Last updated: April 17, 2026
Effective upon installation or use of the App
This Privacy Policy explains how TapResit (the "App"), operated by RCE Labs Limited ("Company", "We", "Us", or "Our"), collects, uses, stores, and protects your information when you install or use the App. By installing or using TapResit you agree to the practices described here. If you do not agree, please uninstall the App and stop using the Service.
1. Overview & Definitions
TapResit is an Android mobile application that enables individuals and businesses to create professional invoices, quotes, and receipts in seconds; apply Nigerian VAT (7.5%) and Withholding Tax (WHT) logic; generate branded PDFs; and share documents via WhatsApp and other channels. The App operates on a subscription basis — we display no third-party advertisements.
Key Terms
App / Application — TapResit, the Android software provided by RCE Labs Limited.
Account — a unique user account (email/password or Google) used to access the Service.
Business Profile — business name, logo, address, and tax details you enter to appear on generated documents.
Document — any invoice, quote, or receipt created within the App.
Personal Data — any information that identifies or could reasonably identify you or your business.
Usage Data — information collected automatically about how you interact with the App.
Service Providers — trusted third parties that process data on our behalf (e.g., Firebase, Paystack).
Subscription Plan — one of the available tiers (Free, Basic, Professional, Business) governing App features and usage limits.
You / User — the individual using TapResit, or the business on whose behalf the App is used.
2. Information We Collect
2.1 Information You Provide Directly
Authentication data: your email address and password if you use email/password sign-in, or your Google account name, email address, and profile photo if you sign in with Google. We never store your Google password.
Business profile: business name, logo image, address, phone number, email, website URL, CAC number, Tax Identification Number (TIN), and bank details — used solely to populate your generated documents.
Client data: names, email addresses, phone numbers, and addresses of clients you add to the App. You are responsible for having appropriate authority to submit any client's personal data.
Document content: line items, quantities, unit prices, notes, VAT/WHT settings, currency (NGN or USD), due dates, and document status.
Subscription and billing data: your subscription tier, billing email, and Paystack transaction references. We do not store full card numbers, CVVs, or bank PINs on our systems.
2.2 Automatically Collected Data
Device model and operating system version
Unique device identifiers
IP address (used for approximate country-level geolocation only)
In-app events: screens visited, features used, document actions (create, edit, share, delete, mark paid)
Crash reports and diagnostic logs (via Firebase Crashlytics)
Authentication events: sign-in timestamps and method used
2.3 Data Stored in Cloud Systems
Your account profile, business profile, documents, client list, subscription status, and usage counters are stored in Firebase Firestore, scoped strictly to your user account. Firestore security rules are enforced server-side so that no other user can read or write your data.
2.4 What We Do NOT Collect
✕ Device contacts✕ SMS or call logs✕ Microphone✕ GPS location✕ Social media accounts✕ Advertising identifiers (GAID)✕ Browsing history
Ad-free commitment. TapResit does not integrate any advertising SDKs and does not sell, rent, or share your data with data brokers or advertisers — ever.
3. How We Use Your Information
Purpose
Data Used
Basis
Authenticating and securing your account
Email, Google ID, session tokens
Contract / Legitimate interest
Generating and storing your invoices, quotes, and receipts
Document content, client data, business profile
Contract
Applying Nigerian VAT (7.5%) and WHT calculations
Line-item prices, tax toggle settings
Contract
Producing branded PDF documents on your device
Business logo, document data
Contract
Processing subscription payments and enforcing plan limits
TapResit uses Paystack as its payment processor for subscription billing and optional invoice payment links. The following applies:
Invoice payment links are generated server-side only via Firebase Cloud Functions. The Paystack secret key is never embedded in or exposed by the mobile App binary.
When a payment is completed, Paystack sends a signed webhook to our server. The server verifies the signature before marking the invoice as "Paid" in Firestore.
We do not store full card numbers, CVVs, or bank PINs on our systems. All payment credential handling is managed by Paystack under their own PCI-DSS compliance.
TapResit offers the following tiers. Your plan determines which features are available and is enforced both in-app and server-side.
Plan
Document Limit
Key Features
Free
Limited (see App for current limit)
"Powered by TapResit" watermark on PDFs; no payment links
Basic
Higher monthly limit
WhatsApp sharing; watermark removed
Professional
Unlimited
All Basic features + Paystack invoice payment links
Business
Unlimited
All Professional features + multi-user access + priority support
Cancelling or downgrading a plan does not delete your existing documents. Your content remains accessible subject to any applicable plan limits.
6. PDF Generation & Sharing
PDFs are generated entirely on your device using your document data and business branding. The generated file is stored temporarily in your device's local storage and is never uploaded to our servers.
When you share a PDF via WhatsApp, email, or any other app, the file is passed directly to that application from your device. We do not intercept or log shared file contents.
Free-tier PDFs include a small "Powered by TapResit" watermark, which is removed on paid plans.
You are solely responsible for the accuracy of the business information, client details, and tax figures you include in your documents (including TIN and VAT registration numbers).
7. Offline Storage & Local Caching
TapResit is built as an offline-first application. Recent documents, your business profile, and your client list are cached locally on your device using Hive and shared_preferences. This local data:
Remains on your device until you clear App data, uninstall the App, or delete your account.
