Privacy Policy

Last updated: March 15, 2026

1. Introduction

Tally (“the Service”) is operated by Carolyn Hsu (“we”, “us”, or “our”). This Privacy Policy explains how we collect, use, store, and protect your information when you use the Service.

2. Information We Collect

Account Information

When you sign in with Google, we receive your name, email address, and profile picture from Google OAuth. We use this to identify your account.

Purchase & Return Data

You may manually enter purchase and return information including retailer names, item names, prices, order numbers, and dates. This data is stored in our database and associated with your account.

Email Data (Gmail Integration)

If you connect Gmail, we access your email messages to scan for purchase confirmations and return receipts. We use the Gmail API with read-only access. We extract order details (retailer, items, prices, dates) and store them as structured purchase records. We do not store raw email content or access emails unrelated to shopping.

Financial Data (Bank Integration)

If you connect a bank account via Teller or SimpleFIN, we access transaction data to verify refunds against your return records. We store account identifiers, institution names, and transaction details necessary for refund matching. We do not store full bank account numbers.

3. How We Use Your Information

We use your information to:

  • Provide and maintain the Service
  • Track your purchases and returns
  • Automatically detect purchases from email receipts
  • Verify refunds by matching bank transactions to returns
  • Generate spending analytics and insights
  • Send return deadline reminders (if enabled)

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

4. Data Storage & Security

  • Database: Your data is stored in a PostgreSQL database hosted on Neon, with encrypted connections.
  • Token encryption: Gmail and bank access tokens are encrypted using AES-256-GCM before storage. Tokens are never stored in plaintext.
  • Authentication: We use NextAuth.js with JWT-based sessions and Google OAuth. Session tokens are stored in secure, HTTP-only cookies.
  • Hosting: The Service is hosted on Vercel with HTTPS enforced on all connections.
  • Rate limiting: API endpoints are rate-limited to prevent abuse.

5. Third-Party Services

The Service integrates with the following third-party providers:

6. Data Retention

We retain your data for as long as your account is active. If you disconnect a third-party integration (Gmail, Teller, SimpleFIN), we delete the associated access tokens immediately. Purchase and return records you created remain unless you manually delete them.

7. Your Rights

You may:

  • Disconnect Gmail or bank integrations at any time from Settings
  • Delete individual purchases and returns
  • Request deletion of your account and all associated data by contacting us
  • Revoke Gmail access from your Google Account settings

8. Cookies

We use essential cookies only: a session token cookie for authentication and a temporary CSRF state cookie during Gmail OAuth. We do not use analytics, advertising, or tracking cookies.

9. Children’s Privacy

The Service is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate the date of the last update at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy or wish to request data deletion, please contact us at ch@carolynhsu.com.