Privacy Policy
Last updated: March 10, 2026
1. Introduction
LëtzTap Payment System S.àr.l-s ("we", "us", "our") operates the LëtzTap mobile application (iOS and Android) and the website letztap.lu (collectively, the "Service"). LëtzTap is a cashless point-of-sale (POS) system for events, enabling NFC card-based payments.
This Privacy Policy explains what personal data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable Luxembourg law. By using our Service, you acknowledge this Privacy Policy.
Data Controller:
LëtzTap Payment System S.àr.l-s
12, Rue de l'église
L-8467 Luxembourg
Email: info@letztap.lu
2. Data We Collect
2.1 Account Data (Event Staff & Organizers)
When you create an account or are invited to an organization, we collect:
- Email address
- First and last name
- Password (stored as a secure hash, never in plain text)
- Organization membership and role (admin, topup, purchase)
2.2 NFC Card Data
When an NFC card is scanned (by event staff or visitors), we process:
- Card UID: A unique hardware identifier of the NFC card. This is transmitted to our server and immediately converted to a SHA-256 hash. We only store the hash — never the original card identifier.
- Card Authentication Tag: An 8-byte HMAC value used solely to verify the card's authenticity. It is not stored after validation.
NFC cards do not contain any personal information. They function as anonymous prepaid tokens linked to a balance.
2.3 Transaction Data
For every payment or top-up, we record:
- Transaction type (top-up, purchase, card return)
- Payment method (NFC, cash, card, Payconiq)
- Amount (in cents)
- Products purchased (name, quantity, unit price)
- Deposit charges and returns
- Date and time
- Associated event and organization (for staff transactions: the staff member who processed it)
2.4 Payment Provider Data
When you pay by credit/debit card or Payconiq, the payment is processed by a third-party provider (see Section 5). We receive:
- A payment reference ID
- Payment status (pending, succeeded, failed)
- Amount
We do not receive or store your full credit card number, CVV, or bank account details. These are handled exclusively by the payment provider.
2.5 Device & Technical Data
Our mobile apps and website may automatically collect limited technical information:
- Device type and operating system version
- App version
- Crash reports and error logs (Android only, via Firebase Crashlytics)
- Basic app usage analytics (Android only, via Firebase Analytics)
- IP address (processed by our server for rate limiting; not stored long-term)
On iOS, we do not use any third-party analytics or crash reporting services.
2.6 Client Area (Visitors, No Account Required)
Event visitors can use the Client Area without creating an account. The only data processed is:
- NFC card UID (hashed) and authentication tag
- Top-up amount (if the visitor chooses to add funds)
No name, email, or other personal information is required or collected from visitors using the Client Area.
3. How We Use Your Data
We use the collected data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the POS service (transactions, top-ups, card management) | Performance of contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Processing payments via Stripe or Payconiq | Performance of contract (Art. 6(1)(b)) |
| Preventing fraud and ensuring payment security | Legitimate interest (Art. 6(1)(f)) |
| Crash reporting and bug fixing (Android) | Legitimate interest (Art. 6(1)(f)) |
| Rate limiting and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Anonymous website analytics (page views, visitor counts) | Legitimate interest (Art. 6(1)(f)) |
| Sending team invitation emails | Performance of contract (Art. 6(1)(b)) |
| Generating event statistics for organizers | Performance of contract (Art. 6(1)(b)) |
4. Permissions Used by the App
Our mobile apps request the following device permissions. All permissions are used solely for the stated purpose.
| Permission | Platform | Purpose | Required |
|---|---|---|---|
| NFC | iOS & Android | Reading and validating NFC payment cards | Yes (core feature) |
| Face ID / Touch ID / Biometrics | iOS & Android | Secure app login without re-entering password | No (password alternative available) |
| Bluetooth | iOS & Android | Connecting to Stripe card readers for card payments | No (Tap to Pay alternative available) |
| Internet | iOS & Android | Communicating with our backend servers | Yes |
| Location (approximate) | Android only | Required by Android OS for Bluetooth card reader scanning | Only if using Bluetooth readers |
| Vibration | Android only | Haptic feedback when scanning a card | No |
We do not request access to your camera, contacts, calendar, photos, microphone, or location (iOS).
5. Third-Party Services
We use the following third-party services to operate LëtzTap. Each provider processes data under its own privacy policy.
5.1 Stripe (Payment Processing)
Stripe processes credit/debit card payments, Tap to Pay transactions, and Bluetooth card reader payments. Stripe may collect device information for fraud prevention.
- Privacy Policy: stripe.com/privacy
- Data processed: Payment card tokens, transaction amounts, device metadata
- PCI-DSS Level 1 certified
5.2 Payconiq (QR Code Payments)
Payconiq processes QR code-based mobile payments, primarily used in Luxembourg and Belgium.
- Privacy Policy: payconiq.com/privacy-policy
- Data processed: Payment reference, amount, payment status
5.3 Firebase (Android Only)
On Android, we use Google Firebase for crash reporting (Crashlytics) and basic usage analytics.
- Privacy Policy: firebase.google.com/support/privacy
- Data collected: Crash logs (stack traces, device model, OS version), app session data, anonymized usage events
- No personally identifiable information is sent to Firebase
On iOS, we do not use Firebase or any other third-party analytics service.
