Privacy Policy

This Privacy Policy describes how Asymit Marketing LLC dba Tapzyn™ ("Tapzyn™," "we," "us," or "our") collects, uses, discloses, and safeguards information when you visit our website at www.tapzyn.com (the "Site") or use our AI-powered event check-in and management platform (the "Services"). By accessing or using our Site and Services, you agree to the terms of this Privacy Policy.

Tapzyn™ is a commercially sold Software-as-a-Service (SaaS) platform used by event organizers, businesses, schools, military programs, and other institutions ("Clients") to manage event attendance, guest check-in, and transportation logistics. We act as a data processor on behalf of our Clients, who are the data controllers for the personal information of their event attendees.

We use the information we collect for the following purposes:

• Providing, operating, and improving the Site and Services
• Authenticating users and maintaining secure sessions
• Sending transactional emails (QR code delivery, password resets, event confirmations)
• Responding to inquiries and providing customer support
• Sending promotional communications (you may opt out at any time)
• Analyzing usage trends to improve platform performance
• Generating event reports and analytics for Clients
• Complying with applicable legal obligations
• Protecting the rights, property, and safety of Tapzyn™, our Clients, and their attendees

We take the security of your personal information seriously and implement industry-standard technical and organizational measures to protect it, including:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security / HTTPS).
• Encryption at rest: Data stored in our database and file storage systems is encrypted at rest using AES-256 encryption provided by our cloud infrastructure (TiDB Cloud / AWS S3).
• Password security: User passwords are never stored in plaintext. All passwords are hashed using bcrypt with a salt factor of 10 before storage.
• Authentication tokens: Session tokens are signed using a secure JWT secret and stored as HTTP-only cookies to prevent client-side JavaScript access.
• Access controls: Role-based access control (RBAC) ensures that users can only access data within their authorized scope (organization, event, or role level).
• QR code data: Personal check-in QR codes are unique per attendee and stored in a private S3 bucket with non-enumerable keys.

While we implement these safeguards, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any known vulnerabilities.

The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, protects the privacy of student education records at institutions that receive federal funding. When Tapzyn™ is used by educational institutions — including schools, universities, JROTC programs, and other federally funded educational organizations — we operate as a school official with a legitimate educational interest under FERPA, acting as a service provider on behalf of the educational institution (the data controller).

Our FERPA commitments include:

• We use student education records only for the purposes for which the educational institution has engaged us (event check-in, attendance tracking, transportation management).
• We do not sell, share, or disclose student education records to third parties for commercial purposes without the written consent of the educational institution or eligible student.
• We maintain appropriate technical and organizational safeguards to protect student records from unauthorized access, disclosure, or destruction.
• We support educational institutions in fulfilling their FERPA obligations, including responding to requests for access, correction, or deletion of student records.
• Upon termination of a Client's account, student education records are deleted from our active systems within 90 days, unless a longer retention period is required by law.
• We do not retain student education records for longer than necessary to fulfill the purposes for which they were collected.

Educational institutions using Tapzyn™ remain responsible for ensuring that their use of the platform complies with FERPA, including obtaining any required consents and providing appropriate notices to students and parents.

We may share your information in the following circumstances:

• Service providers: We share data with trusted third-party vendors who assist in operating our platform, including cloud hosting (AWS), database services (TiDB), email delivery (Resend), payment processing (Stripe), and analytics. These providers are contractually obligated to protect your data and use it only for the services they provide to us.
• Client organizations: Event attendee data is accessible to the Client organization that collected it (event managers, org admins, and authorized attendants within that organization).
• Legal compliance: We may disclose information when required by law, regulation, legal process, or governmental request.
• Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership.
• Protection of rights: We may disclose information to protect the rights, property, or safety of Tapzyn™, our Clients, or others.

We do not sell your personal information to third parties.

We use cookies and similar technologies to operate and improve our Services:

• Authentication cookies: Secure, HTTP-only cookies that maintain your logged-in session. Login cookies last for 2 days; selecting "Remember Me" extends this to 14 days.
• Preference cookies: Store your display preferences (e.g., theme settings) for up to 1 year.
• Analytics: We may use anonymized analytics to understand how users interact with the platform. No personally identifiable information is shared with analytics providers.

You can configure your browser to refuse cookies, but some features of the platform may not function correctly without them.

We retain personal information for as long as necessary to provide our Services and fulfill the purposes described in this policy:

• Account data: Retained for the duration of the account and for up to 2 years after account closure for legal and audit purposes.
• Event and attendee records: Retained for the duration of the Client's subscription and deleted within 90 days of account termination, unless required by law.
• Student education records (FERPA): Deleted within 90 days of the educational institution's account termination.
• Payment records: Retained for 7 years as required by financial regulations.
• Server logs: Retained for up to 90 days for security and debugging purposes.

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request an export of your data in a machine-readable format.
• Opt-out of marketing: Unsubscribe from promotional emails at any time by clicking "Unsubscribe" in any marketing email, or by contacting us at [email protected]. You will continue to receive transactional emails related to your account.

Event attendees who wish to exercise their rights regarding data held by a specific Client organization should contact that organization directly. We will cooperate with Clients to fulfill such requests.

Tapzyn™ is a platform for event organizers and is not directed to children under the age of 13. We do not knowingly collect personal information directly from children under 13. When Clients use Tapzyn™ for events that include minors, the Client is responsible for obtaining any required parental consents and for complying with applicable laws, including COPPA (Children's Online Privacy Protection Act) and FERPA.

Our Site may contain links to third-party websites or embedded content. These third parties may collect data about you, use cookies, and track your interactions. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our Site and updating the "Last Updated" date. Your continued use of our Site and Services after the effective date of the updated policy constitutes your acceptance of the changes.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: