Tabby Privacy Policy

01 Introduction

Welcome to Tabby! We understand that your privacy is important, and we're committed to protecting your personal information and being transparent about how we collect, use, and share it.

This Privacy Policy explains how Spensibly, Inc., doing business as Tabby ("Tabby," "we," "us," or "our") collects, uses, discloses, and protects personal data when you:

• Visit our website at www.usetabby.com
• Use our mobile applications
• Access our AI-powered bookkeeping and financial management services
• Interact with us through customer support, events, or other communications

By using our Services, you agree to the collection, use, and sharing of your personal data as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We encourage you to review this Privacy Policy periodically.

02 Who We Are

Tabby provides AI-powered bookkeeping and financial automation software designed for freelancers, solopreneurs, gig workers, 1099 contractors, real estate agents, small business owners, and accounting professionals. Our mission is to simplify bookkeeping and make financial management effortless through cutting-edge artificial intelligence.

For purposes of data protection laws:

• Spensibly, Inc. is the data controller for personal data we collect about our users (subscribers and invited users)
• We act as a data processor (or "service provider") for personal data that our subscribers enter into our Services about their customers, suppliers, employees, and other third parties

03 Scope of This Privacy Policy

3.1 What This Policy Covers

This Privacy Policy applies to personal data we collect and process when you:

• Create an account and subscribe to our Services
• Use our website, mobile apps, or Services
• Communicate with our customer support team
• Attend our events, webinars, or training sessions
• Participate in surveys, competitions, or promotional programs
• Interact with our marketing materials
• Connect third-party services to your Tabby account

3.2 What This Policy Does Not Cover

Personal Data Controlled by Our Subscribers: When you (as a subscriber) enter personal data about your customers, suppliers, employees, or other third parties into our Services, you are the data controller of that information. We process it only as a service provider on your behalf in accordance with our Terms of Use and applicable data protection agreements.

Third-Party Services: This Privacy Policy does not cover the privacy practices of third-party services that you may connect to Tabby. Those services have their own privacy policies, which we encourage you to review.

3.3 Your Responsibility

If you provide us with personal data about other individuals, you represent and warrant that you have the authority to share that data with us, have obtained all necessary consents, have provided appropriate privacy notices, and that your sharing complies with applicable laws.

04 Personal Data We Collect

The personal data we collect depends on how you interact with our Services.

4.1 Identity and Contact Information

• Full name, email address, phone number
• Business name and address
• Profile photograph (if you choose to upload one)

4.2 Account and Authentication Data

• Username and password, account settings and preferences
• Subscription type and plan details, user role
• Multi-factor authentication information, security questions
• Account activity logs

4.3 Financial and Payment Data

• Bank account information (via secure third-party integrations)
• Credit or debit card details (last four digits only)
• Payment method information, billing address
• Transaction history, invoicing and payment records

4.4 Business and Transaction Data

• Income and expense records, financial transactions
• Receipts and supporting documentation
• Invoice data, vendor and customer information (entered by you)

4.5 Communications Data

• Customer support inquiries, chat logs and messages
• Email communications, survey responses
• Event registration and webinar participation data

4.6 Marketing and Preference Data

• Communication preferences (email, SMS, push notifications)
• Marketing consent status, SMS opt-in status
• Interests, service preferences, referral information

4.7 Technical and Device Data

• IP address, browser type and version, operating system
• Device type and identifiers, mobile device information
• Time zone and location data (based on IP address)

4.8 Usage and Analytics Data

• Pages visited, features used, time spent on pages
• Click data, navigation paths, search queries
• Error logs, crash reports, AI categorization acceptance rates

4.9–4.11 Location, User-Generated Content & Sensitive Data

• Approximate location based on IP address; location metadata in uploaded documents
• Profile information, forum comments, documents and receipts you upload
• We generally do not request or require sensitive personal data to provide our Services

05 How We Collect Personal Data

5.1 Information You Provide Directly

We collect personal data when you create an account, subscribe to services, connect bank accounts, upload receipts or documents, submit support requests, participate in surveys or events, or sign up for marketing communications.

5.2 Information Collected Automatically

When you use our Services, we automatically collect technical data about your device and connection, usage data, location data based on your IP address, and cookies and similar tracking technologies. We use analytics tools, including Google Analytics, to analyze usage data.

