Privacy statement

This statement explains which personal data Link A Tap processes, why, for how long, and with which parties.

Last updated: 27 April 2026

1. Data controller

Link A Tap
Saturnusstraat 21
2402 AD Alphen aan den Rijn, Nederland
Chamber of Commerce: 33235351 — VAT: NL002093851B89
For privacy questions, use the contact page.

2. Data we process

2.1 Account and order

  • Name, email address, phone number (optional)
  • Billing address and — if different — shipping address
  • VAT number and Chamber of Commerce number (business customers only)
  • When signing in via Google: your Google account identifier, name and email address from your Google profile

2.2 Order and invoice data

  • Order contents, your card design, uploaded or AI-generated logos
  • Amount, currency, payment status and a reference to the Stripe payment
  • Shipping details and track & trace number via MyParcel/PostNL
  • Invoices (PDF) — required by law to be retained for at least 7 years

2.3 Use of your cards

When someone taps an NFC card or scans the QR code, we record per scan: timestamp, IP address, user agent and (if supplied) the referring URL. We show this data to you, the card owner, in your dashboard so you can see how often your cards are used. We do not use this data for profiling or marketing.

2.4 Cookies and sessions

We only set functional cookies: a session cookie to remember your order flow, an authentication cookie when you are logged in, and a security token to protect forms against abuse. No analytics cookies, no tracking, no marketing cookies, no advertising partners. A cookie banner is therefore not required.

2.5 Server logs

Our web server records standard access logs per request: timestamp, IP address, requested URL, status code and user agent. We use these logs for security, troubleshooting and aggregated visitor statistics (processed with GoAccess, server-side, without cookies). We do not use the logs for profiling or marketing and we do not share them with third parties.

3. Purposes and legal bases

  • Performance of the contract — processing orders, payments, printing, shipping, invoicing and providing customer service.
  • Legal obligation — retaining invoices and accounting records as required by tax law.
  • Legitimate interest — showing scan statistics to the card owner, preventing fraud and securing the service.
  • Consent — if you use AI logo generation, your keywords and any uploaded image are sent for processing; this happens only at your initiative.

4. Processors and third parties

We run on our own infrastructure in the Netherlands. For specific functions we do, however, use the following external processors:

  • Stripe Payments Europe Ltd. (Ireland) — payment processing. We do not receive credit-card or bank details; these are provided directly to Stripe. We only receive a reference and the payment status.
  • MyParcel BV / PostNL — shipping. Name, address, phone number and email address are shared to create labels and track & trace.
  • Google Ireland Ltd. — (a) optional sign-in via Google; (b) address suggestions while you fill in your billing or shipping address (Google Places). When used, your input is sent to Google.
  • OpenAI Ireland Ltd. — only when you use AI logo generation or improvement: your keywords and/or uploaded image are sent to OpenAI to generate a logo.
  • European Commission (VIES) — when you enter a foreign EU VAT number, that number is sent to the official VIES validation service to verify its validity.

Where the GDPR requires it, a data-processing agreement is in place with each of these parties. Any transfer outside the EEA takes place only under the European Commission's standard contractual clauses.

In the event of a business acquisition, merger or sale of business activities, customer data may be transferred to the acquiring party. We notify customers at least 30 days in advance via the last known email address, so that they can exercise their rights before the transfer if they wish.

5. Retention periods

  • Invoices, order data and payment data: 7 years (statutory tax retention period).
  • Account and related customer data: as long as your account is active. After cancellation we retain only the legally required accounting records.
  • NFC card scan events: 13 months; afterwards anonymised or deleted.
  • Server access logs: 12 months; deleted afterwards.
  • Uploaded and generated logos: until you delete them or cancel your account.
  • Messages submitted via the contact form: 1 year after the last contact.

6. Security

Connections use TLS (HTTPS). We do not store passwords ourselves — authentication runs through Google OAuth. Access to administration is restricted and logged. We make reasonable efforts to secure your data, but full security on the internet can never be guaranteed.

7. Your rights

Under the GDPR you have the right to access, rectification, erasure, restriction of processing, data portability and objection. You can submit a request via the contact page; we respond within four weeks. You may also lodge a complaint with the Dutch Data Protection Authority.

8. Changes

We may update this privacy statement. For substantive changes we publish a clear notice on the website. The date at the top shows when the text was last updated.