Privacy Policy
This policy explains how 2taps.de processes your personal data under the GDPR and German data protection law.
1. Controller
2taps; for the postal address and contact details, see the Legal Notice.
2. Data We Process
a) Business owner account
- Name, email address, password hash
- Business name, URL slug, locale, brand colours, optional logo
- Plan and billing status (via Stripe)
Legal basis: contract performance (Art. 6(1)(b) GDPR).
b) End-customer data of your customers
If you use 2taps to issue loyalty cards to your customers, the following data may be processed depending on the selected signup mode:
- Anonymous mode: only a random card identifier — no personal data.
- Form mode: name, email, optional phone number, consent to processing.
Legal basis: consent (Art. 6(1)(a)) or contract with the end customer (Art. 6(1)(b)). You as the business owner are the controller for your customers' data; 2taps acts as a processor under Art. 28 GDPR.
c) Technical data
- IP address, timestamp, requested URL, browser/OS (in server logs)
- Session cookies (login state, locale) — strictly necessary, no consent required
Legal basis: legitimate interest in operation and security (Art. 6(1)(f) GDPR). Logs are deleted or anonymised after 14 days.
3. Recipients / Processors
We share your data with third parties only where required for contract performance or by law:
- Hetzner Online GmbH (hosting, servers located in Germany) — data processing agreement in place.
- Stripe Inc. / Stripe Payments Europe Ltd. (payments). When you upgrade a plan, name, email and card details are sent to Stripe directly. 2taps only stores a reference ID and plan status. Privacy: stripe.com/privacy
- Postmark (ActiveCampaign LLC) — sending verification and notification emails. Privacy: postmarkapp.com/eu-privacy
- Apple Inc. — Apple Wallet PassKit.
- Google LLC — Google Wallet (if enabled).
4. Third-Country Transfers
Stripe, Apple and Google are US providers. Transfers are based on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCC). Copies of the SCC are available on request.
5. Retention
- Account data: deleted irrevocably within 30 days of account deletion (except where statutory retention obligations apply).
- Billing data: 10 years (§ 147 AO).
- Server logs: 14 days.
6. Your Rights
Under GDPR you have the right to:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17) — available in your profile under "Danger zone"
- Restriction of processing (Art. 18)
- Data portability (Art. 20) — export your account data as JSON from your profile
- Object (Art. 21) to processing based on legitimate interest
- Complain to a supervisory authority (Art. 77)
7. Cookies
2taps uses strictly necessary cookies only:
- 2taps_session — login session, encrypted, HTTP-only, SameSite=Lax
- XSRF-TOKEN — CSRF protection
- card_* (on public customer pages) — remembers the card ID for 5 years so the customer can find their card on return visits
No tracking, marketing or analytics cookies are set, so no consent banner is needed.
8. Encryption
All traffic is encrypted with TLS 1.2 or later; HSTS is enabled (2 years) and HTTP/2 is used. Passwords are stored only as bcrypt hashes.
9. Data Processing Agreement
If you use 2taps to manage customer data commercially, we conclude a DPA under Art. 28 GDPR with you. Contact hello@2taps.de.
10. Contact
For any privacy questions: hello@2taps.de.