Privacy Policy
1. Introduction
1.1 We are committed to safeguarding the privacy of our website visitors, app users and service users.
1.2 This policy explains how Tap App Ltd handles personal data. It covers personal data we control, and it points you to the right place for personal data we process on behalf of our customers. Our two roles are explained in Section 2.
1.3 We use cookies on our website. Where those cookies are not strictly necessary, we ask for your consent when you first visit. Section 12 has the detail.
1.4 You can manage your marketing preferences in your account or by contacting us at privacy@tapapp.co.uk.
1.5 In this policy, “we”, “us” and “our” mean Tap App Ltd. Our details are in Section 16.
2. Our roles: controller and processor
2.1 We act in two different capacities depending on the personal data in question.
2.2 We are the controller for personal data where we decide why and how it is processed. This covers visitors to our website, people who enquire about or buy our services, the named administrators and users our customers register to run their account, people who apply for jobs with us, and people who contact us. This policy governs that processing.
2.3 We are a processor for the personal data our customers put into the Tapapp platform to run their own operations. This covers records of their workers and operatives, location and attendance data captured through the app, the contents of forms and reports, photographs, site information, and any personal data relating to their own customers or residents. For that data our customer is the controller. We process it only on the customer’s documented instructions under a written Data Processing Agreement, and this policy does not govern it.
2.4 If you are a worker, resident or other individual whose data has been entered into Tapapp by one of our customers, please contact that organisation, which is the controller, to exercise your rights. We will help them respond.
2.5 We are registered with the Information Commissioner’s Office under registration number ZA750301.
3. How we use your personal data (controller role)
3.1 This Section sets out the categories of personal data we process as a controller, the purposes, and the legal bases.
3.2 Usage data. We may process data about your use of our website and services. This may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and navigation paths, and information about the timing, frequency and pattern of your use. The source is our analytics system. We process it to analyse and improve our website and services. The legal basis is our legitimate interests in monitoring and improving them.
3.3 Account data. We may process your account data, which may include your name and email address. The source is you or your employer. We process it to operate our website, provide our services, keep our services secure, maintain backups and communicate with you. The legal basis is our legitimate interests in the proper administration of our website and business.
3.4 Profile data. We may process the information in your profile, which may include your name, address, telephone number, email address, profile picture, gender, date of birth and employment details. We process it to enable and monitor your use of our website and services. The legal basis is our legitimate interests in the proper administration of our website and business.
3.5 Service data. We may process personal data provided in the course of using our services, which may include files, login details and other personal or business information. The source is you or your employer. We process it to operate our website, provide our services, keep our services secure, maintain backups and communicate with you. The legal basis is our legitimate interests in the proper administration of our website and business. Where we process this data on behalf of a customer, Section 2.3 applies instead.
3.6 Enquiry data. We may process information in any enquiry you submit about our goods or services. We process it to offer, market and sell relevant goods and services to you. The legal basis is our legitimate interests in the proper administration of our website and business.
3.7 Customer relationship data. We may process information about our customer relationships, including contact details, employer, role, and the content of communications between us. The source is you or your employer. We process it to manage and communicate with customers, keep records, and promote our products and services. The legal basis is our legitimate interests in the proper management of our customer relationships.
3.8 Transaction data. We may process information about transactions you enter into with us, which may include your contact details and the transaction details. We process it to supply what you bought and keep proper records. The legal basis is the performance of our contract with you, steps taken at your request before entering a contract, and our legitimate interests in proper administration. We are never given your card details. They are processed and encrypted by the payment provider. We do not store card or sensitive financial information.
3.9 Notification data. We may process information you provide to subscribe to our notifications or newsletters. We process it to send them to you. The legal basis is the performance of our contract with you, or steps taken at your request before entering a contract.
3.10 Correspondence data. We may process information in any communication you send us, including the content and metadata. We process it to communicate with you and keep records. The legal basis is our legitimate interests in proper administration and communication.
3.11 We may process any personal data identified in this policy where needed to establish, exercise or defend legal claims. The legal basis is our legitimate interests in protecting legal rights.
3.12 We may process any personal data identified in this policy where needed to obtain or keep insurance, manage risk, or obtain professional advice. The legal basis is our legitimate interests in protecting our business.
3.13 We may also process your personal data where needed to comply with a legal obligation, or to protect anyone’s vital interests.
3.14 Please do not supply anyone else’s personal data to us unless we prompt you to.
4. Personal data processed within the platform (processor role)
4.1 When our customers use Tapapp, the platform may process, on their behalf and instruction:
(a) Worker and operative records: names, contact details, employment and role details, and login identifiers.
(b) Location data: GPS location captured at job check-in and check-out, and whether a check-in fell inside or outside a geo-fence set by the customer. This confirms attendance and proof of presence at a site.
(c) Time and attendance data: check-in and check-out times, hours, and related records.
(d) Form and report content: answers, notes, signatures, photographs and files captured against a job, which may include images of people or property.
