GDPR Compliance Documentation

TapMyTag Portal - Ireland (European Union)

Last Updated: November 19, 2025

Executive Summary

TapMyTag operates as a data controller under the General Data Protection Regulation (GDPR) and Ireland's Data Protection Act 2018. This document outlines our comprehensive approach to data protection, user rights, and regulatory compliance for our NFC tag management platform.

Legal Basis for Data Processing

Under Article 6 of the GDPR, we process personal data based on the following lawful grounds:

  • Contractual Necessity (Article 6(1)(b)): We process user data to fulfill our contractual obligations when customers purchase and register NFC tags.
  • Legitimate Interests (Article 6(1)(f)): We process certain data for legitimate business interests, including fraud prevention and service improvement.
  • Consent (Article 6(1)(a)): For non-essential processing activities, we obtain explicit, freely given, specific, and informed consent.
  • Legal Obligation (Article 6(1)(c)): We process data when required by Irish or EU law.

Data We Collect and Process

  • Account Information: Name, email address, and authentication credentials
  • Tag Registration Data: Unique tag identifiers, registration dates, and tag types
  • Template Assignment Data: Templates automatically assigned based on product purchase, plus template change history (administrator ID, timestamp, and reason) kept for audit purposes
  • Profile Content: User-generated public profile information
  • Administrative Data: For admin-managed accounts, invitation status and claim records

Your Rights Under GDPR

TapMyTag fully supports all rights granted to data subjects under Chapter III of the GDPR:

  • Right to Access (Article 15): Request a copy of all personal data we hold about you
  • Right to Rectification (Article 16): Update your account information and profile content
  • Right to Erasure (Article 17): Delete your account and all associated data
  • Right to Restrict Processing (Article 18): Temporarily restrict processing while disputes are resolved
  • Right to Data Portability (Article 20): Export your data in a machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests

Data Retention Policies

  • Active Accounts: Data retained for the duration of the customer relationship
  • Inactive Accounts: Accounts inactive for 3 years receive a deletion notice
  • Deleted Accounts: Permanent deletion within 30 days
  • Backup Systems: Deleted data purged from backups within 90 days

Data Security Measures

We implement appropriate technical and organizational measures as required by Article 32 of the GDPR:

  • Encryption of data in transit (TLS 1.3+) and at rest
  • Role-based access control with audit logging
  • Secure OAuth authentication with multi-factor support
  • Regular security audits and vulnerability assessments
  • Incident response plan for data breach notification

Data Protection Officer

Under Article 37 of the GDPR, we have appointed a Data Protection Officer:

Email: [email protected]

The DPO is responsible for monitoring GDPR compliance and serving as the point of contact for data subjects.

Supervisory Authority

The Data Protection Commission (DPC) is Ireland's national supervisory authority for GDPR compliance. You have the right to lodge a complaint with the DPC:

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2, D02 RD28, Ireland

Phone: +353 (0)761 104 800

Email: [email protected]

Website: www.dataprotection.ie

Contact Information

For questions, concerns, or requests related to data protection and privacy:

Commitment: We are committed to responding to all inquiries within 30 days, in accordance with GDPR requirements. This document reflects our commitment to protecting the privacy and data rights of all users.