Privacy Policy
Effective: [LAUNCH_DATE] · Last updated: [LAUNCH_DATE]
Tapora ("we", "us", "our") provides a credit card recommendation app that helps
you choose which of your own credit cards earns the best rewards at nearby merchants.
This Privacy Policy explains what information we collect, why, how we protect it,
and your choices.
This policy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA)
of Canada and Apple's and Google's respective platform requirements.
1. Information we collect
1.1 Information you provide
- Email address — only if you choose to sign in. Used solely to authenticate you and sync your card list across devices. We never send marketing emails without your explicit opt-in.
- Cards you own — you select cards from a built-in catalog (e.g. "Amex Cobalt", "CIBC Dividend Visa Infinite"). We do not ask for, collect, store, or transmit your actual credit card numbers, expiry dates, CVVs, or any payment-related information.
1.2 Information collected automatically
- Approximate device location — used in real time to find merchants near you. Collected only while the app is open and only if you grant permission. Not stored on our servers.
- Device language and OS version — for diagnostics and crash reporting.
1.3 Information from third parties
We rely on the following third-party services to operate Tapora. Each receives a limited subset of your data:
| Service | What it receives | Purpose |
|---|
| Google Places API (Google LLC) | Your approximate location and search query text | Return nearby or matching merchants |
| Logo.dev (Logo.dev Inc.) | Domain name of merchants displayed | Fetch merchant brand logos |
| Supabase (Supabase Inc.) | Your email address and the IDs of cards you've selected | Authentication and cross-device sync |
| Resend (Resend Inc.) | Your email address | Deliver sign-in verification codes |
These providers process data on our behalf under their own privacy policies and data processing agreements.
2. How we use your information
We use the information we collect to:
- Detect merchants near your location and identify the right reward category
- Recommend the highest-earning card from your saved list for that category
- Authenticate sign-in requests via short-lived 6-to-8-digit codes
- Synchronize your saved card list across your own devices
- Diagnose crashes and improve product reliability
We do not:
- Sell your data to anyone, ever
- Use your data for advertising or build behavioural profiles
- Share your card list with banks, advertisers, affiliates, or any third party
- Track you across other apps or websites
3. Data retention
- Your email and card list are retained until you delete your account (see Section 6) or 24 months after your last sign-in, whichever comes first.
- Location data is processed only in real time and is never written to our servers.
- Sign-in codes expire after 1 hour or upon use.
4. Data security
- All data in transit between the app and our backend uses HTTPS / TLS encryption.
- Our backend (Supabase) enforces row-level security so your card list is only accessible by your authenticated session.
- We use a publishable key in the mobile app that has read/write access only to your own rows, never to other users' data.
- We never see, store, or process credit card numbers — there is nothing payment-sensitive to leak.
5. Children's privacy
Tapora is not directed at children under 13. We do not knowingly collect data from
children under 13. If you believe a child under 13 has used Tapora, contact us at
the email below and we'll delete the account.
6. Your rights and choices
Under PIPEDA you have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your account and all associated data
- Withdraw consent by signing out and uninstalling the app
- Withdraw location permission at any time via your device's settings
To exercise any of these rights, email privacy@tapora.ca. We respond within 30 days.
7. International users
Tapora is operated from Canada and primarily serves Canadian users. If you use Tapora
from outside Canada, your information will be transferred to and processed in Canada
and the United States (where some sub-processors operate). By using Tapora you
consent to this transfer.
8. Changes to this policy
We'll notify you of material changes via in-app notice or email at least 30 days
before they take effect. Continued use of Tapora after changes take effect indicates
acceptance.
9. Contact
Tapora
Email: privacy@tapora.ca
Website: https://tapora.ca
For complaints, you may also contact the Office of the Privacy Commissioner of Canada
at priv.gc.ca.