Privacy Policy
Effective Date: January 26, 2026
Version: 2.0
Introduction {#introduction}
Welcome to Tabba. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our financial management platform.
By accessing or using Tabba, you agree to the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.
Key Principles:
- Transparency: We clearly explain what data we collect and why
- Minimization: We collect only the data necessary to provide our services
- Control: You can access, export, correct, or delete your data at any time (see Your Rights)
- Security: We protect your data with the encryption, access controls, and monitoring described under Security Measures
- Compliance: We comply with GDPR, CCPA, and other privacy regulations
Information We Collect {#data-collection}
Information You Provide to Us
Account Information:
- Email address (required for account creation)
- Full name
- Company name and details (for business accounts)
- Password (stored only as a salted one-way hash; the plain text is never stored and cannot be recovered by us)
- Profile picture (optional)
Financial Data:
- Bank account connections (authorized via OAuth on your bank's own login page)
- Transaction data imported from connected accounts
- Financial categories and tags you create
- Budget and goal information
- Custom financial reports
Communication Data:
- Support messages and correspondence
- Feedback and survey responses
- Email preferences
Payment Information:
- Billing name and address
- Payment method details (collected and processed by Stripe, our PCI DSS Level 1 payment processor)
- Transaction history and invoices
Information Collected Automatically
Usage Data:
- Pages visited and features used
- Time spent on the platform
- Click patterns and navigation paths
- Device information (browser, OS, screen resolution)
- IP address and general location (country/city level)
Technical Data:
- Log files and server data
- Cookies and similar tracking technologies
- Error reports and performance metrics
Important Note: Our analytics are anonymized and aggregated. We do NOT track individual user behavior for advertising purposes unless you explicitly opt in to marketing cookies (see Cookies).
How We Use Your Information {#data-usage}
We use your information for the following purposes:
Service Delivery
- Account Management: Create and manage your account
- Financial Tools: Provide budgeting, forecasting, and reporting features
- AI Insights: Generate personalized financial recommendations (your data is never used to train AI models; see the Zero AI Training Guarantee below)
- Synchronization: Sync data across your devices
Communication
- Service Updates: Notify you about important changes or updates
- Customer Support: Respond to your inquiries and provide assistance
- Marketing: Send promotional emails (you can opt out at any time)
Security and Compliance
- Fraud Prevention: Detect and prevent unauthorized access
- Legal Compliance: Comply with legal obligations and regulations
- Security Monitoring: Monitor for security threats and vulnerabilities
Product Improvement
- Analytics: Understand how users interact with our platform (anonymized)
- Feature Development: Identify opportunities for new features
- Bug Fixes: Diagnose and resolve technical issues
Zero AI Training Guarantee: Your data is NEVER used to train AI models. We have contractual zero-data-retention agreements with every AI provider we use (Anthropic and any other provider listed in the subprocessor table under Information Sharing). Your prompts, including any financial data they contain, are deleted by the provider within 24 hours.
Information Sharing {#sharing}
We do NOT sell your personal information. We share data only in the following limited circumstances:
Service Providers (Subprocessors)
We work with trusted third-party companies to provide our services:
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Supabase | Database, Authentication | EU (Frankfurt) | SOC 2, ISO 27001, GDPR |
| Vercel | Application Hosting, CDN | Global | SOC 2 |
| Stripe | Payment Processing | Global | PCI DSS Level 1, SOC 2 |
| Anthropic | AI Processing (Claude) | US | SOC 2, Zero-retention |
| Resend | Transactional Email | US | — |
All subprocessors are bound by strict Data Processing Agreements (DPAs) and comply with GDPR.
Legal Requirements
We may disclose your information if required by law:
- To comply with a subpoena or court order
- To protect our legal rights or defend against legal claims
- To prevent fraud or illegal activity
- To protect the safety of our users or the public
Business Transfers
If Tabba is acquired or merged with another company, your data may be transferred as part of that transaction. You will be notified of any such change.
With Your Consent
We may share your information with third parties if you explicitly consent to such sharing.
Data Retention {#retention}
We retain your data only as long as necessary to provide our services and comply with legal obligations:
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account Information | Account lifetime + 30 days | Service provision and recovery period |
| Financial Data | Account lifetime + 30 days | User access and legal compliance |
| Usage Analytics | 90 days (anonymized) | Product improvement |
| Financial Records | 7 years after deletion | Tax and accounting legal requirements |
| AI Prompts | 24 hours maximum | Zero-retention policy with AI providers |
| Support Messages | 3 years | Customer support and quality assurance |
When you delete your account, it enters a 30-day recovery period during which it can be restored. At the end of that period, all personal data is permanently deleted within 72 hours, except for data we are legally required to keep (financial records retained for tax purposes, as shown in the table above).
Your Rights {#rights}
Under GDPR, CCPA, and other privacy regulations, you have the following rights:
Right to Access
Request a copy of all personal data we hold about you.
Right to Rectification
Correct any inaccurate or incomplete personal data.
