Privacy Policy
Effective date: May 24, 2026
1. Who we are
Tapshop ("we", "us") is a mobile-first commerce platform that lets small sellers in Cambodia turn their Facebook and TikTok posts into online shops. Our service is available at www.tapshopkh.com.
2. Data we collect
- Account information — email address, Telegram ID, name, and profile photo when you sign in.
- Shop profile — username, display name, city, phone number, delivery address, slogan, logo, and Bakong account ID (required for KHQR payments).
- Social tokens — Facebook and TikTok OAuth access tokens stored encrypted in our database, used solely to read your own posts on your behalf.
- Products — product names, descriptions, prices, images, and inventory you create or import.
- Orders — buyer name, phone number, delivery address, quantities, and payment method chosen at checkout.
- Usage data — standard server logs (IP address, browser type, pages visited) retained for up to 90 days.
3. How we use your data
- To operate your shop and process buyer orders.
- To send you one-time sign-in codes via email (Brevo).
- To generate product descriptions using AI (Anthropic Claude) from your social media post captions — captions are sent to Anthropic's API and not stored beyond the generation request.
- To calculate delivery quotes and dispatch couriers via Lalamove.
- To display real-time order notifications in your dashboard.
- To comply with legal obligations.
We do not sell your personal data to third parties, use it for advertising, or share it with anyone except the processors listed below.
4. Third-party processors
| Processor | Purpose |
|---|---|
| Supabase (US) | Database, authentication, file storage |
| Anthropic (US) | AI product description generation |
| Brevo (EU) | Transactional email (OTP codes) |
| Lalamove (KH) | Delivery quotes and dispatch |
| Telegram (Dubai) | Seller and buyer authentication widget |
| Meta / Facebook (US) | Reading seller's Page posts via Graph API |
| TikTok (Singapore) | Reading seller's videos via Display API |
| Vercel (US) | Hosting and edge network |
5. Cookies and local storage
We use two first-party cookies:
NEXT_LOCALE— your language preference (English or Khmer). Expires in 1 year.tapshop_currency— your currency display preference (KHR or USD). Expires in 1 year.
Supabase Auth stores your session in an HTTP-only cookie. We do not use any third-party tracking or advertising cookies.
6. Data retention
Your account data is kept as long as your account is active. You may request deletion at any time (see Section 8). Order records are retained for 5 years to comply with Cambodian commercial regulations. Server logs are deleted after 90 days.
7. Security
All data is transmitted over HTTPS. Social OAuth tokens are stored in a server-side database with Row Level Security — they are never exposed to the browser. Payments are processed via KHQR (National Bank of Cambodia standard) — we do not store card numbers.
8. Your rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your account and associated data.
- Disconnect your Facebook or TikTok account at any time from Dashboard → Settings.
To exercise these rights, email us at privacy@tapshopkh.com.
9. Children
Tapshop is not directed at children under 13. We do not knowingly collect data from minors.
10. Changes to this policy
We may update this policy from time to time. When we do, we will update the effective date above and notify active sellers via email.
11. Contact
Questions? Email privacy@tapshopkh.com or write to us at: Tapshop, Phnom Penh, Cambodia.