Introduction
Tap2 B.V. (“Tap2,” “we,” “our,” or “us”) operates the Tap2 Loyalty platform (the “Platform”), providing digital loyalty card services through Apple Wallet and Google Wallet. The Platform is accessible through several domains operated by Tap2, including tap2.ai, tap2.ch, tap2.es, tap2pay.ai, tap2pay.ch, tap2pay.es, tap2pay.it, tap2pay.uk, taptopay.ch, and taptopay.es (collectively, the “Tap2 Websites”).
This Privacy Notice describes how Tap2 collects, uses, processes, discloses, and protects personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
This Privacy Notice applies to personal data of two categories of individuals: (i) business customers (“Merchants”) and their authorized personnel, and (ii) end users who use digital loyalty cards (“Consumers”). Tap2 acts in dual capacities, namely as:
Data Processor on behalf of Merchants, insofar as we process consumer data to deliver loyalty services.
Data Controller for data collected for Platform operation, improvement, and security purposes.
Notwithstanding the foregoing, Tap2 does not process any special categories of personal data under Article 9 GDPR (e.g., data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, sexual life, or sexual orientation).
For questions regarding this Privacy Notice, the processing of personal data, or the exercise of data subject rights, you may contact our Data Protection Officer at:
Tap2 B.V.
Address: Kleine Looiersstraat 6B, 6211 JL, Maastricht, The Netherlands
Email: dpo@tap2.ai
Definitions
The terms used herein shall have the following meanings:
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, or deletion.
Controller: The entity that determines the purposes and means of personal data processing.
Processor: The entity that processes personal data on behalf of a Controller.
Data Subject: An individual whose personal data is processed.
Merchants: Businesses registering and configuring loyalty programs on the Platform.
Consumers: End users who add and interact with loyalty cards in digital wallets.
Categories and Purposes of Data Processing
Merchant Data (Controller): Tap2 processes Merchant data primarily for account management, billing, and Platform enhancement. Such data includes company name, address, contact person details, email address, authentication credentials (hashed and salted passwords), and transactional logs. Processing is conducted pursuant to the performance of a contract and Tap2’s legitimate interests in security and fraud prevention.
Consumer Data (Processor): Where Tap2 acts as Processor on behalf of Merchants, we process consumer data necessary to deliver loyalty programs. This includes identifiers (e.g., wallet pass ID, email), loyalty activity (points balance, stamps collected, reward redemptions), engagement metrics (visit timestamps, transaction values, notification interactions), device and wallet metadata (device type, OS version, wallet identifiers), and location data collected with consent (approximate location at scan or geo-notification triggers). Consumer notification preferences (opt-in/opt-out) are also recorded. Processing is justified by contractual necessity and, where applicable, consent (e.g., for marketing or geo-notifications).
Platform Improvement Data (Controller): Tap2 collects aggregated usage metrics, performance logs, error reports, and fraud detection indicators to improve Platform functionality, develop new features, and monitor security. Such processing is based on Tap2’s legitimate interests in service improvement and security oversight.
Legal Bases for Processing
Tap2 relies on the following legal grounds, in accordance with Articles 6(1)(a), 6(1)(b), and 6(1)(f) GDPR:
Contractual necessity: Processing required for the performance of services requested by Merchants or Consumers.
Consent: Where processing involves geo-location notifications or marketing communications.
Legitimate interests: For analytics, security monitoring, fraud prevention, and Platform improvement.
Processing is conducted fairly, transparently, and in a manner that is adequate, relevant, and limited to what is necessary for the purposes described herein.
Data Sharing and Subprocessors
Merchants are granted access to consumer loyalty data via secure dashboards and APIs. Merchants determine any further sharing with their partners.
Tap2 engages subprocessors to provide Platform functionality. All subprocessors operate under written Data Processing Agreements and implement appropriate technical and organizational security measures. Subprocessors include:
Cloud hosting providers (AWS EU region)
Email and notification services (e.g., Twilio SendGrid)
Analytics providers (e.g., Google Analytics in privacy-enhanced mode)
A current list of subprocessors is available at https://www.tap2.ai/subprocessors.