5.3 Information from Third-Party Sources

• Financial Institutions & Data Aggregators: Bank transaction data via Plaid or similar services, account balance, and transaction categorization data
• Payment Processors: Payment confirmation, transaction details, and billing information
• Identity Verification Services: Identity verification results
• Marketing & Analytics Partners: Demographic data, interest data, and campaign performance
• Social Media Platforms: Public profile information if you connect social accounts
• Business Partners & Affiliates: Referral information and co-marketing data
• Publicly Available Sources: Business registration data, public records, industry databases

5.4 Information from Other Users

If you are invited to use our Services by a subscriber, that subscriber may provide us with your name, email address, and role information.

06 How We Use Your Personal Data

6.1 To Provide and Deliver Our Services

We use your data to create and manage your account, authenticate your identity, process subscriptions and payments, connect to financial institutions, automatically categorize expenses and income using AI, generate invoices and financial reports, and sync data across your devices.

6.2 To Communicate with You

We send account-related notifications, provide customer support, send transaction alerts, notify you of policy changes, request feedback, and communicate about billing and security.

6.3 For Quality Assurance and Training

We monitor and improve support quality, train our support team and AI systems, and maintain records of our interactions. If we record support calls, we will notify you and obtain consent where required by law.

6.4 To Improve and Develop Our Services

We analyze how users interact with the Services, identify and fix bugs, develop new features, conduct research and analytics, and improve our AI categorization algorithms.

6.5 For Security and Fraud Prevention

We detect and prevent fraud, monitor suspicious activity, verify user identity, protect against cyberattacks, and investigate security incidents.

6.6 For Marketing and Promotional Activities

With your consent or where permitted by law, we send promotional emails, newsletters, SMS messages, and information about new features, events, and educational content.

6.7 To Personalize Your Experience

We customize content and features, recommend relevant insights, tailor dashboards to your business type, and remember your preferences and settings.

6.8 For Advertising and Retargeting

We display relevant advertisements, show Tabby ads on third-party platforms, measure advertising effectiveness, create lookalike audiences, and retarget website visitors.

6.9 For Legal and Regulatory Compliance

We comply with applicable laws, respond to legal requests and court orders, enforce our Terms of Use, meet tax reporting requirements, and fulfill record-keeping obligations.

6.10 To Manage Legal Claims and Disputes

We establish, exercise, and defend legal claims, investigate potential violations of our Terms, resolve disputes, and protect our rights, property, and safety.

07 Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we are required to inform you of the legal bases for processing your personal data.

7.1 Contractual Necessity

We process your personal data to fulfill our contractual obligations under our Terms of Use. Applies to: Providing Services, communicating about Services, payment processing.

7.2 Consent

We process your personal data based on your explicit consent, which you can withdraw at any time. Applies to: Marketing communications (email and SMS), certain cookies, optional features.

7.3 Legitimate Interests

We process your personal data for our legitimate business interests, provided such interests do not override your fundamental rights and freedoms. These include operating and improving our business, protecting our Services from fraud, understanding usage, and marketing to existing customers.

7.4 Legal Obligation

We process your personal data to comply with legal obligations such as tax laws, financial regulations, and data protection laws. Applies to: Tax reporting, regulatory compliance, responding to legal requests.

08 Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit websites or use applications. They help us recognize your device, remember your preferences, and improve your experience.

8.2 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for core functionality — account authentication, session management, load balancing, security features. Cannot be disabled.
• Functional Cookies: Enhance functionality — remembering preferences, language selection, login state, and dashboard customization.
• Analytics and Performance Cookies: Help us understand usage — Google Analytics, usage statistics, error tracking, A/B testing.

8.3 Similar Tracking Technologies

We also use web beacons (pixels) in emails and web pages, local storage for caching and performance, and SDKs/APIs in our mobile apps for analytics and functionality.

8.4 Third-Party Cookies

Some cookies are placed by third-party services including Google Analytics, Google Ads, Facebook Pixel, LinkedIn Insight Tag, Intercom, Stripe, and Plaid. These third parties may track you across multiple websites.

8.5 Managing Cookie Preferences

You can control cookies through your browser settings (view, delete, or block cookies) or mobile device settings (iOS: Settings > Privacy > Advertising; Android: Settings > Google > Ads). Note that disabling certain cookies may affect the functionality of our Services.

8.6 Do Not Track Signals

Currently, there is no industry standard for responding to DNT signals. Our Services do not respond to DNT signals, but you can use the cookie controls described above.

09 How We Share Your Personal Data

We share your personal data only in the circumstances described below.

