Privacy Policy

Last updated: 8.2.2026

1. Who we are

This Privacy Policy describes how TapLoyal (“we”, “us”, “our”) processes information in the TapLoyal mobile application and related services. The service runs on Google Cloud / Firebase infrastructure.

Important: Customers use TapLoyal without creating an account. We do not collect customer names, emails or phone numbers. However, to make the loyalty feature work (count visits and enforce cooldown), we use a pseudonymous device identifier (see Section 2.2).

2. What data we collect

2.1 Business / admin accounts

• Account identifiers: email address, Firebase Authentication UID.
• Business profile data: business name, logo, contact details, links, reward description and configuration.
• Content you submit: images and other media stored in Firebase Storage.

2.2 Customers (end users) — no account

Customers can scan a QR code or tap an NFC tag to interact with a business and collect visits. Customers are not required to register or provide personal details.

• Pseudonymous device identifier (hashed): to prevent abuse and to count visits, the backend creates a pseudonymous identifier by hashing a stable app/device signal (e.g. Firebase installation ID or an equivalent token).
• Loyalty/visit data: visit counters and timestamps stored under a pseudonymous identifier.
• No direct identification: we do not collect names, emails, phone numbers or addresses of customers.

2.3 Push notifications (optional)

If enabled, Firebase Cloud Messaging (FCM) is used to deliver notifications. FCM tokens are technical device identifiers.

2.4 Diagnostics & security

• Crash diagnostics: Firebase Crashlytics may collect crash logs, stack traces, app version and device/OS information.
• Security logs: minimal technical logs for abuse prevention and auditing.

3. Purposes and legal bases (GDPR)

• Provide the service: QR/NFC loyalty features (Art. 6(1)(b)).
• Security & abuse prevention: cooldowns and rate limiting (Art. 6(1)(f)).
• Legal compliance: statutory obligations (Art. 6(1)(c)).

4. Information shown to businesses

Businesses see only aggregated statistics. No personal customer identifiers are shared.

Businesses see aggregated statistics such as total visits, number of readers and completion counts. They do not receive customer device identifiers, hashes or FCM tokens.

5. Sharing and processors

• Infrastructure: Google Firebase / Google Cloud (Authentication, Firestore, Storage, Functions, FCM, Crashlytics).
• Legal disclosures: when required by law.

Depending on the context, we act as a data controller for business/admin account data and as a service provider (processor) for pseudonymous loyalty data processed on behalf of businesses using TapLoyal.

5A. Payments and subscriptions (Google Play)

TapLoyal offers optional paid subscriptions for business/admin users. Payments are processed exclusively by Google Play Billing.

• We do not receive or store full payment card details.
• Google processes payment information (such as billing account identifiers, purchase tokens and transaction status) in accordance with its own privacy policies.
• We may store a subscription status (e.g. active, expired) and a purchase reference token to unlock premium features and for accounting or fraud prevention.

For more information, see: Google Privacy Policy .

6. Retention

• Security and audit logs: typically up to 30 days.
• Business/admin account data: stored while the account is active. After deactivation, data is typically deleted within 30 days, unless longer retention is required by law.
• Inactive admin accounts: may be automatically deactivated after approximately 120 days of inactivity.
• Monthly aggregated statistics: kept for up to 36 months (or less) to provide historical analytics.
• Loyalty/visit data (pseudonymous): stored while the related business profile is active or until it is deleted/reset.

7. Your rights

EU/EEA (GDPR)

You may request access, rectification or deletion of your personal data (primarily business/admin account data).

California (CCPA/CPRA)

We do not sell personal information.

8. Children

The service is not directed to children under 13.

9. Security

We apply industry-standard security measures including encrypted connections and access controls.

10. Permissions used by the app

• Camera – QR code scanning.
• NFC – reading NFC tags.
• Internet – backend communication.
• Notifications – optional push messages.

11. Data deletion

Business/admin accounts: request deletion at madalar2@gmail.com.

Customers do not have accounts. Uninstalling the app removes locally stored data, but pseudonymous loyalty records stored on our servers may remain to prevent abuse and to keep visit counts. Customers may request deletion of their pseudonymous loyalty record by contacting us at madalar2@gmail.com.

12. Changes

We may update this policy and will revise the “Last updated” date.

13. Contact

madalar2@gmail.com