Legal

Privacy Policy

1. Who we are

Tally ("Tally", "we", "us", "our") is a household finance application operated from Melbourne, Australia by the team behind Tally. We are the entity responsible for the personal information described in this policy, and you can identify and contact us at hello@tallyio.com.au. Tally is a pre-launch venture; our formal business registration details (including our ABN) will be published here once registered, and our registered postal address is available on request by emailing us.

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where it applies to you, we also aim to meet the standards of the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Bank data shared through the Consumer Data Right is additionally governed by the rules described in section 4.

2. What we collect

We collect only what the app needs to function. Depending on which features you use, that includes:

CategoryExamplesSource
Identity & accountYour name and email address from Google sign-in; allowlist status; session recordsGoogle OIDC sign-in
Financial dataAccount names, balances, and transaction details (date, amount, description, merchant); loan and property figures you enter; budgets and categoriesYour bank via an accredited CDR provider; and data you enter
Email content & metadataMessage subjects, senders, recipients, snippets, labels, bodies and attachments you choose to process; drafts we generate at your requestYour Google account (with your consent)
Calendar dataEvents we read or create on your behalfYour Google account (with your consent)
Voice memosAudio you record and its transcriptYou
Derived dataAI-generated categories, extracted bills/actions/events, insights, and usage logsGenerated by the app
Waitlist & enquiriesEmail, optional name, and preferences you submit; messages you send usYou
TechnicalMinimal request logs needed to operate and secure the serviceAutomatic

We do not collect bank login credentials — you authenticate directly at your bank, never with us. We do not run third-party advertising or analytics trackers.

3. How we use your information

We use your information only to provide and operate the features you ask for:

Our legal bases (where the GDPR applies) are: performance of our contract with you; your consent (which you can withdraw); and our legitimate interests in operating and securing the service. We do not sell your personal information, and we do not use it for advertising.

4. Bank data & the Consumer Data Right

Bank transactions reach Tally through an accredited Consumer Data Right (CDR) provider (our open-banking partner, Fiskil), not by screen-scraping. You grant consent at your bank, on a per-account basis, and that consent expires at least every 12 months by law. Key points:

Where data is shared under the CDR, its collection and handling is also governed by the CDR consent you give and by our partner's CDR policy. Please review your bank's and the partner's CDR disclosures when you grant consent.

5. Google user data (Gmail & Calendar)

If you connect a Google account, Tally requests only the scopes needed for the feature you enable:

ScopeWhy we askWhat it does not allow
gmail.readonlyRead message metadata and bodies to extract bills, transactions, actions and eventsModifying or deleting messages
gmail.composeCreate draft replies you reviewSending — no send scope is ever requested
gmail.modifyAdd or remove labels to organise mailSending, deleting or moving messages
calendar.eventsRead and create calendar eventsEmailing invitations to attendees (updates are suppressed)

Email content is processed only to power the features you turn on. To do this, message text you choose to process is sent to our AI provider (see section 6) solely to generate the extraction or draft for you; it is not used to train that provider's models. We never request the ability to send email on your behalf — outbound actions stop at a draft you must send yourself. You can disconnect Google at any time in Settings, which revokes our access at Google and deletes the stored connection.

6. AI processing

Tally uses Anthropic's Claude models to categorise transactions, extract items from email, transcribe and summarise voice memos, draft reply text, and write monthly insights. Anthropic acts as our processor for this purpose.

AI outputs (categories, extracted bills, forecasts, insights) are automated estimates and may be incomplete or wrong. Always verify against your own records before relying on them.

7. Who we share with

We share personal information only with the service providers needed to run Tally, each acting on our instructions:

ProviderPurpose
CloudflareHosting, database, file and cache storage, and network security for the entire app
GoogleSign-in, and (if you connect it) Gmail and Calendar access
FiskilAccredited open-banking access to your bank data
AnthropicAI processing as described in section 6

We may also disclose information where required by law, to protect our or others' rights and safety, or as part of a sale or restructure of the business (in which case we will require the recipient to honour this policy, and CDR and Google data will be handled per the applicable rules and your consent). We do not sell your personal information.

8. Storage, location & security

Tally runs on Cloudflare's platform. Your data may be stored and processed on servers located outside Australia (including by Cloudflare, Google and Anthropic). By using the service you acknowledge this cross-border handling; we take reasonable steps to ensure recipients protect your information.

We apply security measures appropriate to the sensitivity of the data, including:

No system is perfectly secure. We cannot guarantee absolute security, and you are responsible for keeping your own device and Google account secure. If we become aware of a data breach likely to cause you serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.

9. Retention & deletion

We keep personal information only as long as needed for the purposes above or as required by law. As a guide:

You can ask us to delete your data at any time (see section 10). Some backups may persist for a short period before being overwritten.

10. Your rights & choices

Subject to the law that applies to you, you may:

To exercise any of these, email hello@tallyio.com.au. We may need to verify your identity first. We will respond within the timeframe required by law.

11. Cookies

We use a single essential, HttpOnly session cookie to keep you signed in. We do not use advertising or third-party analytics cookies. Because the session cookie is strictly necessary to provide the service, it is not used for tracking.

12. Children

Tally is not directed at, and may not be used by, anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us information, contact us and we will delete it.

13. Changes to this policy

We may update this policy as the service evolves. We will post the updated version here and change the "Last updated" date. If the changes are significant, we will take reasonable steps to notify you. Continued use after an update means you accept the revised policy.

14. Contact & complaints

Questions, requests, or privacy complaints: hello@tallyio.com.au. We will acknowledge and investigate any complaint and respond within a reasonable time. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or the data-protection authority in your jurisdiction.

Read our Terms of Service →