tayp
  • How it works
  • FAQ
  • About us
  • Partnerships
Get in touch
Legal

Privacy Policy

Last updated: June 16th 2026
English Deutsch
Table of contents
  1. Introduction
  2. Data processing in the app
  3. Changes to this privacy policy
  4. Questions and comments
  5. Global Privacy Addendum (Non-EEA Jurisdictions)

At tayp, we believe that privacy should not be treated as an optional feature. Instead, it should be considered a core design principle from the very beginning. We believe that users should be able to access important health and prevention-related tools without being required to disclose more personal information than is necessary. Wherever possible, we seek to reduce the amount of information that is collected, processed, and stored.

Our vision is built around the principle of data minimization. This means that we continuously ask a simple question before implementing any feature: Is this information truly necessary for the functionality we want to provide? If the answer is no, we prefer not to collect it at all. The best way to protect personal information is often not to store it in the first place.

For this reason, tayp has been designed without traditional user registration. We do not require users to create an account with an email address, provide a phone number, or build a public profile in order to use the core functionality of the app. By removing these requirements, we aim to reduce the amount of personally identifiable information associated with app usage and to provide users with a greater degree of autonomy and control.

We recognize that the topics addressed through tayp can be highly personal. Individuals should be able to access prevention resources, testing information, and communication tools without feeling that they must first surrender sensitive personal information. Privacy helps create trust, and trust is essential for effective public health and prevention efforts. People are more likely to use tools that protect their confidentiality and respect their personal boundaries.

Privacy is not only about protecting data from unauthorized access. It is also about limiting unnecessary data collection, reducing digital footprints, and ensuring that users understand how information is processed. Transparency is therefore an important part of our approach. We believe users should be able to understand what information is processed, why it is processed, and what rights they have regarding that information.

At the same time, privacy must be balanced with functionality and security. Certain technical information is necessary to operate a mobile application, protect it against abuse, maintain stability, and provide its services. Whenever such processing is required, we aim to limit it to what is necessary for the specific purpose and to implement appropriate safeguards to protect user information.

1. Introduction

In the following, we provide information about the collection of personal data when using our mobile app (hereinafter only "App").

Personal data is any data that can be related to a specific natural person, such as their name or IP address.

1.1 Contact details

The controller within the meaning of Art. 4 (7) EU General Data Protection Regulation (GDPR) is tayp Germany UG (haftungsbeschränkt), Kolonnenstraße 8, Berlin, Germany, email: support@tayp-app.com. We are legally represented by Adrian Reyes von Schönfeld, Paula-Charlotte Möllendorf.

Our data protection officer can be reached via heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.

1.2 Scope of data processing, processing purposes and legal bases

We detail the scope of data processing, processing purposes and legal bases below. In principle, the following come into consideration as the legal basis for data processing:

  • Art. 6 para. 1 s. 1 lit. a GDPR serves as our legal basis for processing operations for which we obtain consent.
  • Art. 6 para. 1 s. 1 lit. b GDPR is the legal basis insofar as the processing of personal data is necessary for the performance of a contract, e.g. if a user purchases a product from us or we perform a service for them. This legal basis also applies to processing that is necessary for pre-contractual measures, such as in the case of inquiries about our products or services.
  • Art. 6 para. 1 s. 1 lit. c GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case, for example, in tax law.
  • Art. 6 para. 1 s. 1 lit. f GDPR serves as the legal basis when we can rely on legitimate interests to process personal data, e.g. for functions that are necessary for the technical operation of our app.
  • Art. 9 para. 2 lit. a GDPR serves as our legal basis for the processing of special categories of personal data (health data), provided that the user has given their explicit consent. This applies to the processing within the scope of the user-initiated testing recommendations, where the user selects self-declared health-related categories.

1.3 Data processing outside the EEA

Insofar as we transfer data to service providers or other third parties outside the EEA, the security of the data during the transfer is guaranteed by adequacy decisions of the EU Commission, insofar as they exist (e.g. for Great Britain, Canada and Israel) (Art. 45 para. 3 GDPR).

In the case of data transfer to service providers in the USA, the legal basis for the data transfer is an adequacy decision of the EU Commission if the service provider has also certified itself under the EU-US Data Privacy Framework.

In other cases (e.g. if no adequacy decision exists), the legal basis for the data transfer is usually, i.e. unless we indicate otherwise, standard contractual clauses. These are a set of rules adopted by the EU Commission and are part of the contract with the respective third party. According to Art. 46 para. 2 lit. b GDPR, they ensure the security of the data transfer. Many of the providers have given contractual guarantees that go beyond the standard contractual clauses to protect the data. These include, for example, guarantees regarding the encryption of data or regarding an obligation on the part of the third party to notify data subjects if law enforcement agencies wish to access the respective data.