Tap2 may disclose personal data where required by law, court order, or to protect rights, safety, or property. Personal data is never shared for marketing purposes without explicit consent.
International Data Transfers
Where personal data is transferred outside your jurisdiction, Tap2 shall implement appropriate safeguards pursuant to the GDPR, thereby ensuring a level of protection substantially equivalent to that afforded within the European Economic Area. Such transfers shall occur only insofar as the destination country has been deemed adequate by the European Commission, the transfer is subject to EU Standard Contractual Clauses together with any necessary supplementary measures, or other safeguards under Article 46(2) GDPR are in place.
Transfers may occur without standard safeguards only under the limited conditions of Article 49 GDPR, including where you have provided explicit consent, the transfer is necessary for contractual purposes, for important public interest, for the establishment, exercise, or defense of legal claims, to protect vital interests, or where permitted from a public register. Where no other legal basis exists, a transfer may take place only if it is occasional, concerns a limited number of data subjects, is necessary for compelling legitimate interests of Tap2 not overridden by your rights, and is accompanied by the safeguards prescribed under Article 49 GDPR.
Data Retention
Retention periods are established in accordance with applicable legal obligations, operational requirements, and legitimate business purposes. Merchants’ account data are retained for the duration of the account’s existence and subsequently for a period necessary to meet financial and record-keeping obligations. Consumers’ personal data are maintained for as long as the loyalty program remains active and are anonymized or erased upon the Merchant’s request or following a period of inactivity consistent with data minimization principles. Aggregated analytical data are preserved only for as long as necessary to fulfil the company’s reporting and business intelligence objectives, after which they are securely deleted or anonymized.
Security Measures
Tap2 implements appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of personal data, protecting it against unauthorized access, alteration, disclosure, or loss. Personal data is encrypted both in transit and at rest using industry-standard encryption protocols, and access to production systems and databases is strictly limited to authorized personnel with a legitimate operational need. These controls are supported by regular security testing, monitoring, and vulnerability management activities. Where feasible, Tap2 applies pseudonymization and data minimization techniques to further safeguard personal data, including in connection with analytics and service optimization.
Data Subject Rights
Data Subjects are entitled to exercise their rights under the General Data Protection Regulation (“GDPR”), to the extent applicable. These rights include the ability to request access to their personal data, to seek rectification or erasure of such data, to obtain restriction of processing, and to receive their data in a structured, commonly used, and machine-readable format where the right to data portability applies. Where processing is based on consent, Data Subjects have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal. Data Subjects also retain the right to object, at any time, to the processing of their personal data for direct marketing purposes, including profiling related to such marketing activities.
Any request to exercise these rights should be addressed to the Data Protection Officer at dpo@tap2.ai.
Tap2 will assess and respond to each request without undue delay and, in any event, within one month of its receipt, in accordance with the GDPR.
Consent Management
When a consumer elects to add a payment card to a digital wallet and chooses to enable notifications, such actions constitute a clear and informed manifestation of consent to the associated processing of personal data for those purposes. The administration and control of geolocation permissions, including the extent to which location data may be accessed or utilized, are managed directly by the wallet platform in accordance with its own privacy settings and user permissions framework.
Data Breach Notification
Tap2 has established and maintains a formally documented personal data breach response plan designed to ensure timely and effective management of any incident involving personal data. In the event of a personal data breach, Tap2 will, where feasible, notify the competent Supervisory Authority without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach. Furthermore, where the breach is likely to result in a high risk to the rights and freedoms of individuals, Tap2 will promptly inform the affected Data Subjects, providing clear and transparent information regarding the nature of the breach, its potential consequences, and the measures undertaken or proposed to mitigate its adverse effects.
Local Storage and Session Data
Our app does not use cookies for tracking or advertising purposes. To provide core functionality, we store certain information on your device using localStorage (via Capacitor Storage), strictly necessary for the operation of the app. The following keys may be stored:

Updates to this Privacy Notice
Tap2 conducts an annual review of this Privacy Notice to ensure its continued accuracy and compliance with applicable data protection laws. Any material amendments arising from such review will be duly communicated to Merchants through the Platform or by email, and may also be published on Tap2’s official website.