
Privacy Policy

Last updated: April 26, 2026

1. Introduction

Tappy ("we," "our," or "us") operates the tappy.sh website and the Tappy platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. For personal data processed in connection with the Service, Tappy is the controller for account, billing, website, and product analytics data, and acts as a processor where customers use Tappy to process data from their own connected sources.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and authentication credentials. We use Clerk for authentication and do not store passwords directly.

Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, and actions taken. This helps us improve the product.

Data Source Connections

When you connect external data sources (databases, spreadsheets, SaaS tools, websites), we store the connection credentials securely. We query your data sources on your instructions. Some source data is processed transiently in memory or short-lived caches, while data you choose to upload, save, materialize as an API/Web Source, place into a document, or freeze as a snapshot is stored until you delete it or close your account.

Document Content

We store the documents you create on our platform, including text, code blocks, data block configurations, rendered outputs, document images, uploaded files, chat history, and frozen snapshots. This is necessary to provide the Service.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Execute data queries and code on your behalf
  • Send you service-related communications
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not sell your personal information. We do not use your document content or connected data to train machine learning models.

Lawful bases

Where UK GDPR or GDPR applies, our main lawful bases are: contract necessity to provide the Service you request; legitimate interests for security, abuse prevention, service improvement, and basic business operations; consent for optional product analytics and OAuth connections; and legal obligation for tax, accounting, compliance, and lawful requests.

4. Sub-processors

We use the following third-party services ("sub-processors") to operate the platform. A current, authoritative list is also published at /trust.

  • Clerk — Authentication, session management, and user directory.
  • Anthropic — Claude models that power chat, narrative generation, code generation, and analysis. Inputs are not used to train Anthropic models under our commercial terms.
  • OpenAI — Supplementary AI models for specific tasks. Inputs are not used for model training under our API terms.
  • OpenRouter — Routing selected non-Anthropic AI model requests to model providers chosen in the product.
  • Exa — Web search used by AI features to retrieve public information.
  • Firecrawl — Structured web scraping for Web Sources.
  • E2B — Isolated sandboxes for executing generated Python/JavaScript code. Sandboxes are destroyed after each run.
  • Stripe — Payment processing, subscription management, and billing.
  • Railway — Application hosting and deployment.
  • PlanetScale — Managed Postgres database for account and document storage.
  • Upstash — Managed Redis for caching and rate limiting.
  • PostHog — Optional product analytics, only after you grant analytics consent.
  • Sentry — Error monitoring, diagnostics, and performance telemetry with PII scrubbing.
  • Amazon Web Services — SES for transactional and scheduled email delivery; S3 for uploaded file and document-export storage.
  • Google, Microsoft, HubSpot — Where you connect these accounts, we use their OAuth APIs to read the specific resources you grant access to. Scopes are kept minimal.

A Data Processing Agreement (DPA) is available on request by contacting privacy@tappy.sh.

5. Google User Data

Tappy's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We access Google Drive files only through the file picker (scope drive.file) — we do not request read access to your entire Drive. Google Sheets selected by you are accessed as Drive files and exported in a readable workbook format. We use Google user data only to show, query, analyze, refresh, and include the selected files or sheets in your Tappy documents, and to provide user-facing AI features that you request.

We do not sell Google user data, do not use it for advertising, and do not use it to train machine-learning models. We do not allow humans to read Google user data unless you ask us to troubleshoot a specific issue, it is necessary for security or abuse investigation, or we are required to do so by law. Transfers are limited to sub-processors needed to provide the Service, such as hosting, storage, and AI model providers acting on your instructions. You can revoke Google access in Tappy or from your Google Account permissions page, and account deletion removes stored Google OAuth tokens and saved Google file references from our systems.

6. AI-Generated Content

The Service uses AI models to generate text, code, SQL, charts, and analysis. AI outputs may contain errors, omissions, or inaccuracies. You are responsible for reviewing AI outputs before relying on or acting on them. Do not use the Service to make consequential decisions (medical, legal, financial, safety-critical) without independent verification.

7. Data Security

We implement industry-standard security measures to protect your information. All data-source connections use OAuth2 or credentials that we store encrypted. Data is encrypted in transit (TLS 1.2+) and at rest. Code execution happens in isolated sandboxes that are destroyed after each run.

However, no method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Data Retention & Deletion

We keep only the data needed to run the Service, and only for as long as it is needed. When you delete your account, we delete the data below within 30 days, except where retention is required by law. While your account is active, frozen document snapshots are retained until you explicitly delete them.

Data category | Retention while account is active | After deletion
Profile (name, email, auth records) | Life of account | Deleted within 30 days
Documents, notes, workspace knowledge, chat history | Life of account | Deleted within 30 days
OAuth tokens + encrypted source credentials | Until you disconnect the source | Deleted within 30 days
Materialized API / web source rows | Until you delete the source | Deleted within 30 days
Uploaded files, document images, and code-output files | Until you delete the file, block, document, or account | Deleted within 30 days
Short-lived query, schema, and analysis caches | Usually minutes to 30 days, depending on cache type | Expired automatically, or cleared during account deletion where user-scoped
Credit balance + credit transaction log | Life of account | Deleted within 30 days
Billing records (invoices, payment history; held by Stripe) | 7 years (tax law) | Retained for up to 7 years
Security / abuse logs | 12 months (fraud prevention) | Up to 12 months
Encrypted database backups | Rolling 35 days | Overwritten within 35 days

To delete your account and data, follow the instructions at /data-deletion or email privacy@tappy.sh.