1.4 Storage duration

Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and no legal obligations to retain data conflict with the deletion. If the data are not deleted because they are required for other and legally permissible purposes, their processing is restricted, i.e. the data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

1.5 Rights of data subjects

Data subjects have the following rights against us with regard to their personal data:

  • Right of access,
  • Right to rectification or erasure,
  • Right to limit processing,
  • Right to object to the processing,
  • Right to data transferability,
  • Right to revoke a given consent at any time.

Data subjects also have the right to complain to a data protection supervisory authority about the processing of their personal data. Contact details of the data protection supervisory authorities are available at bfdi.bund.de.

1.6 Obligation to provide data

Within the scope of the business or other relationship, customers, prospective customers or third parties need to provide us with personal data that is necessary for the establishment, execution and termination of a business or other relationship or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or to provide a service or will no longer be able to perform an existing contract or other relationship.

Mandatory data are marked as such.

1.7 No automatic decision making in individual cases

As a matter of principle, we do not use a fully automated decision-making process in accordance with Article 22 GDPR to establish and implement the business or other relationship. Should we use these procedures in individual cases, we will inform of this separately if this is required by law.

1.8 Making contact

When contacting us, e.g. by email or telephone, the data provided to us (e.g. names and email addresses) will be stored by us in order to answer questions. The legal basis for the processing is our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) to answer inquiries directed to us. We delete the data accruing in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations.

2. Data processing in the app

2.1 Downloading the app

Our app is available for download in the Apple App Store and the Google Play Store (hereinafter referred to as the 'Stores'). When users download the app, the necessary information is transmitted to the stores, i.e. in particular username, email address and customer number of the account, time of download, payment information and the individual device identification number. We have no influence on this data collection and are not responsible for it. We process the data only insofar as it is necessary for downloading the mobile app to the user's mobile device.

2.2 Hosting

Our app is hosted by Firebase (Google Cloud). The provider thereby processes the personal data transmitted via the app, e.g. on content, usage, meta/communication data or contact data. It is our legitimate interest to provide an app, so that the legal basis of the data processing is Art. 6 para. 1 s. 1 lit. f GDPR.

2.3 Informative use of our app

When users use our app, we collect the data that is technically necessary for us to offer users the functions of our app and to ensure stability and security. This is our legitimate interest, so that the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.

The data processed to this extent are:

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (specific interface accessed)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Operating system and its interface
  • Language and version of the operating system

2.4 Access to functions or data

The app requests the user's access to functions of the end device or to data of the device in order to be able to execute functions of the app. By allowing access, the user gives consent to the associated data processing, so that the legal basis is Art. 6 para. 1 s. 1 lit. a GDPR. Users can revoke their consent at any time by terminating access in the settings of their end device. The revocation does not affect the lawfulness of the processing until the revocation.

The data processed or access functions used in this respect are:

  • Camera, Sensors
  • Bluetooth, Push-Notifications.

The app requests access to the camera (to scan QR codes) and Bluetooth. These access permissions are used exclusively for the purpose of establishing a local connection between the end devices of users in order to establish a User-Initiated Pairing. By allowing access, the user gives consent. No health-related data or communication contents are transmitted over these local interfaces.

2.5 Data processing for the provision of functions

In the app, we process data in order to provide the user with functions of the app. The legal basis for the processing is the usage agreement concluded with the user via the app.

The data processed to this extent are:

  • Other identifiers besides UUID
  • Data entered into the app by the user
  • Universally Unique Identifier (UUID) of the device

2.6 Purchase of products or services

We offer users the ability to purchase goods or services via our app. In the ordering process or shipping, we involve the following service providers, who receive only the personal data required in each case to provide a service. The processing of the data takes place for the performance of the contract concluded with the respective user (Art. 6 para. 1 s. 1 lit. b GDPR).

2.7 Third-party tools

2.7.1 Shopify

We use Shopify to maintain an online store. The provider is Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. The provider processes master data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), meta/communication data (e.g. device information, IP addresses) in the EU.

The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest to make our products easily accessible to interested parties.

The data will be deleted when the purpose for which it was collected no longer applies and there is no obligation to retain it. Further information is available in the provider's privacy policy at shopify.com/legal/privacy.

2.7.2 Firebase Cloud Messaging

We use Firebase Cloud Messaging to communicate with users. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes meta/communication data (e.g. device information, IP addresses), usage data (e.g. app usage data, interest in content, access times) in the EU.

