Privacy Policy
Draft of 16 July 2026 · Not in force
Written from a review of the source code, not by a lawyer. Items marked
LIKE THIS are questions of fact that must be settled before
publication. This describes the service as intended at launch; see
docs/privacy-gaps.md for which statements depend on code that has not shipped.
- Who the data controller is
- What data we process
- Purposes and legal bases
- Who we share data with
- Transfers outside the EEA
- How long we keep data
- Your rights
- Age limit and children
- Alcohol content and geo-blocking
- Automated decisions
- Cookies and on-device storage
- Security
- Changes
- Contact and complaints
1. Who the data controller is
The controller for the personal data described here is COMPANY NAME, company number REG. NUMBER, POSTAL ADDRESS.
You can reach us about privacy at EMAIL.
RESOLVE: no DPO appointed. Likely not required under Art. 37, but the assessment should be documented. If the controller is established outside the EEA, an Art. 27 representative in the EEA is mandatory.
2. What data we process
Data you give us
| Data | When | Required? |
|---|---|---|
| Email address | Registration | Yes |
| Password (stored only as a bcrypt hash, never in clear text) | Registration | Yes, unless you use Google sign-in |
| Username | Registration | Yes — shown publicly on leaderboards |
| Display name, avatar, bio, home city | Profile | No |
| Date of birth | Onboarding | Yes — see section 8. Cannot be changed once set |
| Home country | Onboarding/profile | Yes — determines what content you see, see section 9 |
| Consent to sponsor marketing | Onboarding | No — optional, and you can win prizes without it |
| Full name, email and postal address | Only when you claim a prize | Yes, to ship the prize |
Data created by using the service
- In-app activity: quiz answers and points, weekly activity check-ins ("streaks"), leaderboard positions, collectable badges, challenges and tournaments, event check-ins, and friend-feed events.
- Device data: a device identifier, platform (iOS/Android/web), OS and app version, and last sign-in time. Recorded at every login.
- Push token if you enable notifications.
- IP address in server logs, and when submitting quiz answers.
- A Stripe customer ID if you buy Premium. We never receive or store your card number — payment happens at Stripe.
If you use the form on the website
If you request access with your email address on taptober.com, it is forwarded to our inbox via our email provider. It is not stored in any database, and we use it only to reply to you. The basis is legitimate interests (Art. 6(1)(f)) — you contacted us.
What we don't do
Verified in the code as of 16 July 2026:
- We use no analytics and no tracking pixels.
- We use no advertising ID (IDFA/AAID) and share nothing with ad networks.
- We do not collect your location. The app never asks for location access.
- Camera is used only for QR scanning, and photo access only for your avatar.
- We do not sell personal data.
About "beer badges": Taptober does not record what or how much you drink. The collectable badges are unlocked by quizzes and activity, and a "streak" is a tap on an activity button — not a drinking log.
3. Purposes and legal bases
| Purpose | Data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Create and run your account, deliver the game | Account, profile, activity | Contract, Art. 6(1)(b) |
| Leaderboards and social features | Username, points, city/country | Contract, Art. 6(1)(b) |
| Sending and delivering prizes | Name, email, postal address | Contract, Art. 6(1)(b) |
| Age-gating alcohol-related content | Date of birth | Legal obligation, Art. 6(1)(c) |
| Geo-blocking alcohol advertising | Home country | Legal obligation, Art. 6(1)(c) |
| Push notifications | Push token | Consent, Art. 6(1)(a) — revocable any time |
| Sponsor marketing | Email, consent flag | Consent, Art. 6(1)(a) |
| Security, debugging and anti-cheat | IP, device data, error logs | Legitimate interests, Art. 6(1)(f) |
| Premium payment | Stripe customer ID | Contract, Art. 6(1)(b) |
4. Who we share data with
We share only what is necessary, and only with processors bound by an Art. 28 data processing agreement.
| Recipient | What they get | Why | Where |
|---|---|---|---|
| Hetzner | All stored data (server and database hosting) | Hosting | Helsinki, Finland — EEA |
| Cloudflare R2 | Encrypted database backups | Backup | REGION NOT PINNED |
| Sentry | Error reports. Configured not to send personal data | Error monitoring | EU OR US INSTANCE? |
| Expo (650 Industries) | Push token and notification content | Push notifications | USA |
| Stripe | Payment details you enter with them | Payment | USA |
| Sign-in verification (only if you use Google sign-in) | Login | USA | |
| EMAIL PROVIDER — CONFIRM | Your email address and the content of emails we send you | Sending email | CONFIRM |
| The organiser of the festival you join | Username, points, activity within their festival | Running the festival | EEA |
RESOLVE: are organisers independent controllers or processors? This decides whether an Art. 26 joint-controller arrangement is needed. The question is real: organisers can push notifications to their attendees and see activity data.
