TapRates is a SaaS platform for business review management. We comply with Saudi Arabia's Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR).
2. Data We Collect
Account data: name, email, password (PBKDF2-hashed — never stored in plaintext)
Review data: star rating, text, category, timestamp, source type (QR/NFC), and an optional phone number if the customer asks the business to follow up
Technical data: IP address (SHA-256 hashed, never stored as plaintext), and a device fingerprint derived from browser/device characteristics (canvas, WebGL renderer, audio, screen attributes) used solely for fraud prevention — never for profiling, advertising, or cross-site tracking. Both are purged after 30 days.
Google Business Profile data (optional): when you connect Google, we request permission to read your reviews and post your replies. This data is never shared with any third party and is never used outside the tenant account that owns it.
We do NOT collect: geolocation, contacts, photos
3. How We Use Data
Deliver the review-management service and its analytics
Protect against fraud and fake reviews
Send service-related notifications only (no marketing)
Process payments via Stripe
Sync Google Business Profile reviews into the tenant dashboard (only when activated by the tenant)
4. Data Sharing
We never sell your data to any third party — ever.
Shared with: Stripe (payments), Resend (email), Google (only when the Google Business Profile integration is active, and strictly for API calls the tenant has authorized)
IP addresses are hashed at ingest and never stored in plaintext
Google OAuth tokens are encrypted at rest (AES-GCM) with a secret kept separate from storage
6. Your Rights
Access your data from the dashboard at any time
Edit your data whenever you wish
Delete your account permanently from Settings
Export your data in CSV format
Object to the processing of your data
7. Data Retention
Account data: kept until the account is deleted
Reviews: kept until the account is deleted
Device fingerprints: automatically purged after 30 days
OAuth tokens: deleted immediately when the integration is disconnected
After account deletion: full purge within 30 days
8. Automated decision-making (anti-fraud)
Our fraud protection may automatically flag an individual review as spam (a "shadowban") when hard technical criteria are met — for example, too many reviews from one IP address within an hour, or a match against an abuse word-list. This has no legal effect on the visitor: the review is still stored, only excluded from the statistics, and the business can reverse the flag at any time. The check is rating-neutral — it never treats a low-star review differently from a high-star one. As a data subject you have the right to human intervention (GDPR Article 22); contact support@taprates.app.
9. Cookies
We use a single authentication cookie. No tracking or advertising cookies are set.
10. Exercising your rights
To request an export of the data we hold about you, or to request deletion (Article 17 — right to erasure), use the dedicated request form: /privacy/data-request. The business whose review page you used (data controller) will action your request within 30 days.