Privacy Policy

Last updated: April 2026

Who we are

TapTo is an open-source voting tool operated as a personal project. For general inquiries, email hi@tapto.vote. For privacy and data requests, email privacy@tapto.vote.

What data we collect

Visitor cookie

When you vote, we set an HTTP-only cookie (tapto_visitor) containing a random token. This prevents duplicate voting. The cookie expires after 1 year. No personal information is stored in the cookie.

Browser fingerprint

We generate a hash from your canvas rendering, screen resolution, and timezone. This hash is used solely to detect duplicate votes across different browsers. We do not use it to track you across websites.

IP address

Your IP address is used temporarily for rate limiting (preventing automated abuse). It is stored in a cache that expires automatically after 2 minutes. We do not log or retain IP addresses.

HTTP Referer

When you vote, we record the referring URL to help poll creators understand where their votes come from (e.g., X, email, direct link).

Poll content

Questions, options, and vote counts are stored to provide the voting service. Poll creators can export results as CSV.

Local storage

If you create a poll and choose "Save to this browser," we store your management link in your browser's localStorage. This data never leaves your device.

What we do NOT collect

We do not collect your name, email address, phone number, payment information, precise location, or any other personally identifiable information.

Why we collect data

• Visitor cookie + fingerprint: Prevent duplicate and fraudulent voting
• IP address: Rate limiting to prevent automated abuse
• Referer: Help poll creators understand traffic sources
• Poll content: Core product functionality

Third-party services

We use Cloudflare Turnstile for bot detection when suspicious activity is detected. Turnstile may collect browser information to verify you are human. See Cloudflare's Privacy Policy.

Our infrastructure runs on Cloudflare Workers, Pages, D1, and KV. Data is stored in Cloudflare's European region (WEUR).

Data retention

Personal data (fingerprints, referer, visitor identity) is retained for 90 days after a poll ends, then deleted. Aggregated, anonymized results (total vote counts per option) may be retained indefinitely.

Your rights

You have the right to:

• Request access to data associated with your visitor token
• Request deletion of your data
• Clear your cookie and localStorage at any time via browser settings

To exercise these rights, email us at privacy@tapto.vote.

Children's privacy

TapTo is not directed at children under 13. We do not knowingly collect data from children.

Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated date.