Back to home

Privacy Policy

Effective date: April 16, 2026

TapInFlow (“we”, “us”) operates tapinflow.com. This policy explains what data we collect, why, and how we protect it.

1. Data We Collect

Information you provide

  • Account data — email address, display name, and authentication credentials (including Google OAuth tokens).
  • Session content — topics, uploaded materials, and AI-generated questions you create.
  • Participant responses — answers and nicknames submitted during live sessions.

Information collected automatically

  • Usage data — pages visited, features used, session timestamps.
  • Device data — browser type, operating system, screen size, IP address.

Payment data

Payments are processed by Paddle.com Market Ltd (our Merchant of Record). We never receive or store your credit card number, bank account details, or other payment credentials. Paddle independently collects and processes payment data under its own Privacy Policy.

2. How We Use Your Data

  • Provide, operate, and maintain the Service.
  • Generate AI-powered questions, insights, and reports.
  • Process payments and manage subscriptions via Paddle.
  • Send transactional emails (verification codes, account notifications).
  • Improve the product based on aggregated, anonymized usage patterns.
  • Detect and prevent fraud, abuse, and security threats.

3. AI Processing

Session content and participant responses are sent to third-party AI providers (such as Anthropic) to power question generation and analysis. Data is transmitted securely via encrypted API calls. We share only the minimum data necessary for AI features to function, and these providers do not use your data to train their models.

4. Third-Party Services

We share data with the following categories of service providers:

ProviderPurpose
PaddlePayment processing (Merchant of Record)
AnthropicAI question generation and analysis
Amazon Web ServicesCloud hosting
ResendTransactional email delivery (verification, password reset)
GoogleOAuth authentication (Google Sign-In)

We do not sell your personal data to any third party.

5. Cookies and Site Analytics

Cookies. We use essential cookies only — these are required for authentication, language preferences, and session management. We do not use third-party tracking or advertising cookies. Because these cookies are strictly necessary for the Service to function, no consent banner is required under ePrivacy rules.

Self-hosted analytics. We operate our own analytics on infrastructure we control, using the open-source Umami software hosted at analytics.tapinflow.com. Umami is configured in its cookie-free default mode and records page-level activity (URL visited, referrer, browser type, approximate country from IP) plus a salted hash that rotates every 24 hours to count unique visitors. Analytics data stays within our environment and is never shared with, sold to, or accessed by any third party.

We do not use Google Analytics, Facebook Pixel, advertising tags, or any other third-party tracking service. See the Cookie Policy for the full technical breakdown.

6. Data Retention

  • Account data — retained until you delete your account.
  • Session data — retained for 12 months after creation, then automatically deleted.
  • Payment records — retained as required by applicable tax and accounting laws.
  • Server logs — retained for 30 days.

7. Your Rights

Under the GDPR and similar laws, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data (“right to be forgotten”). See section 7.1 below for the deletion process and timeline.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction & objection — limit or object to certain processing activities.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email ai@tokenrice.com. We will respond within 30 days.

7.1 Account deletion — what happens and when

You can initiate account deletion at any time by emailing ai@tokenrice.com with the subject “Delete my account”. A self-service option in your account settings is in development; this section describes what happens regardless of which channel you use.

Timeline

  • Immediately — your account is deactivated. You can no longer log in. Active subscriptions are scheduled to cancel at the end of the current billing period (no further charges).
  • Within 14 days — you may recover the account by emailing us before the 14-day window closes. We’ll restore access.
  • After 14 days — your personal data is permanently anonymized. Recovery is not possible after this point.

What is deleted vs retained

DataOutcome
Email, nickname, Google OAuth tokensAnonymized after 14 days — replaced with a non-reversible identifier
Sessions you created, uploaded files, generated questionsPermanently deleted after 14 days
Participant responses (collected during your sessions)Deleted along with the session — participants were always anonymous to us, so no participant identity is involved
Payment records (Paddle Merchant of Record)Retained for 7 years as required by US tax and accounting law (IRS recordkeeping). Linked to the anonymized identifier — not your email or name.
Audit / security logsRetained 30 days, with your user identifier replaced by the anonymized stub

The 7-year payment retention is a legal requirement we cannot waive, and the GDPR explicitly recognises legal-obligation as a lawful basis for retention beyond an erasure request (Article 17(3)(b)). The data we retain is the minimum required by tax law — transaction amounts, dates, jurisdiction for VAT — not your name, email, or session content.

If a self-service deletion option is later added to your account settings, the same timeline and retention rules apply.

8. Data Security

We protect your data with encryption in transit (TLS), secure cloud infrastructure, access controls, and regular security reviews. No method of transmission over the Internet is 100% secure, but we take commercially reasonable steps to safeguard your information.

9. Children

TapInFlow is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.

10. Changes

We may update this policy from time to time. Material changes will be posted on this page with a revised effective date. Continued use of the Service after changes constitutes acceptance.

11. Contact

Questions about this policy? Email us at ai@tokenrice.com.