tapgift.

Legal

Privacy Policy

Last updated May 22, 2026

01What Tapgift is

Tapgift is a Shopify app that lets a buyer (the “Sender”) send a physical gift to someone else (the “Recipient”) by entering only the Recipient's phone number at checkout. We text the Recipient a private link where they can enter their own shipping address.

02Data we collect

  • Sender data — name, email, phone (from your Shopify order) and the personal message you write.
  • Recipient data — phone number (entered by the Sender), name and shipping address (entered by the Recipient), and an optional thank-you note.
  • Merchant data — Shopify shop domain, store name, access token (encrypted at rest), and aggregate metrics about gift orders.
  • Operational logs — timestamps, event types, IP address and user agent of the device used to claim the gift, and SMS delivery receipts from Twilio.

03Why we collect it

Strictly to operate the gifting flow: text the Recipient, accept their address, update the order in Shopify, and notify the Sender of the outcome. We do not sell data or use it for advertising.

04Where we send data

  • Twilio — sends SMS to Recipients and Senders. Twilio receives the phone number and message body.
  • Google Places — validates the Recipient's typed address. The search query and the resolved place are sent to Google.
  • Shopify — receives the verified shipping address and applies it to your order.
  • Resend — sends fallback emails to Senders.

05Retention

Gift records are kept for 90 days after the gift is claimed, expired, or refunded, then automatically deleted. Aggregate metrics (counts, percentages — no PII) are kept indefinitely.

06Your rights (GDPR, CCPA)

Recipients and Senders may request a copy of, or deletion of, their data by emailing privacy@tapgift.app. Merchants whose shops are installed with Tapgift can also use Shopify's built-in GDPR webhooks (customers/data_request, customers/redact, shop/redact) — Tapgift implements these per Shopify policy.

07Security

All data is encrypted in transit. Merchant Shopify access tokens are encrypted at rest (AES-256-GCM). Tapgift runs on Vercel and Supabase, both SOC 2 Type II certified.

08Children

Tapgift is not intended for users under 18. If a phone number belonging to a minor is entered, the Recipient or their guardian may request immediate redaction.

09SMS terms

Every SMS includes “Reply STOP to opt out.” Replying STOP terminates further Tapgift messaging to that number. Tapgift is registered for A2P 10DLC.

10Changes

We will update this page if our practices change. Material changes will be communicated to merchants via in-app banner.

11Contact

privacy@tapgift.app