Privacy Policy

Effective date: 26 June 2026 · Last updated: 26 June 2026

Tapara Limited (NZBN 9429053591470) (“Tapara”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, share, and protect your information when you use the Tapara mobile application and related services (“Services”).

This policy applies to all users of the Services, including consumers and merchants. We comply with the New Zealand Privacy Act 2020.

1. Information We Collect

1.1 Information You Provide

All users:

  • Full name
  • Email address
  • PIN (stored as a bcrypt hash — we never store your PIN in plain text)

Consumers additionally:

  • Bank pre-selection (which bank you choose for payments — used to pre-fill the open banking payment flow)
  • Passkey/biometric registration data (WebAuthn credentials for biometric login)

Merchants additionally:

  • Business name, category, and description
  • Bank account number (for receiving payments)
  • Contact details (phone number, business address)
  • Staff members added to your business (name and email)

1.2 Information Collected Automatically

  • Transaction data: Date, time, amount, payment method, merchant, payment status, and transaction reference for every payment made through the platform.
  • NFC check-in data: When you tap an NFC tag at a merchant, we record the check-in event.
  • Loyalty data: Your membership at each merchant, visit count, total spend, current tier, and any vouchers earned or redeemed.
  • Device information: Device model, operating system version, and app version. We do not collect advertising identifiers.
  • Usage data: App interactions for the purpose of diagnosing errors and improving the service (e.g. crash reports).

1.3 Information from Third Parties

  • Open banking provider: When you make a bank payment, our open banking provider processes the transfer and provides us with payment status updates. We receive the payment outcome (success/failure/pending) and a transaction reference. We do not receive your bank login credentials.

2. How We Use Your Information

We use your personal information for the following purposes:

  • Providing the Services: Processing payments, managing your account, facilitating NFC check-ins, and operating loyalty programmes.
  • Payment facilitation: Transmitting payment instructions to our open banking provider on your behalf.
  • Loyalty programmes: Tracking your membership, visit count, spend, and tier progression at each merchant. Automatically applying eligible benefits and issuing vouchers.
  • Communication: Sending account verification emails, payment confirmations, and service notifications.
  • Legal and regulatory compliance: Fulfilling our obligations under New Zealand law, including responding to lawful requests from authorities and maintaining records required under the Tax Administration Act 1994.
  • Fraud prevention and security: Monitoring for unusual transaction patterns, enforcing payment limits, and protecting the integrity and security of the platform.
  • Service improvement: Analysing aggregated, non-identifying usage data to improve app performance and features.

We do not use your personal information for:

  • Targeted advertising.
  • Selling or renting to third parties for marketing purposes.
  • Profiling for automated decision-making.

3. How We Share Your Information

We share your personal information only in the following circumstances:

3.1 Third-Party Service Providers

Provider Purpose Data shared
Open banking provider Bank payment processing Payment amount, your bank selection, merchant bank account, payment reference
Resend Transactional email delivery Email address, email content (verification codes, payment confirmations)
Cloud infrastructure providers Hosting and data storage All data stored on the platform (encrypted at rest)

These providers process data on our behalf and are contractually required to protect your information and use it only for the specified purpose.

3.2 Merchants

When you transact with or join a merchant’s loyalty programme on Tapara, the merchant can see:

  • Your first name.
  • Your transaction history with that merchant.
  • Your loyalty membership data (tier, visit count, spend, vouchers).

Merchants cannot see your email address, bank details, or your activity at other merchants.

3.3 Legal Requirements

We may disclose your information if required by law, regulation, court order, or a lawful request from a government agency. We may also disclose information where we reasonably believe disclosure is necessary to protect the rights, property, or safety of Tapara, our users, or the public.

3.4 No Sale of Data

We do not sell, rent, or trade your personal information to any third party for any purpose.

4. Data Retention

4.1 Financial Records

We retain transaction records and financial data for up to 7 years from the date of your last transaction or the closure of your account, whichever is later. This is required under the Tax Administration Act 1994 for financial records and is consistent with the limitation period under the Limitation Act 2010 for contractual claims.

4.2 Non-Financial Data

Non-financial data (such as notification preferences, app settings, and device information) is retained only as long as your account is active or as needed to provide you with the Services. Upon account deletion, non-financial data is deleted or anonymised within 30 days.

4.3 Account Deletion

When you request account deletion:

  • Your name, email address, and bank details are anonymised (replaced with non-identifying values).
  • Your loyalty memberships are deactivated.
  • Transaction records and financial data are retained for up to 7 years as described above but are no longer associated with identifiable personal information.

5. Data Storage and Security

  • All data is stored on servers located in Singapore (cloud infrastructure).
  • Data is encrypted at rest and in transit using TLS.
  • Sensitive credentials (PIN, refresh tokens) are hashed or encrypted before storage.
  • On your device, sensitive data (authentication tokens, passkey credentials) is stored in the operating system’s secure storage (iOS Keychain / Android Keystore) via encrypted MMKV.
  • Access to production systems is restricted to authorised Tapara personnel.

While we take reasonable steps to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Your Rights

Under the New Zealand Privacy Act 2020, you have the right to:

  • Access your personal information held by Tapara.
  • Request correction of any inaccurate or incomplete personal information.
  • Request deletion of your account (subject to the data retention obligations described in section 4).

To exercise any of these rights, contact us at enquiries@tapara.co.nz. We will respond to your request within 20 working days.

7. Children’s Privacy

The Tapara Services are not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected information from a child under 16, we will take steps to delete that information.

8. International Data Transfers

Your data may be stored on servers located outside New Zealand (currently Singapore). Where data is transferred internationally, we ensure that appropriate safeguards are in place, including encryption and contractual requirements on service providers to maintain the confidentiality and security of your data.

9. Cookies and Analytics

The Tapara mobile app does not use cookies. The Tapara website (tapara.co.nz) may use cookies for basic analytics. You can manage cookie preferences through your browser settings.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will provide notice via the app or email before the changes take effect. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.

11. Complaints

If you believe we have breached the Privacy Act 2020 or mishandled your personal information:

  1. Contact us first: Email enquiries@tapara.co.nz. We will investigate and respond within 20 working days.
  2. Privacy Commissioner: If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner at privacy.org.nz or by calling 0800 803 909.

12. Contact

Tapara Limited
Email: enquiries@tapara.co.nz
NZBN: 9429053591470

home Home person Consumers storefront Businesses mail Contact