Effective June 19, 2026
Data Protection Policy
TallyMigo handles sensitive small-business financial records. This policy describes the security practices we are building into the service during beta and before public launch.
Security commitments
- Use HTTPS for production traffic.
- Store production data in managed infrastructure such as Supabase Postgres and Supabase Storage.
- Restrict production database access using authentication, row-level security, service-role isolation, and least-privilege access.
- Keep Plaid secrets, service-role keys, and other sensitive keys on the server only.
- Use private receipt storage by default.
- Log security-relevant events and investigate suspicious activity.
- Back up production data and test recovery procedures before broad launch.
Bank data protection
Bank connection is optional. When enabled, TallyMigo uses Plaid for bank linking and does not ask users for bank usernames or passwords. TallyMigo should request read-only transaction access for expense tracking and should not initiate payments or transfers in the beta product.
Access controls
Each user account should only access its own records. Administrative access should be limited to the minimum needed for support, security, and operations.
Incident response
If we learn of a security incident affecting user data, we will investigate, take steps to contain the issue, and notify affected users and regulators when required by applicable law.
User controls
- Users may export business records.
- Users may request correction or deletion of account data.
- Users may disconnect bank access when bank sync is enabled.
- Users may request a copy of personal information associated with the account.
Beta limitation
TallyMigo is currently in beta. Users should keep their own backup copies of important tax and accounting records and review records with a qualified accountant before filing taxes.