Tapas ("we", "us", or "our") is an AI energy-efficiency platform. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it. By using Tapas you agree to the practices described here.
We are committed to handling your data with care. We collect only what is necessary to operate the service, we do not sell your data, and we give you clear controls to access, correct, or delete it.
| Category | Examples | Purpose | Retention |
|---|---|---|---|
| Account data | Name, email address, OAuth provider ID | Authentication and account management | Until account deletion |
| Query data | Questions you submit to the AI, category selections | Answering queries, building the semantic cache, improving accuracy | Up to 24 months, anonymised after 90 days |
| API keys | Key name, SHA-256 hash of the key, creation date, last-used timestamp | Authenticating server-to-server integrations | Until revoked by you |
| Webhook endpoints | URL, HMAC secret hash, event filters, delivery logs | Sending real-time event notifications to your server | Until deleted by you |
| Contact submissions | Name, email, use-case category, optional message | Responding to enquiries and triaging inbound interest | 3 years |
| Usage logs | Query timestamps, cache hit/miss, energy saved (Wh), response latency | Analytics, billing, and energy reporting | 12 months |
| Session cookies | Signed JWT session cookie (HttpOnly, Secure) | Keeping you logged in across page loads | 7 days or until logout |
We use your data exclusively to operate and improve Tapas:
- Service delivery — answering your queries, routing them through the semantic cache, and returning results.
- Personalisation — remembering your language preference, favourite categories, and API key names.
- Security — detecting abuse, rate-limiting, and verifying API key authenticity via SHA-256 hashes.
- Analytics — measuring energy savings, cache hit rates, and platform health. All analytics are aggregated and anonymised before being displayed publicly.
- Owner notifications — alerting the platform owner of new contact submissions, webhook failures, or system events.
We do not use your data for advertising, profiling, or sale to third parties.
We share data only in the following limited circumstances:
- Infrastructure providers — we use cloud infrastructure (database, object storage, CDN) to store and serve data. These providers process data on our behalf under data processing agreements and do not have independent access to your personal data.
- AI providers — when a query is not served from the semantic cache, it is forwarded to an AI inference provider (e.g., OpenAI, Anthropic). Only the query text is shared; no account data is included. Queries are not used to train third-party models under our agreements.
- Legal requirements — we may disclose data if required by law, court order, or to protect the rights and safety of users or the public.
We do not sell, rent, or trade your personal data.
We apply industry-standard security measures:
- API keys are stored as SHA-256 hashes — we never store the raw key after generation.
- Webhook secrets are stored as HMAC-SHA256 hashes and used to sign outbound payloads.
- Session cookies are signed with a server-side JWT secret, marked HttpOnly and Secure, and expire after 7 days.
- Database connections use TLS in transit and encrypted storage at rest.
- Passwords — we use Manus OAuth for authentication; we do not store passwords ourselves.
No system is perfectly secure. If you discover a vulnerability, please report it to [email protected].
Request a copy of the personal data we hold about you.
Ask us to correct inaccurate or incomplete data.
Request deletion of your account and associated personal data. Query logs are anonymised within 90 days.
Receive your data in a machine-readable format (JSON).
Object to processing based on legitimate interests.
Ask us to restrict processing while a dispute is resolved.
Where processing is based on consent, withdraw it at any time without affecting prior processing.
We retain data only as long as necessary:
- Account data — retained until you delete your account.
- Query logs — retained for 12 months; anonymised after 90 days.
- Cache entries — retained indefinitely as they contain no personal data (only anonymised question/answer pairs).
- API keys — retained until revoked; only the hash is stored.
- Contact submissions — retained for 3 years for business continuity.
- Session cookies — expire after 7 days or on logout.
To request deletion of your account and data, contact [email protected].
Tapas is operated globally. Your data may be processed in countries outside your own, including the United States and the European Union. Where we transfer data internationally, we rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by relevant data protection authorities.
Tapas is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you via email or an in-app banner. Continued use of Tapas after changes constitutes acceptance of the updated policy.
For privacy-related questions, access requests, or deletion requests:
- Email: [email protected]
- General contact: [tapas.one/contact](/contact)
We aim to respond to all privacy requests within 30 days.