1. Preamble

    1. At Tappo we take data protection seriously and we are dedicated to providing our users with a protected data environment. The present policy aims at safeguarding Tappo’s compliance with data protection and privacy regulations.


  2. Introduction

    1. The present policy outlines Tappo’s stance on the protection of all personal data, derived from our employees or customers or individuals otherwise related to Tappo.

    2. This Policy concerns all members of the Tappo Team. Everyone on the team is responsible for familiarising themselves with this policy. Everyone on the team must also follow the standards set out in this policy when handling personal data.

    3. All Tappo employees are obliged to attend training based on the provisions of this policy.

    4. Employees have constant access to additional in-house resources (‘Data Protection Internal Guide’) to help them understand data protection law. They are expected to comply with data protection law and this policy at all times. Failure to do so could result in disciplinary action.

  3. Scope

    1. The proper and lawful processing of personal data is of vital importance to Tappo and a shared responsibility amongst all employees. A serious data protection breach by Tappo could result in fines of up to 20 million euros or 4% of its annual worldwide turnover, whichever is higher.

    2. Tappo constantly ensures that all members of its team remain compliant, through regular training, internal monitoring, and policies.

    3. Tappo, as a limited company, is not obliged to appoint a Data Protection Officer (DPO) as long as its core activities do not involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data or of criminal convictions and offences data.

    4. Tappo can voluntarily appoint a DPO, whose details will have to be registered with the Information Commissioner’s Office (ICO).

    5. Until Tappo chooses to appoint a DPO, all data protection and privacy concerns can be directed to Tappo’s Privacy Manager.

    6. Tappo’s Privacy Manager is responsible for maintaining the present policy.

    7. Please refer to Tappo’s Privacy Manager or appointed DPO, if you are unsure or require any clarification regarding data protection (see section 9).

  4. What Data does Tappo Collect and Process and Why?

    1. Tappo aims to provide the best possible services to its users. Some of the data we collect is necessary for our app and website to function properly.

    2. Tappo will only allow third party tracking on its website where that is necessary or consented to by the website visitors.

    3. Upon registering as a user or merchant, or starting your employment with Tappo, you may need to undergo identity verification. We conduct this externally through Sum and Substance Ltd. Sum and Substance are registered with the Information Commissioner’s Office, are ISO/IEC 27001 compliant, and support 256-bit TLS encryption on all devices. You may find out more about their data protection approach at:
      https://sumsub.com/consent-to-personal-data-processing/.

    4. All cookies currently set at supertappo.app are used for functional purposes only. Specifically, we may use cookies to operate our open banking ecosystem (namely, Token i.o.). We may use the browser’s local storage for the same purposes.

    5. User data may be shared with Token i.o. for the operation of open banking, with cookies being stored on Token i.o.’s website.

    6. User data may be shared with merchants and other third parties (e.g. banks) so that orders and other instructions (e.g. bookings) given by the users can be completed.

    7. Upon registration we will require your full name, address and bank details for the operation of the app. We may need to verify your identity to provide full access to the features of the application. In that event we may ask you for proof of ID.

    8. We use Google Analytics to better understand our audience and improve our website.

    9. We may create statistics based on user activity at the back end of our website. All information will be anonymised or pseudonymised.

    10. We may collect data when you use our app to make purchases, orders or money transfers. This may be tracked and used as statistical data to help us better understand how users benefit from Tappo. In that event, your data will be pseudonymised or anonymised where possible.

    11. To keep our services secure, all traffic between the app or website and our servers is protected by TLS (still commonly referred to as SSL). This is encryption in transit; the negotiated cipher suites provide 256-bit symmetric encryption.

    12. All sensitive information stored in Tappo’s database is encrypted at rest using AES. Requests between the client and the server are authenticated using JSON Web Tokens (JWT). A JWT identifies and authorises the caller; it does not encrypt the traffic itself, whose confidentiality relies on the TLS protection described above.

  5. Key principles

    1. In line with the requirements of data protection regulation:

    2. We process data lawfully, fairly, and transparently.

      1. Processing is lawful and fair under the GDPR where, for example:

        1. Tappo has obtained a valid Consent from users.

        2. Processing is necessary for the performance of a contract with the user.

        3. Processing forms part of our compliance obligations.

        4. Processing is necessary to protect the vital interests of a user or of another person.

        5. Other lawful grounds set out in Art. 6 of the GDPR.

      2. Tappo must determine the legal basis for collecting and processing user personal data prior to doing so.

      3. Transparency requires that users are notified prior to data collection. Tappo will provide privacy notices to users. These will include detailed and precise information regarding the data collection and processing. This information must include: the details of Tappo and of its DPO, should it choose to appoint one, and the reasons for and manner in which data will be used, processed, disclosed, protected, and retained.

      4. Privacy Notices will be written in simple language and be easily accessible.

    3. Data is only collected under lawful reasons for limited purposes, which are clearly identified and stated prior to collection (i.e. purposes that are specified, explicit and legitimate).

      1. Processing of data by Tappo must not exceed or contradict these limited purposes.

      2. Personal data should not be processed for new or additional purposes other than the ones disclosed prior to collection. For this to be lawful, Tappo is required to notify the data subject and refresh their consent if applicable.

    4. We will only collect data that is essential, adequate, relevant, and limited to the reason for processing.

      1. Tappo’s employees will only collect and process personal data obtained by Tappo in the course of their employment and not for other unrelated purposes.

      2. When the personal data collected and processed is no longer needed, Tappo will ensure that it is deleted or pseudonymised.

    5. We will ensure that all data remains accurate and up-to-date.

      1. Tappo employees must ensure that incorrect data is promptly rectified or destroyed.

      2. The relevance of data must be regularly monitored.

    6. We store all our data in a form which protects the data subject’s identity and only for as long as necessary for the purposes of processing.

      1. Tappo will anonymise or pseudonymise data as soon as this is possible and permissible given the purposes of processing.

      2. Tappo will ensure that no personal data is kept in its records for longer than necessary for the purposes for which it is held. This may be up to seven years after collection, as this covers the limitation period for bringing a legal claim. Data may be kept for longer where the law establishes a longer minimum retention period.

      3. We will destroy or erase from our databases all personal data that is not necessary to remain in our system.

      4. Through a privacy notice, Tappo’s users will be aware of the time window for which their data will be kept and the manner in which that was decided.

    7. We process data with integrity, in a secure and safe manner, and have implemented technical and organisational measures accordingly.

      1. In accordance with our Information Security Policy, we have established secure technical and organisational measures to prevent and respond to unauthorised or unlawful processing. Through these measures we also prevent accidental erasure or other kinds of damage.

      2. Our Information Security Management System, as outlined in our Information Security Policy, ensures that all data records, whether kept online or in physical form, remain safe, and that data collection is secure. That policy sets out, in accordance with the provisions of ISO/IEC 27001, how Tappo methodically addresses information security: how Tappo’s representatives, its body of policies, and the measures and controls in place identify and respond to threats to data processing. The Information Security Management System aims to prevent technology-driven attacks and to respond to them appropriately.

      3. Tappo remains committed to continuously developing and maintaining safeguards and will regularly examine their effectiveness.

      4. We will only share our users’ personal data with third parties where that is necessary, always on lawful grounds, and on the condition that they have implemented equivalent privacy policies and security measures.

      5. We retain all data confidentially, ensuring that only authorised personnel access user personal data.

      6. We collect and process data with integrity, ensuring that all information is accurate and relevant to the purpose of collection and processing.

      7. Everyone at Tappo has a duty to comply with, and never to avoid or bypass, any of the measures established to protect personal data.

    8. We process data on the basis that users retain their rights as data subjects and can have access to their own data promptly.

    9. Tappo will not send any kind of personal data outside the UK unless this is necessary and the safeguards required by law are in place.

    10. Tappo is responsible for demonstrating compliance with data protection regulations at all times.

  6. Consent

    1. Valid consent is one of the lawful bases under the GDPR on which Tappo can process personal data. Consent can be given either by an express statement or by a clear affirmative action. This section outlines Tappo’s understanding of valid consent in accordance with data protection law.

    2. For consent to be valid, it must be active. Any agreement to collection and processing through pre-ticked boxes, absence of action, or any other sort of inactivity cannot and will not be accepted as valid consent.

    3. Consent will always only be valid for the specific issue agreed upon and never for peripheral matters. All consent documents must be stored individually based on the matters they relate to.

    4. Tappo will ensure at all times that users and employees whose data are stored and processed by Tappo will be able to easily withdraw their consent. Following such action, withdrawal will take immediate effect.

    5. If Tappo wishes to process data for purposes additional to those originally agreed, it will refresh its consent request.

    6. Tappo will need explicit consent, i.e. consent given in express words rather than merely by action, in order to process special category data, should that need arise. Such consent will be subject to an easily understandable Privacy Notice to which the data subject will have to explicitly agree.

    7. Tappo will always keep an active and well-maintained record of all Consent it has captured, as evidence of its compliance.

    8. Tappo Pay Ltd is the registered agent of Moneyhub Financial Technology Ltd (“Moneyhub”) who is authorised and regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 (reg. no. 809360) for the provision of payment services. Head office Regus House, 1 Friary, Temple Way, Bristol, BS16EA. Email: support@moneyhub.co.uk.

  7. Reporting a Personal Data Breach

    1. Tappo is required to report to the Information Commissioner’s Office, within 72 hours of becoming aware of it, any Personal Data Breach that is likely to result in a risk to individuals’ rights and freedoms. Where a breach is likely to result in a high risk to the individuals concerned, Tappo will also notify the users or employees affected by the breach.

    2. Everyone at Tappo who notices or suspects a Personal Data Breach should contact the DPO or the designated point of contact for Personal Data Breaches. Any evidence regarding the breach should be preserved.

  8. Transfer limitation

    1. In accordance with the GDPR, Tappo will not transfer, or make accessible, any of the data collected in the UK to countries outside the EEA that do not maintain an equivalent data protection regime, as approved by the European Commission.

    2. Tappo’s team is international, which means that some members of our team are located in countries outside the EEA and the approved equivalent countries. Should they need to access personal data collected in the UK for lawful purposes, Tappo will first implement Binding Corporate Rules approved by the competent Data Protection Authority. Tappo will never share, send, or allow access to personal data collected in the UK to individuals located in a non-approved country without lawful authorisation.

  9. User and Employee rights and requests

    1. If a Tappo user or employee makes any request regarding their personal data, Tappo will first verify their identity. Tappo will not engage with third parties in the management of a user or employee’s personal data. Tappo must respond to such requests within one month.

    2. All requests relating to a user or employee’s personal data must be reported to Tappo’s DPO or Privacy Manager, or to another senior member of Tappo.

    3. All individuals (You) from whom Tappo collects personal data have certain rights.

      1. Tappo must inform such persons about the collection and use of their personal data.

      2. You have the right to access your own personal data and supplementary information.

      3. You have the right to have inaccurate data rectified or incomplete information completed.

      4. You have the right to object to processing where there are no overriding legitimate grounds for the processing.

      5. You have the right to ‘be forgotten’ and ask Tappo to erase all personal data held about you. This can apply when:

      6. You may have the right to restrict processing in specific cases. This will allow Tappo to keep your data but not use it in any way.

      7. You have the right to request all the data that Tappo holds in a downloadable and easily accessible format, to reuse with other service providers.

      8. To raise a complaint or ask a question regarding data protection directly with us, you can contact Tappo at info@supertappo.com or by calling 020 8064 0110.

      9. You have the right to withdraw your consent at any time, where processing is based on consent.

      10. You have the right to complain to the Information Commissioner’s Office. Find out more at:
        https://ico.org.uk/make-a-complaint/

      11. You have the right to object to processing that could lead to damage or distress to you or someone else.

      12. You have the right to object to decisions based solely on automated processing (see the section on Automated Processing and Decision Making below).

      13. You have the right to access a copy of a data security agreement in the event that Tappo transfers your personal data outside of the EEA.

  10. Accountability

    1. As per our Information Security Policy Tappo is responsible for establishing the necessary technical and organisational measures to remain compliant with data protection law. Tappo must be able to demonstrate this at all times.

    2. Tappo will consider privacy at the initial stages and throughout the development of its products.

    3. Tappo will regularly train its team on privacy law through repeated courses and will have evidence of the successful training completion.

    4. Tappo’s privacy measures are tested periodically to ensure standards are met.

  11. Record keeping

    1. Tappo will constantly ensure its records are complete, accurate, and up to date.

    2. This includes all evidence documenting consent.

    3. A complete record consists of at least:

      • Name and contact details of the person responsible for managing Tappo’s privacy concerns (DPO or other).

      • Specific and detailed information on:

        • The Personal data types,

        • Target data subjects,

        • Processing activities and purposes,

        • What third parties the data is shared with,

        • Where the data is being stored,

        • Details if the data has been transferred abroad,

        • Data retention periods,

        • The security measures in place.

  12. Automated Processing and Decision Making

    1. Under the GDPR, decisions based solely on automated processing (ADM) that produce legal or similarly significant effects on an individual are not allowed, with the following exceptions:

        • The user or employee explicitly consents

        • ADM is permitted by law

        • ADM is necessary for the performance of a contract.

    2. If Tappo engages in ADM, users and employees affected will be notified in clear and simple language so that they may provide Tappo with processing consent or object to the processing. The notice will include the rationale behind the decision making, its importance, relevance, and potential consequences. Users and employees affected have the right to request human intervention in the processing, voice their opinion, or question the outcome.

    3. Prior to an ADM or any kind of Automated Processing, Tappo will ensure it has completed a Data Protection Impact Assessment.

  13. Direct marketing

    1. We are subject to certain rules and privacy laws when marketing to our customers.

    2. For example, user consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers known as “soft opt-in” allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar products or services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

    3. The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

    4. A Data Subject’s objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
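The suppression approach described in the previous item, and the commitment in the key principles to store data in a form that protects the data subject’s identity (pseudonymisation), can both be implemented with the same keyed-hash technique. The following is an added example, not code from Tappo’s systems: it retains only HMAC-SHA256 pseudonyms of normalised e-mail addresses, so that an opt-out can still be honoured after the raw address has been deleted from the marketing records. A plain unkeyed hash would not do, because it can be reversed by hashing a list of candidate addresses. The key is assumed to be held in a secrets store separate from the database, and the addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import FrozenSet, List, Set


def normalise_email(email: str) -> str:
    """Canonicalise an address so that case or whitespace differences cannot
    be used to slip past a suppression check or split one person's data
    across two pseudonyms."""
    return email.strip().lower()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Return a keyed pseudonym (HMAC-SHA256) of an identifier.

    A plain hash of an e-mail address can be reversed by hashing a list of
    candidate addresses; HMAC with a secret key held separately from the
    data prevents that. The result is pseudonymous, not anonymous: whoever
    holds the key can re-link it, so it remains personal data under the GDPR.
    """
    msg = normalise_email(identifier).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SuppressionList:
    """Marketing suppression list that retains only keyed pseudonyms.

    After an opt-out the raw address is deleted from the marketing records;
    the pseudonym is enough to keep honouring the preference later.
    """

    def __init__(self, key: bytes) -> None:
        # Assumption: the key comes from a secrets store, not this database.
        self._key = key
        self._suppressed: Set[str] = set()

    def opt_out(self, email: str) -> str:
        """Record an objection to direct marketing; returns the stored token."""
        token = pseudonymise(email, self._key)
        self._suppressed.add(token)
        return token

    def is_suppressed(self, email: str) -> bool:
        """True if this address (in any casing) has opted out."""
        return pseudonymise(email, self._key) in self._suppressed

    def stored_tokens(self) -> FrozenSet[str]:
        """What actually persists: 64-character hex digests, no addresses."""
        return frozenset(self._suppressed)


def filter_campaign(recipients: List[str], suppression: SuppressionList) -> List[str]:
    """Drop every recipient who has opted out before a campaign is sent."""
    return [r for r in recipients if not suppression.is_suppressed(r)]


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    key = secrets.token_bytes(32)
    suppression = SuppressionList(key)
    suppression.opt_out("Alice@Example.com ")   # customer objects to marketing
    campaign = ["alice@example.com", "bob@example.com"]
    print(filter_campaign(campaign, suppression))   # ['bob@example.com']
    print(suppression.stored_tokens())              # hex digests only
```

Because the pseudonym is keyed, rotating or destroying the key breaks the link between the stored tokens and any person; until then the tokens are still personal data and must be protected as such, and the key must be accessible only to the service that performs the suppression check.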

  14. Cookies

    1. Tappo may use cookies to understand its users’ online activity. However, cookies can identify an individual, or render an individual identifiable, and so may not be used without consent or another legal ground.

    2. Tappo must obtain users’ consent before setting any cookies, except for strictly necessary cookies.

    3. For the consent to be valid, Tappo must explain thoroughly the use of each cookie and what it tracks to the user in easily understandable language.

    4. All consent given must be documented and stored.

    5. Data subjects must be allowed to use Tappo’s services even without accepting cookies that are not essential to the operation of the website and app.

    6. The option to withdraw consent for cookies’ use must be easily accessible.

  15. Sharing Personal Data

    1. Within Tappo, employees may share personal data with other employees whose position in the company requires them to access the data.

    2. Tappo will only share personal data with third parties when it is lawful to do so, with the appropriate security measures in effect. Specifically, we may share personal data with third parties where:

      1. It is necessary for Tappo to share the information as part of a valid contract.

      2. Users and employees have read and understood a privacy notice under which data sharing is agreed upon, where applicable.

      3. The entity we share the personal data with has implemented and is compliant with equivalent security standards, policies, and procedures.

      4. Sharing does not breach the restrictions on transfers to non-approved countries set out in the Transfer limitation section above.

  16. Changes to this Privacy Standard

    1. Tappo will ensure the present document is regularly updated. The policy was first drafted on the 1st of August 2020 and focuses on Tappo’s operation within the UK.