Right to Erasure (Right to be Forgotten)
Request deletion of your personal data (subject to legal retention requirements).
Right to Restrict Processing
Limit how we use your personal data in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format (JSON or CSV).
Right to Object
Object to processing of your data for direct marketing or other purposes.
Right to Withdraw Consent
Withdraw consent at any time (withdrawal does not affect the lawfulness of processing carried out before you withdrew).
Right to Lodge a Complaint
File a complaint with your local data protection authority.
How to Exercise Your Rights:
- Go to Settings > Privacy > Data Rights
- Email us at privacy@tabba.io
- Use our self-service data export and deletion tools
We will respond to all requests within 30 days. Where a request is unusually complex, GDPR allows us to extend this by up to two further months; if that applies, we will tell you within the first 30 days and explain why.
Cookies {#cookies}
We use cookies and similar technologies to provide and improve our services.
Types of Cookies We Use
Essential Cookies (Always Active):
- Authentication and session management
- Security and fraud prevention
- Load balancing and performance
Analytics Cookies (Optional):
- Aggregated usage statistics (anonymized)
- Feature usage and engagement metrics
- Error tracking and performance monitoring
Marketing Cookies (Optional):
- Ad campaign effectiveness (if you opt in)
- Retargeting (only with explicit consent)
Managing Cookies
You can control cookie preferences via:
- Our cookie banner (shown on first visit)
- Settings > Privacy > Cookie Preferences
- Your browser settings (which can block or clear all cookies, including essential ones)
Note: Disabling essential cookies may impair platform functionality.
Third-Party Cookies
We do NOT allow third-party advertising networks to place cookies on our platform. Analytics cookies are first-party only.
Third-Party Links {#third-party}
Our platform may contain links to external websites, including:
- Bank login pages (OAuth connections)
- Integration partner websites
- Help Center and documentation
We are NOT responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any external sites you visit.
When you connect your bank account via OAuth, you are subject to your bank's privacy policy and terms of service.
International Transfers {#transfers}
Tabba is headquartered in Denmark (EU), and all customer data is stored in EU data centers (Frankfurt and Ireland).
Data Transfers Outside the EU
In limited cases, data may be transferred to third-party providers located outside the EU:
| Provider | Location | Safeguards |
|---|---|---|
| Anthropic (Claude) | United States | Standard Contractual Clauses (SCCs), Zero-retention |
| Resend | United States | Standard Contractual Clauses (SCCs) |
All international transfers comply with GDPR requirements via:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy Decisions for countries with equivalent data protection
- Binding Corporate Rules (BCRs) where applicable
EU Data Residency Guarantee
Your financial data is never stored outside the EU. The only data processed in the US is anonymized analytics and the prompts sent to our AI provider, which may include excerpts of your financial data and are deleted within 24 hours under the zero-retention agreement described above.
Children's Privacy {#children}
Tabba is NOT intended for use by individuals under the age of 18 (or the age of majority in your jurisdiction).
We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@tabba.io, and we will promptly delete such information.
Security Measures {#security}
We implement industry-leading security measures to protect your data:
Encryption
- At Rest: AES-256 encryption for all stored data
- In Transit: TLS 1.3 with perfect forward secrecy
- Database: Encrypted PostgreSQL databases with row-level security
Access Controls
- Role-Based Access Control (RBAC): Employees have access only to data necessary for their role
- Multi-Factor Authentication (MFA): Required for all team members
- Audit Logs: All data access is logged and monitored
Infrastructure Security
- SOC 2 Type II: Annual independent audit with an attestation report covering our security controls
- Penetration Testing: Regular security assessments by third-party experts
- DDoS Protection: AWS Shield and Web Application Firewall (WAF)
- Network Isolation: VPC segmentation and private subnets
Incident Response
- 24/7 Monitoring: Real-time threat detection and alerting
- Incident Response Plan: Documented procedures for security incidents
- Breach Notification: We will notify affected users within 72 hours of becoming aware of a breach that affects their personal data, and will report the breach to the supervisory authority within 72 hours as GDPR requires
For more details, see our Security Page.
Policy Changes {#changes}
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations.
Notification of Changes
- Material Changes: We will notify you via email at least 30 days before changes take effect
- Minor Changes: Posted on this page with an updated "Last Updated" date
- Version History: Available in our Trust Center
Continued Use
By continuing to use Tabba after changes take effect, you accept the updated Privacy Policy.
Previous Versions
You can access previous versions of this policy at /trust-center/privacy-history.
Contact Information {#contact}
If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:
Email: privacy@tabba.io
Data Protection Officer: dpo@tabba.io
Mailing Address: Tabba ApS, Privacy Team, Copenhagen, Denmark
EU Representative (for GDPR inquiries): Tabba ApS, Copenhagen, Denmark
Email: gdpr@tabba.io
Response Time: We aim to respond to all privacy inquiries within 5 business days.
Last Updated: January 26, 2026
Version: 2.0
Effective Date: January 26, 2026
For security-related inquiries, please visit our Security Page or email security@tabba.io.