9. Your Rights

Depending on your jurisdiction (including under GDPR and the UK GDPR), you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your information
  • Export your data in a portable format (via the in-app export or by emailing us)
  • Object to or restrict certain processing of your data
  • Lodge a complaint with your local supervisory authority

To exercise any of these rights, contact privacy@tappy.sh. We respond within 30 days.

10. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, grants you additional rights:

  • Right to know the categories and specific pieces of personal information we collect, use, disclose, and sell/share.
  • Right to delete personal information we collect from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioural advertising.
  • Right to non-discrimination for exercising these rights — we will not charge you a different price or provide a lower-quality Service.

To exercise any California Privacy right, email privacy@tappy.sh. We may need to verify your identity before actioning the request.

11. Data Breach Notification

In the unlikely event of a personal-data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority (the ICO in the UK, or the lead EU DPA) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and will notify affected users without undue delay. Notices will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or propose to take. We maintain a written incident-response runbook to support this commitment.

12. International Data Transfers

Tappy is operated from the United Kingdom and uses sub-processors located in the United States, the European Union, and the United Kingdom. Where personal data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms offered by the relevant sub-processor.

13. Product analytics & your choices

We use privacy-friendly product analytics (PostHog, hosted in the EU) to understand how the product is used. You control analytics with the cookie banner and in-app Settings:

  • Essential — auth, billing, and security logs only. Always on; required to operate the Service.
  • Anonymous usage stats — page views and aggregate feature-use counts. Not tied to your account. Tells us what's used overall; we cannot see what an individual user did.
  • Help us improve — opt-in separately. Identified usage tied to your account, including accepted/rejected suggestion metadata, so we can fix specific pain points and see where users get stuck. We do not include prompts, document text, or source data in these analytics events.

We never sell or share analytics data, never use cross-site advertising, and never record sessions or keystrokes. You can change your consent choices any time from the in-app Settings (optional categories can be withdrawn independently, per GDPR Art. 7(3)).

What events we may capture (with your consent)

Non-exhaustive list — all values listed are metadata. We do not send prompts, chat messages, document text, source row data, URLs, filenames, SQL, schemas, hostnames, API keys, OAuth tokens, cookies, or request headers to PostHog.

  • $pageview — URL path (no query strings)
  • document_created / document_opened — creation source and count buckets
  • chat_message_sent — model tier, whether attachments used. No message text.
  • chat_model_switched — previous and new model id
  • source_connected / source_removed / source_tested / source_refreshed — provider type, success flag, and count buckets only
  • web_source_extracted / api_source_discovered — success, auth kind, and row/table/column buckets only
  • suggestion_decided — accept/reject action, suggestion-count bucket, block type, and suggestion type only. No suggested content.
  • share_link_created / share_link_updated — access mode and allowed-recipient count bucket only
  • export_started / export_completed — kind (csv/pdf/pptx), duration bucket, and document-size bucket
  • plan_viewed, checkout_started, plan_upgraded / plan_downgraded
  • credits_exhausted, rate_limited — to help us understand usage patterns

14. Cookies & local storage

We use the absolute minimum of cookies required to run the Service. No cross-site tracking, no advertising cookies, no third-party analytics cookies.

Cookies we set or that are set on our behalf

Cookie | Set by | Purpose | Category
__session / __clerk_* | Clerk | Keeps you signed in. Required. | Essential
__stripe_mid, __stripe_sid | Stripe | Fraud prevention during checkout. Set only on billing pages. | Essential

That's it. We deliberately do not set a cookie for analytics — our product-analytics provider (PostHog) is configured to use browser localStorage only, and it only runs after you grant analytics consent in the cookie banner.

What we store in localStorage

  • Your privacy-consent preferences.
  • The AI model you picked in the chat selector (pure UI state).
  • PostHog's anonymous/identified distinct ID (only if you granted analytics).

You can revoke analytics consent at any time in the in-app Settings privacy preferences, or by clearing localStorage for tappy.sh in your browser's developer tools (this also clears your saved consent preferences, so the cookie banner will appear again). Account deletion instructions are at /data-deletion.

15. Children

The Service is not intended for users under the age of 16. We do not knowingly collect information from children under 16.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

17. Security Contact

If you believe you've found a security issue in Tappy, please report it privately to security@tappy.sh. We appreciate responsible disclosure and will respond within 5 business days. Please give us a reasonable opportunity to investigate and remediate before public disclosure.

18. Contact Us

The data controller is TAPPY LTD, a company registered in England and Wales. Company number: 17188908. Registered office: 167-169 Great Portland Street, London, England, W1W 5PF.

If you have any questions about this Privacy Policy, contact us at privacy@tappy.sh.