Privacy Policy

Version 1.5 — Effective June 1, 2026

Effective Date: 2026-06-01
Last Updated: 2026-06-01


1. Introduction

Tapp Networks LLC ("Company," "we," "us," or "our") operates TappHQ (the "Platform"). This Privacy Policy describes how we collect, use, disclose, and protect your information when you access or use the Platform. By using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you must not use the Platform.

2. Data Controller and Data Processor Roles

The Company acts in two distinct capacities with respect to personal data:

Data Controller: The Company is the data controller for account data, including your name, email address, organization information, and billing data. As data controller, the Company determines the purposes and means of processing this data.

Data Processor: The Company acts as data processor for organization content data — including documents, credentials, agent configurations, integration data, AI inputs and outputs, and any other content you upload to or generate through the Platform. Processing of this data is governed by the Data Processing Agreement available at tapphq.com/legal/dpa.

3. Information We Collect

3.1 Account Information

We collect information you provide during account registration and use, including: name, email address, country, organization name, and role within your organization.

3.2 Billing Information

Payment processing is handled by Stripe. We do not store full credit card numbers. Stripe may collect and process payment card data in accordance with its own privacy policy and PCI DSS requirements.

3.3 Organization Content

Content you and your organization upload to or create on the Platform, including: documents, files, agent configurations, compliance data, credentials stored in encrypted form, integration configurations, and any other materials you provide.

3.4 Usage Data

We use PostHog for product analytics, subject to your cookie consent preferences. Usage data may include: pages visited, features used, interactions with UI elements, session duration, and other behavioral data. PostHog analytics are opt-out — you may disable analytics tracking through the Cookie Preferences panel.

3.5 Error and Performance Data

We use Sentry for error monitoring and performance tracking. Sentry is classified as strictly necessary and does not require consent. Sentry collects: error reports, stack traces, browser and OS information, and performance metrics. Sentry data is used solely for platform reliability and debugging.

3.6 Authentication and Account Security

We use Supabase, Inc. as our authentication provider. Account credentials, session tokens, multi-factor authentication factors, and recovery codes are managed by Supabase under their SOC 2 Type II certified infrastructure.

When you sign in, we issue a JSON Web Token (JWT) with limited claims about your account: your active organization, your role within that organization, and whether you hold platform-administrator privileges. Permission decisions are made server-side at request time.

Multi-factor authentication is available on every plan. When enabled, we generate eight single-use recovery codes that we store in hashed form (Node scrypt with per-code salt). Recovery codes are shown to you once at enrollment and are not retrievable afterward.

We log authentication events — sign-in, sign-out, MFA enrollment, MFA step-up verification, recovery-code use, MFA admin reset, and organization-wide MFA enforcement toggles — in our internal audit log. Audit log entries include the actor, action, target resource, and timestamp. We retain authentication audit logs for the duration of your account and provide them to organization administrators on request.

For details about our subprocessors and authentication infrastructure, see our Subprocessor List at tapphq.com/legal/subprocessors.

3.7 AI Interaction Data

When you use AI features, your inputs (prompts, documents, data) are sent to Anthropic Claude and potentially other third-party AI providers for processing. AI providers may process this data in accordance with their own privacy policies and data processing agreements.

3.8 Integration Data

When you connect third-party services (such as HubSpot, Google Workspace, or ClickUp), the Platform accesses and processes data from those services as authorized by you through the integration configuration.

3.9 Communication Data

We collect data from your communications with us, including: support requests, feedback, and email correspondence.

3.10 Cookie Data

See our Cookie Policy at tapphq.com/legal/cookies for detailed information about cookies and similar technologies used by the Platform.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Service provision: To provide, operate, maintain, and improve the Platform and its features.
  • Billing: To process payments, manage subscriptions, and handle billing-related communications.
  • Service emails (mandatory): To send transactional emails necessary for Platform operation, including account confirmations, security alerts, billing notifications, and system updates. These emails cannot be opted out of as they are essential to Platform operation.
  • Product updates (default on, opt-out): To send product update communications, including new features, improvements, and Platform news. These communications are enabled by default but you may opt out through your notification preferences.
  • Promotional communications (opt-in only): To send promotional offers, marketing materials, and other communications. These are sent only with your explicit opt-in consent.
  • Co-marketing with partners (anonymized/aggregated): To share anonymized and aggregated data with business partners for co-marketing purposes. Individual users are never identified. You may opt out of inclusion in co-marketing data through your privacy settings.
  • Analytics and improvement: To analyze usage patterns using anonymized and aggregated data to improve the Platform, develop new features, and inform business decisions including benchmarking and marketing.
  • Error monitoring: To identify, diagnose, and resolve technical issues and errors.
  • Security: To detect, prevent, and address fraud, abuse, and security threats.
  • Legal compliance: To comply with applicable laws and regulations, including tax, regulatory, and breach notification requirements.

5. Legal Bases for Processing (GDPR)

For users in the European Economic Area ("EEA"), United Kingdom ("UK"), and other jurisdictions that require a legal basis for processing, we process personal data on the following bases:

  • Performance of a contract: Processing necessary to provide the Platform, manage accounts, and process billing, as set forth in the Terms of Service.
  • Legitimate interests: Processing for purposes of anonymized analytics, error monitoring, security, and Platform improvement, where such interests are not overridden by your data protection rights.
  • Consent: Processing of PostHog analytics cookies (where consent is required by applicable law), marketing emails, and co-marketing data sharing. You may withdraw consent at any time.
  • Legal obligation: Processing necessary to comply with tax, regulatory, and breach notification requirements.

