Tap Track

Privacy Policy

Effective date: April 29, 2026

1. Who we are

This Privacy Policy describes how Taptrack LLC, doing business as Tap Track ("we", "us", "our"), collects, uses, and shares information about you when you use the Tap Track website, mobile applications, and related services (collectively, the "Service"). Our iOS and Android applications are distributed through Apple and Google developer accounts held by factiii LLC, an affiliate, on behalf of Taptrack LLC.

If you have questions about this policy or our handling of your data, contact us at production@taptrack.io or by mail at 1417 Harbourtown Circle, Mansfield, TX 76063.

2. Information we collect

We collect the following categories of information:

Account information

Name, email address, phone number, organisation membership, and authentication credentials (password hashes, passkey credentials, magic-link tokens) you provide when you create an account or are invited to one.

Device and technical data

IP address, operating system, browser or app version, device identifier, and basic usage telemetry needed to operate and secure the Service.

Location data

Precise GPS location captured by the mobile application. When you grant "While Using the App" permission, we collect location during active app use to support clock-ins, NFC scans, and map features. When you grant "Always" permission, we additionally collect location while the app is in the background to support geofencing and inspection-arrival features. You can revoke either permission at any time in your device settings.

Camera and photo library

Images and short videos you capture with your device camera or upload from your photo library to attach to projects, inspections, annotations, and other records.

NFC tag reads

When you tap a Tap Track NFC tag, we record the tag's identifier, the timestamp, and your geolocation at the time of the scan.

Biometric authentication

Tap Track uses Face ID, Touch ID, and equivalent device biometrics to unlock the app on supported devices. The biometric template (the mathematical representation of your face or fingerprint) is created, stored, and compared entirely on your device by the iOS or Android operating system — it is never transmitted to or stored by Tap Track's servers, and we receive only a pass/fail result from the OS. The sole purpose of this collection is to authenticate you to the app. Your device's biometric data is retained in accordance with your device operating system's policies; you can remove it by disabling Face ID or Touch ID in your device settings at any time. If you are an Illinois resident, this notice satisfies the written-notice requirements of the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/. If you are a Texas resident, this notice satisfies the requirements of the Texas Capture or Use of Biometric Identifiers Act (CUBI).

Push notifications

If you enable notifications, we receive a device push token from Apple or Google so we can deliver alerts about clock-ins, schedule changes, and other events.

Cookies and session data (web)

Our website uses a first-party session cookie to keep you signed in and an anti-CSRF cookie to protect form submissions. We do not use third-party advertising or analytics cookies.

User-generated content

Form submissions, inspection deficiencies, drawings and annotations, field notes, project files, and KML route data you upload or create within the Service.

Integration data

If your organisation enables an integration with a third-party service such as Housecall Pro or Jobber, we exchange the credentials you authorise and synchronise records between that service and Tap Track on your behalf.

3. How we use your information

  • To provide, operate, and maintain the Service.
  • To authenticate you and protect your account.
  • To deliver email and push notifications you have requested or that are necessary to operate the Service.
  • To generate reports, audit logs, and analytics for your organisation.
  • To investigate and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations and respond to lawful requests.
  • To communicate with you about product updates, support, and policy changes.

4. How we share your information

We do not sell your personal information. We share information only as described below:

  • Service providers (sub-processors). We use Resend to deliver email, AWS S3 (or compatible object storage) to host files, Mapbox and MapLibre tile providers to render maps, and Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) to deliver push notifications. These sub-processors process information solely on our behalf under contractual confidentiality obligations and are required to protect your data to at least the standard described in this policy. A current list of sub-processors is available on request at production@taptrack.io, and we will provide reasonable advance notice before adding a new sub-processor that materially changes how your data is handled. Our App Privacy label in the App Store and Google Play Data Safety section reflect all data types collected by the app and its included SDKs.
  • Third-party integrations you enable. When your organisation enables an integration such as Housecall Pro or Jobber, we exchange information with that provider per your authorisation. Their handling of your data is governed by their own privacy policies.
  • Within your organisation. Information you submit through Tap Track is visible to other authorised members of your organisation in accordance with the role you have been assigned.
  • Legal compliance. We may disclose information when required by law, in response to a valid subpoena or court order, or to protect the rights, property, or safety of Taptrack LLC, our customers, or others.
  • Business transfers. If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership and explain your choices.

5. Mobile permissions

The Tap Track mobile application requests the following device permissions. You can review and revoke any of them in your device settings at any time.

  • NFC. "Scan NFC tags to clock in/out and verify checkpoints." Used to read Tap Track checkpoint tags.
  • Face ID. "Use Face ID to unlock Tap Track." Used for on-device app unlock; biometric data is never transmitted.
  • Camera. "Take photos for projects and inspections." Used to capture photos and short videos that you attach to records.
  • Photo library. "Select photos from your library." Used when you choose to attach an existing photo or video.
  • Location (while in use). "Allow Tap Track to access your location for check-ins and maps." Used during active app use for clock-in verification and map features.
  • Location (always). "Allow Tap Track to track your location for geofencing and inspection arrival." Used in the background only when your organisation has enabled geofence or inspection-arrival workflows you participate in.
  • Notifications. Used to deliver alerts you have opted into.

