Effective date: April 24, 2026
This Privacy Policy describes how Addvantage LLC (“we,” “us,” or “our”) collects, uses, and discloses personal information in connection with the Taprly service (the “Service”), which includes our website, web application, NFC cards, and related features.
California residents have additional rights and should review our California Privacy Notice for state-specific disclosures.
We collect the following categories of personal information. We have limited the list to data practices the Service actually performs today.
You choose what appears on your public profile. This typically includes some or all of the following, all of which become visible to anyone who has your profile URL or taps your NFC card (unless you set your profile to Private):
Everything in this section is self-published. You control what is included and can edit or remove it at any time from the dashboard.
When you upload a profile photo or cover image, we process the image server-side with a standard image library that re-encodes it to WebP format. This process strips embedded metadata (for example, EXIF camera data, GPS tags, and color profiles). We store the re-encoded image, its size, dimensions, and a cryptographic checksum.
When a Card is tapped and resolves to a profile URL, we record a minimal event that contains:
We also store the Card's aggregate scan count and the timestamp of its most recent scan.
We maintain an audit log of sensitive actions (for example, account creation, sign-in attempts, password changes, Card claims, and administrative actions). These log entries may include the actor's user identifier, the action performed, the target of the action, a hashed IP address, a truncated user-agent string, and structured metadata about the action.
If you email us, we retain the message and any attachments to respond to your request and to maintain a record.
Unless you expressly publish it on your profile, we do not collect: Social Security numbers, driver's license numbers, government identification numbers, payment-card numbers, bank-account numbers, precise geolocation, biometric identifiers, health information, or information about your racial or ethnic origin, religious beliefs, union membership, genetic data, or sex life. The Service is not designed to process “sensitive” or “special category” personal information.
We use the information described above to:
We do not use your information to serve advertising, build cross-context behavioral advertising profiles, or train artificial-intelligence models.
By design, information on a profile with the visibility setting “Public” or “Unlisted” is viewable by anyone who has the URL, including anyone who taps your NFC card. “Public” additionally signals to search-engine crawlers that the page may be indexed; “Unlisted” signals the opposite but does not prevent the URL from being shared or posted elsewhere. A “Private” profile is viewable only by you when signed in, and an NFC card pointing to a private profile will display an unavailable state to visitors.
We disclose personal information only in the circumstances listed below. We do not sell personal information, and we do not share it for cross-context behavioral advertising (as those terms are used in California and other U.S. state privacy laws).
We rely on a small number of vendors (processors or service providers under state privacy laws) that process personal information on our behalf under a written contract. The following providers are in scope for the current deployment:
| Provider | Role | Data they receive |
|---|---|---|
| Database hosting (e.g. managed PostgreSQL) | Stores account, profile, and log data | All categories listed in Section 2, except raw IP addresses (which we never store) |
| Object storage (S3-compatible, e.g. Cloudflare R2 or AWS S3) | Stores re-encoded profile images | Image file bytes and our storage keys |
| Transactional email provider (Resend or equivalent) | Delivers verification, reset, and security emails | Recipient email address, subject, body |
| Rate-limit store (Upstash Redis or equivalent) | Enforces abuse-protection counters | Abstract rate-limit keys (e.g. hashed IPs, user identifiers) and short-lived counters |
| Application hosting and CDN | Serves the Service | Connection metadata, HTTP request/response data, geographic routing |
Operator note: this table must be updated when processors are added or changed. Each processor must be under a data-processing agreement before it is connected to production data.
We may disclose personal information when we reasonably believe disclosure is required or appropriate to:
We disclose your profile information to the persons you choose to share it with. For example, your profile is designed to be sharable — tapping your NFC card, sharing your profile URL, or letting a visitor download your contact card all result in your publicly displayed information being transferred to that visitor's device.
The Service uses a small number of strictly necessary cookies:
HttpOnly, Secure (in production), and SameSite=Lax. It expires after seven days of inactivity.The Service does not use advertising cookies, cross-site tracking cookies, third-party analytics cookies, or similar technologies by default. If we later add analytics, we will update this Policy and surface a cookie control where required.
We retain personal information only as long as we need it.
We may retain information longer where we have a continuing legal obligation or legitimate business need (for example, ongoing security investigation or pending legal matter).
We take reasonable and appropriate technical and organizational measures to protect personal information. Current measures include:
No service can guarantee perfect security. You also play a role — choose a unique password, keep your devices up to date, and notify us promptly if you notice anything unusual.
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, please contact us at privacy@taprly.app and we will take appropriate steps to delete it.
We operate the Service from the United States. If you access the Service from another country, you understand that personal information we process will be stored and handled in the United States, which may not provide the same level of data protection as your home country. By using the Service, you consent to that transfer.
Operator note: this Service is not designed or marketed to EU/UK/EEA residents. If your user base materially includes such residents, a separate GDPR/UK-GDPR disclosure and legal-basis analysis is required before relying on the text above.
Depending on where you live, you may have the right to:
To exercise any of these rights, email us at privacy@taprly.app. We will verify your identity (typically by confirming control of the account email) and respond within the timeframe required by applicable law.
You can also manage most of your information directly in the dashboard: edit profile fields, change visibility, release or revoke NFC cards, and delete content.
California residents have additional rights under the California Consumer Privacy Act, as amended (CCPA/CPRA). See our California Privacy Notice for a state-specific disclosure of categories collected, purposes, retention, and how to exercise your rights.
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top and, where practical, notify you through the Service or by email. Your continued use of the Service after the changes take effect constitutes your acceptance of the revised Policy.
Privacy questions or requests: privacy@taprly.app. Mailing address: Addvantage LLC, 1029 NE 58th St, Oakland Park, FL 33334-4156, USA.