9.1 Service Providers and Partners

• Financial Services: Plaid (bank connections), Stripe (payment processing)
• Infrastructure & Hosting: Cloud hosting providers (AWS, Google Cloud), CDNs, database providers
• Customer Support: Crisp (support platform and messaging)
• Analytics & Marketing: Google Analytics, Mailchimp, Google Ads, Facebook Ads, LinkedIn Ads

All service providers are contractually obligated to protect your data, may only use it to provide services to us, and are not permitted to use your data for their own purposes.

9.2 Third-Party Integrations You Connect

When you connect third-party services to your Tabby account (payroll systems, invoicing tools, etc.), we share data as necessary to enable the integration. Those services have their own privacy policies; we encourage you to review them before connecting.

9.3 Subscribers and Invited Users

If you are an invited user, your usage data and activity within the Services may be shared with the subscriber who invited you. Subscribers can see which invited users access their subscription and how the Services are used.

9.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such change and your rights regarding your personal data.

9.5 Legal Requirements and Protection of Rights

We may disclose your personal data if required by law or in good faith to comply with legal obligations, enforce our Terms of Use, protect our rights or safety, or respond to lawful requests from public authorities.

9.6 With Your Consent

We may share your personal data with third parties when you give us explicit consent to do so.

9.7 Aggregated and Anonymized Data

We may share aggregated, de-identified data that does not identify you personally with research partners, business intelligence providers, and industry analysts. This data is not considered personal data.

10 International Data Transfers

10.1 Where We Process Data

Tabby is based in the United States. Your personal data may be transferred to, stored, and processed in the United States and other countries where we, our affiliates, or our service providers operate. These countries may have data protection laws that differ from the laws of your country.

10.2 Safeguards for International Transfers

For EEA/UK Users: We implement Standard Contractual Clauses (SCCs), rely on Adequacy Decisions from the European Commission where applicable, use Binding Corporate Rules for intra-group transfers, and may obtain your explicit consent for specific transfers.

For Other Users: We use contractual protections with service providers, comply with applicable data transfer laws, and utilize certified service providers.

10.3 Your Rights Regarding International Transfers

If you are in the EEA or UK, you have the right to request information about the safeguards we use for international transfers. Contact us at support@usetabby.com.

11 Data Security

11.1 Our Security Measures

• Technical: Encryption in transit (TLS/SSL) and at rest (AES-256), multi-factor authentication, role-based access controls, firewalls, intrusion detection, regular penetration testing
• Physical: Secure data centers with restricted access, environmental controls, backup power and redundancy systems
• Organizational: Employee security training, background checks, confidentiality agreements, incident response procedures, regular security audits

11.2 Third-Party Security

Our service providers are required to implement appropriate security measures and comply with applicable data protection laws. We assess their security practices before engagement.

11.3 Your Responsibility

• Use strong, unique passwords and enable multi-factor authentication
• Keep your login credentials confidential and log out on shared devices
• Report suspicious activity immediately and keep your software updated

11.4 Security Limitations

While we strive to protect your personal data, no security system is completely impenetrable. We cannot guarantee absolute security, and internet transmissions are never entirely secure.

11.5 Security Incidents

In the event of a data breach, we will investigate and contain the incident, notify you as required by applicable law, provide information about the breach, and notify relevant authorities as required. Report vulnerabilities immediately to support@usetabby.com.

12 Data Retention

12.1 How Long We Retain Data

We retain your personal data for as long as necessary to provide our Services, maintain your account, comply with legal obligations, resolve disputes, enforce our agreements, and support business operations.

12.2 Retention Periods by Data Type

12.3 Data Deletion

After the applicable retention period, personal data is securely deleted or anonymized in a manner that makes recovery impossible. Anonymized data may be retained for research and analytics purposes.

12.4 Exceptions

We may retain personal data longer when required by law or regulation, for ongoing legal proceedings, to protect our legal rights, or for legitimate business purposes such as fraud prevention.

12.5 Backup Data

Deleted data may remain in backup systems for up to 90 days before being permanently removed.

13 Your Privacy Rights

13.1 Rights Available to All Users

• Right to Access: Request confirmation of whether we process your data and obtain a copy.
• Right to Correction: Correct inaccurate or incomplete personal data we hold about you.
• Right to Deletion: Request deletion when data is no longer necessary, you withdraw consent, or data was unlawfully processed. Note: We may retain data for legal obligations.
• Right to Opt-Out of Marketing: Click "unsubscribe" in emails, update preferences in your account settings, or contact us at support@usetabby.com.
• Right to Manage Cookie Preferences: Control cookies through browser settings (see Section 8).