(e) Site and contact data: site addresses, site contacts, and access information.
(f) Any other personal data the customer chooses to enter, which in some cases may relate to the customer’s own residents or service users.
4.2 The customer decides the lawful basis for this processing and is responsible for telling the individuals concerned.
4.3 Some content may include special category data, for example health information in a housing or maintenance context, or photographs. Where this happens we process it only on the customer’s instruction, and on the basis that the customer, as controller, has a lawful condition for it under Article 9 of the UK GDPR. We do not use it for any purpose of our own.
4.4 We make a Data Processing Agreement and a list of our sub-processors available to customers on request. Contact privacy@tapapp.co.uk.
5. Artificial intelligence features
5.1 Some Tapapp features use artificial intelligence. For example, our form builder can generate a draft form or checklist from a description you provide.
5.2 When you use an AI feature, the content you submit is processed to produce the output you asked for. Do not enter personal data into an AI feature unless it is needed for the task.
5.3 AI features may rely on a third-party AI provider acting as our sub-processor. That provider processes the content only to return the output, under terms that prohibit using it to train their own models. Our sub-processors are listed in the document referred to in Section 4.4.
5.4 Our AI features produce drafts and suggestions for a person to review. They do not make decisions that produce legal or similarly significant effects about any individual without human involvement. If we ever introduce such automated decision-making, we will apply the safeguards required by Articles 22A to 22D of the UK GDPR, including telling you, giving you a route to human review, and letting you contest the outcome.
5.5 AI output can be wrong or incomplete. You are responsible for checking it before you rely on it.
6. Providing your personal data to others
6.1 We may disclose your personal data to any member of our group of companies where reasonably necessary for the purposes and on the legal bases in this policy.
6.2 We may disclose your personal data to our insurers and professional advisers where reasonably necessary to obtain or keep insurance, manage risk, obtain advice, or establish, exercise or defend legal claims.
6.3 We may disclose your personal data to our suppliers and sub-processors where reasonably necessary to deliver our services. We use third-party providers for hosting, analytics, email, payments and AI features. We keep a current list of these providers and the personal data they process, available to customers on request, including notice of changes, at privacy@tapapp.co.uk.
6.4 Payments are handled by our payment provider. We share transaction data with them only as needed to process payments and refunds and to deal with related queries.
6.5 We may disclose your personal data where needed to comply with a legal obligation, to protect anyone’s vital interests, or to establish, exercise or defend legal claims.
7. International transfers
7.1 We are based in the United Kingdom and your personal data is primarily processed here.
7.2 Our infrastructure is hosted with Amazon Web Services. Depending on the services used, personal data may be processed in the United Kingdom, the European Economic Area or the United States.
7.3 Where we transfer personal data outside the United Kingdom, we rely on one of the following, as appropriate:
(a) a transfer to a country covered by UK adequacy regulations,
(b) the UK International Data Transfer Agreement, or the UK Addendum to the European Commission standard contractual clauses, or
(c) where the recipient is certified, the UK Extension to the EU-US Data Privacy Framework.
7.4 Before relying on a safeguard we carry out a transfer risk assessment to satisfy ourselves that protection in the destination is not materially lower than under the UK GDPR.
7.5 You can ask us which transfer mechanism applies to a particular transfer.
7.6 Personal data you submit for publication through our website or services may be available over the internet worldwide. We cannot prevent its use or misuse by others.
8. Retaining and deleting personal data
8.1 We do not keep personal data for longer than necessary for the purposes for which we hold it.
8.2 We retain personal data as follows:
(a) Account and profile data: for the life of the account and up to 12 months after it closes, then deleted or anonymised.
(b) Customer relationship and enquiry data: up to 24 months after last contact, unless you become a customer.
(c) Correspondence and support data: up to 24 months.
(d) Billing and transaction records: 6 years, to meet tax and accounting law.
(e) Website usage and analytics data: up to 14 months.
(f) Data we process on behalf of a customer in the platform: for the term of that customer’s contract and the period set out in our Data Processing Agreement, then deleted or returned on the customer’s instruction.
8.3 Where we must keep personal data longer to comply with a legal obligation, or to protect anyone’s vital interests, we will.
9. Security of personal data
9.1 We take appropriate technical and organisational measures to secure your personal data and to prevent its loss, misuse or alteration.
9.2 We store personal data on secure servers and devices, and in secure record-keeping systems.
9.3 We store your name, contact information and passwords in encrypted form.
9.4 Data sent between your browser and our servers is protected with encryption. We are never given your card details, which are processed and encrypted by the payment provider. We do not store card or sensitive financial information.
9.5 You accept that transmission of data over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
9.6 You are responsible for keeping your password confidential. We will not ask you for it except when you log in.
9.7 We keep procedures to detect, investigate and respond to personal data breaches. Where we act as a controller and a breach is likely to risk people’s rights, we will report it to the ICO within 72 hours where required, and tell affected individuals where the law requires. Where we act as a processor, we will notify the affected customer without undue delay so they can meet their own duties, as set out in our Data Processing Agreement.
