Privacy Policy

Effective date: July 6, 2026

TapInFlow (“we”, “us”) operates tapinflow.com. This policy explains what data we collect, why, and how we protect it.

Who we are & our role

TapInFlow is provided by an independent individual operator established in Spain, who is the data controller for this Service. For privacy matters you can contact the controller at hello@tapinflow.com; the operator’s full legal details are available on request. Because the controller is established in the European Union (Spain), no Article 27 EU representative is required.

We act as a data controller for your account information and for our self-hosted site analytics. We act as a data processor for the content of your interactive sessions and for participant responses: these are processed on your behalf and under your instructions as the host, and you are the controller of that content.

Legal basis (GDPR). We rely on: performance of a contract (to provide the Service to account holders); your consent (for opt-in analytics, which you can withdraw at any time); our legitimate interests (security, fraud prevention, and maintaining the Service), balanced against your rights; and legal obligation (Article 6(1)(c)) for retaining transaction records required by tax and accounting law.

Where your data is stored & international transfers. The Service is hosted on Amazon Web Services in the United States (US East region), and some processors (AI question generation, transactional email) are also located in the United States. Your personal data is therefore transferred outside the EEA. For these transfers we rely on the European Commission’s Standard Contractual Clauses, together with the EU–US Data Privacy Framework where the relevant provider is certified under it.

Your right to complain. If you are in the EEA or UK, you have the right to lodge a complaint with a data protection authority — in particular the Spanish Agencia Española de Protección de Datos (AEPD), our lead supervisory authority, or the authority in your own country — though we ask that you contact us first so we can help.

1. Data We Collect

Information you provide

  • Account data — email address, display name, and authentication credentials (including Google OAuth tokens).
  • Session content — topics, uploaded materials, and AI-generated questions you create.
  • Participant responses — answers and nicknames submitted during live sessions.

Information collected automatically

  • Usage data — pages visited, features used, session timestamps.
  • Device data — browser type, operating system, screen size, IP address.

Payment data

Payments are processed by Paddle.com Market Ltd (our Merchant of Record). We never receive or store your credit card number, bank account details, or other payment credentials. Paddle independently collects and processes payment data under its own Privacy Policy.

2. How We Use Your Data

  • Provide, operate, and maintain the Service.
  • Generate AI-powered questions, insights, and reports.
  • Process payments and manage subscriptions via Paddle.
  • Send transactional emails (verification codes, account notifications).
  • Improve the product based on aggregated, anonymized usage patterns.
  • Detect and prevent fraud, abuse, and security threats.

3. AI Processing

To generate your questions, insights and reports, we send session content (your topic and any materials you provide) and participant responses to a third-party AI provider over an encrypted API. We send only the minimum content needed for these features, and we do not use your content to train any AI model.

For the international edition, our AI provider is OpenAI (via the OpenAI API), which processes the content in the United States. OpenAI states that content submitted through its API is not used to train its models by default, and that API data may be retained for a limited period (up to 30 days) for abuse and misuse monitoring before deletion, except where a shorter or zero-retention arrangement applies. Because OpenAI is located outside the EEA, these transfers rely on OpenAI’s Data Processing Addendum and the Standard Contractual Clauses (and the EU–US Data Privacy Framework where applicable). OpenAI’s processing of the data we send is governed by its own terms, which we do not control. If we change our AI provider, we will update this policy.

4. Third-Party Services

We share data with the following categories of service providers:

ProviderPurpose
PaddlePayment processing (Merchant of Record)
OpenAI (OpenAI API, US region)AI question generation and analysis
Amazon Web ServicesCloud hosting
ResendTransactional email delivery (verification, password reset)
GoogleOAuth authentication (Google Sign-In)

We do not sell your personal data to any third party.

5. Cookies and Site Analytics

Essential storage. We use a small amount of strictly necessary browser storage (a login token, your language preference, a participant nickname, and your cookie-consent choice) required for authentication, language, and session management. We do not use third-party tracking or advertising cookies.

Self-hosted analytics (opt-in). We operate our own analytics on infrastructure we control, using the open-source Umami software hosted at analytics.tapinflow.com. We run Umami without setting cookies, and it records page-level activity (URL visited, referrer, browser type, approximate country from IP). To count unique visitors it generates privacy-preserving session identifiers using a rotating salt; these are not intended to directly identify individual visitors. Analytics data stays within our environment and is never shared with, sold to, or accessed by any third party.

How we apply this depends on your region. For visitors in the EU / EEA / UK, analytics is opt-in and off by default — the Umami script does not load until you choose “Accept All” in the consent banner. For visitors in other regions, where prior consent is not required, we enable this cookie-free, non-identifying measurement by default on a legitimate-interest basis and do not show a banner. In both cases you can change or withdraw your choice at any time via the “Cookie Settings” link in the footer. We determine your region from your browser’s timezone (no IP is sent anywhere) and treat any European or undetectable timezone as opt-in.

We do not use Google Analytics, Facebook Pixel, advertising tags, or any other third-party tracking service. See the Cookie Policy for the full technical breakdown.