13.2 Additional Rights for EEA/UK Users (GDPR)

• Right to Restrict Processing: Limit how we use your data while verifying accuracy, or when processing is unlawful.
• Right to Data Portability: Receive your data in a structured, machine-readable format and transfer it to another provider.
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Right Not to Be Subject to Automated Decision-Making: Our AI categorization is not fully automated decision-making with legal effects; you can review and override all AI-generated categorizations.
• Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing.
• Right to Lodge a Complaint: UK: Information Commissioner's Office (ICO) | EU: Your local supervisory authority

13.4 How to Exercise Your Rights

Update your information directly in your account settings, contact us at support@usetabby.com, or send a written request to: Spensibly, Inc. DBA Tabby, Attn: Privacy Team, 118-21 Queens Blvd, Suite 606, Forest Hills, NY 113752, United States.

We will respond within 30 days for most requests, or 45 days for complex requests (we'll notify you of any extension). We will not discriminate against you for exercising your privacy rights.

14 Children's Privacy

14.1 Age Restrictions

Our Services are not intended for children under the age of 18. We do not knowingly collect personal data from children under 18. If you are under 18, you may not create an account, use our Services, or provide any personal data to us.

14.2 Parental Notice

If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information as quickly as possible. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at support@usetabby.com.

15 AI and Machine Learning

15.1 How We Use AI

Tabby uses artificial intelligence and machine learning to automatically categorize transactions and expenses, extract data from receipts and documents, provide financial insights and recommendations, detect anomalies and potential errors, personalize your experience, and improve our Services.

15.2 AI Training

We may use your data to train and improve our AI models. We use anonymized and aggregated data for training — personal identifiers are removed before data is used. User feedback and corrections also help improve categorization accuracy.

15.3 Human Review

While our AI automates many tasks, you remain in control. You can review and modify AI-generated categorizations, provide feedback to improve accuracy, and critical decisions require human review.

15.4 AI Accuracy

16 SMS and Text Messaging

16.1 SMS Program Description

Tabby offers an SMS text messaging program that sends account notifications, transaction alerts, security warnings, service updates, promotional offers (with consent), appointment reminders, and educational tips.

16.2 Consent and Opt-In

By providing your mobile phone number and opting in, you expressly consent to receive text messages including recurring automated marketing messages and transactional messages. You can opt in by checking the SMS opt-in box during registration, texting "START" or "JOIN" to our short code, or updating your communication preferences in account settings.

16.3 Message Types and Frequency

• Transactional Messages: Security alerts, verification codes, fraud warnings, critical service updates, 2FA codes — these cannot be opted out of without closing your account.
• Marketing Messages: Special offers, feature announcements, event invitations, tips, seasonal promotions — up to 4 messages per month if you opt in.

16.4 Message and Data Rates

Standard text messaging rates from your wireless carrier will apply to all messages sent and received. Please contact your wireless carrier for details about your messaging plan.

16.5 Supported Carriers

Our SMS program is supported by major U.S. wireless carriers including AT&T, Verizon, T-Mobile, Sprint, Boost Mobile, Cricket Wireless, MetroPCS, U.S. Cellular, Virgin Mobile, and others. Carrier support may change without notice.

16.6 How to Opt-Out (STOP)

Reply STOP, END, CANCEL, UNSUBSCRIBE, or QUIT to any SMS message from Tabby, update your preferences in account settings, or contact support@usetabby.com. You will receive one confirmation message after opting out. To re-subscribe, text START, UNSTOP, or JOIN.

16.7 Help and Support

Reply HELP to any SMS message, contact support@usetabby.com, or visit our help center at https://www.usetabby.com/help.

16.8 SMS Terms and Conditions

To participate, you must be 18 or older, be the account holder of the phone number provided, have a U.S. mobile phone number, and use a supported wireless carrier. We are not liable for delays, failures to deliver, or errors in SMS messages.

16.9 International Users

Our SMS program is designed primarily for U.S. phone numbers. International delivery may be limited. Alternative communication methods (email, in-app notifications) are recommended for users outside the United States.

16.10 Privacy and Data Use

We collect your mobile phone number, opt-in/opt-out status, message delivery and open status, and device and carrier information. We share SMS data with SMS service providers (e.g., Twilio, AWS SNS) and analytics providers. We do not sell your mobile phone number to third parties.