10. Your rights
10.1 This Section summarises your rights under data protection law. Some are complex. For full detail, read the law and the guidance from the ICO.
10.2 Your principal rights are:
(a) the right to access,
(b) the right to rectification,
(c) the right to erasure,
(d) the right to restrict processing,
(e) the right to object to processing,
(f) the right to data portability,
(g) the right to complain to a supervisory authority, and
(h) the right to withdraw consent.
10.3 You have the right to confirmation of whether we process your personal data and, where we do, access to it and certain further information. We will provide a first copy free of charge, though we may charge a reasonable fee for further copies. You can access your data in your profile when logged in.
10.4 You have the right to have inaccurate personal data corrected and incomplete data completed.
10.5 In some cases you have the right to have your personal data erased without undue delay, for example where it is no longer needed, where you withdraw consent, where you object, where it is processed for direct marketing, or where it was processed unlawfully. Exceptions apply, including where processing is needed for freedom of expression, to comply with a legal obligation, or to establish, exercise or defend legal claims.
10.6 In some cases you have the right to restrict processing, for example where you contest accuracy, where processing is unlawful but you oppose erasure, where we no longer need the data but you need it for legal claims, or where you have objected pending verification.
10.7 You have the right to object to processing based on our legitimate interests, on grounds relating to your situation. We will stop unless we show compelling legitimate grounds that override your interests, or the processing is for legal claims.
10.8 You have the right to object to processing for direct marketing at any time. If you object, we will stop.
10.9 Where our basis is consent or contract and processing is automated, you have the right to receive your personal data in a structured, commonly used, machine-readable format, unless it would adversely affect others.
10.10 Where our basis is consent, you can withdraw it at any time. Withdrawal does not affect processing before it.
10.11 If you consider that our processing infringes data protection law, you can complain to the Information Commissioner’s Office, the UK supervisory authority, at ico.org.uk. If the EU GDPR applies to a particular activity, you may instead complain to the supervisory authority in your EU country of residence or work.
10.12 You also have the right to complain to us directly about how we process your personal data. We will acknowledge your complaint within 30 days and tell you the outcome. Contact privacy@tapapp.co.uk.
10.13 You can exercise your rights by contacting us in writing, through our support form, or at privacy@tapapp.co.uk.
11. Children
11.1 Our website, our subscriptions and our direct accounts are intended for adults aged 18 or over. In our controller capacity we do not knowingly collect children’s data and will delete any we find.
11.2 Where we process data on behalf of a customer, that data may relate to people of any age, including children, if the customer chooses to enter it. The customer is the controller and is responsible for the lawful basis and any extra protections children’s data requires under the UK GDPR. Our Data Processing Agreement covers this.
12. Cookies
12.1 A cookie is a small file containing an identifier sent by a web server to your browser and stored by it, then sent back to the server on later visits.
12.2 Cookies may be persistent or session cookies. A persistent cookie remains until it expires or you delete it. A session cookie expires when you close your browser.
12.3 We ask for your consent before setting non-essential cookies. Certain low-risk analytics and functionality cookies may be set without consent where the law allows, and we will tell you about them.
12.4 We use cookies for authentication, keeping you logged in, personalisation, security, analysis of how our website and services are used, and remembering your cookie preferences.
12.5 We use Google Tag Manager and Google Analytics to understand how our website is used. Analytics cookies are set on the basis described in 12.3. Google’s privacy policy is at google.com/policies/privacy.
12.6 Most browsers let you refuse or delete cookies. See your browser’s help pages, for example for Chrome, Firefox, Safari and Edge. Blocking cookies will affect the usability of many websites, and you may not be able to use all features of ours.
12.7 You can manage your cookie preferences on our website at any time.
13. Amendments to this policy
13.1 We may update this policy by publishing a new version on our website.
13.2 Check this page from time to time for changes.
13.3 We may notify you of significant changes by email or a notice on our website.
14. Updating your information
14.1 Please tell us if the personal data we hold about you needs to be corrected or updated.
15. Third party websites
15.1 Our website includes links to third-party websites.
15.2 We have no control over, and are not responsible for, the privacy practices of third parties.
16. Our details
16.1 This website is owned and operated by Tap App Ltd.
16.2 We are registered in England and Wales under number 11666887. Our registered office is Great Woodland Farm, Woodland Road, Lyminge, Folkestone, Kent CT18 8DW, United Kingdom.
16.3 Our principal place of business is Unit 33, Sir Thomas Longley Road, Rochester, Kent ME2 4DP, United Kingdom.
16.4 You can contact us by post at the address above, through our website contact form, by telephone on +44 800 208 8911, or by email at privacy@tapapp.co.uk.
17. Data protection registration
17.1 We are registered with the UK Information Commissioner’s Office.
17.2 Our registration number is ZA750301.
All-in-One App to Simplify Your Business Operations
Whether you manage field staff, compliance, or customer jobs, Tapapp keeps everything in one place.
