Privacy Policy

Last updated: 2026-04-30

1. Data Controller

Lineri AB (trading as "Tack.") is the data controller responsible for personal data processed in connection with the Tack service. We are registered in Sweden. For any questions about this policy, email hello@tack.company.

2. Who this policy covers

Tack handles two distinct groups of people. We treat their data differently:

  • Merchants — account holders who sign up for Tack to run feedback and rewards at their business.
  • Customers — people who scan a Tack QR code at a merchant's location and submit feedback.

For customer data, the merchant is the joint controller of the email addresses they collect. We process that data on their behalf under a Data Processing Agreement (see /dpa).

3. Data we collect from merchants

  • Account data — name, email address, login credentials
  • Business data — business name, branding, feedback settings, offer/reward configuration
  • Billing-related data — handled by Paddle as Merchant of Record; we receive subscription status, plan, and invoice metadata only
  • Usage data — pages visited, features used, session duration
  • Device & technical data — IP address, browser type, device type

4. Data we collect from customers

  • Email address — required to deliver the discount code the customer requested
  • Star rating (1–5)
  • Optional comment
  • Scan timestamp
  • Truncated IP and device type — for rate-limiting and fraud prevention only

What we never collect from customers:

  • Names
  • Phone numbers
  • Cross-site tracking or browsing history
  • Purchase history or payment details

5. How we use merchant data

  • Account creation & authentication — to set up and secure your account
  • Service delivery — feedback collection, analytics, rewards, multi-location, staff access
  • Billing — coordinated with Paddle for subscription management and invoicing
  • Customer support — to respond to your inquiries
  • Product improvement — to understand usage patterns and improve the service
  • Security & fraud prevention — to protect the service and our users

6. How we use customer data

  • Send the one-time discount code — contract performance; necessary to deliver the reward the customer asked for.
  • Send a "We Miss You" nudge from the merchant if enabled — legitimate interest of the merchant, balanced with one-click unsubscribe in every email.
  • Anonymised aggregate analytics for the merchant — rating distributions, scan counts, no individual identification.

What we never do with customer data:

  • Sell it to anyone
  • Share it with other merchants
  • Use it for ad targeting
  • Enrich it with third-party data sources

7. Legal basis

We process personal data on the following bases:

  • Contract performance — providing the service and delivering rewards customers request
  • Legitimate interests — analytics, security, service improvement, retention nudges from the merchant
  • Consent — where applicable (e.g. optional analytics cookies)
  • Legal obligation — where required by law (tax records, etc.)

8. Sub-processors

We share data with the following Sub-processors, each under a written agreement and only for the purposes listed:

  • Supabase (EU region) — database hosting, authentication, file storage
  • Cloudflare Workers — edge runtime that serves the application
  • Paddle (Merchant of Record) — payments, subscription management, tax compliance, invoicing
  • Resend — transactional email delivery (welcome, rewards, nudges, trial reminders)
  • Lovable — application hosting platform
  • Plausible Analytics (EU-hosted) — privacy-first, cookieless website analytics. No personal data, no cross-site tracking.
  • Professional advisers — legal and accounting, where required
  • Authorities — where required by law

We commit to giving at least 30 days' notice of any material change to this list. The current list above is canonical; for the latest version email hello@tack.company.

9. International transfers

Customer data primarily stays in the EU via our Supabase EU region. Where any data is transferred outside the EEA, we ensure appropriate safeguards are in place — typically Standard Contractual Clauses or an adequacy decision under GDPR Chapter V.

10. Data retention

  • Merchant account data — kept for the lifetime of the account, deleted or anonymised within 30 days of account closure. Some billing records are retained by Paddle for up to 7 years to satisfy Swedish tax law.
  • Customer feedback rows (rating + comment) — 24 months from submission, then anonymised: the email is removed and the rating is kept solely for the merchant's aggregated metrics.
  • Customer email on the unsubscribe list — kept indefinitely as a suppression list, so we can honour the unsubscribe.
  • Logs and analytics events — 12 months.

11. Customer rights & how to exercise them

If you submitted feedback at a Tack-using business and want to exercise your rights, you can either:

  • Email us directly at hello@tack.company, or
  • Ask the merchant who collected your data — either route works.

We respond within 30 days. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY, imy.se) or your local supervisory authority.

12. Your rights as a merchant

Under applicable data protection law (including GDPR), you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure of your data
  • Restrict processing
  • Data portability
  • Object to processing
  • Withdraw consent at any time
  • Lodge a complaint with your local supervisory authority

We will respond to requests within one month.

You can exercise the access (export) and erasure (delete) rights yourself from Settings → Privacy & data. For the others, email hello@tack.company.

13. Security

We implement appropriate technical and organisational measures to protect data, including encryption in transit and at rest, Row-Level Security isolating each merchant's data, role-based access controls, automated backups with point-in-time recovery, and incident response procedures including 72-hour breach notification.

14. Cookies

Tack uses two categories of cookies:

  • Essential — authentication, security, and saved settings. Always on; the service won't work without them.
  • Analytics — anonymised usage data so we can improve the product. Optional.

EU/EEA visitors see a banner on first visit to choose. You can change your choice at any time in the page footer.

15. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes via email or in-app notification.

16. Contact

For privacy-related inquiries, contact us at hello@tack.company.