Syncs automatically to Firestore when your internet connection is restored.
Is protected by Android's standard app sandboxing and is not accessible to other installed apps under normal conditions.
You can clear all locally cached data via Settings → Account → Clear Local Data within the App, or by uninstalling TapResit.
8. Third-Party Services
We rely on the following trusted Service Providers to operate TapResit. Each has its own privacy policy:
Service
Provider
Purpose
Firebase Authentication
Google LLC
User authentication (email/password & Google Sign-In)
Cloud Firestore
Google LLC
Cloud database for documents, profiles, and usage data
Firebase Cloud Functions
Google LLC
Server-side payment link creation and webhook handling
Firebase Crashlytics
Google LLC
Crash reporting and diagnostics
Google Sign-In
Google LLC
OAuth 2.0 authentication option
Paystack
Paystack Inc.
Subscription billing and invoice payment processing
We do not sell your personal data. We may share data only in these limited circumstances:
Service Providers: With Google (Firebase) and Paystack to operate core App functionality, under data processing agreements that restrict their use of your data.
Legal obligations: To comply with applicable Nigerian law, court orders, or lawful requests from government or regulatory authorities.
Business transfers: In connection with a merger, acquisition, or sale of assets — we will provide prior notice and give you the opportunity to delete your account before any transfer is completed.
With your explicit consent: For example, when you choose to share a document or payment link with a client via WhatsApp or another channel.
Aggregated, anonymized data: We may publish statistics that cannot be used to identify individual users.
10. Data Retention
Data Type
Retention Period
Account & profile data
While account is active; deleted within 14 business days of a verified deletion request
Documents (invoices, quotes, receipts)
While account is active; deleted with account on request
Client records
While account is active; deleted with account on request
Usage & analytics data
Up to 24 months; anonymized or deleted thereafter
Payment / transaction references
Up to 7 years as required by Nigerian financial regulations (FIRS)
Crash & diagnostic logs
Up to 90 days
Locally cached data (on-device)
Until App uninstall, App data clear, or account deletion
Transaction references required for statutory VAT or tax compliance (e.g., FIRS records) may be retained in pseudonymized form for the legally required period even after account deletion.
11. Your Rights
You have the following rights regarding your personal data. To exercise any of them, email rcelabslimited@gmail.com — we will respond within 14 business days.
Access: Request a copy of the personal data we hold about you.
Correction: Request that inaccurate or incomplete data be corrected.
Deletion: Request permanent deletion of your account and personal data (see Section 15 for the full process).
Portability: Request your data in a machine-readable format (JSON or CSV).
Restriction: Ask us to restrict processing of your data in certain circumstances.
Objection: Object to processing based on legitimate interests where your situation warrants it.
12. Security
We implement reasonable technical and organizational measures to protect your data, including:
Encryption in transit: All App-to-server communications use HTTPS/TLS.
Per-user data isolation: Firestore security rules are enforced server-side — no user can read or write another user's data.
Secret key protection: Paystack secret keys are stored exclusively in Firebase Cloud Functions environment variables and are never exposed in the App binary.
Webhook signature verification: Payment callbacks are verified using Paystack's HMAC signature scheme before any data is updated.
Secure session management: Firebase Authentication manages session tokens with industry-standard expiry and refresh practices.
No system is 100% secure. If we become aware of a breach that materially affects your personal data, we will notify you promptly in accordance with applicable law.
13. Children's Privacy
TapResit is a business productivity application intended exclusively for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us at rcelabslimited@gmail.com and we will delete the relevant data without delay.
14. International Data Transfers
Your data may be processed on servers located outside Nigeria — for example, on Google Cloud infrastructure used by Firebase, or on Paystack's servers. Where such transfers occur, we rely on the service providers' own compliance mechanisms (Standard Contractual Clauses, Adequacy Decisions, or equivalent) to ensure your data receives adequate protection.
15. Account & Data Deletion Request
You have the right to request deletion, correction, or export of your TapResit data at any time using either method below.
Option A — In-App
Go to Settings → Account → Delete Account. This immediately clears local cached data and queues a server-side deletion of your Firestore records.
Option B — Email Request
Send an email to rcelabslimited@gmail.com with the subject line "Data Request — TapResit" and include:
The email address associated with your TapResit account
Your display name or username
Whether your account was created via Google Sign-In or email/password
The type of request: Delete / Correct / Export
What Happens Next
We will verify your identity (we may request a confirmation screenshot) to protect against unauthorized requests.
Deletion: We will permanently delete your profile, authentication credentials, business profile, all documents (invoices, quotes, receipts), client records, and subscription data.
Correction: We will update the requested fields where technically feasible.
Export: We will provide a machine-readable copy (JSON or CSV) of the personal data we hold.
Requests are typically processed within 7–14 business days.
After deletion you will be unable to sign in with that account or recover any removed data.
Transaction references required for FIRS tax compliance may be retained in pseudonymized form for the legally required period after account deletion.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will post the revised version here with an updated "Last updated" date. For changes that materially affect your rights or how we use your data, we will provide a prominent in-app notice before the changes take effect. Your continued use of TapResit after such notice constitutes your acceptance of the updated policy.
17. Contact Us
If you have questions, concerns, or requests about this Privacy Policy or your personal data, please reach out. We typically respond within 14 business days.