Privacy Policy

Effective date: April 20, 2026

This Privacy Policy explains how Hapiga ("Tapely," "we," "us," or "our") handles information when you use the Tapely mobile application and any related services (together, the "Service"). Tapely lets you turn reference photos and audio into short AI-generated videos. We try to collect as little personal data as we can while still making the Service work, and we explain everything we do collect below in plain English.

If you have questions about this policy, email us at qn.khuat@gmail.com.

1. Who we are

Tapely is operated by Hapiga, based in Hanoi, Vietnam.

For the purposes of the EU and UK General Data Protection Regulation (GDPR), we are the "data controller" for the personal data described in this policy.

2. Information we collect

2.1 Information you give us directly

Reference media you upload. Photos, and (where supported) audio clips, that you submit so the Service can generate a video.
Generation prompts and parameters. The template, options, and any text you provide alongside your media.
Support correspondence. If you email us, we keep the message and your email address so we can reply.
Purchase information. When you buy a subscription or credit pack, Apple and our payments processor (RevenueCat) tell us that the purchase happened, what was bought, and the status of your entitlement. We do not see or store your full payment card details.

2.2 Information we collect automatically

Account identifiers. When you first open Tapely we create an anonymous account using Firebase Authentication, and we store an opaque identifier for that account. If you later sign in with a custom token or another method, we associate that with the same account.
Device and app information. Device model, OS version, app version, language, time zone, country (derived from IP), crash diagnostics, and basic performance metrics.
Usage events. Product events such as app opens, template views, generation starts and completions, paywall views, and purchases. We use these to understand which features are working and to improve the app.
Approximate location. Derived from your IP address by our backend and analytics providers. We do not collect precise GPS location.
Identifiers for advertising. If you grant App Tracking Transparency (ATT) permission, we and our partners may receive your iOS Identifier for Advertisers (IDFA) for attribution and ad measurement. If you decline ATT, we do not collect the IDFA.

2.3 Outputs we generate

Generated videos. Videos created by the Service from your inputs. These are stored in Firebase Storage so you can play them in-app and download them.

We do not knowingly collect any other categories of personal data, and we do not ask for sensitive information such as health, biometric, or financial data beyond what is described above.

3. How we use your information

We use the information described above to:

Provide the Service: authenticate your device, accept your uploads, run the generation pipeline, deliver your videos, and let you replay them.
Operate billing: verify purchases through Apple and RevenueCat, manage your subscription or credit balance, and prevent fraud or abuse.
Communicate with you: respond to support requests and send transactional notifications (e.g. "your video is ready").
Improve the Service: understand how features are used, diagnose crashes and bugs, and prioritize fixes and new features.
Measure marketing: attribute installs and conversions to advertising campaigns where you have granted ATT permission.
Comply with legal obligations: respond to lawful requests, enforce our Terms of Service, and protect the rights, safety, and property of users and the public.

4. Lawful bases (EU/UK users)

Where GDPR applies, we rely on the following lawful bases to process your personal data:

Performance of a contract for everything required to deliver the Service you asked for (e.g. running a generation, billing).
Legitimate interests for product analytics, crash diagnostics, fraud prevention, and security. These interests are balanced against your rights and freedoms.
Consent for ATT-based advertising tracking and any optional features that ask for permission.
Legal obligation where we must keep records or respond to lawful requests.

You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. AI-generated content and how we use your inputs

Tapely sends your uploaded photos, audio, and prompts to third-party AI inference providers (currently Replicate and fal.ai) to generate videos. The following is true unless we tell you otherwise in-app:

Your inputs are used only to generate the output you requested. We do not use your reference photos, audio, or prompts to train our own models.
The third-party AI providers process your inputs under their own privacy policies and terms. We have selected providers who, to our knowledge, do not use customer inputs to train public models, but you should review their policies if this is important to you (links below).
Inputs are retained for a limited period to allow us to support, debug, and reproduce your generations. Raw uploads are stored for up to 365 days, unless you delete them earlier from your account.
Outputs (your generated videos) are kept in your account until you delete them or close your account.

We share the minimum amount of data needed for each provider to do its job. We do not sell your personal data.

Google Firebase (Auth, Firestore, Storage, Cloud Functions, Crashlytics, Cloud Messaging) — app backend, auth, database, file storage, push notifications, crash reports. Receives: account ID, uploaded media, generated videos, app and device metadata, crash logs, push tokens. Policy: firebase.google.com/support/privacy and policies.google.com/privacy.
Replicate — AI model inference. Receives: your reference media and prompt for the duration of a generation. Policy: replicate.com/privacy.
fal.ai — AI model inference. Receives: your reference media and prompt for the duration of a generation. Policy: fal.ai/privacy-policy.
Bunny.net (Bunny CDN) — content delivery for generated videos. Receives: generated video URLs and viewer IP. Policy: bunny.net/privacy.
RevenueCat — subscription and entitlement management. Receives: anonymous user ID, purchase events, subscription status, device/platform metadata. Policy: revenuecat.com/privacy.
Apple (In-App Purchase) — processes payments for subscriptions and credit packs. Receives: Apple ID, payment, purchase receipt. Policy: apple.com/legal/privacy.
Adjust — mobile attribution and analytics. Receives: device identifiers (incl. IDFA when allowed), install/event data, IP. Policy: adjust.com/terms/privacy-policy.
Meta / Facebook SDK — ad attribution and conversion measurement. Receives: device identifiers (incl. IDFA when allowed), install/event data, IP. Policy: facebook.com/privacy/policy.

We may also share information with professional advisors, with successors in the event of a merger or acquisition, or with authorities where required by law.

7. App Tracking Transparency (ATT) and advertising

On iOS we present Apple's App Tracking Transparency prompt before any tracking that requires it. If you choose "Ask App Not to Track":

We will not access your device's IDFA.
Adjust and the Facebook SDK will run in a limited mode that does not link your activity to your identity across other apps and websites.
Core analytics (e.g. crash reporting, product event counts) still operate using non-tracking identifiers, because they are necessary to run the Service.

You can change your choice at any time in iOS Settings -> Privacy & Security -> Tracking.

8. Data retention

Account data and generated videos: kept for as long as your account exists. You can delete individual videos in-app, or request full account deletion (see Section 11).
Uploaded reference media: stored for up to 365 days, unless you delete it earlier from your account. Third-party AI providers may retain inputs for shorter periods under their own policies.
Logs and analytics events: typically kept for up to 14 months, then deleted or anonymized.
Purchase and billing records: kept for as long as required by tax and accounting law in our jurisdiction.

When you delete your account, we delete or anonymize personal data within 30 days, except where we must keep it to comply with legal obligations (for example, billing records).

9. Security

We use industry-standard measures to protect your data, including TLS in transit, encryption at rest for Firebase Storage, scoped credentials for our third-party providers, and access controls for our team. No system is perfectly secure, however, and we cannot guarantee absolute security.

10. International data transfers

Tapely is operated from Vietnam and uses providers based in the United States, the European Union, and other regions. When your personal data is transferred outside your country of residence, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or equivalent mechanisms.

11. Your rights

Depending on where you live, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate or incomplete data.
Delete your data ("right to be forgotten").
Object to or restrict certain processing.
Receive a copy of your data in a portable format.
Withdraw consent.
Lodge a complaint with your local data protection authority.

California residents have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know what personal information we collect, the right to delete it, the right to correct it, and the right not to be discriminated against for exercising your rights. We do not "sell" personal information as defined by the CCPA, and we do not knowingly share personal information of consumers under 16 for cross-context behavioral advertising.

To exercise any of these rights, email qn.khuat@gmail.com. We will respond within the time frames required by applicable law. To protect your account, we may need to verify your identity before acting on a request.

12. Children

Tapely is not directed to children under 13, and we do not knowingly collect personal information from children under 13. We require users to be at least 13 years old, or the minimum age required to consent to the processing of personal data in their country, whichever is higher. If you believe a child has provided us with personal information, contact qn.khuat@gmail.com and we will delete it.

13. Changes to this policy

We may update this policy from time to time. When we do, we will change the "Last updated" date at the top and, for significant changes, notify you in-app or by email. Continued use of the Service after a change means you accept the updated policy.

14. Contact us

For privacy questions, requests, or complaints, contact:

Email: qn.khuat@gmail.com
Mail: Hapiga, Tòa VOV Mễ Trì, Nam Từ Liêm, Hà Nội, Vietnam

If you are in the European Union or United Kingdom, you also have the right to lodge a complaint with your local supervisory authority.

Tapely Privacy Policy