© 2026 Tappi. All rights reserved.

Data processing agreement

Last updated: 9 May 2026

Pre-launch placeholder. This DPA captures the v1 processor relationship in plain terms. It must be reviewed by a privacy lawyer and harmonized with our master ToS before use in commercial contracts.

1. Roles

The customer is the data controller of all end-customer personal data collected via their Tappi account (rating, feedback, email, name, redemption events). Tappi acts as the data processor on the customer's behalf.

2. Subject matter + duration

The processing relates to the operation of the Tappi service: review prompts, feedback collection, reward issuance + redemption, and supporting analytics. Processing continues for as long as the customer's account is active, plus a 90-day recovery window post-termination.

3. Categories of data + data subjects

Data subjects: end customers of the controller (typically diners, hospitality patrons), and the controller's own staff who use the dashboard.

Categories of data: truncated IP address, user-agent string, scan metadata, optional name + email + textual feedback, reward issuance and redemption records.

4. Subprocessors

The customer authorizes Tappi's use of the subprocessors listed in our privacy policy. We will give 30 days' notice of any addition or replacement, during which the customer may object on reasonable grounds.

5. Confidentiality + security

We commit our personnel to confidentiality, apply the security measures described in the privacy policy (TLS, encryption at rest, service-role isolation, RLS, audit logging), and review controls annually.

6. Data subject requests

We will assist the controller in responding to data-subject requests (access, rectification, erasure, portability) within 30 days of receipt.

7. Breach notification

If we become aware of a personal-data breach, we will notify the controller without undue delay (and within 72 hours where feasible) with the information necessary to fulfill the controller's regulatory obligations.

8. International transfers

Where data is transferred outside the UK / EEA, we rely on the UK International Data Transfer Addendum or the EU Standard Contractual Clauses (as applicable) with our subprocessors.

9. Return + deletion at end of processing

On termination of the controller's account, we will delete all personal data within 90 days. Backups may persist for an additional period not exceeding 30 days, after which all copies are permanently destroyed.

10. Audit + cooperation

We will make available to the controller, upon reasonable written request, the information necessary to demonstrate compliance with this DPA, including the results of our most recent third-party security review.

Contact

DPA questions: hola@automify.xyz.