Privacy Policy

1.1 As Data Controller

We act as a data controller when processing personal data in connection with our business relationships with Data Subjects, such as:

• Contact information of Data Subjects
• Personal data related to business transactions
• Information submitted by website visitors through forms
• Registration information of event attendees

1.2 As Data Processor

When our customers or partners engage us to process personal data on their behalf (e.g., in connection with the provision of services), we act as a data processor. In such cases, we process data in accordance with applicable privacy laws and data processing agreements entered into with the controller. We may also act as a processor when our customers use third-party service providers (such as Facebook, Google Ads, LINE, etc.).

2.1 Personal Data We Collect

We primarily obtain personal data directly from Data Subjects, including but not limited to:

We do not collect sensitive personal data (special categories of personal data).

2.2 Purpose of Personal Data Use

We process personal data on the following legal bases:

2.3 Direct Marketing

Unless the Data Subject objects, personal data may be used for direct marketing, including by electronic means. We will provide customized service information according to the Data Subject's interests.

2.4 Third-Party Platform Integration

When using our services, we may request the following permissions:

• Facebook permissions: Basic information, access rights (including ad account access, business manager access), app notifications, contact email, ad management, page management
• Google Ads permissions: Account access and ad management permissions
• Other platforms: Relevant permissions for mainstream advertising platforms such as TikTok, LINE, etc.

For more information, please refer to Facebook Data Policy, Google Privacy Policy, and privacy documents of other relevant third-party platforms.

3.1 Data Sharing Principles

We will not share your customer data with any third parties unless we have obtained your explicit consent or the consent of relevant third parties.

3.2 Lawful Disclosure Circumstances

We only disclose personal data in the following circumstances:

• In compliance with legal requirements or good faith principles
• When reasonably necessary to protect the rights, property, or safety of Tagtoo, users, or the public
• To fulfill legal obligations or respond to lawful requests from government authorities

3.3 Authorized Third Parties

In certain circumstances, we may provide customer data to third parties under strictly limited work instructions, including:

• Affiliated companies within the same group
• Cooperating service providers
• Technical support vendors
• Data hosting service providers

These third parties must comply with agreement provisions and take appropriate confidentiality and security measures.

3.4 Cross-Border Data Transfers

Personal data may be transferred outside the European Union and the European Economic Area (EU/EEA), including but not limited to:

Such transfers are conducted subject to appropriate safeguards, such as Standard Data Protection Clauses adopted or approved by the EU Commission. Data Subjects may request to review the applicable Standard Data Protection Clauses.

4.1 General Retention Period

We retain personal data for 3 years from the Data Subject's latest purchase or contact with us.

4.2 Exceptions

Personal data may be retained, wholly or in part, for longer or shorter periods if required by applicable law or if there is other justified reason. After there is no longer any need for retention, we will promptly delete the Data Subject's personal data.

4.3 Regular Evaluation

We regularly evaluate the necessity and accuracy of personal data.

5.1 Right of Access

The right to request a copy of your personal data from us.

5.2 Right to Rectification

The right to request correction of inaccurate or incomplete personal data.

5.3 Right to Erasure (Right to be Forgotten)

Under certain circumstances, the right to request deletion of your personal data.

5.4 Right to Restriction of Processing

The right to request restriction of processing of your personal data.

5.5 Right to Data Portability

Under certain preconditions, the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

5.6 Right to Object

The right to object to our processing of your personal data, particularly for direct marketing purposes.

5.7 Right to Withdraw Consent

Where processing is based on consent, Data Subjects have the right to withdraw such consent at any time. Please note that this will not affect the lawfulness of processing based on consent before its withdrawal.

5.8 Right to Lodge a Complaint

If Data Subjects consider that their data protection rights are infringed, they may lodge a complaint with the supervisory authority of their residence (e.g., in Taiwan, the National Development Council).

5.9 How to Exercise Rights

Data Subjects may exercise the above rights through the following means:

6.1 Technical and Organizational Measures

We have taken appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data, including:

• Data encryption
• Access controls
• Firewall protection
• Regular security audits
• Employee data protection training

6.2 Security Statement

Despite appropriate security measures, considering cyber threats in the modern online environment, we cannot 100% guarantee that our security measures will prevent illegally and maliciously operating third parties from obtaining access to personal data and the absolute security of that information during its transmission or storage.