6. Data Retention

  • Account data — retained until you delete your account.
  • Session data (sessions, questions, uploaded files, and participant responses) — retained until you delete the session or delete your account. We do not automatically delete sessions on a fixed schedule; you remain in control of how long your content is kept. When you delete a session, or when your account deletion completes (see section 7.1), that content is permanently deleted.
  • Payment records — retained as required by applicable Spanish tax and accounting law (see section 7.1), then deleted. Paddle, as Merchant of Record, is the seller of record and keeps the primary invoicing records.
  • Server logs — retained for 30 days.

7. Your Rights

Under the GDPR and similar laws, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data (“right to be forgotten”). See section 7.1 below for the deletion process and timeline.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction & objection — limit or object to certain processing activities.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email hello@tapinflow.com. We will respond within 30 days.

7.1 Account deletion — what happens and when

You can delete your account at any time from your account settings (the “Danger zone”), or by emailing hello@tapinflow.com with the subject “Delete my account”. For your security, deleting from account settings requires you to re-confirm (re-enter your password, or confirm via an emailed link if you sign in with Google). This section describes what happens regardless of which channel you use.

Timeline

  • Immediately — your account is deactivated. You can no longer log in. Active subscriptions are scheduled to cancel at the end of the current billing period (no further charges).
  • Within 14 days — the account is deactivated or in a pending-deletion state and you can recover it yourself using the recovery link in the farewell email we send when deletion starts.
  • After 14 days — a background clean-up task permanently anonymises your personal account data and deletes the sessions you created and their responses. Recovery is not possible after this point.

What is deleted vs retained

DataOutcome
Email, nickname, Google OAuth tokensAnonymized after 14 days — replaced with a non-reversible identifier
Sessions you created, uploaded files, generated questionsPermanently deleted after 14 days
Participant responses (collected during your sessions)Deleted along with the session. Participants join without a TapInFlow account or email, and their responses are not intentionally linked to any TapInFlow account, so no participant login identity is involved
Payment records (Paddle Merchant of Record)Retained as required by applicable Spanish tax and accounting law (generally up to 6 years under the Spanish Commercial Code). Paddle, as Merchant of Record, holds the primary invoicing and tax records. Linked to the anonymized identifier — not your email or name.
Audit / security logsRetained 30 days, with your user identifier replaced by the anonymized stub

This payment-record retention is a legal requirement we cannot waive, and the GDPR explicitly recognises legal-obligation as a lawful basis for retention beyond an erasure request (Article 17(3)(b)). More generally, records that are necessary for tax, accounting, payment, refund, fraud-prevention or the establishment or defence of legal claims may be kept after deletion where the law requires or permits it. Any data kept for these reasons is limited to that purpose and is deleted once the applicable legal retention period ends. The data we retain here is the minimum required by tax law — transaction amounts, dates, jurisdiction for VAT — not your name, email, or session content.

Paddle, as Merchant of Record, independently holds its own payment records; to exercise data-subject rights over data Paddle controls, you may also need to use Paddle’s own process (see Paddle’s privacy policy).

8. Data Security

We protect your data with encryption in transit (TLS), secure cloud infrastructure, access controls, and regular security reviews. No method of transmission over the Internet is 100% secure, but we take commercially reasonable steps to safeguard your information.

9. Children

You must be at least 16 years old to create an account or act as a host, and accounts are not available to anyone under 16. We do not knowingly collect personal data from account holders under 16.

Participants join without a TapInFlow account or email, and analytics is off unless a visitor opts in, so we do not track participants by default. A participant’s responses are not intentionally linked to a TapInFlow account, though they may be associated with the nickname they choose, the session, and ordinary server logs — so they are pseudonymous rather than strictly anonymous. Where a host runs a session for an audience that may include people under 16 (for example, in a classroom), the host is the controller for that participant data and is responsible for verifying age and for obtaining any parental or school consent required by applicable law, as well as providing appropriate privacy notices. The Service is not designed to comply, on a host's behalf, with child-specific regimes such as the UK Age-Appropriate Design Code or the US COPPA.

Participants who are minors may only use a session under the direction and authorisation of a parent, legal guardian, school or other authorised educational institution. Hosts are responsible for providing any required notices and obtaining any legally required authorisation before inviting minors. Participant responses are not used for advertising or profiling, and are not used to train AI models.

United States. TapInFlow is not intended for independent use by children under 13. A child under 13 may participate only where the session is provided by a school or another authorised organisation in an educational context and that organisation has obtained, or can provide, the legally required authorisation.

If you believe someone under 16 has provided us with personal data other than through a host-run session, contact us at hello@tapinflow.com and we will delete it promptly.

10. Changes

We may update this policy from time to time. We will provide appropriate notice before material changes take effect. Where a change affects the purpose or scope of processing and applicable law requires consent, we will request new consent before applying the change. Ordinary clarifications are notified by updating the effective date at the top of this page; we do not rely on continued use as a substitute for any consent the law requires.

11. Contact

Questions about this policy? Email us at hello@tapinflow.com.