Data Processing Agreement
Last updated: June 11, 2026
This agreement supplements our Terms of Service and is entered into automatically when you use TappedIN if GDPR, CCPA, or an equivalent regulation applies to your store.
1. Definitions
- Controller means you, the merchant, who determines the purposes and means of processing shoppers' personal data.
- Processor means TappedIN, which processes personal data on the Controller's behalf.
- Personal data means any information relating to an identifiable natural person, as defined under applicable law.
- Sub-processor means any third party engaged by TappedIN to process personal data in connection with the service.
2. Scope and nature of processing
TappedIN processes the following categories of personal data on your behalf:
| Category | Purpose |
|---|---|
| Search queries | Returning product results; improving ranking quality |
| Click and conversion events | Dashboard analytics; personalised re-ranking |
| Session identifiers (cookie) | Maintaining search state within a browsing session |
| Merchant contact details | Account management; billing; support |
Processing is carried out for the duration of the contract between the parties.
3. Processor obligations
TappedIN agrees to:
- Process personal data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
- Implement technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.
- Assist the Controller in responding to data subject access, erasure, and portability requests within the timeframes required by applicable law.
- Notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach.
- Delete or return all personal data upon termination of the contract, unless retention is required by law.
4. Sub-processors
TappedIN currently uses the following categories of sub-processors:
| Category | Location | Purpose |
|---|---|---|
| Cloud infrastructure | EU / US | Hosting and computation |
| Payment processor | EU / US | Billing only; no search data shared |
| Transactional email | EU | Sending account and alert emails |
We will notify you of any intended changes to sub-processors at least 14 days in advance. If you object, you may terminate without penalty.
5. International transfers
Where personal data is transferred outside the European Economic Area, TappedIN relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or equivalent mechanisms recognised under applicable law.
6. Security measures
TappedIN maintains the following technical and organisational measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls and least-privilege principles for all staff.
- Regular security testing and vulnerability assessments.
- Documented incident response and breach notification procedures.
7. Audit rights
You may request an audit of TappedIN's data processing activities once per calendar year with 30 days' written notice. TappedIN may satisfy audit requests by providing relevant third-party certifications or attestations.
8. Contact
Data protection queries can be directed to privacy@betappedin.app.