6. Data retention

We retain your account and the records you create for as long as your account is active. When you request deletion, we acknowledge the request within 72 hours and complete deletion of active account records within thirty (30) days. Encrypted backups that may contain residual copies of your data are purged on a rolling cycle within 90 days of your deletion request. The following categories are retained beyond the 30-day window:

  • Audit logs and security records may be retained for up to seven (7) years to support legal compliance and security investigations.
  • Anonymised, aggregated analytics may be retained indefinitely; this data does not identify you.
  • Information we are legally required to retain (for example, tax records) may be retained for the period required by law.
  • Records subject to a legal hold, an active regulatory investigation, or an active dispute between you and us are retained until the hold or dispute is resolved. We will notify you if this applies to your deletion request.

7. Security

We protect your information using industry-standard safeguards: TLS 1.2+ in transit; passwords stored as one-way hashes via a maintained authentication library; role-based access controls; tamper-evident audit logging; and routine review of administrative access. No system is perfectly secure, and we encourage you to use a strong, unique password and to enable available account-protection features such as passkeys.

8. Children's privacy

Tap Track is a workplace management tool intended exclusively for use by adults as part of their employment. We do not direct the Service to children, and users must be at least 18 (or the age of majority in their jurisdiction) to create an account, as stated in our Terms of Service. We do not knowingly collect personal information from children under 13 years of age (or under 16 in California, the European Economic Area, the United Kingdom, and Switzerland). If you believe a minor has provided us with personal information, please contact us at production@taptrack.io and we will delete it promptly.

9. International transfers

Tap Track is operated from the United States, and information we collect is stored on servers located in the United States. If you access the Service from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data-protection requirements that differ from those of the United States, your information will be transferred internationally. Where required, we rely on Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement (IDTA), or equivalent mechanisms recognised by the applicable jurisdiction.

10. Your rights — California (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we have collected about you.
  • Request deletion of your personal information.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information. We do not sell or share your personal information for cross-context behavioural advertising.
  • Limit our use of sensitive personal information.
  • Not be discriminated against for exercising your rights.

Under the CPRA, "sensitive personal information" includes your precise geolocation. We treat the precise GPS location described in section 2 as sensitive personal information and use it only for the purposes described there (clock-in verification, NFC scans, map features, geofencing, and inspection-arrival workflows). We do not use sensitive personal information to infer characteristics about you. To limit our use and disclosure of your sensitive personal information, email production@taptrack.io with the subject line "Limit Sensitive Data Use" or write to us at the address in section 13. We will honour your request within 15 business days.

Global Privacy Control. Tap Track does not sell or share your personal information for cross-context behavioural advertising. Any Global Privacy Control (GPC) opt-out preference signal received from your browser or device is treated as a valid opt-out of sale and sharing under the CCPA/CPRA and is honoured automatically — no separate request is required.

To exercise any of these rights, email production@taptrack.io from the email address on file. We may need to verify your identity before fulfilling certain requests. You may also designate an authorised agent to act on your behalf.

10a. Your rights — other US states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Nebraska, Rhode Island, Indiana, and Kentucky have rights under their respective state privacy laws that include, to the extent applicable: the right to know or access the personal data we hold about you; the right to correct inaccurate data; the right to delete your personal data; the right to obtain a portable copy of your data; and the right to opt out of the sale of personal data, targeted advertising, and certain profiling decisions. We do not sell personal data, serve targeted advertising, or use automated profiling that produces legal or similarly significant effects. To exercise any of these rights, email production@taptrack.io from the email address on your account. We will respond within the timeframe required by your state's law (generally 45 days, with a possible 45-day extension where permitted). We will not discriminate against you for exercising these rights.

11. Your rights — EEA, UK, and Switzerland (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, Taptrack LLC is the controller of your personal information for the purposes of the General Data Protection Regulation and equivalent laws.

Where Taptrack LLC processes personal data on behalf of an organisation that has subscribed to the Service (for example, an employer using Tap Track to manage its workforce), that organisation is the data controller and Taptrack LLC acts as a data processor. In those cases, the organisation's own privacy notice governs the processing of its employees' and contractors' data, and the organisation is responsible for ensuring a valid legal basis for that processing. Our Data Processing Agreement, available on request at production@taptrack.io, governs our obligations as a processor under the GDPR and equivalent laws.

Our lawful bases for processing are: (a) performance of our contract with you or your organisation; (b) our legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your rights; (c) your consent, where required (for example, for non-essential cookies or push notifications); and (d) compliance with legal obligations.

You have the right to access, rectify, erase, restrict, port, and object to processing of your personal information; to withdraw consent at any time; and to lodge a complaint with your local supervisory authority. The right to erasure may be limited where retention is necessary for the establishment, exercise, or defence of legal claims, for compliance with a legal obligation, or for other grounds permitted under Article 17(3) of the GDPR — see section 6 above for the specific exceptions. To exercise these rights, contact production@taptrack.io.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service and update the "Effective date" above. We encourage you to review this page periodically.

13. Contact us

For privacy-related questions or to exercise any right described above:

  • Email: production@taptrack.io
  • Mail: Taptrack LLC, 1417 Harbourtown Circle, Mansfield, TX 76063
  • To request account deletion specifically, see our Delete Account page or email production@taptrack.io.