven years.
  • To provide the merchant dashboard and customer support.
  • To detect abuse, fraud and tampered pucks.
  • To meet our own legal obligations (tax, accounting, audit).

We never use personal data for advertising. We do not sell, rent or barter it.

Sharing

We share data with a short list of sub-processors required to run the service: cloud hosting, payment processing, email delivery and customer-support tooling. The full list is in our DPA, kept current and version-controlled.

We do not share merchant data with other merchants and we never share shopper data with anyone, because we do not collect any.

Retention

  • Receipts: seven years, the EU statutory minimum for tax records.
  • Account data: until you close the account, plus 30 days of soft-deletion for recovery.
  • Logs: 30 days for application logs, 24 hours for IP-bearing access logs.
  • Backups: rolling 35-day window, encrypted, geographically redundant within the EU.

Your rights

Under the GDPR you have the right to access, correct, port and erase your personal data. To exercise any of these, write to privacy@tapreceipt.com. We respond within thirty days, usually within five.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

International transfers

Personal data is stored in the European Union. Where a sub-processor is outside the EU, we rely on Standard Contractual Clauses and we keep an active assessment of supplementary measures.

Contact

Privacy questions: privacy@tapreceipt.com. DPO: dpo@tapreceipt.com. Postal: TapReceipt B.V., Hemonystraat 11, 1074 BK Amsterdam, NL.