Tap Links Privacy Policy
Operator: Mace Design LLC (a New York limited liability company) d/b/a “Tap Links”
Effective date: 2026-05-18 · Version: 1.3
Summary
- When someone taps a Tap Links device, we do not ask for or collect their name, email address, phone number, or login.
- We record routine request metadata (IP address, timestamp, device ID, browser type) and retain only as long as needed for analytics, abuse prevention, and security investigations.
- We do not sell personal information, share it for advertising, or track users across other websites.
This summary is informational and subject to change. In a conflict between this summary and the formal text below, the formal text controls.
1. Scope and definitions
This Privacy Policy describes how Mace Design LLC, doing business as “Tap Links” (“Tap Links,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information in connection with:
- The Service: our cloud dashboard at
dashboard.taplinks.com, our marketing website attaplinks.com, our manufacturing pipeline, and our NFC hardware redirect infrastructure on*.taplinks.com. - The Hardware: physical NFC-enabled devices (including tiles, pucks, and other custom shapes) and accessories that we manufacture in Brooklyn, New York, and ship to customers.
“Personal information” has the meaning given by the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA/CPRA”): information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This Policy is written for a US audience. We do not currently market the Service to consumers or businesses outside the United States. If you sign a customer contract with us as a non-US entity, additional privacy terms may apply by separate addendum (e.g., a Data Processing Addendum).
2. Who is the data controller / business?
For the purposes of CCPA/CPRA and similar US state privacy laws, Mace Design LLC is:
- The business with respect to personal information about (a) visitors to
taplinks.com, (b) people who fill out our contact form, and (c) people who hold an account on our dashboard (i.e., users who log in with a magic link). - A service provider with respect to personal information that a customer’s end users generate when they tap a Tap Links device that the customer has configured. In that capacity, we process tap data on the customer’s behalf and subject to the customer’s instructions in the dashboard and in the Master Services Agreement.
Where Tap Links acts as a service provider, the customer (the business that purchased the devices) is the relevant CCPA/CPRA business and is responsible for providing notice to its own customers, employees, or visitors about the devices’ purpose and any data processing.
3. Categories of personal information we collect
We collect or process the following CCPA/CPRA categories of personal information.
3.1 From people who tap a Tap Links device (end-user tap data)
When a person taps an NFC-enabled phone (or another NFC reader) on a Tap Links device, the phone opens a URL hosted on *.taplinks.com. The request reaches our infrastructure and is logged. We record:
| Field | CCPA/CPRA category | Source | Purpose |
|---|---|---|---|
| IP address of the requesting device | Identifiers, Internet/network activity | The request itself (HTTP CF-Connecting-IP header) |
Security, abuse detection, duplicate-tap suppression (24-hour window) |
| Approximate geographic region (city / country) | Geolocation (not precise) | Derived by Cloudflare from IP | Aggregate analytics, abuse detection |
| User-Agent string | Internet/network activity | The request itself | Debugging, abuse detection |
| Device UID and tap timestamp | Identifiers, Internet/network activity | The request itself | Counting taps, supplying analytics to the device owner |
| Referrer (when present) | Internet/network activity | The request itself | Debugging, abuse detection |
We do not collect names, email addresses, phone numbers, payment information, precise geolocation, advertising identifiers, biometric information, sensitive personal information as defined by the CCPA/CPRA, or any other identifier beyond what is listed above from people who tap a device.
In practice we retain tap event data, including the IP address, for as long as the Service operates. We do not currently run an automated process that deletes or aggregates tap records on a fixed schedule. We will delete a specific tap record on a verified request where we can identify it (see § 7).
See also: Tap Privacy Notice, written specifically for end users.
3.2 From visitors to our marketing website and dashboard
When you load a page on a Tap Links website (new.taplinks.com, the taplinks.com apex once migrated, or page navigations within dashboard.taplinks.com), we record a first-party page-view event so we can understand basic traffic. We log: a salted, irreversible hash of your IP address (we do not store your raw IP for website analytics), the host and page path (without query string), the referring site’s host if any, an approximate city/region/country derived from your IP by Cloudflare, a coarse client classification (e.g., “browser”), and a timestamp. We do not log device taps here (those are covered in § 3.1), file/asset requests, API or admin traffic, or known bots.
This is first-party analytics: the data stays in our own infrastructure and is used only in aggregate (e.g., total page views, unique visitors per day, top pages, country, referrer) to operate and improve the sites. It is not sold or shared, not used for advertising, and not used to track you across other sites. We retain page-view events for 13 months and then delete them.
Opting out. You can stop first-party page-view logging on your device by visiting taplinks.com/__notrack, which sets a small preference cookie that suppresses logging (visit taplinks.com/__track to reverse it). We also honor a Global Privacy Control signal as described in our Cookie Notice.
Separately, our hosting provider (Cloudflare) processes routine connection metadata to deliver the sites, and we may run Cloudflare Web Analytics, a cookieless, privacy-preserving product that does not track individuals across sites. See Cookie Notice and Cloudflare’s privacy documentation.
If you submit our contact form (a Tally embed), the information you provide (typically a name, email address, and message body) is collected by Tally on our behalf and routed to a Tap Links email inbox.
