Effective date: April 24, 2026
This California Privacy Notice supplements our Privacy Policy and applies to California residents as defined by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (together, the “CCPA”). Capitalized terms used but not defined here have the meanings given in the CCPA.
In the last 12 months, we have collected the following CCPA categories of personal information about users of the Service. The right-hand column identifies the specific data elements that fall within each category.
| CCPA category | What we actually collect within this category |
|---|---|
| Identifiers (§ 1798.140(v)(1)(A)) | Email address, account identifier, session identifier, a salted hash of the visitor IP address (not the raw IP), and any identifiers a user chooses to publish on their profile (for example, additional email addresses or phone numbers). |
| Customer records (§ 1798.140(v)(1)(B)) | Name (if the user provides one), phone number(s) the user publishes on their profile, and similar contact information. |
| Commercial information (§ 1798.140(v)(1)(D)) | If the Service begins accepting payments, records of products or services purchased. Not currently collected. |
| Internet or similar network activity (§ 1798.140(v)(1)(F)) | Session metadata, user-agent string (stored in session and audit records), a coarse user-agent family and referrer host (stored in Card scan telemetry), and approximate country code from CDN headers. |
| Geolocation data (§ 1798.140(v)(1)(G)) | Approximate country code derived from a CDN header at the time a Card is tapped. We do not collect precise geolocation. |
| Visual information (§ 1798.140(v)(1)(H)) | Profile photo and optional cover image that the user uploads. Embedded metadata (EXIF, GPS, ICC) is removed during server-side re-encoding before storage. |
| Professional information (§ 1798.140(v)(1)(I)) | Job title, company, and location, if the user publishes them on their profile. |
| Inferences (§ 1798.140(v)(1)(K)) | Limited operational inferences drawn from the data above (for example, a classification of the tapping device as iOS, Android, desktop, bot, or unknown, for abuse detection). |
| Sensitive personal information (§ 1798.140(ae)) | Not collected. We do not collect Social Security numbers, driver's license numbers, state identification numbers, passport numbers, financial account numbers with required security codes, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric identifiers, health information, or information about sex life or sexual orientation. The account password is hashed at the time of collection and is used solely for authentication. |
We disclose personal information for business purposes to the following categories of recipients. The processor categories are described in more detail in Section 5.1 of the Privacy Policy:
We do not sell personal information for monetary or other valuable consideration, and we do not share personal information for cross-context behavioral advertising, as those terms are defined in the CCPA. We have not sold or shared personal information (as so defined) in the preceding 12 months.
We do not sell or share the personal information of consumers under 16 years of age, and we do not knowingly collect personal information from consumers under 13 years of age.
As noted above, we do not collect sensitive personal information in the ordinary operation of the Service. Account passwords are hashed at the time of collection and used only to authenticate you. Because we do not collect or use sensitive personal information outside the uses enumerated in CCPA § 1798.121(d) and 11 CCR § 7027(m) (which are narrow exceptions that do not trigger an opt-out right), the right to limit use and disclosure of sensitive personal information does not currently apply to the Service. If that changes, we will update this notice and provide the required controls.
We retain personal information only as long as reasonably necessary for the purposes disclosed in Section 4. Category-level retention periods are set out in Section 7 of the Privacy Policy. In summary: account and profile data are retained while your account is active; Card scan telemetry is retained for up to 90 days; audit logs are retained for up to 2 years; verification and password-reset tokens are deleted on use or expiry (minutes to hours).
If you are a California resident, you have the following rights:
To submit a request, email privacy@taprly.app with the subject line “California privacy request” and indicate which right you are exercising.
Verification. We verify your identity by confirming control of the email address on file and may ask for additional information reasonably necessary to match your request to our records. We do not collect government identification to verify a request.
Authorized agents. You may use an authorized agent to submit a request on your behalf. If you use an agent, we will ask for written authorization signed by you and will separately verify your identity.
Timing. We will confirm receipt of your request within 10 business days and respond to verifiable requests within 45 calendar days (extendable by an additional 45 days where reasonably necessary and with notice to you).
Appeals. If we deny your request in whole or in part, we will explain why. If you disagree, reply to our response and we will reconsider; you may also contact the California Attorney General.
We will not discriminate against you for exercising your California privacy rights. We do not offer financial incentives in exchange for personal information.
We provide a just-in-time notice at the point of collection at sign-up, profile setup, and image upload. The categories collected at each of those points and the purposes are described in Sections 2–4 of this notice, with additional detail in the Privacy Policy.
Questions about this notice or about your California privacy rights: privacy@taprly.app. Mailing address: Addvantage LLC, 1029 NE 58th St, Oakland Park, FL 33334-4156, USA.