1. Who the data controller is

The controller for the personal data described here is COMPANY NAME, company number REG. NUMBER, POSTAL ADDRESS.

You can reach us about privacy at EMAIL.

RESOLVE: no DPO appointed. Likely not required under Art. 37, but the assessment should be documented. If the controller is established outside the EEA, an Art. 27 representative in the EEA is mandatory.

2. What data we process

Data you give us

Data created by using the service

If you use the form on the website

If you request access with your email address on taptober.com, it is forwarded to our inbox via our email provider. It is not stored in any database, and we use it only to reply to you. The basis is legitimate interests (Art. 6(1)(f)) — you contacted us.

What we don't do

Verified in the code as of 16 July 2026:

About "beer badges": Taptober does not record what or how much you drink. The collectable badges are unlocked by quizzes and activity, and a "streak" is a tap on an activity button — not a drinking log.

3. Purposes and legal bases

4. Who we share data with

We share only what is necessary, and only with processors bound by an Art. 28 data processing agreement.

RESOLVE: are organisers independent controllers or processors? This decides whether an Art. 26 joint-controller arrangement is needed. The question is real: organisers can push notifications to their attendees and see activity data.

5. Transfers outside the EEA

The database and application run in Finland, inside the EEA. Some processors are nonetheless US-based (Expo, Stripe, Google). Transfers there rely on the European Commission's Standard Contractual Clauses and/or the EU–US Data Privacy Framework.

RESOLVE: the Cloudflare R2 backup region is set to "auto", which does not guarantee EU storage. The backups contain the entire database. This must either be pinned to the EU or described accurately here — it is a Chapter V question.

6. How long we keep data

Note that a deleted account may remain in encrypted backups for up to 30 days before those backups rotate out.

7. Your rights

You have the right to:

You exercise these in the app under Profile, or by contacting us at EMAIL. We respond within 30 days.

DEPENDS ON UNSHIPPED CODE: deletion and export do not exist in the API as of 16 July 2026. These statements are untrue until built, and a privacy policy that promises them without them existing is itself a breach.

8. Age limit and children

The minimum age to use Taptober is 18. Taptober is not intended for children, and we do not knowingly collect data about anyone under 18.

We ask for your date of birth during onboarding, and a date of birth that makes you younger than 18 is rejected — it is not stored. Your date of birth cannot be changed once set: an age limit you can walk past by declaring a new birthday is not an age limit.

Alcohol-related content, such as the beer catalogue and age-restricted prizes, is additionally blocked for users who do not meet the age limit in their country (18, or 21 in the USA).

If you are a parent and believe your child has created an account, contact us at EMAIL and we will delete it.

9. Alcohol content and geo-blocking

Under the Norwegian Alcohol Act § 9-2, alcohol advertising is prohibited in Norway. Brewery content is therefore not shown to users whose home country is Norway, Sweden, Finland, Iceland, South Africa or Russia. Users in France see product information only, per the Loi Évin.

The block is driven by the home country you declare.

RESOLVE: home country is self-reported and user-editable, so the block is declared, not proven. The code itself warns against using this field as the sole basis for a legal geo-block.

10. Automated decisions

Two things are decided automatically:

You can always contact us to have a decision reviewed by a human.

RESOLVE: the code contains a complete automatic cheat ban that disables an account with no human review, triggered among other things by a shared IP address — i.e. shared wifi. It is currently not wired up and never runs. Wiring it up without human review would breach Art. 22, and this section would need rewriting.

11. Cookies and on-device storage

Our websites set no cookies, and we have no tracking tools. That is why there is no consent banner.

In the app, your sign-in keys are stored in the phone's secure storage. In the organiser portal they are stored in the browser's localStorage. This is necessary to keep you signed in, and is cleared when you sign out.

On taptober.com we store your language choice (taptober-lang) in the browser's localStorage, so the page remembers whether you want Norwegian, English or German. It is the only thing the website stores on your device, and it never leaves your browser.

The font on our websites is served from our own server, not from Google Fonts. Loading fonts from Google would send your IP address to the USA every time you opened a page.

12. Security

13. Changes

For significant changes we will notify you in the app or by email before they take effect. The date at the top shows when this policy was last changed.