Privacy Policy

WebOrbit LLC ("WebTap," "we," "us," or "our"), a Florida limited liability company based in Clearwater, Florida, operates the WebTap platform at webtap.me. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you access or use our services, including WebTap Business Cards, WebTap Realty, and WebTap Reviews (collectively, the "Services").

By using our Services, you agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, please do not use our Services.

1. Information We Collect

1.1 Personal Information You Provide

When you create an account or use our Services, we may collect:

• Account Information: Name, email address, password (stored as a bcrypt hash), phone number, and business name.
• Profile Information: Bio, profile photo, logo, banner images, social media URLs, website URLs, and professional details (e.g., brokerage name, license number for Realty users).
• Payment Information: Billing details processed through Stripe. We do not store your full credit card number, CVV, or bank account details on our servers — Stripe handles all payment data securely. We store only Stripe customer IDs and subscription IDs.
• Shipping Information: Mailing addresses for NFC card orders (name, street address, city, state, zip code, country).
• Business Data: Google Review URLs, Google Business Profile data (if connected), review thresholds, custom messaging, widget configurations, and competitor tracking information.
• Review Data: Customer reviews and ratings submitted through the WebTap Review platform, including the review text, star rating, reviewer IP hash, and timestamps.
• CRM Data (Realty users): Contact names, emails, phone numbers, pipeline stage, notes, tags, documents, and open house check-in information.
• NFC Card Data: Card identifiers, activation status, and association between cards and user accounts.
• Communications: Messages you send through our platform, including emails and SMS messages sent via the Realty CRM.

1.2 Information Collected Automatically

When you use our Services, we automatically collect:

• Usage Data: Pages visited, features used, request paths, HTTP methods, timestamps, and interaction patterns.
• Device Information: Browser type, operating system, screen resolution, and device identifiers.
• IP Address: Your IP address, which may be used for analytics, security, and fraud prevention. For review submissions, we store a one-way hash of your IP address (not the IP itself) to prevent duplicate reviews.
• Cookies & Local Storage: Session identifiers, authentication tokens, and preference settings. See our Cookie Policy for details.
• NFC Tap Analytics: When someone taps an NFC card linked to your account, we record the tap event (timestamp, card ID) for analytics purposes.

1.3 Information from Third Parties

• Google Business Profile: If you connect your Google Business Profile to WebTap Reviews, we access your business reviews, ratings, business name, and business type through the Google API. This data is used solely to display reviews in your dashboard and enable AI-powered review management features.
• Stripe: Payment confirmation, subscription status, and customer identifiers.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery & Operations

• Creating and managing your account across our platforms (Business Cards, Realty, Reviews).
• Processing NFC card orders, managing shipping, and tracking fulfillment.
• Displaying your digital business card, real estate profile, or review page to visitors.
• Processing payments and managing subscriptions (including Review+ Pro at $20/month).
• Managing your CRM contacts, pipeline, and communications (Realty).
• Routing customer reviews based on your configured star threshold.
• Generating QR codes for your review and profile pages.

2.2 AI-Powered Features

• Review Reply Generation: We use OpenAI's API to generate suggested replies to Google reviews. Your review content and business context are sent to OpenAI for this purpose.
• Sentiment Analysis: Reviews may be analyzed using AI to determine sentiment and categorize feedback.
• Marketing Content Generation: AI may be used to generate social media posts, promotional content, and review-based marketing materials (Review+ Pro feature).
• Competitor Analysis: AI-powered insights about competitors based on publicly available review data.

2.3 Analytics & Improvements

• Tracking card tap analytics, page views, and feature usage to improve our Services.
• Analyzing platform performance and identifying areas for improvement.
• Generating aggregate, anonymized statistics about platform usage.

2.4 Communications

• Sending transactional emails (account verification, password resets, order confirmations).
• Weekly digest emails for Review platform users (configurable).
• Marketing emails and SMS messages only with your explicit opt-in consent.
• Service announcements and policy updates.

2.5 Security & Legal

• Detecting and preventing fraud, abuse, and unauthorized access.
• Complying with legal obligations and responding to lawful requests.
• Enforcing our Terms of Service and protecting our rights.

3. Information Sharing & Third-Party Services

We do not sell your personal information. We share information only with the following categories of service providers, strictly as necessary to operate our Services:

3.1 Payment Processing

• Stripe (stripe.com) — Processes all payments, subscriptions, and billing. Stripe receives your payment card details directly; we never store them. Stripe's privacy policy: stripe.com/privacy

3.2 Cloud Infrastructure & Hosting

• Heroku (Salesforce) — Hosts our application servers. Data is stored in Heroku's US data centers.
• MongoDB Atlas — Hosts our database infrastructure. Data is stored with encryption at rest and in transit.

3.3 Media Storage

• Cloudinary (cloudinary.com) — Stores and serves user-uploaded images (profile photos, logos, banners, listing photos, documents). Images are served via Cloudinary's CDN.

3.4 Email & Communications

• SendGrid (Twilio) — Sends transactional and marketing emails on our behalf.
• Twilio (twilio.com) — Sends SMS messages for the Realty CRM platform. Used only when you explicitly send an SMS to a contact.

3.5 AI Services

• OpenAI (openai.com) — Provides AI-powered features including review reply generation, sentiment analysis, marketing content creation, and competitor insights. We send only the minimum data necessary (review text, business context) and do not send personally identifiable information of reviewers.

