Last Updated: April 17, 2026
This Privacy Policy explains how Tallycart ("we," "us," or "our") collects, uses, shares, and protects information when you use the Tallycart mobile application and our website at tallycart.io (collectively, the "Service"). It should be read together with our Terms of Service.
By using the Service, you acknowledge this Privacy Policy.
Data Controller
Andrei David, individual data controller based in Romania. Contact: contact@tallycart.io
1. Definitions
Account: a profile created to access the Service.
Personal Data: information that identifies or can reasonably be linked to you.
Receipt Photo: an image of a grocery receipt you submit for processing.
Receipt Data: data extracted from a Receipt Photo (store name, date, items, prices).
Usage Data: technical and usage information collected automatically.
2. Information We Collect
2.1 Account information.
First name, last name, email address, username (auto-generated, editable), and password (stored only in hashed form).
2.2 Receipt processing.
Receipt Photos are processed in memory only and deleted immediately after processing. They are never written to persistent storage or backups. We store only Receipt Data (store name, date, item names, item prices).
2.3 Budget and preferences.
Monthly grocery budget, currency preference (USD default; EUR or GBP optional), and notification preferences.
2.4 Device, log, and analytics data.
IDFV (iOS), ANDROID_ID (Android), IP address, user-agent, device type and OS, app version, crash logs, and in-app usage events. We collect general (city/country-level) location from IP address only, no precise GPS location.
2.5 Notification data.
Push notification tokens and notification interaction events where notifications are enabled.
2.6 Subscription data.
Subscription status, product identifiers, purchase timestamps, and transaction validation data. Subscriptions are processed by Apple App Store and Google Play. We do not store payment card details.
2.7 Support communications.
If you contact us, we collect the contents of your message.
2.8 Information we do not collect.
Payment card numbers, precise GPS location, contacts, photos other than receipts you submit, biometrics, or sensitive categories of data (health, religion, sexual orientation, etc.).
3. How We Use Information
We use information to: create and manage Accounts; process receipts; provide grocery tracking and budgeting features; deliver service-related notifications; provide customer support; monitor performance and improve the Service; validate subscriptions; maintain security and prevent fraud; and comply with legal obligations.
We do not use your data for targeted advertising, sell it to third parties, or use it to train AI models.
4. AI Processing
We use Anthropic's Claude API to extract and verify receipt data. Receipt Photos and extracted text are sent to Anthropic solely for this purpose. Per Anthropic's API terms, data submitted through the Claude API is not used to train their models. We do not send payment card information.
5. How We Share Information
We do not sell Personal Data. We share data only with Service Providers necessary to operate the Service, each contractually bound to protect your data:
Supabase - hosting and database
Anthropic (Claude API) - AI receipt extraction
Adapty - subscription management and validation
Firebase (Google) - analytics and crash reporting
Unity - in-app and push notification delivery
Email delivery providers - transactional emails
We may also disclose data to comply with legal obligations, enforce our Terms, prevent fraud or abuse, protect rights and safety, or in connection with a merger, acquisition, or sale of assets (with prior notice).
6. Legal Bases for Processing (EEA/UK)
For users in the EEA, UK, or Switzerland, we process Personal Data under the following GDPR legal bases:
Contract - creating your Account, processing receipts, and providing core features.
Legitimate interests - security, fraud prevention, debugging, and service improvement.
Consent - notifications, optional analytics, and marketing communications where required; withdrawable at any time.
Legal obligation - tax, accounting, and responses to lawful requests.
7. Data Retention
Receipt Photos: deleted immediately after processing.
Account data and Receipt Data: retained while your Account is active; deleted within 30 days of account deletion.
Server logs: 7 days.
Backups: up to 7 days after deletion from production.
Subscription records: retained as required by applicable tax and accounting law.
Support communications: up to 2 years after the last interaction.
8. International Transfers
Your information may be processed outside your country of residence, including in the United States. For transfers from the EEA or UK, we rely on Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms. You may request a copy of the relevant safeguards at contact@tallycart.io.
9. Your Rights
All users can access, edit, or delete Account data from within the app, control notifications through device settings, and contact us for any privacy request.
EEA, UK, and Swiss residents have the right to: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You may also lodge a complaint with your local supervisory authority - in Romania, this is the ANSPDCP (dataprotection.ro).
California residents (CCPA/CPRA) have the right to know, delete, correct, and opt out of sale or sharing. We do not sell or "share" Personal Data for cross-context behavioral advertising, and we do not use sensitive Personal Information for purposes requiring a limit right. Categories of Personal Information collected in the past 12 months: identifiers, commercial information (subscription status), internet/usage activity, and inferences drawn from usage. Sources: directly from you; automatically from your device; from our Service Providers. We do not discriminate against users who exercise their rights.
Residents of other US states (including Virginia, Colorado, Connecticut, and Utah) have similar rights of access, correction, deletion, and portability.
Requests: contact@tallycart.io. We respond within the time required by applicable law (typically 30 days under GDPR). We may need to verify your identity before processing a request.
10. Automated Decision-Making
We do not use automated decision-making that produces legal or similarly significant effects.
11. Security
We use reasonable technical and organizational safeguards, including TLS encryption in transit, encryption at rest where supported, password hashing, access controls, and Service Provider due diligence. No system is completely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority as required by law (within 72 hours under GDPR where feasible).
12. Children's Privacy
The Service is not directed to children under 13, and we do not knowingly collect Personal Data from children under 13. Users aged 13-17 may use the Service only with parental consent and supervision. In jurisdictions with a higher age of digital consent (typically 16 in parts of the EEA), the minimum age is adjusted accordingly. If you believe a child under the applicable age has provided us with Personal Data, contact contact@tallycart.io.
13. Cookies and Similar Technologies
Our website is built with Framer, which may set functional and analytics cookies necessary to operate the site. We do not use cookies for advertising or cross-site tracking. For details on Framer's data practices, see Framer's Privacy Policy. Our mobile app uses SDKs from the Service Providers listed in Section 5, which may use device identifiers and local storage to function. We do not use cookies or SDKs for cross-site advertising.
14. Changes to This Policy
We may update this Privacy Policy. For material changes, we will provide reasonable notice (in-app or by email) at least 30 days before the changes take effect, where practicable. The "Last Updated" date reflects the latest revision. Continued use after changes take effect constitutes acceptance.
15. Contact
Data controller: Andrei David
Email: contact@tallycart.io