Privacy Policy

For any privacy question, contact us at privacy@tiptap.cx. For legal matters, contact legal@tiptap.cx. For product help, contact support@tiptap.cx.

TipTap is the controller of: personal information collected through the Website; personal information that Companies and Agents submit to register and operate their accounts; and the limited technical information automatically logged when a Tipper visits the Tipping Flow (such as IP address and user-agent string, logged on TipTap's server). Stripe is the independent controller of all payment information that a Tipper enters on Stripe's hosted checkout page; TipTap does not collect or store that information. When TipTap processes personal information on behalf of a Company under a Data Processing Addendum (for example, ticket-attribution data drawn from the Company's Helpdesk), TipTap acts as a processor for that Company.

This policy applies to the three surfaces of the Service:

• The Website, used by prospects, customers, partners, and other visitors.

• The Dashboards, used by Companies (typically administrators or customer experience leaders at integrated businesses) and by Agents (the support agents who receive Tips).

• The Tipping Flow, used by Tippers (end customers of integrated Companies) at the point of leaving a Tip.

It does not apply to third-party websites or services that we do not control, including Helpdesks such as Zendesk, Intercom, Freshdesk, or Gorgias, or to Stripe's own services. Those services have their own privacy policies.

Defined terms. Capitalized terms used in this policy - including Service, Website, Dashboards, Tipping Flow, Company, Agent, Tipper, Website Visitor, Helpdesk, Tip, Gross Tip, Commission, Agent Share, Stripe, and Stripe Connected Account - have the same meanings given to them in the TipTap Terms of Service (the "Terms"), unless otherwise defined in this policy. In the event of any conflict between this policy and the Terms with respect to a defined term, the Terms control.

We collect personal information directly from you, automatically through your use of the Service, and from third parties such as Stripe and integrated Helpdesks. The categories of information we collect depend on which surface of the Service you use.

Website Visitors. When you visit the Website, we automatically collect:

• Device and connection data: IP address, user agent, operating system, browser type and version, language, time zone, referring URL, and pages viewed.

• Usage data: clicks, scroll behavior, navigation paths, session duration, and similar interaction data.

• Cookies and similar identifiers: including identifiers set by analytics, session replay, and advertising technologies. See the Cookies and Tracking Technologies section.

• Information you submit through forms: for example, name, work email, company name, job title, phone number (if provided), scheduling preferences, and any message you include when you request a demo, book a call, subscribe to updates, or contact us. Call and demo bookings are facilitated by GoHighLevel as our scheduling and CRM provider; the information you submit through the booking form is stored by TipTap and processed on our behalf by GoHighLevel.

Companies. When a Company registers and uses the Dashboard, we collect:

• Account information: company name, billing address, country, the names, email addresses, job titles, and login credentials of the Company users authorized to access the Dashboard.

• Integration information: the Helpdesk(s) connected, OAuth tokens and configuration data needed to maintain the integration, agent identifiers, and ticket events such as the moment a ticket is marked solved.

• Communication information: support requests, feedback, and other messages exchanged with TipTap.

• Usage data: how Company users interact with the Dashboard, including pages visited, features used, and audit-log events such as logins, configuration changes, and exports.

• Billing information: because TipTap does not charge Companies, we typically do not collect payment instruments from Companies. Where a Company opts into a paid feature in the future, billing information will be collected and processed by Stripe.

Agents. When an Agent registers and uses the Dashboard, we collect:

• Account information: name, email address, login credentials, country, the Company the Agent is associated with, and an identifier matching the Agent's record in the Helpdesk.

• Identity verification data: Stripe Connect requires identity information (such as name, date of birth, address, government identifier, and in some cases identity documents) to comply with Know Your Customer (KYC) and other obligations. This information is collected and held by Stripe, not by TipTap. We receive only a confirmation of the verification status and limited descriptive fields.

• Payout information: bank account details for payouts are collected and held by Stripe, not by TipTap.

• Tip and payout history: the amount, currency, time, ticket reference, and any optional review the Tipper left for the Agent, for each Tip received, and the resulting payout balance and history. We do not associate the Tipper's name, email, or payment details with the Tip record shown to the Agent, because TipTap does not have them.

• Usage data: how the Agent interacts with the Dashboard, including logins, pages viewed, features used, and audit-log events.

