Legal
Privacy Policy
Last updated June 3, 2026
01What Tapgift is
Tapgift is a Shopify app that lets a buyer (the “Sender”) send a physical gift to someone else (the “Recipient”) by entering only the Recipient's email address at checkout — or by sharing a private gift link themselves. The Recipient opens the link and enters their own shipping address.
02Data we collect
- Sender data - name and email (from your Shopify order) and the personal message you write.
- Recipient data - email address (entered by the Sender when the Sender chooses email delivery), and the name and shipping address the Recipient enters on the claim page.
- Merchant data - Shopify shop domain, store name, access token (encrypted at rest), and aggregate metrics about gift orders.
- Operational logs - timestamps, event types, the IP address and user agent of the device used to claim the gift, and email delivery / bounce events from our email provider.
03Why we collect it
Strictly to operate the gifting flow: email the Recipient (or give the Sender a link to share), accept the Recipient's address, update the order in Shopify, and notify the Sender of the outcome. We do not sell data or use it for advertising.
04Where we send data
- Resend - our email provider. Sends the gift notification and reminders to Recipients, and order updates to Senders. Resend receives the recipient/sender email address and the message body (which includes the claim link).
- Google Places - validates the Recipient's typed address. The search query and the resolved place are sent to Google.
- Shopify - receives the verified shipping address and applies it to your order.
05Retention
Gift records are kept for 90 days after the gift is claimed, expired, or refunded, then automatically deleted. Aggregate metrics (counts, percentages — no PII) are kept indefinitely.
06Your rights (GDPR, CCPA)
Recipients and Senders may request a copy of, or deletion of, their data by emailing privacy@tapgift.app. Merchants whose shops are installed with Tapgift can also use Shopify's built-in GDPR webhooks (customers/data_request, customers/redact, shop/redact) — Tapgift implements these per Shopify policy.
07Security & data protection
All data is encrypted in transit (TLS) and at rest. Merchant Shopify access tokens are additionally encrypted at the application layer (AES-256-GCM). Tapgift runs on Vercel and Supabase, both SOC 2 Type II certified, and database backups are encrypted.
Access control. We follow least privilege: production data is accessible only to authorized operators, protected by strong passwords and multi-factor authentication. Application secrets are stored as encrypted environment variables, never in source code. Access to systems holding personal data is logged at the infrastructure layer (Supabase, Vercel) and material actions on a gift are recorded in an in-app event audit log.
Incident response. If we become aware of a personal-data breach, we contain it, assess its scope, and notify affected merchants without undue delay — and within 72 hours where required by law — together with Shopify where the breach involves merchant customer data, followed by a remediation review.
08Children
Tapgift is not intended for users under 18. If an email address belonging to a minor is entered, the Recipient or their guardian may request immediate redaction.
09Email opt-out
Every gift email we send to a Recipient includes a one-click unsubscribe link and our physical mailing address, as required by the U.S. CAN-SPAM Act. Unsubscribing immediately stops further Tapgift emails to that address. Our emails are strictly transactional (gift delivery and reminders) — we never send marketing email.
10Changes
We will update this page if our practices change. Material changes will be communicated to merchants via in-app banner.