6. Data Sharing and Disclosure

We may share your information in the following circumstances:

  • Subprocessors: We use subprocessors to provide the Platform. See our Subprocessor List at tapphq.com/legal/subprocessors for the current list of subprocessors.
  • AI providers: Your inputs to AI features are processed by Anthropic Claude and potentially other third-party AI providers, as necessary to provide AI functionality.
  • Third-party integrations: When you connect third-party services, data is shared with those services as authorized by your integration configuration.
  • Law enforcement and legal proceedings: We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.
  • Business transfers: In connection with a merger, acquisition, sale of assets, reorganization, or bankruptcy, your information may be transferred to the acquiring entity without prior notice to you.

We do not sell personal information. We may share anonymized and aggregated data with co-marketing partners. You may opt out of inclusion in such data sharing through your privacy settings or by contacting privacy@tapphq.com.

7. International Data Transfers

The Platform's infrastructure is based in the United States. Our primary service providers (Vercel, Railway, Supabase, Anthropic, Stripe, Resend) are US-based companies. If you access the Platform from outside the United States, your information will be transferred to and processed in the United States.

For transfers of personal data from the EU/EEA or UK to the United States, we rely on: (a) the EU-U.S. Data Privacy Framework and UK Extension thereof, where the recipient is certified; and (b) the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), Modules 2 and 3, where DPF certification is not available. See our Subprocessor List for the specific transfer mechanism applicable to each subprocessor. The UK International Data Transfer Addendum is incorporated for UK transfers where required.

8. Data Retention

  • Active accounts: We retain your data for the duration of your account.
  • Deleted accounts: Upon account deletion, organization content data is purged immediately. Certain data may be retained in encrypted backups for a limited period consistent with our backup rotation schedule.
  • Billing records: Billing and transaction records are retained as required by applicable tax and financial regulations.
  • Audit logs: Audit log data is retained as required by applicable law and our internal compliance requirements.

8.4 Community Learning Program — Disclaimer and Limitation of Liability

Anonymized data contributed through the Community Learning Program is used to improve platform-wide AI capabilities, including but not limited to grant writing assistance, brand content generation, compliance recommendations, job description drafting, and organizational assessments. Contributed data undergoes automated redaction and human review prior to inclusion in any training corpus.

Notwithstanding the foregoing, TappHQ makes no representation or warranty, express or implied, regarding the accuracy, reliability, completeness, or suitability of any AI-generated output, whether or not such output was informed by community learning data. All AI-generated content is provided "as is" without warranty of any kind.

TappHQ shall not be liable for any direct, indirect, incidental, consequential, or special damages arising from: (a) any organization's use of or reliance on AI-generated content; (b) decisions made based on AI-generated recommendations, assessments, or drafted materials; (c) any failure of the anonymization process, notwithstanding TappHQ's commercially reasonable efforts to redact identifying information; or (d) any third party's use of outputs derived from anonymized community learning data.

Each organization is responsible for independent review and verification of all AI-generated content prior to use in any regulatory, financial, legal, or public-facing context. The Community Learning Program does not create a fiduciary, advisory, or professional services relationship between TappHQ and any participating organization.

9. Your Rights

9.1 All Users

Regardless of your location, you have the right to: access your personal data, correct inaccurate data, request deletion of your data, and manage your communication and cookie preferences.

9.2 EU/EEA/UK Users (GDPR)

If you are located in the EU, EEA, or UK, you have additional rights under the General Data Protection Regulation, including: the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), objection to processing (Article 21), and the right to withdraw consent at any time. You also have the right to lodge a complaint with your local data protection supervisory authority.

9.3 California Users (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act and California Privacy Rights Act, including: the right to know what personal information is collected, the right to delete personal information, the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising your rights.

9.4 Other Jurisdictions

Users in other jurisdictions may have additional rights under applicable local data protection laws. We will comply with all applicable data protection laws.

9.5 How to Exercise Your Rights

You may exercise your rights through the in-app privacy settings (Settings → Privacy) or by contacting us at privacy@tapphq.com.

10. CCPA/CPRA Specific Disclosures

We do not sell personal information as defined by the CCPA. We may "share" personal information (as defined by the CCPA) with co-marketing partners using anonymized and aggregated data. You may opt out of this sharing via the "Do Not Sell or Share My Personal Information" link available in the Platform's privacy settings. The categories of personal information collected and the purposes of collection are described in Sections 3 and 4 of this Privacy Policy.

11. Children's Privacy

The Platform is intended for users who are at least eighteen (18) years of age. We do not knowingly collect personal information from children under the age of 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child under 18, please contact us at privacy@tapphq.com.

12. Data Security

We implement technical and organizational measures designed to protect your information, including: encryption of data in transit using TLS, JWT-based authentication issued by Supabase Auth (SOC 2 Type II), role-based access controls enforced at request time against database-resident permissions, multi-factor authentication with hashed recovery codes, database-enforced tenant isolation using PostgreSQL Row-Level Security, encrypted credential storage using AES-256-GCM, append-only audit logging with SHA-256 hash chaining, and regular security reviews. No method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will: (a) notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33; and (b) notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with applicable law.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email and may require your re-acceptance of the updated Privacy Policy. For non-material changes, continued use of the Platform after the effective date constitutes acceptance. The effective date of the current version is indicated at the top of this document.

15. Contact

For questions or concerns regarding this Privacy Policy or our data practices, please contact:

  • Privacy inquiries: privacy@tapphq.com
  • General legal inquiries: legal@tapphq.com

Tapp Networks LLC