Privacy Policy
Last updated: June 9, 2026
This Privacy Policy explains how Griffith Software Labs LLC, a limited liability company organized under the laws of the State of Wyoming, USA, which operates the Tapline service ("Tapline", "we", "us", "our"), collects, uses, and shares personal data when you visit tapline.sh, create an account, or use our market-data API and related services (the "Services"). It also describes your rights and how to exercise them.
For the personal data described here, Tapline is the data controller. Our payment processing is handled by Paddle (see Section 5), which acts as Merchant of Record and as a controller for the payment and buyer data it collects.
1. Who this applies to
This policy applies to visitors to our website and to customers and authorized users of the Services. It does not apply to third-party websites or services we link to, which have their own policies.
2. The personal data we collect
Information you provide:
- Account data — name, email address, company name, and account credentials when you register.
- Billing data — name, billing address, and country, and the transaction records associated with your purchases. Card and payment-instrument details are collected and processed by Paddle, not by us; we do not store full payment-card numbers.
- Enquiry data — when you submit our request-access or contact form, the name, email address, phone number, company, and message you choose to provide so we can respond.
- Communications — the content of messages, support requests, and feedback you send us.
Information collected automatically:
- Technical and usage data — IP address, browser type, device and operating-system information, referring pages, the API endpoints and dashboard features you use, request volumes, timestamps, and log data, collected to operate, secure, and improve the Services.
- Cookies and similar technologies — see Section 9.
3. How the API itself handles data
The Services return structured market data — such as listing attributes, nightly rates, availability, and review information — compiled from publicly available short-term-rental and vacation-rental sources. The Services are built to deliver listing- and market-level data for analytics, pricing, and monitoring, not to profile or identify individuals. Some outputs — for example, public guest-review content — may include limited personal data, such as a reviewer's display name or the text of a review, that the source has already made publicly available. We do not enrich, cross-reference, or use this data to identify individuals or to build advertising profiles, and we do not sell it; we process API requests only to fulfil your query and to keep operational logs. Where an output contains personal data, you act as the controller for your use of that output and are responsible for handling it lawfully — including providing any required notices and establishing a legal basis — as set out in our Terms of Service.
4. How and why we use personal data
| Purpose | Examples | Legal basis (GDPR/UK GDPR) |
|---|---|---|
| Provide the Services | Create and manage your account, authenticate API keys, deliver responses | Performance of a contract |
| Billing and payments | Process subscriptions and renewals via Paddle, maintain transaction records | Performance of a contract; legal obligation |
| Support and communication | Respond to requests, send service and security notices | Performance of a contract; legitimate interests |
| Security and fraud prevention | Detect, investigate, and prevent abuse, fraud, and unauthorized access | Legitimate interests; legal obligation |
| Improve the Services | Analyze usage trends, debug, and develop features | Legitimate interests |
| Marketing (optional) | Send product updates where you have opted in | Consent (withdrawable at any time) |
| Legal compliance | Meet tax, accounting, and other legal obligations; respond to lawful requests | Legal obligation |
Where we rely on legitimate interests, we have balanced those interests against your rights.
5. How we share personal data
We do not sell your personal data. We share it only with the following categories of recipients, and only as needed:
- Paddle — our payment processor and Merchant of Record, for checkout, billing, tax, fraud prevention, and buyer support. See Paddle's Privacy Policy.
- Hosting and infrastructure — Hetzner Online GmbH (Germany), to host and run the Services.
- Contact-form delivery — Formspree (Formspree, Inc., United States), which receives and relays the details you submit through our request-access or contact form (such as your name, email, phone, company, and message) so we can respond. See Formspree's Privacy Policy.
- Professional advisers and authorities — lawyers, accountants, auditors, and regulators or law enforcement where required by law or to protect our rights.
- Business transfers — a successor entity in connection with a merger, acquisition, or sale of assets, subject to this policy.
Apart from the contact-form provider above, we currently do not use third-party analytics, advertising, email-marketing, or customer-support processors; ongoing support is handled directly by our team on our own infrastructure. If we introduce such a provider, we will update this policy and our sub-processor list beforehand. These providers process personal data on our behalf under contracts that require appropriate safeguards. We keep an up-to-date list of sub-processors and can provide it on request.
6. International transfers
We and our providers may process personal data in countries other than yours. Where we transfer personal data out of the UK, EEA, or other regulated regions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision.
7. How long we keep personal data
We keep personal data only as long as necessary for the purposes above:
- Account data — for the life of your account and a short period after closure.
- Billing and tax records — for the period required by applicable tax and accounting law (commonly up to 6–7 years).
- Technical and log data — typically up to 12 months, unless needed longer for security or legal reasons.
- Marketing data — until you opt out or after a period of inactivity.
We may retain anonymized or aggregated data, which no longer identifies you, without time limit.
8. Your rights
Depending on where you live, you may have the right to: access a copy of your personal data; correct inaccurate data; delete your data; restrict or object to processing; data portability; and withdraw consent at any time. To exercise any of these, email [email protected]. We will respond within the time required by applicable law (generally one month under GDPR/UK GDPR, or 45 days under California law).
EEA/UK residents: you may lodge a complaint with your local supervisory authority.
California residents (CCPA/CPRA): you have the right to know what personal information we collect and how we use and disclose it, to request deletion or correction, and to not be discriminated against for exercising these rights. We do not sell or "share" personal information for cross-context behavioral advertising as those terms are defined under California law.
9. Cookies
We use strictly necessary cookies to run the site and authenticate your session. We do not currently use third-party advertising or analytics cookies. If we add non-essential cookies in the future, we will request your consent and update this section. You can also manage cookies through your browser settings.
10. Security
We use technical and organizational measures appropriate to the risk — including encryption in transit, access controls, and monitoring — to protect personal data. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
11. Children
The Services are not directed to, and we do not knowingly collect personal data from, anyone under 18. If you believe a child has provided us personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. We will post the new version with an updated date and, for material changes, provide additional notice. Continued use of the Services after the effective date constitutes acceptance.
13. Contact us
Griffith Software Labs LLC (operator of Tapline)
30 N Gould St Ste N, Sheridan, WY 82801, USA
Privacy enquiries and data-rights requests: [email protected]