tapitfindit

Draft for review. This policy describes our intended data practices accurately, but should be reviewed by a qualified legal professional for your jurisdiction before launch.

Privacy Policy

Last updated: 1 June 2026

tapitfindit (“we”, “us”) provides tap-to-find NFC tags that help return lost items to their owners. This policy explains what personal information we collect, how we use it, who we share it with, and the choices you have. We handle personal information in line with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and, where it applies, the EU/UK GDPR.

Who this applies to

Two groups use tapitfindit: owners, who create an account and set up tags; and finders, who tap or scan a tag and may contact the owner. This policy covers both.

Information we collect

From owners

  • Account: your email address and a securely hashed password. If you enable two-factor authentication, we also store an encrypted authenticator secret and hashed recovery codes.
  • Tag details you enter: item name, and optionally a phone number, email, address, flight number, hotel name, reward note, and an item photo. You choose which of these are shown publicly on the scan page; the rest stay private.
  • Preferences: notification settings and default tag values.

From finders

  • Scan events: the time of the scan, a coarse location derived from the network (country and, where available, city), and the browser user-agent. We do not collect precise location unless a finder explicitly chooses to share it.
  • Messages: any message and optional reply contact a finder submits through the contact form, which we relay to the owner.

From your device

  • Cookies and analytics: on our marketing site we use cookies for analytics, but only after you accept them via our consent banner. Non-essential cookies are off by default. The dashboard uses a strictly necessary session cookie to keep you logged in.

How we use it

  • To operate your account and the tags and scan pages you create.
  • To notify you when one of your tags is scanned, and to relay finder messages to you.
  • To secure accounts (authentication, lockout, fraud prevention).
  • To improve the product, where you have consented to analytics.

Where the GDPR applies, our lawful bases are: performance of a contract (running the service), legitimate interests (security and relaying messages), and consent (analytics cookies).

What finders see

A scan page shows only the fields the owner marked public. Private fields are filtered out on our servers and are never sent to a finder’s device. The owner’s email is never shown to a finder; messages are relayed without revealing it.

Who we share it with

We do not sell personal information. We use a small set of providers to run the service:

  • Cloudflare — hosting, database, storage, and network (including coarse geolocation).
  • Resend — sending transactional email (verification, password reset, scan and relay notifications).
  • Google Tag Manager / Analytics — website analytics, only with your consent.
  • Apple Push Notification service — push notifications, if you use the iPhone app.

Some providers may process data outside Australia. We take reasonable steps to ensure they protect your information consistently with this policy.

Retention

We keep account and tag data while your account is active. Scan history is retained to show you activity; we may limit how far back scan history is shown on lower plans. When you delete a tag or your account, the associated tags, fields, photos, and scans are deleted.

Your rights and choices

  • Access, correct, or delete your account and tags at any time from your dashboard.
  • Control which tag fields are public, and turn notifications on or off.
  • Withdraw analytics consent at any time via “Cookie settings”.
  • Request a copy of your data, or lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC).

Security

Passwords are hashed with a strong, salted key-derivation function and never stored in plain text. Two-factor secrets are encrypted at rest. All traffic is served over HTTPS. Access to owner data is scoped to the authenticated owner. No system is perfectly secure, but we take reasonable steps to protect your information.

Children

tapitfindit is not directed to children under 16, and we do not knowingly collect their personal information.

Changes

We may update this policy. Material changes will be posted here with a new “last updated” date.

Contact

Questions or requests: TODO: privacy contact email. Operated by TODO: legal entity name and ABN.