Last updated: 29 April 2026

Privacy Policy

1. Introduction

OneTap ("we", "our", or "us") provides AI-powered customer service automation software to businesses ("Clients"). This Privacy Policy explains how we collect, use, store, and protect personal data in connection with our platform and services.

OneTap operates as both a Data Controller — for data we collect about our Clients and their account users — and as a Data Processor — when we process personal data on behalf of our Clients about their end customers.

We are committed to complying with the EU General Data Protection Regulation (GDPR) and all applicable data protection laws.

2. Who We Are

OneTap — Registered in the Netherlands

Contact: privacy@onetap.ai

For questions about this policy or your data rights, please contact us at the email address above.

3. Data We Collect

3.1 Data from Clients (our direct customers)

When a business signs up and uses OneTap, we collect:

• Account information: company name, billing address, VAT number
• Contact details: name, email address, phone number of account holders and team members
• Payment information: processed securely via third-party payment providers
• Usage data: login activity, feature usage, API access logs

3.2 End Customer Data (processed on behalf of our Clients)

When our Clients use OneTap to automate their customer service, personal data about their end customers may be processed through our platform. This may include:

• Names and contact details submitted in support conversations
• Conversation history and chat transcripts
• Order or account references shared during support interactions
• Any other personal information voluntarily shared by end customers in conversations

In this context, our Client is the Data Controller and OneTap acts as the Data Processor. We process this data only on documented instruction from the Client and in accordance with a Data Processing Agreement (DPA).

4. Legal Basis for Processing

We process personal data on the following legal grounds under GDPR Article 6:

• Contract performance: to provide our services to Clients under our Terms of Service
• Legal obligation: to comply with applicable laws, including tax and accounting obligations
• Legitimate interests: to improve our platform, prevent fraud, and ensure security
• Consent: where required by law, for example for non-essential cookies

For end customer data processed on behalf of Clients, the legal basis is determined by each Client as the Data Controller.

5. Conversation Data & Retention

OneTap stores conversation data and chat transcripts processed through the platform. This data is:

• Stored securely on servers located within the European Economic Area (EEA)
• Retained for a maximum of 24 months from the date of the conversation, unless the Client requests earlier deletion or a different retention period is agreed upon in the DPA
• Used to provide the service, enable conversation history features, train and improve AI models only in anonymised or aggregated form unless the Client has explicitly consented otherwise
• Never sold to third parties

Clients may request deletion of their end customers' conversation data at any time by contacting us at privacy@onetap.ai.

6. How We Use Data

We use the data we collect to:

• Provide, operate, and maintain the OneTap platform
• Process payments and manage Client accounts
• Provide customer support to our Clients
• Send product updates, security alerts, and administrative communications
• Analyse usage patterns to improve platform performance and features
• Comply with legal obligations

We do not use end customer conversation data for marketing or advertising purposes.

7. Data Sharing & Sub-processors

We do not sell personal data. We may share data with the following categories of third parties:

• Cloud infrastructure providers: for hosting and data storage (EEA-based or with appropriate safeguards)
• AI model providers: for processing conversations through our automation engine, under strict data processing agreements
• Payment processors: for handling billing and transactions
• Analytics providers: for platform usage analytics, using anonymised data where possible

All sub-processors are bound by contractual obligations to protect personal data to a standard at least equivalent to our own. An up-to-date list of sub-processors is available on request.

We will not transfer personal data outside the EEA without ensuring appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Your Rights Under GDPR

If you are located in the EU/EEA, you have the following rights in relation to your personal data:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data, subject to legal obligations
• Right to restriction: request that we limit processing of your data in certain circumstances
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interests
• Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, please contact us at privacy@onetap.ai. We will respond within 30 days.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.

9. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include:

• Encryption of data in transit (TLS) and at rest
• Access controls and role-based permissions
• Regular security assessments and penetration testing
• Incident response procedures

In the event of a personal data breach that poses a risk to individuals, we will notify the relevant supervisory authority within 72 hours and affected parties without undue delay, in accordance with GDPR Article 33 and 34.

10. Data Processing Agreement

As a Data Processor for our Clients, we enter into a Data Processing Agreement (DPA) with each Client prior to processing their end customers' data. The DPA sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of both parties, in accordance with GDPR Article 28.

Clients who have not yet signed a DPA with OneTap should contact us at privacy@onetap.ai.

11. Cookies

Our website and platform use cookies and similar tracking technologies. We use:

• Essential cookies: required for the platform to function correctly
• Analytics cookies: to understand how users interact with our platform (anonymised where possible)

You can control cookie preferences through your browser settings or our cookie consent manager. Disabling essential cookies may affect platform functionality.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify Clients via email or a prominent notice on our platform at least 14 days before the changes take effect. The updated policy will always be available at our website.

13. Contact

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact:

We are committed to resolving any concerns promptly and transparently.