3.3 From dashboard users (our customers’ team members)
If you have a login on dashboard.taplinks.com, we collect:
| Field | CCPA/CPRA category | Source | Purpose |
|---|---|---|---|
| Email address | Identifiers | Provided by you or by your client administrator | Authentication, account communication |
Role (owner, admin, member) |
Professional information | Set by client administrator | Authorization |
| Magic-link tokens (UUID) | Identifiers (transient) | Generated by us | Authentication; expire after 30 minutes |
| Session cookie token (UUID) | Identifiers (transient) | Generated by us | Authentication; expire after 7 days or on sign-out |
last_login_at timestamp |
Internet/network activity | Set by us on each sign-in | Account hygiene |
| Activity in the dashboard (clicks, edits, link history) | Internet/network activity | Generated by your use of the dashboard | Service operation, debugging, audit |
We retain dashboard user records for as long as the account exists; we do not currently run an automated deletion of user records after an account ends, and we will delete them on a verified request (see § 7). Session rows expire after 7 days; they are deleted immediately on sign-out and expired rows are removed opportunistically during normal operation. Magic-link sign-in tokens are deleted the moment they are used; an unused token becomes invalid after 30 minutes and is then removed.
3.4 From customers (business contact information)
When you become a Tap Links customer, we collect business contact information about you and the people at your company who interact with us: name, email address, phone number (if you provide it), company name, billing address, shipping address, and any preferences you communicate.
We retain customer business-contact and financial records (invoices, correspondence) for as long as the relationship and our tax, accounting, and legal obligations require; in practice we do not run an automated deletion of these records. Records subject to subpoena, litigation hold, or insurance claims are retained until the hold is lifted.
3.5 From manufacturing operations
Our manufacturing systems track each NFC chip we produce: its 7-byte UID, the order and lot it belongs to, the date it was bound to a physical device, and which customer it was shipped to. This data does not contain personal information about end users; it is associated with the customer who purchased the device.
Tap Links NFC devices ship cryptographically locked with AES-128 by default. The locking key is not retrievable by our customer-facing infrastructure and is never visible to our marketing site, dashboard, or redirect logic. Customers may opt out of Tap Links locking under their Order if they prefer to ship devices unlocked or to manage their own cryptographic posture. See Security Overview for the high-level architecture; more detail is available to customer security teams under NDA.
4. How we use personal information
We use the personal information described above to:
- Operate the Service: route NFC taps to the correct destination URL, render dashboard pages, send magic-link sign-in emails, deliver tap analytics to the device owner, and maintain the infrastructure on which the Service runs.
- Authenticate dashboard users (the magic-link flow described in our Security Overview).
- Detect, prevent, and respond to abuse: duplicate-tap suppression, rate-limiting, fraud investigations, account compromise detection.
- Communicate with our customers: respond to support requests, send transactional account notices, send invoices once billing is enabled.
- Improve the Service: investigate bugs, debug client reports, plan capacity. We aggregate or de-identify data before using it for product improvement wherever feasible.
- Comply with legal obligations: respond to lawful requests from government authorities, enforce our Terms of Service, defend ourselves in disputes.
We do not use personal information for:
- Cross-context behavioral advertising
- Profiling for automated decision-making that produces legal or similarly significant effects
- Targeted marketing to people who tap devices
- Training general-purpose machine learning models without contractual permission
5. Disclosure of personal information
We do not sell personal information (as “sell” is defined by the CCPA/CPRA) and we do not share personal information for cross-context behavioral advertising. In the 12 months preceding the Effective Date, we have not sold or shared personal information.
We disclose personal information only as follows:
5.1 To customers (about their own devices)
A customer can see, in their dashboard: - The total number of taps on each device they own. - The most recent tap timestamp for each device. - Aggregate tap-time-series data (e.g., taps per day) for devices in their account.
A customer does not see the IP address, User-Agent, region, or any other identifier of an individual person who tapped one of their devices. The dashboard only shows aggregate counts and most-recent-tap times.
5.2 To sub-processors
We use a small number of vendors to operate the Service. Each one is subject to data processing terms in its standard terms of service that limit use of personal information to performing services for us. They are listed in our Subprocessors page and include:
- Cloudflare, Inc.: primary infrastructure provider.
- Resend, Inc. (transactional email): magic-link sign-in emails, customer-facing service notices.
- Google LLC (Google Workspace): operator email, calendar, business documents.
- Tally.so: contact form on the marketing website.
- Cloudflare Web Analytics: privacy-preserving traffic analytics on the marketing site (no cookies, no cross-site tracking).
If we add or change a sub-processor that processes personal information in a material way, we will update the Subprocessors page. Customers with a signed Data Processing Addendum can request advance notice of sub-processor changes as set out in that addendum.
5.3 To service providers and contractors
We may share personal information with our accountants, lawyers, insurers, and other professional advisors when reasonably necessary for the operation or defense of our business. These parties are bound by professional obligations of confidentiality.
5.4 In connection with a corporate transaction
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred to the successor or acquirer as part of that transaction, subject to standard confidentiality protections and to the terms of this Policy.
