Legal

Privacy Policy

Last updated 13 July 2026

This explains what we hold about you, why, and who else can see it. The short version: we record far less than you probably expect, we do not track anyone across the web, and we have never sold data to anybody.

Who we are

taproute is an independent business operated from Israel. We decide how the data described here is handled. In data-protection language, we are the controller. Payments are handled by our merchant of record, Polar, which processes your billing details directly; we never see or store your card number.

For anything on this page (a question, a request to see your data, a complaint) write to info@taproute.io. A person reads that inbox, and we will come back to you within 30 days.

If you scanned a code

Most people who meet taproute never sign up for it. They just point a phone at a code on a menu or a package. If that is you, this is everything that happens.

We record that the code was scanned, the country it was scanned in, whether the phone was iOS, Android or something else, and the time. That is the entire record.

We do not store your IP address. We do not record your city or precise location, we do not set a cookie on you, we do not fingerprint your device, and we do not build a profile of you or link your scans together. Nothing we keep can identify you.

The owner of the code sees the same thing we do: totals by country and by device type. They cannot see who you are, because we never learned it.

Your browser is then sent straight to the destination the owner chose. What happens on that destination is governed by their privacy policy, not ours.

What we collect from customers

If you hold an account, we hold the following.

Your account

  • Your name and email address.
  • Your profile picture, if you chose to sign in with Google and Google provided one.
  • Sign-in records (including the IP address and the browser or device a session was started from) so we can keep you signed in, show you your active sessions, and notice suspicious access.

What you create

  • Your codes and the destinations they point at.
  • Any custom domain you connect, any logo or artwork you upload, and any page you ask us to host.
  • Product details you enter, and the settings for any API keys or notification endpoints you set up.

Your usage

  • The scan records described above, grouped under your workspace.
  • Your credit balance and the history of purchases and scans it is made of.

When you contact us

  • Your email and whatever you chose to put in it.

Keeping the service safe

  • We use IP addresses for security and anti-abuse: to rate-limit sign-ups and requests so the service cannot be flooded, and, if someone reports an abusive link, to log where that report came from, so a bad actor cannot bury a rival under false reports. These uses are for protection, not to profile you, and we do not link them into a picture of you.

What we never do

  • We do not sell your data, or the data of anyone who scans your codes. Not to advertisers, not to brokers, not to anybody.
  • We do not run advertising and we carry no advertising or analytics trackers on the scan path.
  • We do not track people across other websites, and we do not buy data about you from anyone else.
  • We do not read your destinations for our own purposes. We check them against a known-threat list to protect people from malware and phishing, and that is all.

Why we are allowed to hold it

Where the GDPR or Israel's Privacy Protection Law applies, our grounds are these:

  • To give you the service you asked for: your account, your codes, your analytics, your receipts. Without this data there is no product.
  • Our legitimate interest in keeping the service safe: screening destinations for malware and phishing, acting on abuse reports, preventing fraud.
  • Legal obligation: keeping records of sales for tax purposes.

We do not rely on consent for any of this, because we do not do anything with your data that would require it. We do not send marketing email unless you ask us to.

Cookies

We use five cookies, all of them strictly necessary and none of them for tracking. Because there is no non-essential cookie to consent to, we show a short notice rather than an "accept / reject" wall. Full details are on our Cookie Policy.

  • Your sign-in session: keeps you logged in. Without it you could not use an account.
  • Your workspace: remembers which workspace you were last looking at.
  • Your theme: remembers whether you chose light or dark.
  • Your language: remembers whether you chose English or Hebrew.
  • Your cookie notice: remembers that you have seen the notice, so we do not show it again.

There are no advertising cookies, no analytics cookies, and no third-party cookies. Scanning a code sets no cookie at all.

Who else sees it

We use a small number of companies to run the service. Each one only receives what it needs to do its job.

  • Cloudflare: hosts the service and stores its data. Everything described on this page lives there.
  • Polar: takes payments, as the merchant of record. They receive your billing details directly. We never see or store your card number.
  • Resend: sends the service emails you need, such as your sign-in link. They receive your email address.
  • Google: checks destination URLs against its known-threat list so we can block malware and phishing. It receives the destination address, not anything about you. If you choose to sign in with Google, Google also confirms your identity to us.

These providers operate in the United States and Europe among other places, so your data may be handled outside Israel. We only use providers that commit to appropriate safeguards for such transfers.

We will also disclose data where the law genuinely requires it. If we are legally free to tell you that it happened, we will.

Data you collect from your own visitors

If you use taproute to host a page with a form on it, the details your visitors submit are yours, not ours. We only store them on your behalf and hand them back to you. In data-protection language, you are the controller and we are your processor.

That means it is on you to have a lawful basis for collecting them and to tell your visitors what you are doing. We will not use those details for anything of our own, and we will delete them when you tell us to. The terms for this processing are set out in our Data Processing Addendum.

How long we keep it

  • Your account and your codes: for as long as your account is open. Delete your account and they go with it.
  • Scan records: 24 months, then removed. They are not tied to any person, so this is a housekeeping limit rather than a privacy one.
  • Purchase records: seven years, because Israeli tax law requires us to keep them.
  • Abuse reports: 12 months.

When you delete your account, your codes stop resolving and your data is removed. Export anything you want to keep first. After deletion we cannot recover it.

Your rights

You can ask us to:

  • Show you what we hold about you.
  • Correct anything that is wrong.
  • Delete your account and the data in it.
  • Export your codes, destinations and scan history. You can do this yourself from your account at any time, and you do not need a balance to do it.
  • Object to something we are doing, or ask us to restrict it.

Email info@taproute.io and we will act within 30 days. We will not charge you for it and we will not make you jump through hoops.

If you think we have handled your data badly and we have not put it right, you can complain to the Israeli Privacy Protection Authority, or, if you are in the EU or UK, to your local data protection regulator.

Security

Traffic is encrypted in transit. Access to the systems holding your data is limited to what is needed to operate and support the service. Payment card details never reach us at all.

No service can promise perfect security. If a breach ever affects your data, we will tell you and the relevant regulator, promptly and without playing it down.

Children

taproute is not intended for children. You must be at least 16 to hold an account, and we do not knowingly collect data from anyone younger. If you believe a child has given us data, write to info@taproute.io and we will delete it.

Changes to this policy

If we change this policy in a way that materially affects you, we will email account holders at least 30 days before it takes effect. The date at the top of this page always tells you when it last changed.

We will not use a policy change to start selling data or tracking scans. Those are commitments, not defaults.