Privacy Policy

Last updated: 02 May 2026

1. What We Collect

  • Account data: Email address and hashed password.
  • Financial data: Transaction records, account balances, and savings goals you enter.
  • Uploaded files: Receipt images and bank statement files uploaded for Pro features. These are stored in encrypted cloud storage.
  • Usage data: Pages visited, features used (anonymised).

2. How We Use Your Data

  • To provide and operate the TallySG service.
  • To send transactional emails (password reset, subscription receipts).
  • To improve the product using anonymised, aggregated analytics.
  • We do not sell your data to third parties.
  • We do not use your financial data for advertising.

3. Google User Data (Gmail)

TallySG offers an optional Gmail sync feature that uses Google's gmail.readonly OAuth scope. This section explains exactly how we handle Google user data in compliance with Google's API Services User Data Policy.

  • What we access: With your explicit permission, TallySG reads email subjects, senders, and message bodies solely to identify Singapore bank transfer notification emails (PayNow, FAST, DBS, OCBC, UOB, Maybank, GrabPay, PayLah).
  • How we use it: Email content is processed to extract transaction details — specifically the transfer amount, counterparty name, bank name, and transaction date. This data is used to create transaction records in your TallySG dashboard.
  • What we store: We store only the extracted transaction fields (amount, party, bank, date). Raw email content and message bodies are never stored on our servers.
  • How we share it: Processing happens in two stages. First, email subjects and sender names are sent to OpenAI's API to identify bank transfer notifications. Second, the body text of identified transfer emails (up to 1,800 characters) is sent to OpenAI to extract the transaction amount, counterparty, bank name, and date. No other emails or personal data are sent to OpenAI. Extracted transaction data is not shared with any other third party.
  • How we protect it: Google OAuth tokens are stored encrypted in our database and used only to perform Gmail API calls on your behalf. Tokens are never logged or exposed.
  • Your control: You can disconnect Gmail at any time from the Gmail Monitor page in your account. Disconnecting immediately revokes our access and deletes your stored OAuth tokens.
  • No human access: TallySG staff do not read or access your Gmail messages. All processing is fully automated.

TallySG's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

4. Third-Party Services

  • Google: OAuth 2.0 authentication and optional Gmail API access (see Section 3 above).
  • Stripe: Processes all payments. Your card details are never stored on our servers. Subject to Stripe's Privacy Policy.
  • OpenAI: Used for AI-powered transaction categorisation and Gmail email subject filtering. Only non-identifiable email subjects and anonymised transaction data are sent. Subject to OpenAI's Privacy Policy.
  • Cloud Storage: Uploaded receipt images are stored in secure encrypted cloud storage.

5. Data Retention

Your data is retained for as long as your account is active. You may request deletion of your account and all associated data by contacting support@tallysg.com. We will process deletion requests within 30 days. Google OAuth tokens are deleted immediately upon Gmail disconnection.

6. Security

Passwords are hashed using scrypt — we cannot read them. Data is transmitted over HTTPS. OAuth tokens are stored encrypted. We follow industry-standard security practices, but no system is perfectly secure.

7. Children

This service is intended for users aged 13 and above. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, contact us immediately.

8. Changes to This Policy

We will notify users of any material changes to how we use Google user data or other personal information by updating this page and, where appropriate, sending an email notification. Continued use of TallySG after changes constitutes acceptance of the updated policy.

9. Your Rights

Under Singapore's Personal Data Protection Act (PDPA), you have the right to access, correct, and withdraw consent for the use of your personal data. Contact us at support@tallysg.com to exercise these rights.

10. Contact

Questions about this policy? Email us at support@tallysg.com.