Privacy Policy
Last updated: 12 March 2026
TapOwner (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information when you use our website, mobile app, and QR code contact service.
1. Who we are
TapOwner is an anonymous contact platform for vehicle owners, operated in the United Kingdom. For data protection purposes, TapOwner is the data controller. You can contact us at privacy@tapowner.app.
2. Information we collect
Account holders (vehicle owners)
- Email address — for account login and transactional emails (lawful basis: contract)
- Phone number — encrypted at rest, used to relay messages to you (lawful basis: contract)
- Vehicle registration — encrypted at rest, used for scanner verification (lawful basis: contract)
- Display name — optional, shown only to you in your dashboard (lawful basis: contract)
- Notification preferences — your push, email, and SMS settings (lawful basis: contract)
- Payment information — processed by Stripe; we never store card details (lawful basis: contract)
Scanners (people contacting vehicle owners)
- Messages — the text content you send to a vehicle owner (lawful basis: contract)
- IP address — hashed (one-way) for rate limiting and abuse prevention; the original IP is not stored (lawful basis: legitimate interest — security)
- Device type — mobile, desktop, or tablet, derived from your browser’s User-Agent (lawful basis: legitimate interest — service improvement)
- Approximate location — city-level only, derived from IP address when available (lawful basis: legitimate interest — service functionality)
We do not collect the scanner’s name, email, phone number, or precise location. Scanning is anonymous by design.
3. Lawful basis for processing
We process your personal data under the following lawful bases as defined by UK GDPR:
- Contract — processing necessary to provide the TapOwner service, including account management, message relay, and payment processing
- Legitimate interest — processing necessary for abuse prevention, rate limiting, security monitoring, and service improvement. We have conducted balancing tests to ensure these interests do not override your rights.
- Consent — marketing communications are only sent with your explicit opt-in consent, which you can withdraw at any time via your notification settings or by clicking unsubscribe in any email
4. How we use your information
- To provide the contact relay service (messages between scanners and vehicle owners)
- To verify scanner identity via the last 4 characters of the registration plate
- To send you notifications about scans and messages (according to your preferences)
- To process purchases and deliver orders
- To prevent abuse, fraud, and spam through rate limiting
- To improve the service through aggregated, anonymised analytics
- To send marketing communications (only with your explicit consent)
5. How we protect your data
- Encryption at rest — phone numbers and vehicle registrations are encrypted using AES-256-GCM with per-field random initialisation vectors
- Hashed lookups — verification data is stored as SHA-256 hashes; we cannot reverse these to obtain the original values
- Anonymous scanning — the vehicle owner never sees the scanner’s phone number, email, or precise location
- Secure transmission — all data in transit is protected by TLS 1.2+
6. Data sharing and international transfers
We share data only with the following third-party processors, all of which are bound by data processing agreements:
- Stripe — payment processing (US — certified under UK-US Data Bridge)
- Supabase — authentication (US — Standard Contractual Clauses)
- Resend — transactional email delivery (US — Standard Contractual Clauses)
- Railway — application hosting (US — Standard Contractual Clauses)
- Vercel — web hosting and CDN (US — certified under UK-US Data Bridge)
Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place through the UK-US Data Bridge, UK International Data Transfer Agreements, or Standard Contractual Clauses (UK Addendum).
We do not sell your personal data to anyone.
7. Data retention
- Account data — retained while your account is active, deleted within 30 days of account deletion
- Messages — retained for 12 months, then automatically deleted
- Scan events — IP hashes are anonymised after 7 days; other scan metadata is retained for 12 months
- Payment records — retained for 7 years as required by UK tax and accounting law
8. Your rights (UK GDPR)
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the right to:
- Access — request a copy of your personal data. You can download your data directly from Settings > Account in your dashboard.
- Rectification — correct inaccurate data via your dashboard settings
- Erasure — delete your account and all associated data. You can do this directly from Settings > Account in your dashboard.
- Portability — export your data in a machine-readable JSON format via Settings > Account
- Object — opt out of marketing communications at any time via notification settings or by clicking unsubscribe in any marketing email
- Restrict processing — request that we limit how we use your data
- Withdraw consent — where we rely on consent (e.g. marketing), you can withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, use the self-service options in your dashboard or email privacy@tapowner.app. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Cookies
We use only essential cookies required for authentication and session management. These are strictly necessary for the service to function and do not require consent under PECR (Privacy and Electronic Communications Regulations).
We use the following cookies:
- sb-access-token — authentication session token (session cookie, cleared on logout)
- sb-refresh-token — token refresh for maintaining login (persistent, 30 days)
We do not use any advertising, analytics, or tracking cookies. No third-party cookies are set by our site.
10. Children
TapOwner is not intended for use by anyone under the age of 16. We do not knowingly collect data from children. If you believe a child under 16 has created an account, please contact us at privacy@tapowner.app and we will promptly delete the account.
11. Changes to this policy
We may update this policy from time to time. We will notify account holders of material changes by email at least 14 days before they take effect. The “last updated” date at the top reflects the most recent revision.
12. Contact
If you have questions about this privacy policy or our data practices, contact us at privacy@tapowner.app.
TapOwner
United Kingdom
privacy@tapowner.app