Privacy Policy

Last updated: January 2026

1. Introduction

TagTrek ("we", "our", or "us") is operated from England, United Kingdom. We are the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the TagTrek mobile application, website, and related services (together, the "Service").

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Account Information

When you create an account, we collect information provided by your chosen sign-in method (Apple, Google, or Facebook). This typically includes your email address, display name, and profile picture. You may also set a display name manually.

2.2 Tag Information

Information you provide about your tagged items, including: item name and description, item photo, home address, temporary address (e.g. hotel while travelling), contact details (phone number, email address, WhatsApp number), custom messages for each tag mode, and reward information for lost items.

2.3 Scan Data

When someone scans one of your tags, we record the scan timestamp, a one-way hash of the scanner's IP address (the raw IP address is never stored), the scanner's browser user-agent string, and the HTTP referer header. This data helps you know when and how often your tags are scanned, and helps us prevent abuse.

2.4 Messaging Data

If a finder starts an anonymous conversation about your tag, we store the chat messages exchanged between you and the finder, the finder's chosen display name (which defaults to "Finder"), and message timestamps and read status. Finders are not required to create an account or provide any personal information beyond a display name.

2.5 Device and Notification Data

If you enable push notifications, we store your device's push notification token, device type (iOS or Android), and your notification preferences (e.g. which events trigger notifications, quiet hours settings).

2.6 Session Data

When a finder verifies themselves via CAPTCHA to view a tag page, we create a temporary session containing a hashed IP address and user-agent string. These sessions expire automatically after 30 minutes of inactivity and are used solely to prevent automated access and URL sharing.

2.7 Subscription Data

We store your subscription tier (free or premium) to determine which features and advertising settings apply to your account. Payment processing is handled entirely by Apple (App Store) or Google (Google Play); we do not receive or store your payment card details.

3. How We Use Your Information

We process your personal data on the following lawful bases under UK GDPR Article 6:

3.1 Contract Performance

To provide the TagTrek service: creating and managing your tags, delivering scan notifications, facilitating anonymous messaging between finders and tag owners, and managing your account and subscription.

3.2 Legitimate Interests

To maintain the security and integrity of our Service: rate limiting to prevent abuse, CAPTCHA verification to block automated access, IP hashing for session validation and anti-sharing protection, and monitoring for prohibited conduct.

3.3 Consent

Where we rely on your consent, including: delivering personalised advertisements (you are asked for consent via the GDPR consent prompt and, on iOS, the App Tracking Transparency prompt), and sending push notifications to your device. You may withdraw consent at any time (see Section 12).

3.4 What We Do Not Do

We do not use your data for research or analytics purposes. We do not engage in profiling or automated decision-making. We do not sell, rent, or trade your personal data to any third party.

4. Advertising

Users on the free tier may see advertisements served by Google AdMob. If you are on the premium tier, no advertisements are shown.

On iOS, we request your permission via Apple's App Tracking Transparency (ATT) prompt before enabling personalised ads. If you decline, only non-personalised ads are shown. On Android, Google may collect the Android Advertising ID (AD_ID) for ad personalisation.

Google AdMob may collect device information, ad interaction data, and identifiers to serve and measure advertisements. You can opt out of personalised advertising through your device's privacy settings or by upgrading to a premium subscription.

For more information, see Google's Privacy Policy.

5. Third-Party Services

We use the following third-party services to operate TagTrek:

  • Supabase — Database hosting, user authentication, file storage (photos and avatars). Data is hosted in the United States.
  • Expo (Expo Application Services) — Push notification delivery to your device.
  • Cloudflare — CAPTCHA verification (Turnstile) to prevent automated and bot access to tag pages.
  • Google AdMob — Advertisement serving for free-tier users.
  • RevenueCat — Subscription and in-app purchase management. RevenueCat receives your anonymous app user ID and purchase transaction data from the App Store or Google Play to manage your subscription status. RevenueCat does not receive your name, email, or other personal details.
  • Apple, Google, Facebook — OAuth authentication only. We receive your name, email, and profile picture during sign-in; these providers do not receive your TagTrek usage data from us.

We do not sell your personal data to any third party. Data is shared with the services above only to the extent necessary to operate the Service.

6. International Data Transfers

Our database and backend services are hosted by Supabase in the United States. Where your personal data is transferred outside the United Kingdom, we ensure that the recipient country or organisation provides a standard of data protection that is not materially lower than that provided under UK law, relying on appropriate safeguards such as standard contractual clauses or adequacy decisions.

7. Data Retention

  • Account and profile data: Retained until you delete your account.
  • Tag data: Retained until you delete the tag or your account.
  • Scan records: Retained indefinitely (contain only hashed IP addresses, not raw IPs).
  • Conversations and messages: Conversations are automatically archived after 30 to 90 days. Messages are soft-deleted (hidden from view) rather than permanently erased, and are removed when your account is deleted.
  • Rate limit records: Automatically deleted after 1 hour.
  • Finder sessions: Automatically expire after 30 minutes of inactivity.
  • Push notification tokens: Retained until your device is unregistered or the token becomes invalid.

When you delete your account, all associated data (profile, tags, conversations, messages, and notification tokens) is permanently deleted.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Request correction of inaccurate or incomplete data.
  • Right to erasure — Request deletion of your personal data (you can also delete your account directly in the app).
  • Right to restriction — Request that we limit how we process your data.
  • Right to data portability — Request your data in a structured, machine-readable format.
  • Right to object — Object to processing based on legitimate interests.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@tagtrek.app. We will acknowledge your request within 30 days and respond within one month as required by law. If we need more time (up to two additional months for complex requests), we will inform you within the initial one-month period.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Data Security

We take appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of all data in transit (HTTPS/TLS).
  • Row-level security policies ensuring users can only access their own data.
  • One-way hashing of IP addresses — raw IP addresses are never stored.
  • Anonymous finder identification via tokens rather than personal accounts.
  • Automatic session expiry for CAPTCHA-verified access (30 minutes).
  • Rate limiting on all public endpoints to prevent abuse.

10. Children's Privacy

TagTrek is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will promptly delete it.

11. Cookies and Local Storage

The TagTrek mobile app uses on-device storage (AsyncStorage) to store your authentication session, GDPR consent status, and notification preferences. This data remains on your device and is not transmitted to third parties.

The TagTrek finder web page uses a browser cookie and localStorage to store your CAPTCHA verification session token. This cookie expires after 30 minutes and is used solely to maintain your verified access to a tag page.

12. Privacy Controls Available to You

TagTrek gives you control over your data and visibility:

  • Private Mode: Hide all tag information from finders unless the tag is set to Lost mode.
  • Contact visibility toggles: Choose independently whether to show your phone, email, or WhatsApp on each tag.
  • Address control: Choose to display a temporary address instead of your home address while travelling.
  • Notification settings: Control which events trigger notifications and set quiet hours.
  • GDPR consent: Grant or withdraw consent for data processing via the in-app consent prompt.
  • ATT consent (iOS): Grant or deny app tracking permission for personalised ads.
  • Account deletion: Permanently delete your account and all associated data from the app settings.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. If the changes significantly affect how we process your data, we will prompt you to review and re-consent via the in-app GDPR consent mechanism.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, you can reach us at: