
Privacy and Data Protection Policy

Introduction

TAP2 is committed to safeguarding the privacy and personal data of all our users, employees, partners, and third-party vendors. This Privacy and Data Protection Policy outlines our practices for collecting, processing, retaining, and securing personal data in compliance with the General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA), and other applicable laws.

This policy applies to all personal data collected through our platforms, including when users make purchases, subscribe to services, or interact with TAP2 for any other business purposes.

 1. Data Collection and Processing 

1.1. What Data We Collect

We collect and process two types of personal data:

  • Order Information: Name, billing address, shipping address, payment information (e.g., credit/debit card details, PayPal), email address, and phone number.
  • Device Information: IP address, browser type, and interaction data to help us optimize our services and screen for potential risk or fraud.

1.2. Purpose of Data Processing

TAP2 processes personal data to:

  • Fulfil orders, process payments, and arrange for shipping.
  • Communicate with users regarding orders, updates, and offers.
  • Screen for fraud and improve the performance of our platform through analytics.
  • Support marketing efforts in line with user preferences.

1.3. Legal Basis for Processing

We collect and process data based on:

  • Contractual Obligations: Data is required to fulfil orders and provide services.
  • Legitimate Interests: TAP2 processes personal data to improve services, prevent fraud, and maintain communication with users.
  • Consent: Marketing and other secondary uses require explicit consent from the user, which can be withdrawn at any time.

 2. Data Retention and Deletion 

2.1. Retention Periods

  • Financial Data: Retained for 6 years + 1 year to comply with HMRC regulations.
  • Customer Data (Order Information): Retained while the customer remains active, plus 2 years or until a deletion request is submitted.
  • Personal Identification Data: Retained for 5 years after the end of the customer relationship due to regulatory requirements.
  • Non-customer Data: Retained for 2 years unless a deletion request is submitted.

2.2. Data Deletion

Once the retention period is complete, personal data will be anonymized or securely deleted. Paper records containing confidential information are disposed of as confidential waste using cross-cut shredding and incineration.

 3. Rights of Data Subjects 

3.1. Data Access, Rectification, and Erasure

Users have the right to:

  • Access personal data held by TAP2.
  • Request corrections to inaccurate data.
  • Request the deletion of personal data when it is no longer required.

3.2. Data Portability and Objection

Users can request the transfer of their data to another service provider or object to data processing in specific circumstances, such as marketing activities.

3.3. Submitting a Request

All Data Subject Access Requests (DSARs) must be submitted to the Data Protection Officer at TAP2 via customerservice@tap-2.com. Requests will be processed within 30 days.

 4. Data Security and Breach Response 

4.1. Security Measures

TAP2 follows industry best practices and PCI-DSS standards to protect personal data. This includes using encryption technologies (e.g., SSL and AES-256) for sensitive information such as payment data.

4.2. Breach Response Plan

In the event of a data breach, TAP2 will promptly notify affected individuals and relevant regulatory bodies (e.g., the ICO) within the legally required timeframe. Regular security audits and vulnerability assessments are conducted to prevent breaches.

 5. Data Transfers and Third-Party Processors 

5.1. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), TAP2 ensures adequate protection through Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs). Third-party providers, including payment processors, must also adhere to these standards.

5.2. Third-Party Vendor Compliance

TAP2 works with third-party vendors who process personal data to deliver services (e.g., payment gateways and shipping providers). TAP2 ensures that these vendors comply with GDPR and local privacy laws through explicit agreements.

 6. Cookies and Tracking 

6.1. Cookie Usage

TAP2 uses cookies to personalize user experiences, track browsing behaviour, and enable essential functionalities such as login persistence. Users must provide explicit consent for the use of non-essential cookies, and a clear opt-out mechanism is provided.

6.2. Do Not Track

TAP2 honours 'Do Not Track' signals received from browsers. No additional data collection will occur from users who have enabled this setting.

 7. Employee Responsibilities and Training 

7.1. Staff Training and Awareness

All employees handling personal data receive regular training on data protection responsibilities, GDPR requirements, and security protocols. This training is monitored for effectiveness, and non-compliance may result in disciplinary actions, including dismissal.

7.2. Accountability

Employees are responsible for ensuring the security and proper use of personal data. Any breaches or failure to comply with this policy can lead to disciplinary proceedings and, in severe cases, termination of employment.

 8. Changes to This Policy 

TAP2 reserves the right to amend this policy at any time. Material changes will be communicated to users promptly, and the latest version will always be available on our website.

 Contact Information 

For questions, requests, or complaints about this policy, please contact the Data Protection Officer at customerservice@tap-2.com, or write to us at:
TAP2 Ltd
Southmeads House
Brent Road
Berrow, Somerset
TA8 2JU, United Kingdom
