Privacy Policy
Effective: 11 May 2026
This is the privacy policy for Tap In Tap Out, the mobile app available at tapintapout.com.au and on the App Store / Google Play. We've written it in plain English. If something isn't clear, email us and we'll explain.
Note for legal review. This document is a working draft prepared for a closed beta. Before launching to the public App Store you should have it reviewed by a lawyer familiar with the Australian Privacy Principles (APPs) and any platform-specific requirements.
1. Who we are
Tap In Tap Out ("we", "us") is operated by [Entity name here], based in Queensland, Australia. You can reach us at hello@tapintapout.com.au.
2. What we collect
We only collect what we need to run the app:
- Account info you give us: email address (used as your login), name, nickname, date of birth, gender, who you're interested in, bio, and an optional profile photo.
- Location data: your device's GPS coordinates when you open the app or tap into a moment. Used to figure out which venues are near you and whether you're physically in range to tap in. Location is not stored historically. We only keep the lat/lng of an active tap-in for as long as that tap-in exists.
- Tap-in data: the venue or pin you tap into, the radius, the time you tapped in, the time you left or tapped out, your intent (chat / friends / dating / open), and your per-tap-in share flags.
- Messages: the contents of chats you send to other users. Stored while the conversation exists. Either user can delete the entire conversation, which removes every message immediately.
- Blocks and reports: the user IDs of people you have blocked, and the reason / notes attached to any reports you file.
- Push notification token: if you allow push notifications, we store the Expo push token issued by your device so we can send notifications for new messages.
- Technical info: device type and operating system version, collected by analytics tools used to keep the app running.
We do not collect: your contact list, your photos library (we only read the photo you explicitly pick), your call or SMS history, your browsing history outside the app, or your precise location while the app is closed.
3. How we use it
- Show you who is physically tapped into the same venue or moment.
- Filter people out of your view based on your blocks and theirs.
- Deliver messages to the right person and notify them.
- Enforce the rules (e.g. responding to reports of harassment).
- Improve the app, debug issues, prevent abuse.
We do not use your data to train AI models, sell to advertisers, or build a marketing profile of you.
4. Who we share it with
We use a few service providers to run the app. Each one only gets the minimum they need to do their job.
- Supabase (database, auth, file storage): hosts your account, tap-ins, messages, and profile photo. Servers located in the AWS Australia (Sydney) region.
- Resend (transactional email): sends you the one-time sign-in codes.
- Expo / Google / Apple (push notifications): receives a push token and the notification payload (sender name + a short message preview).
- Cloudflare (web infrastructure): edge proxies and DDoS protection for the website.
We will only share your personal information outside this list if we are required to by law, in a way you have explicitly consented to, or as part of a sale or transfer of the business (in which case we'll notify you first).
5. How long we keep it
- While your account exists: as long as you keep it.
- After you delete your account: we delete your profile, tap-ins, messages, blocks, push tokens, and reports within 30 days. Some records may persist longer in backups, which are deleted on rolling schedules.
- After you tap out of a moment or chat: that data is removed immediately, on both your side and the other user's side.
You can delete your account at any time from Settings → Delete account. That triggers an immediate cascade deletion across all data linked to your user ID.
6. Your rights
Under the Australian Privacy Principles you have the right to:
- Ask us what personal information we hold about you.
- Correct anything inaccurate.
- Delete your account (already a one-tap action in the app).
- Lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) if you think we've mishandled your data.
To request access or correction, email hello@tapintapout.com.au.
7. Security
We use industry-standard practices: row-level security on every database table, encrypted-at-rest storage, encrypted-in-transit connections (HTTPS / TLS), and no shared passwords (we use one-time email codes). No system is perfect, but we take it seriously.
If we ever have a breach affecting your data, we'll notify you and the OAIC in line with the Notifiable Data Breaches scheme.
8. Children
Tap In Tap Out is for users 18 and over. We don't knowingly collect data from anyone under 18. If you believe a child has signed up, email us and we'll remove the account.
9. Changes
We may update this policy. If we change anything material, we'll notify you in-app or by email. The "Effective" date at the top reflects the latest version.
10. Contact
Email hello@tapintapout.com.au for anything in this policy.