Privacy policy

Last updated: March 2026

This Privacy Policy explains how Retap, based in Tilburg, the Netherlands ("Retap," "we," "us," or "our"), collects, uses, stores, and protects personal data when you use our platform, including the business dashboard, customer-facing web application, NFC device, and all related services (the "Service").

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Dutch Implementation Act (UAVG), and all applicable data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.


1. Who We Are

Data Controller: Retap
Tilburg, the Netherlands
Email: info@retapcard.net
Support: support@retapcard.net

For questions about this Privacy Policy or to exercise your data rights, contact us at info@retapcard.net.

2. Roles and Responsibilities

Retap operates in two capacities depending on whose data is being processed:

  • Data Controller — For data of business users (dashboard account holders). We determine the purposes and means of processing your personal data when you create an account, subscribe to a plan, and use the dashboard.

  • Data Processor — For personal data of end customers (consumers who use the Retap app and loyalty cards). When a business uses Retap to manage its loyalty program, the business is the Data Controller for its customers' data, and Retap processes that data on the business's behalf under the terms of our Data Processing Agreement (DPA).

3. What Data We Collect

3.1 Business Users (Dashboard)

| Data Category | Examples | Purpose |
| --- | --- | --- |
| Account Information | Name, email address, password (hashed), phone number | Account creation, authentication, communication |
| Business Profile | Business name, address, city, postal code, logo, opening hours, category, social media links | Displaying your business in the Retap app |
| Payment Data | Billing details, subscription status, invoices | Processing payments via Stripe (we do not store card numbers) |
| Usage Data | Pages visited, features used, session duration, IP address, browser type, device type | Service improvement, analytics, security |
| Support Communications | Emails, WhatsApp messages, feedback | Providing customer support |

3.2 End Customers (Retap App)

When end customers use the Retap app, the following data may be collected:

| Data Category | Examples | Purpose |
| --- | --- | --- |
| Account Information | Name, email address, password (hashed), phone number | Account creation, authentication |
| Loyalty Data | Points earned, stamps collected, offers redeemed, transaction history | Operating the loyalty program |
| Card Information | Retap card number, card activation status | Linking physical cards to accounts |
| Location Data | City, approximate geolocation (only when explicitly consented by the user) | Showing nearby businesses, location-based features |
| Push Notification Tokens | Device push subscription tokens | Sending opt-in notifications about offers and updates |
| Usage Data | Pages visited, app interactions, IP address, browser type, device type | Service improvement and analytics |
| Favorites | Saved/bookmarked businesses | Personalizing the user experience |

3.3 Data We Do NOT Collect

  • We do not collect payment card numbers (handled entirely by Stripe).

  • We do not collect sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, health data, etc.).

  • We do not collect data from children under 16 years of age.

  • We do not track precise GPS coordinates without explicit user consent.

4. Legal Basis for Processing

Under the GDPR, we process personal data based on the following legal grounds:

| Legal Basis | Applies To |
| --- | --- |
| Performance of a contract (Art. 6(1)(b)) | Processing necessary to provide the Service (account management, transactions, loyalty programs, subscriptions) |
| Legitimate interest (Art. 6(1)(f)) | Analytics, service improvement, fraud prevention, security monitoring |
| Consent (Art. 6(1)(a)) | Push notifications, marketing communications, geolocation data, cookies |
| Legal obligation (Art. 6(1)(c)) | Tax records, invoicing, regulatory compliance |

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. How We Use Your Data

We use personal data to:

  • Provide the Service — Create and manage accounts, process transactions, operate loyalty programs, display business profiles.

  • Process Payments — Manage subscriptions, generate invoices, handle billing through Stripe.

  • Communicate — Respond to support inquiries, send transactional emails (account confirmation, password reset, subscription updates).

  • Send Notifications — Deliver opt-in push notifications about offers, rewards, and business updates to end customers.

  • Improve the Service — Analyze usage patterns, identify issues, develop new features, optimize performance.

  • Ensure Security — Detect and prevent fraud, unauthorized access, and abuse.

  • Comply with Law — Fulfill legal obligations including tax reporting and regulatory requirements.

We do not use personal data for automated decision-making or profiling that produces legal effects.

6. Data Sharing and Sub-Processors

We do not sell, rent, or trade your personal data to third parties.

