Introduction
1.2 This Tap2 Loyal End-Customer Privacy Notice (the “Notice”) describes the processing of personal data of end-customers (“you”) in connection with digital loyalty programs operated by participating merchants (“Merchants”) through the Tap2 Loyal platform (the “Platform”). It supplements, and must be read together with, the Tap2 Privacy Notice available at https://www.tap2.ai/privacy-notice, as well as any Merchant-specific privacy information.
1.3 It describes the data processed, the purposes and legal bases for processing, and the rights available to you under applicable data protection law.
Roles and Responsibilities
2.1 The Merchant operating the loyalty program is the controller for personal data relating to your participation.
2.2 Tap2 B.V. or Tap2 Technologies Ltd (as applicable) primarily acts as processor on behalf of the Merchant, providing the loyalty infrastructure, analytics, and notification services.
2.3 Tap2 may act as an independent controller for limited processing activities, including Platform security, diagnostics, service improvement, or billing-related logs. Where Tap2 acts as controller, this Notice specifies it.
Categories of Personal Data
3.1 The following table summarizes the types of personal and usage data collected and processed by Tap2 in connection with loyalty programs. It outlines the main categories of data, the specific information collected, and any relevant notes regarding its use.
Purposes and Legal Basis
4.1 Operation of the Loyalty Program: Issuing and maintaining the digital card; tracking stamps/points and enabling reward redemption; fraud prevention. Legal basis: performance of a contract or pre-contractual steps; in some cases, the Merchant’s legitimate interest in operating a loyalty scheme.
4.2 Program-Related Communications: Service notifications, changes to terms, operational updates, or reward-related messages. Legal basis: contract performance and/or legitimate interest.
4.3 Marketing and Promotional Communications: Wallet-based promotional messages, targeted campaigns, and (where enabled) geo-based notifications using native Apple/Google Wallet features. Legal basis: consent where required (e.g., direct marketing, geo-based marketing); otherwise, legitimate interest. You may opt out at any time via Wallet settings or by contacting the Merchant.
4.4 Analytics and Service Improvement: Provision of aggregated or pseudonymized dashboards to Merchants; improvement of the Platform; fraud detection; feature usage analysis. Legal basis: legitimate interest of the Merchant and Tap2, provided your rights are not overridden; data may be aggregated or anonymized where appropriate.
4.5 Compliance, Security, and Legal Claims: Security monitoring, incident detection, log analysis; compliance with legal obligations; establishment, exercise, or defense of claims. Legal basis: legal obligation; legitimate interest.
Data Sources
5.1 Data obtained directly from you (e.g., contact details); data generated from your card usage at participating locations; notification interaction data; technical information from Apple Wallet or Google Wallet required for card issuance and updates. Tap2 does not collect payment card data or detailed purchase itemization unless explicitly stated by the Merchant at the point of collection.
Data Sharing and International Data Transfer
6.1 Tap2 and Subprocessors: Merchants share Consumer Data with Tap2 to operate the Platform. Tap2 may engage vetted subprocessors (e.g., cloud hosting, analytics, notification delivery), subject to data protection agreements and security controls. A current list is available through Tap2’s official channels.
6.2 Merchants and Affiliated Entities: Data relating to your card usage is shared with the Merchant operating the program and, where relevant, affiliated franchisees or entities participating in the same program.
6.3 International Transfers: Where data is transferred outside the EEA or UK, Tap2 applies appropriate safeguards (adequacy decisions, standard contractual clauses, or equivalent measures). Details may be requested using the contact information below.
Data Retention
7.1 Loyalty card data is retained for as long as you participate in the program. If inactive for a defined period, the card may be deactivated and data anonymized or deleted, unless retained for legal or accounting purposes.
7.2 Marketing contact details are retained until you withdraw consent or object.
7.3 Security logs and diagnostic data are kept only for the period necessary for security, troubleshooting, and legal compliance.
Your Data Protection Rights
8.1 Subject to applicable law, you may request access, rectification, erasure, restriction, portability, or object to processing based on legitimate interests. You may object at any time to the use of your data for direct marketing, including related profiling. Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing.
Exercising Your Rights and Controlling Your Card
9.1 You may remove the loyalty card from Apple Wallet or Google Wallet at any time, which stops further notifications and normal use.
9.2 As the Merchant is typically the controller, rights requests regarding your Consumer Data should generally be directed to the Merchant, whose contact details appear on the card or in-store.
9.3 You may also contact Tap2 for matters within its role as controller or to assist in directing your request to the correct Merchant.
Contact Details
Merchant: as displayed on the loyalty card or in-store.
Tap2: Tap2 B.V. / Tap2 Technologies Ltd Postal address: Kleine Looiersstraat 6B, 6211 JL, Maastricht, The Netherlands Email: dpo@tap2.ai
. Distinction Between Merchant Data and Consumer Data
11.1 “Merchant Data” relates to the Merchant’s business (e.g., business details, staff accounts, configuration settings, aggregated analytics).
11.2 “Consumer Data” relates to you as a loyalty participant (e.g., card identifiers, stamps/points, rewards, contact details).
11.3 Tap2 and the Merchant maintain separate access controls and use Consumer Data solely for the purposes outlined in this Notice and in the Merchant’s own privacy information.
. Changes to this Notice
12.1 This Notice may be updated periodically to reflect changes in the Platform, applicable law, or Merchant participation. The latest version will be made available through Merchant channels or via a link in the loyalty card information. Material changes may be notified through appropriate means (e.g., wallet notification or email, where available).