Privacy Policy
Last updated: 29 June 2026
This policy explains how Cogniqor BV ("Cogniqor", "we", "us"), operating the TapPass platform, processes personal data as a controller: for visitors to tappass.ai, account holders and users of the platform, prospects, and people who contact us.
1. Who we are
Cogniqor BV
Venneborglaan 85, 2100 Antwerp, Belgium
Company number (KBO) 1033.796.306 · VAT BE 1033.796.306
Data protection contact / DPO: dpo@tappass.ai
2. Controller and processor roles
For data that our customers send through the platform ("Customer Data"), the customer is the controller and we act as a processor on their instructions under our Data Processing Agreement (available on request via dpo@tappass.ai). This policy does not govern that data; the customer's own privacy notice does. For account, billing and website data, we are the controller, as described below.
3. How TapPass is deployed
TapPass is available in two deployment models, which affect where Customer Data is processed:
- Hosted (SaaS) — the default and current model. TapPass is operated by Cogniqor and runs on Google Cloud in the European Union (Belgium region). Customer Data sent through the platform is processed and stored on our EU infrastructure, and Cogniqor acts as your processor under the Data Processing Agreement. We apply encryption in transit and at rest for credentials and secrets, redaction of sensitive content before it is persisted, EU data residency, and a tamper-evident audit trail.
- Self-hosted / private deployment — available for enterprise customers. TapPass runs within your own environment or cloud; Customer Data stays within your perimeter, and Cogniqor does not access it except where you explicitly grant access for support.
Unless your contract states otherwise, you are using the hosted (SaaS) model.
4. What we collect, why, and on what basis
- Account and identity: name, business email, company, role, password hash, authentication identifiers, and single sign-on identity (Google, Microsoft) when used. Basis: performance of a contract.
- Usage, device and log data: IP address, device/browser data, in-product usage events (via PostHog, EU, within the application) and error/diagnostic data (via Sentry, EU). Basis: our legitimate interest in a secure, reliable and improving service.
- Communications and support: emails, support requests and metadata. Basis: legitimate interest / contract.
- Prospect and marketing data: business contact and interaction data held in our CRM. Basis: legitimate interest (B2B) and, where required, consent.
- Meeting and call notes: where we use a meeting-notes assistant to transcribe or summarise calls, we process attendee names and call content. We inform attendees and obtain consent where required. Basis: legitimate interest / consent.
- Billing data: invoicing and contact details. Basis: contract and legal obligation.
- Customer Data (processor role): processed only on the customer's instructions under the DPA (see section 2). In the hosted model, sensitive content is redacted before it is persisted, and the audit trail stores redacted fragments, counts and metadata rather than raw prompts or responses.
5. Sub-processors and service providers
Sub-processors of Customer Data (hosted model), also listed at trust.tappass.ai: Google Cloud (hosting and database, EU), Cloudflare (edge security and TLS, EU/global), Resend (transactional email, US), PostHog (product analytics, EU), Sentry (error monitoring, EU), OpenAI (powers the in-product assistant, US), and identity providers Google and Microsoft (single sign-on, when enabled). Additional AI model providers — Anthropic, Google Gemini, Mistral (EU), Groq (US), and DeepSeek, Moonshot (Kimi), MiniMax and Alibaba Qwen (China) — are engaged only when you enable that model with your own key (BYOK).
Other service providers we use to run our own business, which process our business data (not the data you put into TapPass):
- Google Workspace — email and productivity (EU)
- Slack — internal communication (US)
- HubSpot — customer relationship management (US)
- Granola — meeting notes and call transcription (US)
- Yuki — accounting and bookkeeping (EU)
- Revolut — business payments (EU)
- GitHub, and AI coding assistants — code hosting and development (US)
- Aikido — code and cloud security (EU)
- Linear — product and project management (US)
- Better Stack — uptime monitoring and status page (EU/US)
We may update this list as our providers change. We do not sell personal data.
6. International transfers
We host the production Service and its database in the EU (Google Cloud, Belgium). Some providers are established outside the EU (for example Resend, Cloudflare, HubSpot and Granola in the United States, and certain model providers in the United States or China when a customer enables them). Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses and appropriate safeguards.
7. Retention
We keep personal data only as long as necessary. Account data is kept for the duration of the relationship and a reasonable period afterwards; audit and security logs for 12 months (with personal data minimised and erasable on request); product analytics anonymised; support communications up to 24 months; marketing data until you object or withdraw consent; and billing and accounting records as required by Belgian law (currently 7 years).
8. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict and port your personal data, to object to processing based on legitimate interests or for direct marketing, and to withdraw consent at any time. To exercise these rights, contact dpo@tappass.ai. We respond within one month. You may also lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données, Rue de la Presse 35, 1000 Brussels).
9. Security
We apply appropriate technical and organisational measures, including encryption in transit (TLS) and at rest for credentials and secrets, access controls, EU hosting and a tamper-evident, hash-chained audit trail. We do not currently hold SOC 2 or ISO 27001 certification and do not represent otherwise; we will complete security questionnaires and share documentation on request.
10. Cookies
Our website (tappass.ai and its subdomains) uses only strictly necessary cookies: for security and bot protection via Cloudflare and Cloudflare Turnstile, and for the app session in the product at eu.tappass.ai. We do not set analytics, advertising or cross-site tracking cookies on this website, so no cookie-consent banner is shown. Product-usage analytics (PostHog, EU) operates within the TapPass application, not on this marketing website. Some pages load third-party web fonts (Google Fonts) that may receive your IP address to render the site. You can block or delete cookies in your browser settings; strictly necessary cookies cannot be switched off without affecting the site.
11. Changes
We may update this policy. We will post the new version and update the date above; for material changes we will give reasonable notice.
12. Contact
Cogniqor BV, Venneborglaan 85, 2100 Antwerp, Belgium. Data protection: dpo@tappass.ai.