Privacy Notice
How Ta11y handles personal data
This notice explains what Ta11y collects, why it is used, who helps process it, how long it is kept, and how to ask for access, correction, deletion, or portability.
Last updated: May 5, 2026
Who Controls The Data
Ta11y is the controller for personal data processed by this deployment. For privacy questions or requests, email privacy@auth.ta11y-up.com.
Data Ta11y Collects
Account and authentication
- Email address
- Display name
- Supabase authentication identifiers and session cookies
- Magic-link and verification tokens while sign-in is being completed
Trip ledgers
- Trip names, currencies, and membership records
- Invited member email addresses
- Expense descriptions, categories, dates, amounts, payers, and split details
- Settlement status and payment confirmation records
Email delivery
- Transactional emails for sign-in, invitations, and settlement summaries
- Basic delivery metadata handled by the email provider
Support and feedback
- Feedback type and message content submitted through the feedback form
- The account identifier associated with the submission while the account exists
Operations and analytics
- Hosting logs needed to run and secure the service
- Cookie-free, aggregate Vercel Web Analytics data such as page path, referrer, country, device type, browser, and operating system
- Vercel Speed Insights performance metrics such as Core Web Vitals
Why Ta11y Uses Data
| Purpose | Legal basis |
|---|---|
| Authenticate users and keep accounts signed in. | Performance of the service you ask Ta11y to provide. |
| Create trips, manage members, record expenses, calculate balances, and support settlements. | Performance of the service and legitimate interests in maintaining a shared ledger. |
| Send sign-in links, invite flows, and settlement summaries. | Performance of the service and legitimate interests in service reliability. |
| Protect the app, troubleshoot issues, measure aggregate usage, and improve performance. | Legitimate interests in security, abuse prevention, reliability, and product improvement. |
| Review feedback, investigate reported issues, and decide what to improve. | Legitimate interests in support, troubleshooting, and product improvement. |
Cookies And Analytics
Ta11y uses Supabase authentication cookies to keep users signed in and protect account sessions. These cookies are needed for the app to work.
Ta11y uses Vercel Web Analytics and Speed Insights for aggregate usage and performance measurement. Ta11y does not send custom analytics events, drops auth callback telemetry, and strips query strings and URL fragments before analytics or performance URLs are sent.
Sharing And Processors
Trip members can see the shared ledger information for trips they belong to. Ta11y does not sell personal data. Ta11y uses these processors to run the service:
- Supabase for authentication, database storage, and local development email testing.
- Vercel for hosting, deployment, Web Analytics, Speed Insights, and operational logs.
- Resend for production and preview transactional email delivery.
These providers may process data in countries outside your own. Ta11y relies on provider data processing terms and transfer safeguards for those services.
Retention
Account data is kept while the account exists. Shared trip ledger data is kept while a trip needs to remain available to its members. Pending invites can be deleted, and when an account is deleted Ta11y removes sign-in access, clears the user profile name, deletes feedback submissions, deletes pending invites for the account email, deletes trips where that user was the only active member, and anonymizes the user in shared ledgers that remain for other members.
Feedback submissions are kept while they are useful for support and product improvement. Operational logs, analytics, and email delivery metadata are kept according to the retention settings of the processors that provide those services.
Your Rights
Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or receive a portable copy of your personal data. You may also have the right to complain to your local data protection authority.
To make a request, email privacy@auth.ta11y-up.com. Ta11y may need to verify that the request is coming from the account holder before acting on it.
Sensitive Data
Ta11y is meant for ordinary trip expense tracking. Do not add sensitive personal data, special category data, government identifiers, passwords, or payment card details to trip names, member names, expense descriptions, feedback messages, or other free-text fields.