3.6 Google APIs

• Google Business Profile API — Used to fetch and display your Google reviews. Access is granted through OAuth and can be revoked at any time from your Google account settings.
• Google Maps API — May be used to display maps for real estate listings and business locations.

3.7 Other Disclosures

We may also disclose your information:

• To comply with applicable laws, regulations, legal processes, or governmental requests.
• To enforce our Terms of Service or protect the rights, property, or safety of WebTap, our users, or others.
• In connection with a merger, acquisition, or sale of assets (you will be notified of any change in ownership).
• With your explicit consent for any purpose not listed here.

4. Cookies & Tracking Technologies

We use cookies and similar technologies to maintain your session, remember your preferences, and improve our Services. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

Key cookie categories include:

• Essential Cookies: Required for authentication, session management, and core functionality.
• Preference Cookies: Remember your settings (theme, layout preferences, cookie consent choice).
• Analytics Cookies: Help us understand how you use our Services to improve them.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide our Services. Specifically:

• Account Data: Retained for the lifetime of your account. Upon account deletion, your data is permanently removed within 30 days.
• Review Data: Retained for as long as your Review account is active. Aggregate, anonymized review statistics may be retained indefinitely.
• NFC Card Analytics: Tap event data is retained for up to 24 months.
• CRM Data (Realty): Contact and communication records are retained for the lifetime of your Realtor account.
• Payment Records: Transaction records are retained for 7 years for tax and legal compliance.
• Server Logs: Application logs containing IP addresses and usage data are retained for up to 90 days.
• Deleted Accounts: When you request account deletion, we mark your account for deletion and permanently remove all associated data within 30 days, except where retention is required by law.

6. Security Measures

We implement industry-standard security measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and our servers uses TLS/SSL encryption (HTTPS).
• Encryption at Rest: Database data is encrypted at rest using MongoDB Atlas's built-in encryption.
• Password Security: Passwords are hashed using bcrypt with a cost factor of 10. We never store plaintext passwords.
• Payment Security: All payment processing is handled by Stripe, a PCI DSS Level 1 certified processor. Card details never touch our servers.
• Access Controls: Application access is controlled through session-based authentication with role-based authorization.
• IP Hashing: Review submission IPs are stored as irreversible hashes, not as raw IP addresses.
• Secure Image Handling: Uploaded images are processed through Cloudinary with automatic malware scanning.

While we strive to protect your information, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us immediately at support@webtap.me.

7. Your Rights & Choices

You have the following rights regarding your personal information:

• Access: You can access your personal data through your account dashboard at any time.
• Correction: You can update or correct your profile information through your account settings.
• Deletion: You can request deletion of your account and all associated data through the "Request Account Deletion" feature in your account settings, or by emailing support@webtap.me. Deletion is processed within 30 days.
• Data Portability: You can request a copy of your data in a structured, machine-readable format by emailing support@webtap.me.
• Opt-Out of Marketing: You can opt out of marketing emails and SMS at any time by updating your consent preferences in your account settings or by contacting us. Transactional emails (password resets, order confirmations) are not affected.
• Revoke Google Access: If you connected your Google Business Profile, you can revoke access at any time from your Google account settings or from the WebTap Review dashboard.
• Cookie Preferences: You can manage your cookie preferences through the cookie consent banner or your browser settings. See our Cookie Policy for details.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention).
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary to provide our Services.

To exercise your CCPA rights, please email us at support@webtap.me with the subject line "CCPA Request" or use the account deletion feature in your dashboard. We will verify your identity before processing your request and respond within 45 days.

Categories of Personal Information Collected (past 12 months):

• Identifiers (name, email, phone, IP address hash)
• Commercial information (purchase history, subscription records)
• Internet/electronic network activity (usage data, browsing history on our platform)
• Professional/employment information (brokerage, license number — Realty users only)
• Geolocation data (derived from IP address, shipping address)

9. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights:

9.1 Legal Basis for Processing

We process your data under the following legal bases:

• Contract Performance: Processing necessary to provide our Services (account creation, order fulfillment, subscription management).
• Legitimate Interests: Analytics, fraud prevention, and service improvement, balanced against your privacy rights.
• Consent: Marketing communications and non-essential cookies, which you can withdraw at any time.
• Legal Obligation: Where we are required to retain data by law (e.g., financial records).

9.2 Your GDPR Rights

• Right of Access: Request a copy of all personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
• Right to Restrict Processing: Request that we limit how we use your data.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any GDPR rights, email us at support@webtap.me with "GDPR Request" in the subject line. We will respond within 30 days. If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority.

9.3 International Data Transfers

Our Services are hosted in the United States. If you access our Services from the EEA, UK, or other regions with data protection laws, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and our service providers' certifications where applicable to ensure adequate data protection for international transfers.

10. Children's Privacy

Our Services are not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at support@webtap.me, and we will promptly delete such information.

If we become aware that we have collected personal information from a child under the applicable age limit, we will take immediate steps to delete that information.

11. International Data Transfers

WebTap is operated from the United States. Your information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence.

By using our Services, you consent to the transfer of your information to the United States and other jurisdictions. We take steps to ensure that your data receives adequate protection in accordance with this Privacy Policy, regardless of where it is processed.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the "Last Updated" date at the top of this page.
• We will notify you via email or an in-app notification for significant changes.
• We may ask you to re-accept the updated terms for material changes that affect how we use your data.

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For CCPA requests, include "CCPA Request" in the subject line.
For GDPR requests, include "GDPR Request" in the subject line.
We aim to respond to all privacy-related inquiries within 30 days.