Legal

Privacy Policy

Effective date: 1 March 2025

1. Who we are

Tapa is operated by Berican Labs Ltd, a company incorporated in Kenya. We provide NFC and QR-based digital business cards to individuals and enterprises across Africa. References to "Tapa", "we", "us", or "our" in this policy mean Berican Labs Ltd.

For any privacy-related questions, contact us at [email protected].

2. Data we collect

We collect information in two ways: information you give us, and information generated automatically.

Information you provide

  • Account details: name, email address, profile photo
  • Card content: job title, company, phone number, website, social links, bio
  • Organisation details: company name, slug, member email addresses
  • Payment information (processed by our payment provider — we do not store card numbers)

Information generated automatically

  • Scan events: timestamp, card slug, referrer type (NFC, QR, or direct link)
  • Approximate location: country derived from IP address at scan time
  • Visitor hash: a one-way hash of IP + user-agent used to deduplicate unique visitors. We do not store raw IP addresses.
  • Browser and device type (from user-agent string, discarded after hashing)

3. How we use your data

  • To create and maintain your digital card and account
  • To display your public profile when your card is tapped or scanned
  • To provide scan analytics to card holders and organisation admins
  • To operate enterprise features: team management, member access control
  • To send transactional emails (magic-link sign-in, order confirmations)
  • To improve platform reliability and detect abuse

We do not use your data for advertising and we do not sell your data to third parties.

4. Legal basis for processing

We process personal data under the Kenya Data Protection Act, 2019 and, where applicable, the EU General Data Protection Regulation (GDPR). Our lawful bases are:

  • Contract performance — to deliver the service you signed up for
  • Legitimate interests — platform security, fraud prevention, analytics aggregation
  • Consent — for optional features or marketing communications (you can withdraw at any time)

5. Data sharing

We share data only in limited circumstances:

  • Sub-processors: infrastructure providers (database, hosting, email delivery) who process data on our behalf under data processing agreements
  • Organisation admins: if you are a member of an enterprise organisation, the admin can see your name and email address
  • Legal requirements: if we are required to disclose data by law or a valid court order

Public profile data (name, title, links) is visible to anyone who taps or scans your card. You control what appears on your card.

6. Data retention

  • Account data is retained for as long as your account is active
  • Scan records are retained for 24 months then aggregated (raw records deleted)
  • After account deletion, personal data is purged within 30 days
  • Aggregated, anonymised analytics (e.g. platform-wide scan counts) may be retained indefinitely

7. Your rights

Under the Kenya Data Protection Act and GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and associated personal data
  • Object to processing based on legitimate interests
  • Data portability — receive your data in a machine-readable format
  • Withdraw consent at any time where processing relies on consent

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Cookies and local storage

We use a session cookie to keep you signed in. We do not use tracking or advertising cookies. Analytics are server-side and do not require client-side cookies.

9. Security

We use industry-standard measures to protect your data: encrypted connections (TLS), hashed visitor identifiers, and access controls on our infrastructure. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to registered users at least 14 days before taking effect. Continued use of Tapa after that date constitutes acceptance of the revised policy.

11. Contact

Berican Labs Ltd
Nairobi, Kenya
[email protected]