The legal basis for the processing is Art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent. Data subjects may revoke their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing until the revocation.

The data will be deleted when the purpose for which it was collected no longer applies and there is no obligation to retain it. Further information is available in the provider's privacy policy at firebase.google.com/support/privacy.

2.7.3 Firebase App Check

We use Firebase App Check to protect the app against misuse and unauthorized access, to track errors in the app. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, D04e5w5, Ireland. The provider processes usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses) in the EU.

The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest in adequately monitoring the functionality of our applications.

The data will be deleted when the purpose for which it was collected no longer applies and there is no obligation to retain it. Further information is available in the provider's privacy policy at policies.google.com/privacy.

2.7.4 Firebase Crashlytics

We use Firebase Crashlytics to analyze errors and improve app stability, to track errors in the app. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, Ireland. The provider processes usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses) in the EU.

The legal basis for the processing is Art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent. Data subjects may revoke their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing until the revocation.

The data will be deleted when the purpose for which it was collected no longer applies and there is no obligation to retain it. Further information is available in the provider's privacy policy at policies.google.com/privacy.

2.7.5 Firebase Authentication

We use Firebase Authentication to manage authentications. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, D04e5w5, Ireland. The provider processes meta/communication data (e.g. device information, IP addresses), contact data (e.g. email addresses, telephone numbers) in the USA.

The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest in sufficiently authenticating users of our applications.

The legal basis for the transfer to a country outside the EEA is an adequacy decision. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed because the EU Commission has decided as part of an adequacy decision in accordance with Art. 45 para. 3 GDPR that the third country ensures an adequate level of protection.

The data will be deleted when the purpose for which it was collected no longer applies and there is no obligation to retain it. Further information is available in the provider's privacy policy at policies.google.com/privacy.

2.7.6 heyData

We have integrated a data protection seal in our app. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. The provider processes meta/communication data (e.g. IP addresses) in the EU.

The legal basis of the processing is Art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest in providing users of the app with confirmation of our data privacy compliance. At the same time, the provider has a legitimate interest in ensuring that only customers with existing contracts use its seals, which is why a mere image copy of the certificate is not a viable alternative as confirmation.

As the data is masked after collection, there is no possibility to identify website visitors. Further information is available in the privacy policy of the provider at heydata.eu/en/privacy-policy.

3. Changes to this privacy policy

We reserve the right to change this privacy policy with effect for the future. A current version is always available here.

4. Questions and comments

If you have any questions or comments regarding this privacy policy, please feel free to contact us using the contact information provided above.

5. Global Privacy Addendum (Non-EEA Jurisdictions)

This Addendum is intended to supplement, and must be read in conjunction with, the main Privacy Policy. In the event of any direct contradiction or inconsistency between the provisions of this Addendum and the main Privacy Policy regarding data processing activities within the European Economic Area (EEA), the provisions of the main Privacy Policy shall prevail. For users outside the EEA, the provisions of this Addendum shall apply to the extent necessary to comply with applicable local data protection laws (including the CPRA and India's DPDP Act 2023), without otherwise invalidating the core privacy obligations established in the main Privacy Policy.

Alignment with Privacy Principles

This Addendum implements the same privacy-by-design and data minimization principles described in the main Privacy Policy. All processing of personal data, including sensitive personal data, is strictly limited to what is necessary to provide user-initiated functionality, maintain system security, and ensure service integrity.

Wherever possible, we design our systems to avoid collecting or storing personal data. Where processing is required for functionality, it is limited in scope, purpose, and retention.

5.1 Scope

This Addendum applies to users located outside the European Economic Area and supplements the main Privacy Policy. It provides additional disclosures required under applicable non-EEA data protection laws, including the California Consumer Privacy Act (CPRA), and the India Digital Personal Data Protection Act 2023.

5.2 Data Controller Role

For users outside the EEA, tayp Germany UG (haftungsbeschränkt) acts as the data controller for the processing described in this Addendum, unless otherwise stated for specific third-party services acting as independent controllers.

5.3 Categories of Personal Data Processed

We process only the categories of personal data necessary to provide the app's functionality:

(A) Identifiers

  • Universally Unique Identifiers (UUIDs)
  • Firebase Authentication identifiers (including anonymous user identifiers generated by the authentication system)
  • Push notification tokens
  • Device-related identifiers where necessary for functionality

(B) Technical Information

  • IP address
  • Device type and operating system
  • App version and configuration data
  • Language and regional settings

(C) Usage and Security Data

  • App usage events necessary for functionality
  • Authentication and security logs
  • Crash logs and diagnostic information

(D) User-Provided Data

  • Information voluntarily entered into the app by users
  • User-initiated connection requests and interactions

(E) Connection Data

  • User-initiated Bluetooth pairing events
  • Connection timestamps and status
  • System-generated identifiers required to enable connections between users

(F) Health-Related Event Data (Sensitive Data)

  • Self-declared health-related categories provided by a user only when initiating a testing recommendation
  • Sender and recipient identifiers linked to such user-initiated events

This data is processed solely to enable the specific user-requested functionality and is not used for profiling, advertising, or marketing.

