Privacy Policy – TapToPay

Last updated: 14 November 2025
Operated by: Joelsa Ltd (Company No. 09425232)

Joelsa Ltd ("we", "us", "our") operates the TapToPay mobile application and the website joelsapos.com (the "Service"). We are committed to protecting your privacy and complying with the UK GDPR, the Data Protection Act 2018, the EU GDPR (where applicable), and all other relevant data protection laws.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use TapToPay and our related services.

1. Information We Collect

TapToPay is designed to collect and store the minimum amount of personal data necessary. We do not collect card numbers, CVC, PINs, or other sensitive payment details. All payment data is processed directly by Stripe.

1.1 Email Address

We collect your email address when you:

• Sign up for a TapToPay merchant account.
• Log into the app.

We use your email address to:

• Create and manage your TapToPay user account.
• Identify you in our merchant database.
• Connect you to a Stripe account via Stripe Connect.
• Send essential account-related communications (for example, onboarding reminders or legal notices).

1.2 Merchant Account Metadata

When you connect to Stripe using TapToPay, we may store limited metadata, such as:

• Your Stripe Connected Account ID.
• Your onboarding status (for example, complete / incomplete).
• Basic integration status flags (for internal system tracking).

1.3 Device & Technical Information (Non-Personal)

We may collect anonymous technical information about the device you use, such as:

• Device model and operating system version.
• App version.
• Crash logs and basic diagnostics.

This data does not identify you personally and is used only to improve performance, troubleshoot issues, and enhance security.

1.4 Data We Do Not Collect

We do not collect or store:

• Card numbers or CVC codes.
• Payment card PINs.
• Bank account numbers.
• Billing or shipping addresses.
• Phone numbers.
• Location data (GPS).
• Any "special category" sensitive data (for example, health, religion, political opinions).
• Your end-customers’ card details or personal data (payments are handled directly by Stripe).

2. Stripe & PCI Compliance

TapToPay uses Stripe services (including Stripe Terminal, Stripe Connect, and Tap to Pay APIs) to process payments and manage merchant accounts.

2.1 We Do Not See or Store Card Data

All card-present payment data is handled directly by Stripe. Stripe is responsible for:

• Collecting and encrypting card data.
• Processing and authorising payments.
• Storing payment information (when applicable).
• Maintaining PCI DSS (Payment Card Industry Data Security Standard) compliance.

This means TapToPay never stores or has direct access to raw card data from you or your customers.

2.2 Stripe’s Security & Policies

Stripe is a PCI DSS Level 1 certified service provider. For more information about how Stripe handles data and security, please refer to:

• https://stripe.com/privacy
• https://stripe.com/docs/security

3. How We Use Your Information

3.1 To Provide the TapToPay Service

We use your data to:

• Create and maintain your TapToPay merchant profile.
• Authenticate your access to the app.
• Connect your account to Stripe using Stripe Connect.
• Manage onboarding flows and track completion status.
• Enable you to accept payments via Stripe-based technology.

3.2 To Comply With Legal and Regulatory Requirements

We may use your information where necessary to:

• Prevent fraud or misuse of the Service.
• Respond to lawful requests from regulators or law enforcement.
• Maintain business records, accounting, and audit logs.

We do not use your data for advertising, profiling, or selling to third parties.

4. Legal Basis for Processing (UK GDPR / EU GDPR)

We process your personal data under the following legal bases:

4.1 Contractual Necessity

We need to process your email and merchant data to provide the TapToPay Service and fulfil our contract with you.

4.2 Legitimate Interests

We may process data where it is in our legitimate interests to do so, and our interests are not overridden by your rights, including:

• Improving and securing the Service.
• Preventing fraud or abuse.
• Understanding service performance and usage patterns in an anonymised way.

4.3 Legal Obligations

In some cases, we are legally required to process certain data (for example, record-keeping and compliance with financial regulations).

5. Data Storage & Security

5.1 Where We Store Your Data

Your email and merchant details are stored in secure databases with:

• Restricted access controls.
• Appropriate security measures and encryption in transit.
• Regular server maintenance and monitoring.

5.2 Retention Period

We retain your personal information only for as long as necessary to:

• Provide and maintain your TapToPay account.
• Comply with applicable laws and regulations.

As a general rule, if your account remains inactive for more than 24 months, we may securely delete or anonymise your information, unless we are required to keep it longer for legal reasons.

5.3 Data Deletion

You may request deletion of your account data at any time (see Section 7). Note that some data may need to be retained if required by law or for dispute resolution.

6. Sharing of Data

We do not sell or rent your personal data.

6.1 Service Providers – Stripe

We share limited information with Stripe for the purpose of:

• Creating or managing your connected account.
• Processing your payments and payouts.
• Complying with applicable financial regulations.

6.2 Legal Requirements

We may disclose your data where required to do so by law or a valid legal request (for example, a court order or regulator). Where possible and lawful, we will notify you before doing so.

7. Your Rights

Under the UK GDPR and, where applicable, the EU GDPR, you have the following rights:

• Right of access – to know what data we hold about you.
• Right to rectification – to correct inaccurate or incomplete data.
• Right to erasure – to request that we delete your personal data (subject to legal or regulatory requirements).
• Right to restrict processing – in certain circumstances.
• Right to object – to certain types of processing.
• Right to data portability – to receive your data in a structured, commonly used format.
• Right to withdraw consent – where processing is based on consent.
• Right to lodge a complaint – with your local data protection authority, such as the Information Commissioner’s Office (ICO) in the UK.

To exercise any of these rights, please contact us at: support@joelsapos.com.

8. Children’s Privacy

TapToPay is intended for business users aged 18 and over. We do not knowingly collect personal information from children. If you believe that a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

9. International Data Transfers

Stripe and other infrastructure providers may process data in multiple jurisdictions. Where personal data is transferred outside the UK or European Economic Area (EEA), appropriate safeguards are used, such as Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or business changes. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how your data is handled, please contact:

📧 Email: support@joelsapos.com
🧑‍💼 Company: Joelsa Ltd (Company No. 09425232)