Privacy Policy
Privacy Policy
Last Updated: February 2025
Your Privacy Matters: This policy explains what data we collect, how we use it, and your rights regarding your information. We believe in transparency and protecting your data.
TL;DR — The Quick Version:
- ✓ We never sell your data — to anyone, ever.
- ✓ Uploaded images are auto-deleted after 30 days.
- ✓ We support GDPR and CCPA deletion requests.
- ✓ Your images are never used to train AI models.
- ✓ We don't use advertising or tracking cookies.
1. Information We Collect
Information You Provide
- Account Information: Store name, email address, Shopify store URL when you install Tally
- Payment Information: Billing is handled through Shopify; we do not store your payment details directly
- Content: Images and files uploaded through the Service for processing
- Communications: Information you provide when contacting support
Information Collected Automatically
- Usage Data: How you interact with Tally (features used, settings configured)
- Device Information: Browser type, operating system, device identifiers
- Log Data: Access times, pages viewed, errors encountered
2. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide the Service | Account info, uploaded content | Contract performance |
| Process payments | Billing information via Shopify | Contract performance |
| Customer support | Communications, account info | Contract performance |
| Improve the Service | Usage data, feedback | Legitimate interest |
| Security | Log data, device information | Legitimate interest |
3. Data Sharing
We do NOT sell your personal information. We may share data with:
- Shopify: As required for app functionality and billing
- Cloud Hosting (AWS): For secure data storage and infrastructure, bound by confidentiality agreements
- AI Processing Services: Uploaded images may be sent to third-party AI services solely for order processing (e.g., image analysis and preparation). These providers are bound by confidentiality agreements and are contractually prohibited from using your data for any other purpose, including model training
- Legal Requirements: When required by law or to protect rights and safety
Sub-Processors
We use the following sub-processors to deliver the Service:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting & storage | United States |
| Shopify | App platform & billing | United States / Canada |
We will update this list if our sub-processors change. Material changes will be communicated via email.
4. AI & Image Processing
Your images are never used to train AI models. When you upload images to Tally, they are sent to our AI processing services solely to fulfill your order (e.g., image analysis, layout preparation, and print-readiness checks). Once processing is complete, images are retained for up to 30 days for order fulfillment and then automatically deleted. No uploaded content is used for model training, research, or any purpose beyond providing the Service to you.
5. Data Retention
- Account Data: Retained while your account is active, deleted upon request
- Uploaded Images: Processed images are retained for 30 days for order fulfillment, then automatically deleted
- Usage Logs: Retained for 90 days for security and debugging purposes
6. Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal data
- Portability: Receive your data in a portable format
- Restriction: Request that we limit how we process your data
- Objection: Object to processing based on legitimate interest
- Opt-out: Unsubscribe from marketing communications
To exercise these rights, contact us at privacy@tallyquoter.com. We will respond to all requests within 30 days.
For EU/EEA Users (GDPR)
If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR). We process your data based on the legal bases outlined in Section 2 above. You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated. We support Shopify's GDPR data deletion and portability webhooks, meaning deletion and access requests initiated through Shopify are processed automatically.
For California Users (CCPA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of your personal information. We do not sell personal information as defined by the CCPA. To submit a CCPA request, contact us at privacy@tallyquoter.com. We will verify your identity before processing any request.
7. Data Security
We implement industry-standard security measures including:
- SSL/TLS encryption for data in transit
- Encrypted storage for sensitive data at rest
- Regular security audits and updates
- Access controls and role-based authentication
- Secure development practices and code review
Breach Notification
In the unlikely event of a data breach affecting your personal information, we will notify affected users and relevant authorities within 72 hours of becoming aware of the breach, in accordance with GDPR requirements. Notifications will include the nature of the breach, the data affected, and the steps we are taking to address it.
8. Cookies and Tracking
We use essential cookies required for the Service to function. We do not use advertising or tracking cookies. Your Shopify store's own cookie policy applies to your storefront.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session cookies | Maintain your active session | Session (expires on close) |
| Authentication cookies | Keep you signed in | Up to 30 days |
9. Children's Privacy
Tally is not intended for use by individuals under 18 years of age. We do not knowingly collect information from children. If we become aware that we have collected data from a minor, we will delete it promptly.
10. International Data Transfers
Data may be processed in the United States. If you are located outside the United States, by using Tally you consent to the transfer of your data to the U.S. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required by GDPR.
11. Data Processing Addendum
If you require a Data Processing Addendum (DPA) for compliance purposes, please contact us at privacy@tallyquoter.com and we will provide one.
12. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. Continued use after changes constitutes acceptance.
February 2025 — Added GDPR/CCPA sections, AI processing disclosures, sub-processor list, breach notification commitment, DPA availability.
December 2024 — Initial privacy policy published.
13. Contact Us
For privacy-related questions or to exercise your rights:
Privacy Contact: privacy@tallyquoter.com
General Support: Matthew@tallyquoter.com
Questions? We take privacy seriously. If you have any concerns about how your data is handled, please reach out. We're happy to address any questions.