5.4 Data Lifecycle Description

Personal data is processed according to the following lifecycle:

  1. User-Initiated Pairing: A connection is created only when explicitly initiated and confirmed by both users.
  2. Event Creation: If a user chooses to send a testing recommendation, a system event is created linking sender and recipient identifiers and the selected health category.
  3. Notification Delivery: A notification is delivered to the intended recipient based on this event.
  4. Operational Storage: Data is retained only for as long as necessary to provide functionality, ensure security, prevent abuse, and maintain system integrity.
  5. Deletion and Effect: When a user deletes a connection, active system records are removed. Limited technical logs may remain where strictly necessary for security and integrity purposes and are not used for functional processing.

5.5 Purposes of Processing

We process personal data only for the following purposes:

  • Providing core app functionality, including user-initiated pairing
  • Enabling user-generated testing recommendation functionality
  • Delivering notifications between connected users
  • Maintaining security, fraud prevention, and abuse prevention
  • Ensuring technical functionality, stability, and reliability
  • Supporting access to third-party laboratory services where applicable

We do not use personal data for advertising, marketing, profiling, or sale.

5.6 Legal Bases for Processing

Depending on the jurisdiction, processing is based on:

  • User consent (including explicit consent where required for sensitive data)
  • Performance of a user-requested service
  • Legitimate interests (limited to security, fraud prevention, and system integrity)
  • Legal obligations where applicable

Where required by law, explicit consent is obtained prior to processing sensitive personal data.

5.7 Sensitive Personal Data Handling

Sensitive personal data is processed only where explicitly initiated by the user and only for the purpose of enabling the requested functionality.

Such data is strictly limited to:

  • generating and delivering testing recommendation notifications
  • ensuring system integrity and preventing misuse

Sensitive personal data is not:

  • sold or shared for advertising
  • used for profiling or behavioral analysis
  • used for cross-context behavioral advertising

Where required by applicable law, users are provided with controls to limit the use of sensitive personal data, except where such limitation would prevent core functionality.

5.8 Consent and Withdrawal

Where processing is based on consent, users may withdraw consent at any time. Withdrawal does not affect prior processing and may limit or disable certain features.

Consent mechanisms are designed to be as simple as providing consent.

5.9 User Rights (Non-EEA Jurisdictions)

Depending on applicable law, users may have rights to:

  • access personal data
  • request deletion of personal data
  • request correction of inaccurate data
  • obtain information about categories of data processed
  • object to certain processing activities
  • withdraw consent where applicable

Users in the United Kingdom may also contact the Information Commissioner's Office (ICO). Users may exercise their rights to access or request correction or deletion of data directly through the self-service controls provided within the app's settings. We do not maintain identifiable records (such as names or emails) linking user support requests to specific in-app data; therefore, manual processing of deletion requests via email is not technically feasible. If you require guidance or assistance on using our in-app privacy tools, you may contact support@tayp-app.com.

5.10 No Sale or Sharing of Personal Data

We do not sell personal data.

We do not share personal data for cross-context behavioral advertising or targeted advertising purposes.

5.11 Third-Party Services and Laboratory Providers

We use third-party service providers, including Firebase services, strictly for hosting, authentication, messaging, security, and system functionality.

Where users access third-party laboratory services:

  • those providers act as independent data controllers
  • users provide data directly to those providers
  • we do not receive test results or payment data from those providers

5.12 Data Retention

We retain personal data only for as long as necessary to provide the app's functionality and ensure security and system integrity.

Retention is determined based on strict necessity and is regularly reviewed to ensure data is not stored longer than required.

  • Connection data: retained until deleted by the user
  • Event data: retained only as long as necessary for functionality and security
  • Technical logs: retained for limited security and stability purposes

Data is deleted or irreversibly anonymized when no longer required.

5.13 International Data Transfers

Personal data may be processed outside the user's jurisdiction, including in the European Union and the United States.

Where required, appropriate safeguards are implemented, including contractual protections and technical security measures.

5.14 Security Measures

We implement appropriate technical and organizational measures, including:

  • encryption in transit
  • access controls and authentication safeguards
  • restricted access to sensitive data
  • abuse and fraud prevention systems
  • monitoring for security and system integrity

5.15 Children

The service is intended for users aged 18 years and older. We do not knowingly collect personal data from individuals under 18.

