Privacy Policy

Last updated: November 22, 2025

1. Introduction

TapMyTag ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our NFC tag management platform and services.

We understand that you trust us with sensitive information, including medical data, emergency contact details, and personal identification. This trust is the foundation of our service, and we take our responsibility to protect your data with the utmost seriousness.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name and display name
  • Email address
  • Date of birth (optional)
  • Authentication credentials (managed by our OAuth provider)
  • Account creation and last login timestamps

2.2 NFC Tag Profile Data

For each NFC tag you register, we collect and store:

  • Medical Information: Medical conditions, allergies, medications, blood type, medical devices, healthcare provider details, insurance information
  • Emergency Contacts: Names, phone numbers, relationships, and email addresses of emergency contacts
  • Personal Information: Contact details, business information, identification data
  • Tag Metadata: Tag unique identifiers, activation status, creation dates, template types
  • Template Assignment: Each tag is automatically assigned a template based on your product purchase. Template assignments and any subsequent changes by administrators are logged for security and audit purposes. You can view your template assignment history in your account.

2.3 Usage Data

  • Page views and navigation patterns
  • Device information (browser type, operating system)
  • IP addresses and general location data
  • Support ticket communications

3. How We Use Your Information

We use your personal information exclusively for the following purposes:

  • Service Delivery: To operate and maintain your NFC tag profiles, display public emergency information, and facilitate tag management
  • Emergency Response: To provide critical medical and contact information to first responders and emergency personnel when your tag is scanned
  • Account Management: To authenticate users, manage subscriptions, and provide customer support
  • Platform Improvement: To analyze usage patterns, improve our services, and develop new features
  • Security: To detect and prevent fraud, abuse, and security incidents
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes

We never sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Sharing and Disclosure

4.1 Public Profile Information

When you activate a tag with a public profile, certain information you designate as public will be accessible to anyone who scans the tag or visits the profile URL. This is essential for emergency response scenarios. You have full control over what information is included in public profiles.

4.2 Service Providers

We may share your information with trusted third-party service providers who assist us in operating our platform:

  • Cloud Infrastructure: AWS, TiDB Cloud for secure data storage
  • Authentication: Manus OAuth for secure login management
  • Email Services: AWS SES for transactional emails and notifications

All service providers are contractually bound to protect your data and use it only for the specific purposes we authorize.

4.3 Legal Requirements

We may disclose your information when required by law, court order, or government regulation, or when we believe disclosure is necessary to:

  • Comply with legal obligations
  • Protect our rights, property, or safety
  • Prevent fraud or abuse
  • Protect the safety of our users or the public

5. Data Security and Confidentiality

We implement comprehensive security measures to protect your personal information:

5.1 Technical Safeguards

  • Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
  • Access Controls: Role-based access controls ensure only authorized personnel can access sensitive data
  • Authentication: Multi-factor authentication and OAuth 2.0 for secure user authentication
  • Network Security: Firewalls, intrusion detection systems, and regular security audits
  • Database Security: Encrypted database connections, parameterized queries to prevent SQL injection

5.2 Organizational Safeguards

  • Employee confidentiality agreements and security training
  • Limited access to personal data on a need-to-know basis
  • Regular security awareness training for all staff
  • Incident response procedures and breach notification protocols
  • Annual third-party security assessments

5.3 Medical Data Protection

We recognize that medical information is particularly sensitive. We implement additional safeguards for health-related data:

  • Medical data is stored separately with enhanced encryption
  • Access to medical information is logged and audited
  • Medical data is only displayed when explicitly authorized by the tag owner
  • We comply with applicable health information privacy regulations

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

  • Active Accounts: Data is retained while your account remains active
  • Inactive Accounts: Accounts inactive for 3 years may be archived or deleted after notification
  • Deleted Accounts: Upon account deletion, personal data is permanently removed within 30 days, except where retention is required by law
  • Support Records: Support ticket communications are retained for 7 years for quality assurance and legal compliance

7. Your Privacy Rights

You have comprehensive rights regarding your personal information:

7.1 GDPR Rights (EU/EEA Users)

  • Right of Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: Limit how we use your personal data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing of your personal data
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

For detailed GDPR compliance information, see our GDPR Compliance Documentation.

7.2 Exercising Your Rights

To exercise any of these rights:

We will respond to all requests within 30 days as required by GDPR.

8. International Data Transfers

TapMyTag operates globally, and your data may be transferred to and processed in countries outside your country of residence. We ensure that all international data transfers comply with applicable data protection laws through:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions for transfers to countries with equivalent data protection
  • Appropriate safeguards to protect your data during international transfers

9. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your login session
  • Remember your preferences
  • Analyze platform usage and performance
  • Improve user experience

You can control cookie preferences through your browser settings. Note that disabling cookies may affect platform functionality.

10. Children's Privacy

TapMyTag is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately at [email protected].

Parents and guardians may create and manage NFC tags on behalf of minors, maintaining full control over the information shared.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify you of material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending email notifications to registered users for significant changes
  • Displaying prominent notices on the platform

Your continued use of TapMyTag after changes become effective constitutes acceptance of the updated Privacy Policy.

12. Contact Information

For privacy-related questions, concerns, or to exercise your rights, please contact:

Data Protection Officer
Email: [email protected]

Privacy Inquiries
Email: [email protected]

General Support
Submit a ticket through your Support Dashboard

13. Supervisory Authority

If you are located in the EU/EEA and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.

For users in Ireland, the supervisory authority is:

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Website: www.dataprotection.ie

Your privacy and data security are our top priorities.

We are committed to maintaining the confidentiality, integrity, and availability of your personal information. If you have any questions or concerns about how we handle your data, please don't hesitate to contact us.