Tagslinger
Log inGet started
Back to home

Privacy Policy

Last updated · May 21, 2026

This Privacy Policy explains how Cloud Hosting Technologies, LLC ("Tagslinger", "we", "us") collects, uses, and shares information when you visit tagslinger.com (the "Site") or use our software-as-a-service platform (the "Service"). For the purposes of GDPR and comparable laws, we act as a data controller for your account-level information and as a data processor for the content you store in the Service. Our principal place of business is Las Vegas, Nevada, USA.

1. Account information

When you sign up we collect the email address associated with your authentication provider (Supabase email/password, Google, Microsoft, or Apple Sign-In). If you sign in with an OAuth provider, we additionally receive your display name and a stable identifier from that provider; we do not receive your password. Owners may optionally provide a workspace name and a chosen URL slug.

2. Service usage data

When you (or another member of your workspace) creates campaigns, edits destinations, writes NFC tags, or views analytics, we store the underlying records — campaign metadata, branding template fields, destination URLs, NFC payloads, and audit log entries — to operate the Service. We log the IP address you used to access the dashboard for the most recent session for abuse prevention; older session IPs are deleted after 30 days.

3. Scan and tap data (anonymous visitors)

When an anonymous end user scans a QR code or taps an NFC tag generated through the Service, our redirect Worker records the following:

  • The short code being scanned (so we can route the redirect).
  • The scanner's IP address (retained for a maximum of 90 days, then permanently deleted).
  • User-Agent header (used to derive aggregate device type, browser, and OS for analytics; the raw string is retained for 90 days).
  • The HTTP referrer, if any (retained for 90 days).
  • The geographic country derived from the IP (retained indefinitely as an aggregate).
  • The timestamp of the scan.

We do not place cookies or fingerprinting scripts on the scanner's device. The IP and User-Agent are processed only on the redirect path and dropped to aggregate summaries after 90 days. We do not sell, share, or transfer raw scan data to third parties.

4. Payment information

All payments are processed by Stripe, Inc. We do not store payment card numbers, CVCs, or any other cardholder data on our infrastructure. We receive from Stripe only the data we need to administer your subscription: customer ID, subscription ID, price ID, plan, status, last-four digits of the card, and billing email. Stripe's privacy practices are governed by stripe.com/privacy.

5. How we use your information

We use the information described above to:

  • Provide and maintain the Service and its features.
  • Render QR images and write NFC payloads on your behalf.
  • Aggregate scan and tap events into the analytics dashboards available in your workspace.
  • Detect abuse, prevent fraud, and enforce the Acceptable Use section of our Terms of Service.
  • Send transactional emails related to your account: signup verification, password resets, billing notifications, and security alerts.
  • Communicate with you about new features, planned downtime, and pricing changes that affect your subscription. You can opt out of non-transactional messages at any time.
  • Comply with legal obligations and respond to lawful requests from authorities.

6. Who we share information with

We do not sell your personal information. We share information only with the following categories of recipients, and only as needed to operate the Service:

  • Supabase (database + auth provider) — stores account, workspace, campaign, and scan records.
  • Vercel (web hosting) — serves the dashboard and APIs.
  • Cloudflare (redirect Worker + edge security) — handles QR scan redirects and rate limiting.
  • Stripe (payments) — processes subscriptions and stores payment methods on your behalf.
  • Sentry / PostHog (error and product analytics, when enabled by the workspace owner) — collect anonymized usage and error data.

Each of the above is contractually bound to handle data only for the purposes for which we engaged them, and to apply commercially reasonable security measures. We may also disclose information to law enforcement or other authorities if we receive a valid legal request.

7. Security

We use industry-standard practices to protect your data, including TLS in transit, Postgres row-level security to isolate workspaces from each other, encrypted secrets in our deployment platform, and two-factor authentication (TOTP) enforced for all SuperAdmin users. No system is perfectly secure, but we strive to minimize the blast radius of any incident.

8. Retention

We retain workspace data (campaigns, scans, members, branding templates) for as long as your workspace is in the Active, Trial, or Offboarding state. When a workspace transitions to Inactive, we keep its data for an additional 30 days as a safety buffer in case you wish to reactivate; after that, we may permanently delete the workspace and its data. See Section 8 of our Terms of Service for the lifecycle details.

IP addresses captured at scan time are retained for a maximum of 90 days, then permanently deleted. Aggregate geographic summaries derived from those IPs are retained indefinitely (these summaries do not identify any individual scanner). Audit log entries are retained for the life of the platform for security and compliance reasons.

9. Your rights

Depending on where you live, you may have the following rights regarding your personal information:

  • Access — request a copy of your account data.
  • Correction — ask us to fix inaccurate information.
  • Deletion — request that we delete your account and associated data.
  • Export — receive a portable copy of your data.
  • Opt out — opt out of non-transactional emails.

To exercise any of these rights, email [email protected] from the email address associated with the workspace owner. We will respond within 30 days.

10. Children

Tagslinger is intended for use by businesses and is not directed at children under 16. If you are under 16, please do not use the Service. If we learn that we have collected information from a child under 16 without parental consent, we will delete that information.

11. International data transfers

Our infrastructure providers operate primarily in the United States. If you access the Service from outside the United States, you understand that your information will be processed in the United States, which may not provide the same level of data protection as your home country. By using the Service you consent to this transfer.

12. Changes to this Policy

We may revise this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the current version. Material changes will be announced via the email associated with the workspace owner and/or via a conspicuous notice on the Service.

13. Contact

Privacy questions? Email [email protected] or write to:

Cloud Hosting Technologies, LLC
Attn: Privacy
Las Vegas, Nevada
USA