5.16 Changes to This Addendum

We may update this Addendum from time to time. Continued use of the app constitutes acceptance of the updated version.

5.17 California Privacy Rights (CPRA Supplement)

5.17.1 Notice at Collection

We collect the following categories of personal information:

  • Identifiers (UUIDs, device identifiers, authentication identifiers, push tokens)
  • Internet or network activity information (usage data, IP address, logs)
  • Device and technical information
  • User-generated content and inputs
  • Connection and interaction data
  • Sensitive personal information (health-related event data where applicable)

We retain these categories of information only for as long as necessary to provide core app functionality and maintain security, as detailed in Section 5.12.

We use this information solely to:

  • provide core app functionality
  • enable user-initiated pairing and notifications
  • maintain security and system integrity
  • ensure stability and performance

We do not sell or share personal information.

5.17.2 Sensitive Personal Information Limitation

Sensitive personal information is used only for:

  • enabling user-initiated testing recommendation functionality
  • delivering associated notifications
  • ensuring system security and preventing abuse

Sensitive personal information is not used for profiling, advertising, or cross-context behavioral advertising.

5.17.3 Consumer Rights

California residents have the right to:

  • know what personal information is collected and how it is used
  • request deletion of personal information
  • request correction of inaccurate information
  • request disclosure of categories and specific pieces of personal information
  • limit the use of sensitive personal information
  • opt out of sale or sharing (not applicable, as we do not sell or share)
  • non-discrimination for exercising privacy rights

5.17.4 Verification of Requests

We may require reasonable verification before responding to requests to protect user privacy and security.

5.17.5 Authorized Agents

California residents may designate an authorized agent to submit requests, subject to verification.

5.17.6 Do Not Sell or Share

We do not sell personal information.

We do not share personal information for cross-context behavioral advertising.

5.17.7 Retention Notice

Personal information is retained only as long as necessary to provide functionality, ensure security, and maintain system integrity, and is deleted or anonymized when no longer required.

5.18 India Data Protection (Digital Personal Data Protection Act 2023)

5.18.1 Applicability

This section applies to users located in India and supplements the Global Privacy Addendum. tayp Germany UG (haftungsbeschränkt), Kolonnenstraße 8, Berlin, Germany acts as the Data Fiduciary under applicable Indian law.

5.18.2 Notice and Consent

We provide notice of data processing at or before collection, including categories of data and purposes of use. Processing is based on user consent obtained at app download and at the point of specific feature use including pairing and sending notifications. Consent may be withdrawn at any time via in-app settings (such as by deleting your user profile). Because we do not link app usage to real-world identifiers like your name or email, data erasure must be initiated directly within the app. For guidance on how to navigate these settings or withdraw consent, users may contact support@tayp-app.com.

5.18.3 Data Collected

We process only data necessary to operate the service, including device and technical identifiers, authentication and security data, system logs required for stability and abuse prevention, user-generated inputs and actions, and user-selected health-related categories chosen from a predefined list when sending a testing recommendation.

5.18.4 Nature of Service

The service is a user-initiated communication tool. It does not provide medical advice, diagnosis, screening, or treatment. The system does not determine, verify, infer, or validate any medical or health condition. All health-related categories are selected by the user and transmitted without interpretation or modification.

5.18.5 Purpose of Processing

Personal data is processed only to provide core functionality, enable user-initiated pairing, deliver notifications including testing recommendations, maintain security, prevent abuse, and ensure system stability. Personal data is not used for advertising, profiling, or automated decision-making.

5.18.6 Rights

Users in India may request access, correction, or deletion of personal data and may withdraw consent at any time by contacting privacy@tayp-app.com.

5.18.7 Grievance

Users may contact privacy@tayp-app.com for any grievance relating to personal data processing.

5.18.8 Retention

Data is retained only as long as necessary for service provision. Connection and event data are deleted upon user request. Technical logs are retained only for security and system integrity.

5.18.9 Transfers

Data may be processed outside India, including in the European Union, with appropriate safeguards.

5.18.10 Security

We apply reasonable technical and organizational security measures including encryption, access controls, and abuse prevention systems.

5.18.11 Children

The service is intended for users aged 18 and older. We do not knowingly collect data from individuals under 18.

5.18.12 Changes

We may update this section from time to time. Continued use of the service constitutes acceptance of the updated version.

© tayp 2026. All rights reserved.
  • Privacy Policy
  • Terms & Conditions
  • Acceptable Use Policy
  • Imprint