Legal
Privacy Policy
Last updated: 11 June 2026
1. Who We Are
Tapora is the trading name of a Malta-based business operated by Jon Micallef. We design, 3D-print, and program custom NFC keychains and badges shipped from our EU workshop.
For data protection purposes, Tapora is the data controller for all personal data collected through tapora.io. You can contact us at privacy@tapora.io.
2. Data We Collect
2.1 Account Data
When you create an account, we store your email address, your name (optional), a hashed version of your password (we never store it in plain text), and your shipping and billing address once you place an order. If you sign in with Google, we receive your Google profile email and display name via OAuth.
Legal basis: Contract performance — your account is needed to manage your order, NFC link, and dashboard.
2.2 Order & Payment Data
Orders store your shipping name and address, billing address, the products and customisations you ordered (colour choices, uploaded SVG logo if applicable), and order status. Payment is processed by Viva Payments, a Malta-headquartered payment provider. We pass your name, email, and country code to Viva to initiate a checkout session. We never see or store your card number, CVV, or full card data — these are handled entirely by Viva's PCI DSS-compliant platform.
Legal basis: Contract performance.
2.3 Uploaded Files
If you upload a logo SVG during product configuration, that file is stored on Cloudflare R2 (private, EU-accessible object storage). It is used solely to embed your design into the 3D print. We do not use your upload for any other purpose.
Legal basis: Contract performance.
2.4 NFC Tap Analytics
When someone taps your NFC keychain or badge, we record the NFC short code, a timestamp, the device's user-agent string (browser + OS version), and the HTTP referrer if one is present. This data is stored in our database and shown to you in your dashboard as tap analytics. We do not link tap events to personally identifiable individuals other than the NFC owner.
Legal basis: Legitimate interest — tap analytics are the core service you purchased.
2.5 Site Analytics (PostHog)
With your consent, we use PostHog to collect anonymised page-view and navigation data. PostHog runs on EU servers (eu.posthog.com) and we proxy all events through our own domain so no data touches third-party infrastructure without your knowledge. We use person_profiles: "identified_only", meaning anonymous visitors are not profiled. You can decline analytics cookies at any time using the banner at the bottom of the page, or by contacting us.
Legal basis: Consent (GDPR Article 6(1)(a)). Analytics are only initialised after you accept.
2.6 Blog View Tracking
Blog post pages use a lightweight view counter. A random visitor identifier is generated and stored in a cookie named tapora_vid (valid for 1 year) to deduplicate view counts. This identifier contains no personal data and is not linked to your account or IP address. Legal basis: Legitimate interest (accurate view counts for blog authors).
2.7 Contact & Marketing Forms
When you submit our contact form, newsletter sign-up, or bulk enquiry form, we collect the fields you fill in (name, email, message or enquiry details). Contact enquiries are delivered to our team by Resend (a transactional email service). If you subscribe to our newsletter, your email is added to our audience in Resend. You can unsubscribe at any time using the link in any marketing email.
Legal basis: Consent for newsletter; legitimate interest for contact and enquiry processing.
3. Third-Party Services
| Service | Purpose | Location |
|---|---|---|
| Viva Payments | Payment processing | Malta / EU |
| Resend | Transactional & marketing email | US (SCCs apply) |
| Cloudflare R2 | File storage (SVG / STL / gcode) | EU region |
| PostHog | Site analytics (consent required) | EU (eu.posthog.com) |
| Google OAuth | Optional sign-in method | EU data processing |
Where data is processed outside the EU (Resend), we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Article 46.
4. Cookies
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| authjs.session-token | Essential | Keeps you signed in | 30 days |
| authjs.csrf-token | Essential | Security: cross-site request forgery prevention | Session |
| tapora_vid | Functional | Anonymous blog view deduplication | 1 year |
| ph_* | Analytics (consent) | PostHog session and event tracking | 1 year |
Essential and functional cookies do not require consent. Analytics cookies (ph_*) are only set if you accept via the cookie banner. You can change your preference at any time by clearing your browser localStorage and refreshing the page, or by contacting us.
5. Data Retention
We keep personal data for as long as it is needed for the purpose it was collected:
- Account data — retained while your account is active. You may request deletion at any time (see Section 6).
- Order and billing records — retained for 7 years to comply with EU accounting and tax obligations.
- Uploaded SVG files — retained until your order is fulfilled and dispatched, then removed from active storage.
- NFC tap events — retained indefinitely as they form your dashboard analytics. You may request deletion.
- Contact form submissions — retained for up to 2 years for reference, then deleted.
- Newsletter contacts — retained until you unsubscribe.
6. Your Rights (GDPR)
If you are in the EU or UK, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure— request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Restriction — ask us to limit how we process your data in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — for analytics, withdraw consent at any time via the cookie banner.
To exercise any of these rights, email privacy@tapora.io. We will respond within 30 days. You also have the right to lodge a complaint with the Malta Information and Data Protection Commissioner (IDPC).
7. Security
All data is transmitted over HTTPS. Passwords are hashed with bcrypt and never stored in plain text. File storage (R2) is private and accessible only via authenticated API calls. We keep our dependencies up to date and follow OWASP security practices. Despite these measures, no internet transmission is 100% secure — if you discover a vulnerability, please disclose it responsibly to privacy@tapora.io.
8. Children's Privacy
Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be notified by email (if you have an account) and/or by a notice on the website. The "last updated" date at the top of this page reflects the most recent revision.
10. Contact
For privacy enquiries: privacy@tapora.io. For general enquiries, use our contact form.