5. Transfers outside the EEA
The database and application run in Finland, inside the EEA. Some processors are nonetheless US-based (Expo, Stripe, Google). Transfers there rely on the European Commission's Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
RESOLVE: the Cloudflare R2 backup region is set to "auto", which does not guarantee EU storage. The backups contain the entire database. This must either be pinned to the EU or described accurately here — it is a Chapter V question.
6. How long we keep data
| Data | Retention |
|---|---|
| Account and profile | As long as the account exists. Deleted when you delete the account |
| Activity and points | Deleted with the account |
| Prize claims (name, address) | MUST BE SET — Norwegian bookkeeping law may require 5 years for prizes actually sent |
| Server logs containing IP | MUST BE SET — 30 days recommended |
| Encrypted backups | 30 days, then deleted automatically |
| Sign-in tokens | 15 minutes (access) / 30 days (refresh) |
Note that a deleted account may remain in encrypted backups for up to 30 days before those backups rotate out.
7. Your rights
You have the right to:
- access the data we hold about you (Art. 15),
- correct data that is wrong (Art. 16),
- delete your account and your data (Art. 17),
- receive your data in a machine-readable format (Art. 20),
- object to processing based on legitimate interests (Art. 21),
- withdraw consent to marketing or notifications at any time, without affecting the lawfulness of processing before withdrawal.
You exercise these in the app under Profile, or by contacting us at EMAIL. We respond within 30 days.
DEPENDS ON UNSHIPPED CODE: deletion and export do not exist in the API as of 16 July 2026. These statements are untrue until built, and a privacy policy that promises them without them existing is itself a breach.
8. Age limit and children
The minimum age to use Taptober is 18. Taptober is not intended for children, and we do not knowingly collect data about anyone under 18.
We ask for your date of birth during onboarding, and a date of birth that makes you younger than 18 is rejected — it is not stored. Your date of birth cannot be changed once set: an age limit you can walk past by declaring a new birthday is not an age limit.
Alcohol-related content, such as the beer catalogue and age-restricted prizes, is additionally blocked for users who do not meet the age limit in their country (18, or 21 in the USA).
If you are a parent and believe your child has created an account, contact us at EMAIL and we will delete it.
9. Alcohol content and geo-blocking
Under the Norwegian Alcohol Act § 9-2, alcohol advertising is prohibited in Norway. Brewery content is therefore not shown to users whose home country is Norway, Sweden, Finland, Iceland, South Africa or Russia. Users in France see product information only, per the Loi Évin.
The block is driven by the home country you declare.
RESOLVE: home country is self-reported and user-editable, so the block is declared, not proven. The code itself warns against using this field as the sole basis for a legal geo-block.
10. Automated decisions
Two things are decided automatically:
- Ranking and prizes. Points and rank are computed automatically on the server based on skill — answers and speed. Prize eligibility is decided automatically from rank, age and country.
- Age-gating and geo-blocking as described above.
You can always contact us to have a decision reviewed by a human.
RESOLVE: the code contains a complete automatic cheat ban that disables an account with no human review, triggered among other things by a shared IP address — i.e. shared wifi. It is currently not wired up and never runs. Wiring it up without human review would breach Art. 22, and this section would need rewriting.
11. Cookies and on-device storage
Our websites set no cookies, and we have no tracking tools. That is why there is no consent banner.
In the app, your sign-in keys are stored in the phone's secure storage. In the organiser portal they are stored in the browser's localStorage. This is necessary to keep you signed in, and is cleared when you sign out.
On taptober.com we store your language choice (taptober-lang) in the browser's
localStorage, so the page remembers whether you want Norwegian, English or German. It is the
only thing the website stores on your device, and it never leaves your browser.
The font on our websites is served from our own server, not from Google Fonts. Loading fonts from Google would send your IP address to the USA every time you opened a page.
12. Security
- All traffic runs over HTTPS.
- Passwords are stored as bcrypt hashes.
- The database runs on a server inside the EEA and is not exposed to the internet.
- Backups are encrypted with AES-256 before leaving the server.
- Data access is scoped per festival and per role.
13. Changes
For significant changes we will notify you in the app or by email before they take effect. The date at the top shows when this policy was last changed.
14. Contact and complaints
Privacy questions: EMAIL
If you believe we process your data unlawfully, you can complain to the Norwegian Data Protection Authority, Datatilsynet, Postboks 458 Sentrum, 0105 Oslo — datatilsynet.no. We would appreciate the chance to fix it first.
Back to taptober.com · © 2026 Taptober