Privacy Policy
Last updated: 27 March 2026
TAGVU-TAILORMADE ("TAGVU", "we", "us") is committed to protecting the privacy and personal data of our users. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the TAGVU platform (app.tag.vu, backstage.tag.vu, api.tag.vu, developers.tag.vu) and our mobile applications.
This policy is written in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Belgian data protection law (Law of 30 July 2018).
1. Data Controller
For all data protection inquiries, complaints, or to exercise your rights, please contact our DPO at privacy@tag.vu.
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Name (first name, last name)
- Email address
- Phone number (optional, required for SMS notifications)
- Password (stored securely hashed, never in plain text)
- Language and timezone preferences
- Profile picture (optional)
- Authentication provider (if using social login: Google, Apple, Facebook)
2.2 Tag Data
When you create and manage Tags, we store:
- Tag identifiers (NFC UID, QR code)
- Tag name and description
- Solution type and configuration
- Profile content (text, images, documents you upload)
- Tag status (active, lost, paused, deactivated)
- Ownership and co-ownership records
2.3 Scan Data
When a Tag is scanned (by you or a finder), we collect:
- Timestamp of the scan
- Approximate location (if the scanner's browser provides geolocation and permission is granted)
- Device type and browser information (User-Agent)
- IP address (anonymized after processing)
- Finder-submitted information (if the finder fills in a contact form)
2.4 Transaction Data
When you make purchases, we collect:
- Billing address
- Shipping address
- Order details and history
- Payment method identifiers (we do not store full card numbers; these are held by Stripe)
- VAT number (for B2B customers)
2.5 Technical Data
We automatically collect:
- IP address
- Browser type and version
- Operating system
- Referring URL
- Pages visited and interaction data
- Session duration
- Error reports and performance metrics
2.6 Communication Data
- Email correspondence with support
- Notification preferences
- Notification delivery logs (sent, delivered, read)
3. Legal Bases for Processing
We process your personal data based on the following legal grounds under GDPR:
| Purpose | Legal Basis (GDPR Article) |
|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b)) |
| Tag profile management and scan responses | Contract performance (Art. 6(1)(b)) |
| Order processing and delivery | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Scan location tracking (Lost mode) | Legitimate interest (Art. 6(1)(f)) |
| Platform security and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Medical data processing | Explicit consent (Art. 9(2)(a)) |
| Legal and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Cookie-based analytics (non-essential) | Consent (Art. 6(1)(a)) |
| SMS/push notifications | Consent (Art. 6(1)(a)) |
4. How We Use Your Data
- To provide and maintain the TAGVU Platform and services.
- To process your transactions and send related communications (order confirmations, shipping updates).
- To notify Tag owners when their Tags are scanned.
- To facilitate the finder contact process when Tags are in Lost mode.
- To provide customer support and respond to inquiries.
- To improve our Platform through aggregated, anonymized analytics.
- To send marketing communications (only with your consent; you can opt out at any time).
- To detect and prevent fraud, abuse, and security threats.
- To comply with legal obligations (tax records, law enforcement requests).
- To facilitate B2B services (team management, batch operations, reporting).
5. Data Processors and Third Parties
We share your personal data with the following categories of service providers (data processors) who process data on our behalf under Data Processing Agreements:
| Processor | Purpose | Data Location |
|---|---|---|
| Supabase (Pty) Ltd | Database, authentication, file storage | EU (Frankfurt) |
| Stripe, Inc. | Payment processing | EU/US (EU adequacy) |
| Resend, Inc. | Transactional email delivery | US (DPF certified) |
| Twilio, Inc. | SMS notifications | US (DPF certified) |
| Cloudflare, Inc. | CDN, DNS, file storage (R2), DDoS protection | Global (EU primary) |
| Sentry (Functional Software, Inc.) | Error monitoring and performance | US (DPF certified) |
| Vercel, Inc. | Application hosting, edge functions | EU (Frankfurt) / Global Edge |
| Upstash, Inc. | Caching (Redis), rate limiting | EU (Frankfurt) |
| Inngest, Inc. | Background job processing | US (DPF certified) |
We do not sell your personal data to any third party. We may share data with law enforcement or regulatory authorities when required by law or when necessary to protect our rights, safety, or the rights and safety of others.
6. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, or as required by law. Our retention periods are:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Tag profiles | Duration of ownership + 90 days after deactivation |
| Scan data (aggregate) | 36 months |
| Scan data (IP address) | Anonymized after 30 days |
| Finder-submitted data | 12 months or until resolved by owner |
| Transaction/invoice data | 7 years (Belgian tax law) |
| Communication logs | 24 months |
| Medical data | Duration of consent; deleted upon withdrawal |
| Error/performance logs | 90 days |
| Audit logs | 5 years (compliance) |
| Inactive accounts (no login) | Flagged after 18 months; deleted after 24 months with prior notice |
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data. You can exercise these rights by contacting us at privacy@tag.vu or through the Privacy & Data section in your Account settings.
Right of Access (Art. 15): You can request a copy of the personal data we hold about you.
Right to Rectification (Art. 16): You can request correction of inaccurate or incomplete personal data. You can also update most data directly in your Account settings.
Right to Erasure (Art. 17): You can request deletion of your personal data, subject to legal retention obligations. Account deletion is available in Settings > Delete Account.
Right to Data Portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format (JSON). Data export is available in Settings > Data Export.
Right to Object (Art. 21): You can object to processing based on legitimate interest, including profiling and direct marketing.
Right to Restrict Processing (Art. 18): You can request restriction of processing in certain circumstances (e.g., while we verify accuracy of contested data).
Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.
We will respond to all requests within 30 days. In complex cases, this may be extended by an additional 60 days with notification to you. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.
9. International Data Transfers
Our primary database is hosted in the EU (Frankfurt, Germany) via Supabase Cloud. Some of our processors are based in the United States. For these transfers, we rely on:
- EU-US Data Privacy Framework (DPF): For processors certified under the DPF (Stripe, Resend, Twilio, Sentry, Inngest).
- Standard Contractual Clauses (SCCs): Where applicable, as a supplementary safeguard.
- Adequacy Decisions: We prioritize processors in jurisdictions with EU adequacy decisions.
We ensure that all international transfers of personal data comply with Chapter V of the GDPR and provide an adequate level of protection for your data.
10. Children's Privacy
The TAGVU Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent.
Where Tags are used for minors (e.g., children's pet Tags, children's luggage Tags), we require that the Account be held by a parent or legal guardian who is at least 18 years old. The parent/guardian is the data controller for the child's information stored on the Tag.
If we discover that we have collected personal data from a child under 16 without appropriate consent, we will delete it promptly. If you believe a child has provided us with personal data without parental consent, please contact us at privacy@tag.vu.
11. Medical Data (Special Category Data)
TAGVU offers Medical Alert Tag solutions that may involve the processing of health-related data, which constitutes special category data under Article 9 GDPR.
11.1 Explicit Consent
Medical data is processed exclusively on the basis of explicit consent (Art. 9(2)(a) GDPR). When you create a Medical Alert Tag, you will be asked to provide specific, informed consent for the processing and display of your health information.
11.2 Access Controls
Medical data access is strictly controlled:
- Emergency scan: Limited critical information (allergies, blood type, emergency contacts) is shown to any scanner.
- Full medical profile: Only accessible to verified healthcare professionals (via RIZIV/INAMI verification) and authorized caregivers with explicit Tag owner consent.
- Caregiver access: Granted by the Tag owner through invitation, with configurable access levels.
11.3 Withdrawal of Consent
You may withdraw your consent for medical data processing at any time through your Tag settings. Upon withdrawal, we will delete the medical data from the Tag profile within 48 hours. Note that this does not affect the lawfulness of processing based on consent before its withdrawal.
12. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Secure password hashing (bcrypt via Supabase Auth).
- Row-Level Security (RLS) on all database tables.
- Role-based access control (RBAC) with least-privilege principles.
- Rate limiting on all API endpoints.
- Regular security audits and vulnerability assessments.
- EXIF metadata stripping from uploaded images.
- Audit logging for sensitive operations.
- Incident response procedures aligned with NIS2 requirements.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours and inform affected individuals without undue delay, in accordance with Articles 33 and 34 GDPR.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify registered users via email at least 30 days before changes take effect.
- Where changes require consent, obtain fresh consent before applying the new processing.
14. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority:
Gegevensbeschermingsautoriteit (GBA)
Autorite de protection des donnees (APD)
Drukpersstraat 35 / Rue de la Presse 35
1000 Brussels, Belgium
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be
We encourage you to contact us first at privacy@tag.vu so we can try to resolve your concern directly.
15. Contact
For any questions about this Privacy Policy or our data practices, contact us:
TAGVU-TAILORMADE
Data Protection Officer: privacy@tag.vu
General support: support@tag.vu
Website: tag.vu