5.5 To comply with law or protect rights
We may disclose personal information when we have a good-faith belief that disclosure is necessary to: - Comply with applicable law, valid legal process, or a binding request from a government authority. - Enforce or apply our Terms of Service, Acceptable Use Policy, or other applicable agreements. - Detect, prevent, or address fraud, abuse, security, or technical issues. - Protect the rights, property, or safety of Tap Links, our customers, end users, or the public.
Where lawful and practical, we attempt to give the affected user or customer advance notice of a legal demand so that they can seek to challenge it.
6. Cookies and similar technologies
See Cookie Notice for the full inventory. In short:
- Marketing site (
taplinks.com): no tracking or analytics cookies set by us. One optional opt-out cookie (tl_notrack) is set only if you visit/__notrack. Cloudflare Web Analytics is cookieless. The Tally contact form may set its own cookies; see Tally’s privacy documentation. - Dashboard (
dashboard.taplinks.com): one strictly necessary session cookie (session_token) used to keep you signed in.HttpOnly,Secure,SameSite=Strict. No analytics or advertising cookies. - Device redirect path (
*.taplinks.com/<UID>): no cookies. We do not set tracking cookies on people who tap devices.
7. Your privacy choices
7.1 California residents (CCPA/CPRA)
California residents have the following rights with respect to personal information we hold about them:
- Right to know. You can ask us to tell you (1) the categories of personal information we have collected about you, (2) the categories of sources, (3) the business or commercial purpose for collecting it, (4) the categories of third parties to whom we disclose it, and (5) the specific pieces of personal information we have about you.
- Right to delete. You can ask us to delete personal information we have collected from you, subject to exceptions under CCPA/CPRA §1798.105(d) (e.g., we may need to keep records for security, fraud prevention, legal compliance, or to complete a transaction).
- Right to correct. You can ask us to correct inaccurate personal information we hold about you.
- Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising. You do not need to opt out because there is nothing to opt out of, but you may submit an opt-out request and we will confirm.
- Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CCPA/CPRA.
- Right of non-retaliation. We will not retaliate against you for exercising any of these rights.
To exercise these rights, email hello@taplinks.com with the subject line “Privacy request, California.” Include:
- Your full name and email address (so we can locate any account).
- The specific right you are exercising.
- Any information that helps us verify your identity (e.g., the email address you used to dial into a device-owner account, or, if you tapped a device and want a copy of the tap record, the approximate date and city of the tap).
We will verify your identity to a degree of certainty that matches the sensitivity of the data and the request. We will respond within 45 days; if more time is needed (up to a further 45 days), we will tell you within the first 45 days and explain why. We will not charge a fee for the first request in a 12-month window.
Authorized agents. You may use an authorized agent to submit a request on your behalf. We may require the agent to provide written permission from you and we may require you to verify your identity directly.
7.2 All visitors
You can:
- Stop visiting our website.
- Sign out of your dashboard account at any time (Sign Out link at the top right of the dashboard).
- Ask us to delete your dashboard account by emailing hello@taplinks.com. Account deletion typically takes 30 days to propagate through our backups.
- Stop tapping Tap Links devices. Each tap is a discrete event; we do not maintain a persistent identifier for any individual person who taps devices.
If you are an end user who tapped a device and would like the tap record removed, we will honor your request to the extent we can identify the tap (typically: approximate date, approximate region, and the device owner’s business). Because we do not collect personally identifying information from tapping, we may not be able to identify your specific tap with certainty.
8. Data security
We follow industry-standard practices for an organization of our size:
- TLS in transit; no unencrypted endpoints.
- Magic-link sign-in (no password reuse risk).
- Two-step click verification on magic links to defeat email-scanner prefetch attacks (Mimecast, Proofpoint, Microsoft Defender for O365, Barracuda).
HttpOnly,Secure,SameSite=Strictsession cookies.- AES-128 cryptographic locking on NFC devices by default, with key management designed so that the customer-facing application has no runtime access to keys.
- Separation of production and staging databases, with auditable rollback runbooks for client-data operations.
For the full security architecture, see our Security Overview.
No system is perfectly secure. We will notify affected customers and, where required, regulators or affected individuals, if we discover a breach of security that involves their personal information. Notice will be given consistent with applicable state breach-notification laws (including New York General Business Law § 899-aa and California Civil Code § 1798.82).
9. Children
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it. If you believe we have collected information from a child under 13, please email hello@taplinks.com.
10. Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Effective date” at the top of this page and, for material changes, we will provide reasonable notice (e.g., a notice on the dashboard, an email to dashboard account holders, or a banner on the marketing site) before the change takes effect.
A change is “material” if it (1) expands the categories of personal information we collect, (2) expands the purposes for which we use personal information in a way you would not expect, (3) introduces a sale, sharing, or new category of recipient that you would not expect, or (4) reduces your rights or available choices.
11. Contacting us
By email: hello@taplinks.com (for privacy questions or requests) or hello@taplinks.com (for legal notices).
By mail:
Mace Design LLC Attn: Privacy 276 Greenpoint Ave., Unit 9306 Brooklyn, NY 11222