Tippers. TipTap does not collect or store the Tipper's name, email address, or payment information. Tippers enter all such information (cardholder name, billing email, billing address, card number, expiration date, security code, and any other payment detail) on Stripe's hosted checkout page during payment. Stripe collects and processes that information as an independent controller under its own terms and privacy notice. TipTap never receives the Tipper's name, email, billing address, card number, security code, or bank account information from Stripe, and never receives the Tipper's name or email from the integrated Helpdesk.

The only information TipTap processes in connection with a Tipper is:

• Non-sensitive transaction descriptors received from Stripe after a Tip is processed - for example, the Stripe transaction identifier, the Gross Tip amount, the currency, the card brand, the last four digits of the card, the country of issue, and the success or failure status. These descriptors do not, on their own, identify the Tipper.

• A ticket reference received from the integrated Helpdesk - used to attribute the Tip to the correct ticket and Agent. The Helpdesk integration does not pass the Tipper's name or email to TipTap; the post-resolution invitation to leave a Tip is delivered to the Tipper through the Helpdesk's existing reply mechanism (so the Helpdesk, which already has the Tipper's contact details, delivers the invitation on TipTap's behalf without disclosing those details to TipTap).

• An optional review or message that the Tipper voluntarily writes for the Agent in the Tipping Flow. TipTap does not request the Tipper's name, email, or other identifying information at this step, and Tippers are asked not to include personal information in the review. TipTap stores the review and shares it with the Agent and the Company.

• Device and connection data automatically logged by TipTap's server when the Tipper visits a Tipping Flow page - for example, IP address, user agent, language, and time zone. This data is captured in server logs and used only for security, fraud prevention, and minimal operational analytics. No third-party analytics, session-replay, or advertising trackers operate on the Tipping Flow, and no non-essential cookies are set there. See the Cookies and Tracking Technologies section.

We do not knowingly collect any of the following from any user, and we ask you not to submit them through the Service: government-issued identifiers (except where Stripe collects them as part of KYC), health information, precise geolocation, biometric data, account login credentials for any other service, or content that reveals racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life, or sexual orientation.

We collect personal information from three sources:

• Directly from you, when you submit a form, register for an account, configure a Helpdesk integration, leave a Tip, or contact us.

• Automatically, through cookies, SDKs, server logs, and similar technologies when you use the Service.

• From third parties, including Stripe (for transaction status, KYC results, and payout events), the integrated Helpdesks (for ticket and agent identifiers and ticket resolution events), our analytics and advertising vendors (for aggregated audience data), our CRM (for contact-routing data), and publicly available sources (for outbound business development).

We use personal information for the purposes set out below. Where the EU General Data Protection Regulation ("GDPR") or the UK General Data Protection Regulation ("UK GDPR") apply, our legal basis for each purpose is identified in parentheses.

• Provide and operate the Service: create and authenticate accounts, route Tips, attribute Tips to the correct Agent, settle funds through Stripe, send transactional messages, and provide customer support. (Legal basis: performance of a contract; legitimate interests.)

• Secure the Service and prevent fraud: monitor for suspicious activity, investigate possible AUP violations, detect chargeback abuse, protect against attacks, and maintain audit logs. (Legal basis: legitimate interests; legal obligation; performance of a contract.)

• Comply with law: including tax, anti-money-laundering, sanctions, and accounting obligations; respond to lawful requests from regulators, courts, and law enforcement. (Legal basis: legal obligation.)

• Communicate with you: send service announcements, security notices, and material policy changes; respond to inquiries; conduct customer research. (Legal basis: performance of a contract; legitimate interests.)

• Marketing the Service to businesses: identify prospective Companies, send outbound communications, run ads, and measure their effectiveness. (Legal basis: legitimate interests; consent where required.)

• Analyze and improve the Service: measure usage, troubleshoot issues, develop new features, train internal models on aggregated or pseudonymized data, and improve usability. (Legal basis: legitimate interests; consent where required for analytics and session replay.)

• Personalize the Service: remember preferences, language, and prior actions. (Legal basis: legitimate interests; consent where required.)

• Enforce our agreements: investigate and respond to breaches of the Terms and the AUP, and protect our rights, property, and the safety of others. (Legal basis: legitimate interests; legal obligation.)

• Business transitions: evaluate, negotiate, or complete a merger, acquisition, financing, sale of assets, or similar transaction. (Legal basis: legitimate interests.)

We do not use personal information to make decisions that produce legal or similarly significant effects about you solely by automated means.

We share personal information only in the circumstances described below.

With Companies. When a Tip is processed, we share the Tip amount, currency, time, ticket reference, and any optional review or message the Tipper wrote with the Company so that the Company can confirm attribution and recognize the Agent. When a Company integrates the Service, we share with the Company aggregated and Agent-level usage data necessary to administer the integration. We do not share the Tipper's name, email, or payment details with the Company through TipTap - TipTap does not have them.

With Agents. We share with each Agent the Tips that have been attributed to that Agent, including the amount, the currency, the time, a reference to the resolved ticket, and any optional review or message the Tipper wrote. We do not share the Tipper's name, email, or payment details with the Agent through TipTap - TipTap does not have them.

With Stripe. We share with Stripe the information needed to initiate and settle payments, including the Gross Tip amount, the currency, the Agent's Stripe Connected Account identifier, and other non-sensitive transaction metadata. Stripe collects payment and Tipper information directly from Tippers in its own hosted checkout, and collects identity verification and payout information directly from Agents in its own onboarding flow.

With Helpdesks. We exchange data with the integrated Helpdesk on the Company's authorization through its administrator. The data we receive from the Helpdesk is limited to ticket identifiers, the Agent assigned to each ticket, ticket-resolution events, and other ticket metadata necessary to operate the Service; we do not receive the Tipper's name or email address from the Helpdesk. The data we send to the Helpdesk typically consists of a reply posted back to the resolved ticket inviting the Tipper to leave a Tip - the Helpdesk, which already has the Tipper's contact details, delivers the invitation to the Tipper without disclosing those details to TipTap.

With our subprocessors. We use the following subprocessors to operate the Service. Each is bound by a written contract that imposes appropriate confidentiality and data-protection obligations.

• Stripe - Payment processing, KYC, payouts, tax forms (USA + global).

• Amazon Web Services (us-east-1) - Backend hosting and PostgreSQL database (USA).

• Vercel - Website and platform frontend hosting (USA / global edge).

• Google Workspace - Internal email and documents (USA).

• Google Analytics 4 - Website and product analytics, Website and Dashboards only (USA).

• Google Tag Manager - Tag management, Website and Dashboards only (USA).

• Microsoft Clarity - Session replay and heatmaps, Website and Dashboards only (USA).

• Meta Pixel - Advertising attribution, Website only (USA).

• GoHighLevel - CRM, outbound marketing, and call/demo scheduling (USA).

With professional advisors. We may share information with our auditors, lawyers, accountants, and insurers, in each case under appropriate confidentiality obligations.

For legal reasons. We may disclose information when we believe in good faith that disclosure is required by law, by lawful request from a public authority, or to protect the rights, property, or safety of TipTap, our users, or others, or to investigate fraud or violations of our Terms.

In a business transaction. If TipTap is involved in a merger, acquisition, financing, sale of assets, or bankruptcy, personal information may be transferred to the counterparty subject to standard confidentiality obligations. Where the transaction would materially change how your information is handled, we will notify you.

With your consent. We will share personal information for any other purpose with your consent.

We do not sell your personal information for money. To the extent the Meta Pixel operating on the Website results in disclosures of identifiers to Meta for cross-context behavioral advertising, those disclosures may constitute "sharing" under California law. The Meta Pixel does not run on the Dashboards or the Tipping Flow, and no other advertising trackers operate on those surfaces. Visitors to the Website can opt out of those cookies in the cookie banner or by sending a Global Privacy Control signal from their browser. See the California - CCPA and CPRA section below.

TipTap is based in the United States. Our primary infrastructure is hosted in AWS us-east-1 (Northern Virginia, USA). The subprocessors listed above are also primarily in the United States. When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States or to any other country that has not received an adequacy decision, we rely on appropriate safeguards under applicable law. These typically include the European Commission's Standard Contractual Clauses (SCCs) and, for transfers from the UK, the UK International Data Transfer Addendum to the SCCs. We also implement supplementary measures where required, including encryption in transit and at rest and access controls.

Payment data transferred to Stripe is subject to Stripe's own transfer mechanisms and certifications. To request a copy of the safeguards we rely on, contact privacy@tiptap.cx.

We keep personal information only for as long as we need it for the purposes described in this policy, and then we delete or anonymize it. Our default retention is:

• Active accounts: for the duration of the account.

• Closed accounts: deleted within ninety (90) days of closure, except where a longer retention is required by law or is necessary to resolve a dispute.

• Transaction records: retained for seven (7) years from the date of the transaction for tax, accounting, and legal compliance.

• Marketing data: retained for as long as your subscription to marketing communications remains active and for a short period thereafter to honor your unsubscribe choice.

• Backups: rolling deletion on a thirty-five (35) day cycle.

• Server and audit logs: typically retained for up to thirteen (13) months for security and incident-response purposes.

Specific retention periods may differ where required by law, where a dispute or investigation is open, or where data has been pseudonymized or aggregated such that it is no longer personal information.

We take the security of personal information seriously. Our security program is designed around accepted industry practices and includes:

• Encryption of data in transit using TLS and of data at rest in our database and backups.

• Role-based access controls, multi-factor authentication for employee access, and least-privilege defaults.

• Segregated production environments and audit logging of access to sensitive data.

• Vendor due diligence, including review of subprocessor security and contractual data-protection terms.

• Regular vulnerability scanning, dependency monitoring, and an incident-response plan with notification timelines aligned to applicable law.

No system is perfectly secure. If you believe your account or any personal information has been compromised, contact us immediately at security@tiptap.cx.

We use cookies, pixels, software development kits (SDKs), and similar technologies on the Website and the Dashboards. We do not deploy third-party analytics, session-replay, or advertising trackers on the Tipping Flow; only strictly-necessary cookies (such as session and security cookies) and minimal server-side logging are used there. Cookies fall into three categories:

• Strictly necessary. Cookies required for the Service to function, including authentication, security, and load balancing. These are used across all surfaces (Website, Dashboards, and Tipping Flow) and cannot be switched off.

• Analytics. Cookies that help us understand how the Service is used so we can improve it. We use Google Analytics 4, Google Tag Manager, and Microsoft Clarity (which provides session replay and heatmaps) on the Website and the Dashboards. None of these run on the Tipping Flow.

• Marketing. Cookies and pixels used to measure marketing campaigns and to support advertising. We use the Meta Pixel for advertising attribution on the Website only. The Meta Pixel does not run on the Dashboards or the Tipping Flow.

Where required by law, we ask for your consent before setting non-essential cookies on the Website and the Dashboards, and we will not load non-essential analytics or marketing tags before consent is given. You can withdraw or change your consent at any time using the cookie banner on those surfaces. You can also block or delete cookies in your browser settings; doing so may affect how the Service works. We honor the Global Privacy Control (GPC) signal as a request to opt out of cookies that would otherwise be classed as a "sale" or "share" under California law.

We do not respond to Do Not Track browser signals because there is no consistent industry standard for them.

The rights you have depend on where you live. Regardless of jurisdiction, you can contact privacy@tiptap.cx at any time to exercise a right under this section. We will verify your identity using account information already on file before we act on a request. We may extend the response window where the law permits, for example to handle complex or numerous requests, and we will tell you if we do.

Where personal information is processed on behalf of a Company (for example, ticket-attribution data drawn from the Company's Helpdesk), you should generally direct your request to the Company. We will assist the Company in responding.

GDPR and UK GDPR. If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights, subject to the conditions in the GDPR or UK GDPR:

• The right to access your personal information and to receive a copy.

• The right to rectification of inaccurate or incomplete information.

• The right to erasure ("right to be forgotten") in certain circumstances.

• The right to restriction of processing in certain circumstances.

• The right to object to processing based on legitimate interests, including for direct marketing.

• The right to data portability for information you have provided to us and that we process on the basis of consent or contract.

• The right to withdraw consent at any time where we rely on consent, without affecting the lawfulness of prior processing.

• The right to lodge a complaint with a supervisory authority. UK residents may complain to the Information Commissioner's Office (ICO) at ico.org.uk. Residents of an EEA Member State may complain to the data protection authority of their country.

California - CCPA and CPRA. If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• The right to know what personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it.

• The right to access your personal information and to receive a copy in a portable format.

• The right to delete your personal information, subject to legal exceptions.

• The right to correct inaccurate personal information.

• The right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. To exercise this right, use the cookie banner on the Website or send a Global Privacy Control signal from your browser.

• The right to limit the use and disclosure of sensitive personal information.

• The right to non-discrimination for exercising your rights.

• The right to designate an authorized agent to act on your behalf.

TipTap does not sell personal information for money. With respect to "sharing" as defined under California law, "sharing" may occur as a result of the Meta Pixel operating on the Website. No advertising trackers operate on the Dashboards or the Tipping Flow. You can opt out of advertising-cookie sharing using the cookie banner on the Website or by sending a Global Privacy Control signal from your browser. If we deny a request, we will explain why and what other options you may have. For complaints, you may contact the California Privacy Protection Agency or the California Attorney General.

Canada - PIPEDA. If you are in Canada, you have the right under the Personal Information Protection and Electronic Documents Act, and applicable provincial laws, to: access your personal information and the use we have made of it; request correction of inaccurate personal information; and file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca. You may withdraw consent to certain uses of your personal information at any time, subject to legal or contractual restrictions and reasonable notice.

Brazil - LGPD. If you are in Brazil, you have rights under the Lei Geral de Protecao de Dados (LGPD), including: confirmation of the existence of processing and access to your personal information; correction of incomplete, inaccurate, or outdated personal information; anonymization, blocking, or deletion of personal information that is unnecessary, excessive, or processed in non-compliance with the LGPD; portability of your personal information to another service or product provider; deletion of personal information processed with your consent, subject to legal exceptions; information about the public and private entities with which we have shared your personal information; information about the possibility of refusing to give consent and the consequences of refusal; revocation of consent at any time, free of charge; and the right to file a complaint with the Brazilian National Data Protection Authority (ANPD).

Australia - Privacy Act and APPs. If you are in Australia, you have rights under the Privacy Act 1988 and the Australian Privacy Principles, including the right to request access to your personal information, and to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. If you believe we have breached the Privacy Act or the APPs, please contact privacy@tiptap.cx first. If you remain dissatisfied, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.

Other US States and Other Jurisdictions. Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other U.S. states with comprehensive privacy laws, and residents of other countries that grant similar rights, may have rights comparable to those listed above, including rights of access, correction, deletion, portability, and the right to opt out of certain processing. To exercise any such right, or for any other privacy question, contact privacy@tiptap.cx. We will respond consistent with the law of the relevant jurisdiction.

The Service is intended for adults. We do not knowingly collect personal information from anyone under the age of 13. The Service is not directed to anyone under the age of 18, and we do not intentionally allow anyone under 18 to register as a Company user or as an Agent. If you believe a child has provided personal information to us, contact privacy@tiptap.cx and we will delete it.

We do not make decisions that produce legal or similarly significant effects about you solely by automated means. Fraud-prevention and risk systems may flag transactions or accounts for human review, but a human at TipTap or at Stripe makes the final decision on actions such as account suspension, withholding of funds, or termination.

Under Article 27 of the GDPR, our EU representative is to be appointed. Once appointed, EU residents may contact our EU representative on any matter relating to the processing of their personal information.

Under Article 27 of the UK GDPR, our UK representative is to be appointed. Once appointed, UK residents may contact our UK representative on any matter relating to the processing of their personal information.

TipTap is not required by law to appoint a Data Protection Officer. For any matter that a DPO would otherwise handle, including any rights request or complaint about the way we process personal information, contact privacy@tiptap.cx and we will route the request to the right person internally.

We may update this policy from time to time. For material changes, we will notify you in advance by email to the address on file (where applicable) and by in-product notice on the Dashboard or the Website. Non-material changes (for example, clarifications) take effect when posted. The effective date at the top of this policy will always show the date of the most recent version. Continued use of the Service after the effective date constitutes acceptance of the change.

For any privacy question, including to exercise a right under this policy, contact:

• Privacy: privacy@tiptap.cx

• Legal: legal@tiptap.cx

• Support: support@tiptap.cx

• Mail: TipTap LLC, 407 Lincoln Rd, Suite 8N-420, Miami Beach, FL 33139, USA

Version: 1.0