Privacy Policy
This Privacy Policy explains what information the Tally app (“Tally”, “we”, “us”) collects, how we use it, who we share it with, and the choices and rights you have. Tally is a personal budgeting and expense-tracking application.
1. Who we are
Tally is provided by Nibal (the “data controller”).
- Contact: Nibal.khattar12@gmail.com
- Postal address: Available on request
If you are in the United Arab Emirates, this policy is intended to satisfy Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”). If you are in the European Economic Area or the United Kingdom, it is intended to satisfy the GDPR / UK GDPR.
2. The data we collect
Tally is built so that you give us as little personal data as possible. We collect only what is needed to run the service.
a. Account data
When you create an account we store your email address and authentication credentials. If you sign in with Google or Apple, we receive a unique account identifier and the email address associated with that sign-in. Passwords are never stored by us in plain text — authentication is handled by our authentication provider (Supabase).
b. Budget and financial data you enter
Tally stores the budgeting information you create in the app, including:
- transactions (amounts, dates, notes, and the category/bucket you assign),
- categories, budgets, recurring rules, and monthly plans,
- your chosen currency, language, and app settings,
- an optional display name and an optional profile photo you add.
This data is stored as a single record tied to your account so it can sync across your devices.
c. Statement files you choose to import (optional)
If you use the Import statement feature, the file you select (a PDF, CSV, or photo of a statement) is sent to our AI provider to extract the transactions. These files may contain sensitive information such as account numbers and balances. See Section 4 (AI processing) for details. Tally does not permanently store the uploaded file — it is processed and discarded.
d. Technical data
Our hosting and infrastructure providers automatically process limited technical data (such as IP address and request logs) to deliver and secure the service. We do not use third-party advertising or analytics trackers in the app.
We do not knowingly collect data from children under 13 (or the minimum age required in your jurisdiction).
3. How we use your data
We use your data only to:
- authenticate you and keep your account secure,
- store and sync your budget data across your devices,
- provide the AI Coach and statement-import features when you choose to use them,
- operate, maintain, debug, and secure the service,
- comply with legal obligations.
We do not sell your personal data, and we do not use your financial data to serve advertising.
Legal bases (GDPR/UK GDPR): we process account and budget data to perform our contract with you (providing the app); we process optional features (AI Coach, statement import) on the basis of your consent; and we process technical/security data on the basis of our legitimate interest in operating a secure service.
4. AI processing (AI Coach and statement import)
Two optional features use a third-party AI provider, Anthropic, PBC (“Anthropic”), which operates the Claude models:
- AI Coach: when you chat with the coach, a snapshot of your current month’s budget data (category names, amounts, dates, and notes) is sent to Anthropic to generate a response.
- Import statement: when you import a statement, the file you select is sent to Anthropic to read and extract the transactions, then discarded — Tally does not store the file itself. Statements can contain sensitive details (account numbers, balances) and information about other people, such as payees; you are responsible for ensuring you are allowed to share the document, and you may redact anything you do not want processed. You are shown a consent notice before the first import.
Requests are sent over an encrypted connection through our own backend. Per Anthropic’s commercial terms, data submitted through the API is not used to train Anthropic’s models. You can read Anthropic’s privacy practices at anthropic.com/legal/privacy.
These features are optional. If you never use the AI Coach or the import feature, none of your data is sent to Anthropic.
5. Who we share data with (sub-processors)
We share data only with infrastructure providers that help us run Tally:
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Authentication and encrypted database hosting | Account data, budget data |
| Vercel | Hosting of the app and backend functions | Technical/request data |
| Anthropic | AI Coach and statement reading (only when you use them) | Budget snapshot / uploaded statement |
Each provider acts as our processor / sub-processor and is bound by its own data protection terms. We do not share your data with any other third parties except where required by law.
6. International transfers
Our providers may process data on servers located outside your country, including outside the UAE and the EEA. Where required, transfers are protected by the providers’ standard contractual clauses or equivalent safeguards. By using Tally you understand that your data may be processed in these locations.
7. Data retention
We keep your account and budget data for as long as your account exists. Imported statement files are not retained after processing. When you delete your account (see Section 8), your data is deleted from our systems. Backups and provider logs may persist for a limited period before being overwritten.
8. Your rights and choices
You can, at any time:
- Access and edit all of your budget data directly in the app,
- Export your data from Settings,
- Delete your account and all associated data from Settings — the in-app account-deletion option removes your account and your stored data.
Depending on your jurisdiction (PDPL, GDPR/UK GDPR) you also have the right to request access, rectification, erasure, restriction, and portability, to object to processing, and to withdraw consent for the optional AI features. To exercise these rights, contact Nibal.khattar12@gmail.com. You also have the right to lodge a complaint with your local data protection authority (in the UAE, the UAE Data Office).
9. Security
We protect your data with industry-standard measures, including:
- encryption in transit (HTTPS/TLS) and encryption at rest at the database layer,
- row-level security so each account can access only its own data,
- optional biometric (Face ID / Touch ID) lock on supported devices, with the session token stored in the device’s secure keychain,
- server-side verification of your session before any AI request is processed.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
10. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by updating the “Last updated” date above and, where appropriate, by an in-app notice. Continued use of Tally after a change means you accept the updated policy.
11. Contact
Questions or requests about this policy or your data: Nibal — Nibal.khattar12@gmail.com