Privacy Policy
Preamble
This privacy policy is intended to inform users of the Tallyd website about the methods of collection and processing of their personal data, in accordance with Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) and applicable data protection laws.
Section A - Data Controller Identity
- Company
- [COMPANY_NAME]
- Legal Form
- [LEGAL_FORM]
- SIRET
- [SIRET_NUMBER]
- RCS
- [RCS_CITY] [RCS_NUMBER]
- Registered Address
- [REGISTERED_ADDRESS]
[POSTAL_CODE] [CITY]
France
Data Protection Officer (DPO)
DPO Contact: privacy@tallyd.org
Section B - Data Collected
B.1 Account and Identification Data
| Data | Required | Source |
|---|---|---|
| Email address | Yes | Registration form |
| Full name | No | Profile or Google OAuth |
| Password (hashed) | Yes | Registration form |
| Google OAuth identifier | Conditional | Google Sign-In |
B.2 Payment Data
Important: We NEVER store credit card numbers, CVV or expiration dates. All payments are processed directly by Stripe, a PCI-DSS Level 1 certified processor.
B.3 Connected Platforms Data
When you connect a payment platform to Tallyd, we collect:
| Data | Platform | Description |
|---|---|---|
| OAuth Tokens | Stripe, PayPal, YouTube | Encrypted with AES-256-GCM |
| API Keys | LemonSqueezy, Paddle | Encrypted with AES-256-GCM |
| Account ID | All platforms | Unique identifier |
| Transactions | All platforms | Amount, currency, date, status |
Section C - Legal Bases and Purposes
| Processing | Legal Basis | Duration |
|---|---|---|
| Account creation | Contract performance (Art. 6.1.b) | Account lifetime |
| Platform connections | Contract performance | Connection duration |
| Email notifications | Consent (Art. 6.1.a) | Until withdrawal |
| Audit logs | Legitimate interest (Art. 6.1.f) | 1 year |
| Anonymized analytics | Legitimate interest | 2 years |
| Analytics cookies | Consent | 13 months max |
Contract Performance
These processing activities are necessary to provide the Tallyd service:
- Creation and management of your user account
- Secure connection to your payment platforms
- Synchronization and storage of your transactions
- Transaction reconciliation engine
- Analytics and dashboard generation
- Export of your data in CSV format
Consent
For email notifications and analytics cookies, we request your explicit consent. You can withdraw it at any time in Settings.
Section D - Data Recipients
D.1 Data Processors
| Processor | Country | Purpose | Safeguards |
|---|---|---|---|
| Supabase Inc. | Singapore (EU data) | Database | Hosted EU-West-3 Paris, SCCs |
| Vercel Inc. | USA | Hosting | SCCs, SOC 2 Type II |
| Stripe Inc. | USA/Ireland | Payments | PCI-DSS Level 1, SCCs |
| Resend | USA | Emails | SCCs |
| Sentry | USA | Monitoring (anonymized) | SCCs |
D.2 Transfers Outside EU
Some of our processors are located in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission and additional technical measures (TLS 1.3 and AES-256 encryption).
Section E - Retention Periods
| Category | Duration | Justification |
|---|---|---|
| Account data | Account lifetime + 30 days | Contract performance |
| Transactions (Free) | 30 rolling days | Contractual limit |
| Transactions (Pro) | 180 days (6 months) | Contractual limit |
| Encrypted OAuth tokens | Until disconnection | Synchronization |
| Audit logs | 1 year | Security |
| Billing data | 10 years | Legal obligation |
| Analytics cookies | 13 months max | CNIL recommendation |
Section F - Your Rights
Under the GDPR, you have the following rights regarding your personal data:
F.1 Right of Access (Article 15)
You can obtain a copy of your personal data via Settings > Export my data, or by email to privacy@tallyd.org.
F.2 Right to Rectification (Article 16)
You can correct any inaccurate data via Settings > Profile.
F.3 Right to Erasure (Article 17)
You can request deletion of your data via Settings > Delete my account. Processing time: maximum 30 days.
F.4 Right to Data Portability (Article 20)
You can retrieve your data in CSV or JSON format via Settings > Export my data.
F.5 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. For EU residents, you may contact your local data protection authority or the CNIL (France):
CNIL
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07
France
F.6 Response Time
We commit to responding to any request to exercise your rights within 30 days. This period may be extended by 60 additional days for complex requests.
Section G - Security Measures
Encryption
| Element | Method |
|---|---|
| Data in transit | TLS 1.3 (mandatory HTTPS) |
| Data at rest | AES-256 (Supabase native) |
| OAuth tokens and API keys | AES-256-GCM (application-level encryption) |
| Passwords | bcrypt with salt |
| Backups | AES-256 encrypted |
Application Security
- Row Level Security (RLS): Database-level data isolation
- Input validation: Zod schemas for all APIs
- SQL injection protection: Parameterized queries only
- XSS protection: Automatic React escaping
- Security headers: HSTS, X-Frame-Options, CSP
Section J - Contact
For any questions regarding this privacy policy or to exercise your rights:
Email: privacy@tallyd.org
Mail:
[COMPANY_NAME]
Data Protection Officer
[REGISTERED_ADDRESS]
[POSTAL_CODE] [CITY]
France