We share personal data only with the following categories of service providers (sub-processors) who process data on our behalf:

| Sub-Processor | Purpose | Location | Data Processed |
| --- | --- | --- | --- |
| Supabase | Database, authentication, real-time data | EU/US (AWS infrastructure) | Account data, transaction data, business profiles |
| Stripe | Payment processing, subscriptions, invoicing | EU/US | Billing details, subscription status, invoice data |
| Vercel | Web application hosting, CDN | EU/US (edge network) | Usage data, IP addresses |
| Sentry (if enabled) | Error monitoring | EU/US | Error logs, device metadata |

All sub-processors are bound by data processing agreements and are required to implement appropriate technical and organizational security measures.

We may also disclose personal data when required by law, court order, or governmental authority, or when necessary to protect our rights, property, or safety.

7. International Data Transfers

Some of our sub-processors may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs)

  • Adequacy decisions by the European Commission

  • Sub-processor certifications and compliance frameworks

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy:

| Data Type | Retention Period |
| --- | --- |
| Active account data | For the duration of the account/subscription |
| Account data after deletion | Deleted within 30 days of account closure, except where legally required |
| Transaction/loyalty data | For the duration of the account; exportable before deletion |
| Payment and invoice records | 7 years (Dutch tax law obligation) |
| Usage analytics | Aggregated and anonymized after 12 months |
| Support communications | 2 years after last interaction |
| Push notification tokens | Until the user unsubscribes or the token expires |

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15) — Request a copy of the personal data we hold about you.

  • Right to Rectification (Art. 16) — Request correction of inaccurate or incomplete data.

  • Right to Erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.

  • Right to Restriction (Art. 18) — Request that we limit the processing of your data in certain circumstances.

  • Right to Data Portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format, or request transfer to another controller.

  • Right to Object (Art. 21) — Object to processing based on legitimate interest, including for direct marketing purposes.

  • Right to Withdraw Consent — Withdraw consent at any time for processing based on consent (e.g., push notifications, marketing emails).

How to exercise your rights: Send an email to info@retapcard.net with the subject line "Privacy Request." We will respond within 30 days as required by the GDPR. We may ask you to verify your identity before processing your request.

Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

10. Cookies and Tracking Technologies

10.1 What We Use

| Cookie Type | Purpose | Required? |
| --- | --- | --- |
| Essential/Authentication | Keeping you logged in, session management, security | Yes (necessary for the Service) |
| Preferences | Language settings, UI preferences | Yes (functional) |
| Analytics | Understanding how the Service is used, page views, feature usage | Optional (legitimate interest) |

10.2 What We Do NOT Use

  • We do not use advertising or tracking cookies.

  • We do not use third-party ad networks.

  • We do not participate in cross-site tracking.

10.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent certain features of the Service from functioning properly.

11. Push Notifications

End customers may opt in to receive push notifications through the Retap web application. Push notification tokens are stored securely and are used solely to deliver:

  • Offer and reward notifications from businesses the customer has interacted with.

  • Account-related updates (e.g., points earned, rewards available).

Customers can revoke push notification consent at any time through their device or browser settings. Upon revocation, the token is deactivated and no further notifications are sent.

12. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS/HTTPS).

  • Encryption of data at rest.

  • Hashed passwords (never stored in plain text).

  • Role-based access controls.

  • Regular security reviews and dependency updates.

  • Row-Level Security (RLS) on database tables to isolate business data.

While we take reasonable precautions, no system is completely secure. We cannot guarantee absolute security of your data.

13. Data Processing Agreement (DPA)

Where Retap acts as a Data Processor on behalf of a business (Data Controller), the processing is governed by a Data Processing Agreement in accordance with Article 28 of the GDPR. The DPA covers:

  • Subject matter and duration of processing.

  • Nature and purpose of processing.

  • Types of personal data and categories of data subjects.

  • Obligations and rights of the controller and processor.

  • Security measures and sub-processor management.

  • Data breach notification procedures.

A copy of the DPA is available upon request at support@retapcard.net.

14. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware, where the breach is likely to result in a risk to the rights and freedoms of individuals.

  • Notify affected individuals without undue delay where the breach is likely to result in a high risk.

  • Notify affected business customers (Data Controllers) without undue delay so they can fulfill their own notification obligations.

15. Children's Privacy

The Retap Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at info@retapcard.net.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.

17. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

Retap
Tilburg, the Netherlands

Email: info@retapcard.net
Support: support@retapcard.net
WhatsApp: Available 24/7

For complaints regarding data protection, you may also contact the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl