tappble
PricingCreate your tap

Privacy Policy

Last updated: February 16, 2026

Privacy Policy

Effective Date: 22 February 2026 Last Updated: 22 February 2026

Lumman Ltd ("we", "us", "our") operates tappble.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Service, whether as a creator with an account or as a visitor accessing content through a tappble link.

Lumman Ltd is a company registered in England and Wales (company number 15425759), with its registered office at 86-90 Paul Street, London, EC2A 4NE, United Kingdom.

We are the data controller for the personal data processed through the Service. You can contact us at all@lumman.ai for any privacy-related enquiries.

1. Information We Collect

1.1 Information You Provide

Account Information (Creators). When you create an account, we collect your email address, display name, and profile information provided through your authentication method (Google sign-in or magic link). You also choose a public username that is visible on your tap URLs.

Content You Create. We collect the prompts, titles, descriptions, input parameter definitions, and configuration settings you provide when creating taps.

Visitor-Provided Input. When a tap requires visitor input (such as text responses or image uploads), we collect the data the visitor provides to generate the requested AI output. Uploaded images are processed in real time and are not stored beyond the duration necessary to complete the generation.

Payment Information. If you purchase a paid plan, payment is processed by Polar Software, Inc. ("Polar"), our Merchant of Record. We do not directly collect or store your payment card details. We receive from Polar your subscription status, plan type, and billing identifiers necessary to manage your account and enforce plan limits.

1.2 Information Generated Through the Service

AI-Generated Content. When a visitor opens a tap URL, the Service generates content (text or images) using third-party AI models. This generated content is stored and may be publicly visible on the tap page and at its own permalink, depending on the tap's visibility settings.

Usage Data. We collect information about how the Service is used, including page opens, content generations, text copies, image downloads, and shares. This data is associated with a cryptographic hash of the visitor's IP address - we do not store raw IP addresses.

1.3 Information Collected Automatically

Log and Device Data. When you access the Service, our hosting infrastructure automatically collects your IP address, browser type and version, operating system, referring URL, pages visited, and timestamps.

Cookies and Similar Technologies. We use strictly necessary cookies to manage authentication sessions for creators. We do not use advertising cookies or third-party tracking cookies. See Section 8 for details.

2. How We Use Your Information

We process your personal data for the following purposes and on the following legal bases under UK GDPR:

| Purpose | Legal Basis | |---------|-------------| | Providing and operating the Service | Performance of a contract (Art. 6(1)(b)) | | Authenticating creators and managing accounts | Performance of a contract (Art. 6(1)(b)) | | Processing subscriptions and managing billing | Performance of a contract (Art. 6(1)(b)) | | Generating AI content when a visitor opens a tap | Legitimate interests (Art. 6(1)(f)) - delivering the service the creator configured | | Providing creators with usage analytics | Legitimate interests (Art. 6(1)(f)) - enabling creators to understand how their taps perform | | Rate limiting and abuse prevention | Legitimate interests (Art. 6(1)(f)) - protecting the Service and its users | | Improving and maintaining the Service | Legitimate interests (Art. 6(1)(f)) - enhancing service quality and reliability | | Complying with legal obligations | Legal obligation (Art. 6(1)(c)) | | Communicating service updates and changes | Legitimate interests (Art. 6(1)(f)) - keeping users informed of material changes |

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

3. AI Content Generation and Third-Party AI Providers

The core function of the Service is generating content (text and images) using artificial intelligence. When a visitor opens a tap URL, we send the creator's prompt (and any associated parameters) to a third-party AI model provider to generate a response.

Visitor-uploaded images and vision input. When a tap is configured to accept image uploads and uses a vision-capable AI model, the visitor's uploaded image is sent to the AI provider as part of the generation request. Apart from this explicit input, no other personal data about the visitor is sent to AI providers - the generation request contains only the prompt configured by the creator and any input the visitor has expressly provided.

We currently use the following AI model providers:

  • OpenAI (OpenAI, L.L.C., San Francisco, USA) - privacy policy
  • Anthropic (Anthropic, PBC, San Francisco, USA) - privacy policy
  • Google (Google LLC, Mountain View, USA) - privacy policy
  • xAI (xAI Corp., San Francisco, USA) - privacy policy
  • Mistral AI (Mistral AI, Paris, France) - privacy policy
  • fal.ai (fal.ai, Inc., San Francisco, USA) - privacy policy

These providers process prompts and inputs to generate content. Under our API agreements, they do not use prompts or generated outputs to train their models. Data may be transferred internationally; see Section 6 for details on international transfers.

AI Transparency Notice. In accordance with the EU AI Act (Regulation (EU) 2024/1689), we inform you that all content generated through tappble is produced by artificial intelligence systems. AI-generated content may contain inaccuracies, biases, or errors. AI-generated images may not accurately depict real people, places, or events. You should review any generated content before relying on it or sharing it.

4. How We Share Your Information

We do not sell your personal data. We share personal data only in the following circumstances:

Service Providers. We use the following sub-processors to operate the Service:

| Provider | Purpose | Location | |----------|---------|----------| | Vercel Inc. | Hosting and content delivery | United States | | Supabase Inc. | Database and authentication | United States | | Upstash Inc. | Rate limiting | United States | | Polar Software, Inc. | Payment processing (Merchant of Record) | United States | | OpenAI, L.L.C. | AI content generation | United States | | Anthropic, PBC | AI content generation | United States | | Google LLC | AI content generation and authentication | United States | | xAI Corp. | AI content generation | United States | | Mistral AI | AI content generation | France | | fal.ai, Inc. | AI image generation | United States |

Public Content. Tap pages, creator usernames, and AI-generated results are publicly accessible by design (unless the creator has configured restricted visibility). If you are a creator, your username and tap titles are visible to anyone. Generated results may appear in the public feed on the tap page and at their own permalinks.

Legal Requirements. We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Lumman Ltd, our users, or others.

Business Transfers. In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.

5. Data Retention

| Data Type | Retention Period | |-----------|-----------------| | Creator account data | Until account deletion, plus up to 30 days for backup removal | | Tap content and configuration | Until deleted by creator or account deletion | | AI-generated results (text) | Until deleted by creator, or until the parent tap is deleted | | AI-generated results (images) | Until deleted by creator, or until the parent tap is deleted | | Visitor-uploaded images | Processed in real time; not stored after generation completes | | Subscription and billing identifiers | Until account deletion, plus as required by tax and accounting laws (up to 7 years) | | Usage analytics (events) | 24 months from creation, then automatically deleted | | Hashed IP addresses | 24 months from creation, then automatically deleted | | Authentication logs | 12 months | | Server logs | 90 days |

After the retention period, data is permanently deleted or irreversibly anonymised.

6. International Data Transfers

Our Service infrastructure and sub-processors are located in the United States, France, and the European Economic Area. When personal data is transferred from the United Kingdom or EEA to third countries, we rely on:

  • UK-US Data Bridge and EU-US Data Privacy Framework for providers that are certified participants.
  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office and the European Commission, supplemented by transfer impact assessments where required.
  • EU adequacy decisions where applicable (e.g., transfers within the EEA).

You may request a copy of the relevant transfer safeguards by contacting all@lumman.ai.

7. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - request correction of inaccurate or incomplete data.
  • Erasure - request deletion of your personal data where there is no compelling reason for its continued processing.
  • Restriction - request that we restrict processing in certain circumstances.
  • Portability - receive your personal data in a structured, commonly used, machine-readable format.
  • Objection - object to processing based on legitimate interests.
  • Withdraw consent - where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

For creators: You can access, edit, and delete your taps and account through the dashboard. To delete your account entirely, contact us at all@lumman.ai. If you have an active subscription, you must cancel it separately through the billing settings or Polar customer portal.

For visitors: You can request access to or deletion of any data associated with your usage by contacting all@lumman.ai. Since we store only hashed IP addresses, we may ask you to provide additional information to verify your identity and locate your data.

To exercise any of these rights, contact us at all@lumman.ai. We will respond within one month, as required by law. In complex cases, we may extend this by a further two months, with notice.

If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

8. Cookies

We use only strictly necessary cookies to operate the Service:

| Cookie | Purpose | Duration | Type | |--------|---------|----------|------| | Authentication session | Maintains your login session | Session / 7 days | Strictly necessary | | CSRF token | Protects against cross-site request forgery | Session | Strictly necessary |

We do not use analytics cookies, advertising cookies, or third-party tracking technologies. Because we use only strictly necessary cookies, consent is not required under PECR (Privacy and Electronic Communications Regulations).

If we introduce optional cookies in the future, we will update this policy and implement a consent mechanism before deploying them.

9. Children's Privacy

The Service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

If you believe a child under 16 has provided us with personal data, please contact us at all@lumman.ai.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit (TLS) and at rest.
  • Access controls and authentication for all administrative systems.
  • Row-level security policies on our database to enforce data isolation.
  • Hashing of visitor IP addresses - we never store raw IP addresses.
  • Regular review of security practices and sub-processor security posture.

No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last Updated" date. For creators with accounts, we will also send a notice via email for significant changes.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

12. Contact Us

For any questions about this Privacy Policy or to exercise your data protection rights:

Lumman Ltd 86-90 Paul Street London, EC2A 4NE United Kingdom

Email: all@lumman.ai