5.4 Sunmi (Receipt Printing)
If an event uses Sunmi cloud printers for receipt printing, transaction data (products, amounts, event name) is transmitted to the Sunmi printer via cloud API.
5.5 Email (Invitations)
We use SMTP email to send team invitation links. Only the recipient's email address and an invitation token are included.
6. Data Storage & Security
6.1 Server Infrastructure
Our backend servers are hosted in the European Union. All data is stored in a PostgreSQL database with access restricted to authorized systems only.
6.2 Encryption in Transit
All communication between the apps and our servers is encrypted via HTTPS/TLS. Both our iOS and Android apps use certificate pinning in production to prevent man-in-the-middle attacks.
6.3 On-Device Security
- iOS: Authentication tokens are stored in the iOS Keychain with device-locked encryption (AfterFirstUnlockThisDeviceOnly). The app displays a privacy overlay when moved to the background and auto-locks after 5 minutes of inactivity.
- Android: Authentication tokens are stored in EncryptedSharedPreferences (AES-256-GCM encryption). The app prevents screenshots in production builds (FLAG_SECURE), excludes sensitive data from device backups, and auto-locks after inactivity.
6.4 Multi-Tenancy Isolation
Each organization's data is strictly isolated. API requests are automatically scoped to the authenticated user's organization. No data can be accessed across organizations.
6.5 NFC Card Security
- Card UIDs are stored only as SHA-256 hashes in our database
- HMAC-SHA256 is used to validate card authenticity on every transaction
- The organization master key used for HMAC never leaves the server
- Clients only see a masked card identifier (last 4 characters)
7. Data Retention
- Account data: Retained as long as your account is active. Upon account deletion, personal data is removed within 30 days.
- Transaction data: Retained for the duration required by applicable tax and accounting regulations (typically 10 years under Luxembourg law).
- NFC card data: Card session data is retained for the duration of the associated event and accounting requirements.
- Crash reports (Android): Automatically retained by Firebase for 90 days.
- Server logs: IP addresses in rate-limiting logs are not stored beyond the active session.
8. Data Sharing
We do not sell, rent, or trade your personal data to third parties.
We share data only in these cases:
- Payment providers (Stripe, Payconiq): To process your payments as described above.
- Event organizers: Organization admins can view transaction statistics, team member activity, and aggregated card data for their own organization only.
- Firebase (Android): Anonymized crash and analytics data.
- Legal obligations: If required by law, court order, or regulatory authority.
9. Your Rights Under GDPR
As a data subject in the European Union, you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Request correction of inaccurate data.
- Right to erasure (Art. 17): Request deletion of your data, subject to legal retention requirements.
- Right to restriction (Art. 18): Request restriction of processing in certain cases.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at info@letztap.lu. We will respond within 30 days.
You also have the right to lodge a complaint with the Luxembourg data protection authority: Commission Nationale pour la Protection des Données (CNPD).
10. Children's Privacy
The LëtzTap staff app (POS) is intended for use by event personnel aged 16 or older. We do not knowingly collect personal data from children under 16.
The Client Area (visitor self-service) does not require an account and does not collect any personal information. NFC cards are anonymous and can be used by visitors of any age under the supervision of the event organizer.
If you believe a child under 16 has provided personal data through our Service, please contact us and we will promptly delete it.
11. Cookies & Website Analytics
Our website at letztap.lu does not use tracking cookies, advertising cookies, or profiling cookies. We may use essential cookies strictly necessary for the website to function (e.g., session management).
11.1 Vercel Analytics
We use Vercel Analytics to collect anonymous, aggregated website usage data (e.g., page views, visitor counts, referrers). Vercel Analytics is designed to be privacy-friendly:
- No cookies: Vercel Analytics does not set any cookies on your device.
- No personal data: No IP addresses, device fingerprints, or personally identifiable information are collected or stored.
- No cross-site tracking: Visitors are not tracked across websites or sessions.
- Aggregated data only: All data is collected in aggregated form and cannot be used to identify individual visitors.
Because Vercel Analytics is cookieless and does not process personal data, no GDPR consent is required for its use. The legal basis is our legitimate interest in understanding website usage to improve our service (Art. 6(1)(f) GDPR).
For more information, see the Vercel Analytics Privacy Policy.
12. International Data Transfers
Your data is primarily stored and processed within the European Union. Some third-party services (Stripe, Firebase) may process data outside the EU. Where this occurs, it is covered by:
- EU Standard Contractual Clauses (SCCs)
- The provider's compliance with GDPR requirements
- Adequacy decisions where applicable
13. Data We Do Not Collect
To be transparent, here is what LëtzTap does not collect:
- Location data (GPS) — we do not track your location
- Camera or photo library access
- Contacts, calendar, or health data
- Advertising identifier (IDFA/GAID)
- Browsing history
- Biometric data — Face ID / fingerprint authentication is processed entirely on your device by the operating system; we never receive or store biometric data
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we will notify registered users via email.
15. Contact Us
If you have any questions about this Privacy Policy or your data, please contact us:
Email: info@letztap.lu
Website: letztap.lu
LëtzTap Payment System S.àr.l-s
12, Rue de l'église
L-8467 Luxembourg