Legal

Data Processing Addendum

Last updated 15 July 2026

When you use taproute to collect personal data from your own visitors, through a hosted page or a form, that data is yours, and we handle it only on your instructions. This addendum sets out the GDPR Article 28 terms for that arrangement. It forms part of, and is governed by, our Terms of Service.

Who is who

For personal data your visitors submit to you through taproute (form entries on a hosted page, and similar), you are the controller and we are your processor. You decide why and how that data is collected; we only store and return it on your behalf.

This is different from the data described in our Privacy Policy, where we are the controller, for example your own account details. Payments are handled by Polar as merchant of record, and card details never reach us.

What we process for you

  • Subject matter: hosting taproute for you and storing what your visitors submit.
  • Duration: for as long as your account is open, then per the deletion terms below.
  • Nature and purpose: storing, displaying back to you, and deleting on your instruction the entries collected through your pages and forms.
  • Types of data: whatever your form asks for, typically a name, email or message. You control the fields, so you decide the categories.
  • Categories of data subject: the visitors who submit your forms.

You must have a lawful basis for collecting this data and must tell your visitors what you do with it. We will not use it for any purpose of our own.

Our commitments as processor

  • Only on your instructions. We process this personal data only to provide the service and as you direct, not for our own purposes.
  • Confidentiality. People with access are bound to keep it confidential.
  • Security. We apply appropriate technical and organisational measures: encryption in transit and access limited to what is needed to run and support the service.
  • Sub-processors. We use the sub-processors listed below, place equivalent data-protection obligations on them, and stay responsible to you for their performance.
  • Breach notice. If a personal-data breach affecting your data occurs, we will notify you without undue delay so you can meet your own reporting duties.

Sub-processors

We use a small, stable set of providers to run the service. Each receives only what it needs.

  • Cloudflare: hosting, edge compute and data storage (United States / global). Everything the service stores lives here.
  • Polar: payments, as merchant of record (United States / EU). Receives billing details directly; we never see card numbers.
  • Resend: transactional email such as sign-in links (United States). Receives the recipient email address.
  • Google: checks destination URLs against a known-threat list, and confirms identity if you sign in with Google (United States). Receives the destination URL, not your visitors' submissions.

If we add or change a sub-processor, we will update this list. Material changes are announced to account holders with reasonable notice so you can object.

International transfers

These providers operate in the United States and Europe among other places, so personal data may be processed outside your country. Where a transfer needs a safeguard under the GDPR, such as the Standard Contractual Clauses, we rely on the appropriate mechanism offered by the provider.

Helping you meet your duties

Taking into account the nature of the processing, we will give you reasonable help to respond to requests from your visitors to see, correct, export or delete their data, and to meet your security, breach-notification and impact-assessment obligations. Most of this you can do yourself from your account; for anything else, write to info@taproute.io.

Return and deletion

You can export or delete the entries collected through your pages at any time. When you close your account, this data is deleted, unless we are required by law to keep specific records (for example, sales records for tax). Export anything you need first. After deletion we cannot recover it.

Accepting this addendum

This addendum applies automatically when you use taproute to process your visitors' personal data, and forms part of our Terms of Service. If your organisation needs a countersigned copy for its records, write to info@taproute.io and we will arrange one.