16.11 Changes to SMS Program

We reserve the right to modify message frequency, change message types, update SMS terms, or suspend the program. We will notify you of material changes via SMS, by updating this Privacy Policy, or by posting a notice on our website.

16.14 SMS Program Contact Information

Spensibly, Inc. DBA Tabby
2153 Westchester Ave Suite 200, Bronx, NY 10462, United States
Email: support@usetabby.com
SMS Help: Reply HELP to any message  |  Opt-Out: Reply STOP

17 Third-Party Services and Links

17.1 Third-Party Integrations

Our Services integrate with financial institutions (via Plaid), payment processors (Stripe), payroll systems (Gusto, ADP), accounting software, and business applications. When you connect these services, you authorize data sharing with the third party, their privacy policy applies to their use of your data, and we are not responsible for third-party privacy practices.

17.2 Links to Third-Party Websites

Our website and Services may contain links to third-party websites, apps, or services. We do not control these third parties and are not responsible for their privacy practices or content. We encourage you to review the privacy policies of any third-party services before providing personal data.

17.3 Social Media Features

Our website may include social media features (e.g., Facebook "Like" button, Twitter "Tweet" button). These features may collect your IP address, page visits, and set cookies. Your interactions with these features are governed by the privacy policies of the companies providing them.

18 California Privacy Rights (CCPA/CPRA)

18.1 Applicability

This section applies to California residents under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

18.2 California Consumer Rights

• Right to Know: Request the categories and specific pieces of personal information we collect, our sources, purposes for collection, and categories of third parties with whom we share it.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: Tabby does not sell personal information for monetary consideration. However, certain advertising and analytics practices may constitute "sharing" under the CPRA.
• Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to what is necessary to provide our Services.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

18.3 Categories of Personal Information Collected (Past 12 Months)

• Identifiers (name, email, address, IP address)
• Financial information (bank account data, payment information)
• Commercial information (transaction history, purchase records)
• Internet or network activity (browsing history, usage data)
• Geolocation data (approximate location)
• Professional or employment-related information (business information)
• Inferences (preferences, behavior predictions)

18.7 Sale and Sharing of Personal Information

Sale: We do not sell personal information for money. Sharing: We may use personal information with third-party advertising tools for cross-context behavioral advertising.

18.9 Authorized Agents

You may designate an authorized agent to make CCPA/CPRA requests on your behalf. The agent must provide written authorization from you, verify their identity and authority, and comply with our verification procedures.

18.10 How to Exercise Your Rights

Email: support@usetabby.com
Mail: Spensibly, Inc. DBA Tabby, Attn: Privacy Team, 2153 Westchester Ave Suite 200, Bronx, NY 10462
We will respond within 45 days of receiving your request.

18.12 Shine the Light Law

California's "Shine the Light" law permits California residents to request information about disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.

19 Virginia, Colorado, Connecticut, and Utah Privacy Rights

19.1 Applicability

This section applies to residents of Virginia, Colorado, Connecticut, and Utah under their respective state privacy laws.

19.2 Your Rights

• Right to Know/Access: Confirm whether we process your personal data and access that data.
• Right to Correct: Correct inaccuracies in your personal data.
• Right to Delete: Request deletion of your personal data.
• Right to Data Portability: Obtain a copy of your personal data in a portable format.
• Right to Opt Out: Opt out of targeted advertising, sale of personal data, and profiling for decisions with legal or significant effects. Note: We do not engage in activities that constitute "sale" under these laws, though certain advertising may constitute "targeted advertising."

19.3 Sensitive Data

We do not process sensitive data (as defined by applicable state law) without your consent or as permitted by law.

19.4 How to Exercise Your Rights

Contact us at support@usetabby.com.

19.5 Appeals

If we deny your request, you have the right to appeal. Contact us at support@usetabby.com to initiate an appeal. We will respond within the timeframe required by applicable law.

20 Updates to This Privacy Policy

20.1 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our Services or business practices, new legal or regulatory requirements, improvements in data protection, or user feedback.

20.2 Notice of Material Changes

If we make material changes, we will notify you by sending an email to the address associated with your account, posting a prominent notice on our website, displaying a notification when you log into your account, or other appropriate means.

20.3 Effective Date of Changes

Changes become effective immediately for new users, upon your continued use of the Services after notice for existing users, or as specified in the notice of changes.

20.4 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your privacy. The date at the top of this Privacy Policy indicates when it was last updated.