Privacy Policy
Last Updated: February 18, 2025
Tabby Privacy Policy
Spensibly, Inc. DBA Tabby
Table of Contents
- Introduction
- Who We Are
- Scope of This Privacy Policy
- Personal Data We Collect
- How We Collect Personal Data
- How We Use Your Personal Data
- Legal Bases for Processing (EEA/UK Users)
- Cookies and Tracking Technologies
- How We Share Your Personal Data
- International Data Transfers
- Data Security
- Data Retention
- Your Privacy Rights
- Children’s Privacy
- AI and Machine Learning
- SMS and Text Messaging
- Third-Party Services and Links
- California Privacy Rights (CCPA/CPRA)
- Virginia, Colorado, Connecticut, and Utah Privacy Rights
- Updates to This Privacy Policy
- Contact Us
1. Introduction
Welcome to Tabby! We understand that your privacy is important, and we’re committed to protecting your personal information and being transparent about how we collect, use, and share it.
This Privacy Policy explains how Spensibly, Inc., doing business as Tabby (“Tabby,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal data when you:
- Visit our website at www.usetabby.com
- Use our mobile applications
- Access our AI-powered bookkeeping and financial management services
- Interact with us through customer support, events, or other communications
By using our Services, you agree to the collection, use, and sharing of your personal data as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We encourage you to review this Privacy Policy periodically.
2. Who We Are
Company Name: Spensibly, Inc.
Operating Name: Tabby
State of Incorporation: Delaware
Principal Office: 2153 Westchester Ave Suite 200, Bronx, NY 10462, United States
Tabby provides AI-powered bookkeeping and financial automation software designed for freelancers, solopreneurs, gig workers, 1099 contractors, real estate agents, small business owners, and accounting professionals. Our mission is to simplify bookkeeping and make financial management effortless through cutting-edge artificial intelligence.
For purposes of data protection laws:
- Spensibly, Inc. is the data controller for personal data we collect about our users (subscribers and invited users)
- We act as a data processor (or “service provider”) for personal data that our subscribers enter into our Services about their customers, suppliers, employees, and other third parties
3. Scope of This Privacy Policy
3.1 What This Policy Covers
This Privacy Policy applies to personal data we collect and process when you:
- Create an account and subscribe to our Services
- Use our website, mobile apps, or Services
- Communicate with our customer support team
- Attend our events, webinars, or training sessions
- Participate in surveys, competitions, or promotional programs
- Interact with our marketing materials
- Connect third-party services to your Tabby account
3.2 What This Policy Does Not Cover
This Privacy Policy does not apply to:
Personal Data Controlled by Our Subscribers
When you (as a subscriber) enter personal data about your customers, suppliers, employees, or other third parties into our Services, you are the data controller of that information. We process it only as a service provider on your behalf in accordance with our Terms of Use and applicable data protection agreements.
If you are an individual whose information has been entered into Tabby by a subscriber (for example, you are an employee, customer, or supplier of a Tabby subscriber), please contact that subscriber directly with questions about how your data is used. The subscriber controls that data, not Tabby.
Third-Party Services
This Privacy Policy does not cover the privacy practices of third-party services that you may connect to Tabby (such as banks, payment processors, or other applications). Those services have their own privacy policies, which we encourage you to review.
3.3 Your Responsibility
If you provide us with personal data about other individuals (such as team members, employees, or contractors), you represent and warrant that:
- You have the authority to share that data with us
- You have obtained all necessary consents
- You have provided those individuals with appropriate privacy notices
- Your sharing of that data complies with applicable laws
4. Personal Data We Collect
The personal data we collect depends on how you interact with our Services. We’ve organized the types of data we collect into categories below.
4.1 Identity and Contact Information
- Full name
- Email address
- Phone number
- Mailing address
- Business name and address
- Social media handles (if you contact us through social media)
- Profile photograph (if you choose to upload one)
4.2 Account and Authentication Data
- Username and password
- Account settings and preferences
- Subscription type and plan details
- User role (subscriber or invited user)
- Multi-factor authentication information
- Security questions and answers
- Account activity logs
4.3 Financial and Payment Data
- Bank account information (provided through secure third-party integrations)
- Credit or debit card details (last four digits only; full card data is processed by our payment processors)
- Payment method information
- Billing address
- Transaction history
- Invoicing and payment records
- Tax identification numbers (when required for tax reporting)
4.4 Business and Transaction Data
- Income and expense records
- Financial transactions
- Receipts and supporting documentation
- Invoice data
- Vendor and customer information (entered by you)
- Payroll information (if you use payroll integrations)
- Tax forms and financial reports
- Business structure and entity information
4.5 Communications Data
- Customer support inquiries and correspondence
- Chat logs and messages
- Call recordings (with your consent)
- Email communications
- Survey responses
- Feedback and reviews
- Event registration information
- Webinar participation data
4.6 Marketing and Preference Data
- Communication preferences (email, SMS, push notifications)
- Marketing consent status
- SMS opt-in status and mobile phone number
- Interests and service preferences
- Responses to promotional campaigns
- Referral information
- Newsletter subscription status
4.7 Technical and Device Data
- IP address
- Browser type and version
- Operating system
- Device type and identifiers
- Mobile device information (model, OS version, device ID)
- Internet service provider
- Time zone and location data (based on IP address)
- Advertising identifiers
4.8 Usage and Analytics Data
- Pages visited and features used
- Time spent on pages
- Click data and navigation paths
- Search queries within our Services
- Features and functionality accessed
- Error logs and crash reports
- Performance and diagnostic data
- Session duration and frequency
- Login history
- AI categorization acceptance rates
4.9 Location Data
- Approximate location based on IP address
- Precise location (only if you grant permission through your mobile device)
- Location metadata in uploaded receipts or documents
4.10 User-Generated Content
- Profile information you create
- Comments or posts in our community forums or support channels
- Photos, videos, or audio recordings you upload
- Documents and receipts you upload
- Any other content you voluntarily provide
4.11 Sensitive Personal Data
We generally do not request or require sensitive personal data to provide our Services. However, you may voluntarily provide sensitive information such as:
- Social Security Number or Tax ID (for tax reporting purposes)
- Bank account details (through secure integrations)
- Health information (if included in expense records)
We handle all sensitive personal data with heightened security measures and in compliance with applicable laws.
5. How We Collect Personal Data
We collect personal data through several methods:
5.1 Information You Provide Directly
We collect personal data when you:
- Create an account or sign up for a trial
- Subscribe to our Services
- Update your profile or account settings
- Connect your bank accounts or payment methods
- Upload receipts, invoices, or documents
- Submit customer support requests
- Participate in surveys, webinars, or events
- Sign up for our newsletter or marketing communications
- Enter competitions or promotions
- Provide feedback or testimonials
You are not required to provide personal data, but if you choose not to, you may not be able to access certain features or use our Services.
5.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Technical data about your device and connection
- Usage data about how you interact with our Services
- Location data based on your IP address
- Cookies and similar tracking technologies (see Section 8)
We use analytics tools, including Google Analytics, to collect and analyze usage data to improve our Services.
5.3 Information from Third-Party Sources
We may receive personal data from:
Financial Institutions and Data Aggregators
- Bank transaction data (through Plaid or similar services)
- Account balance and holder information
- Transaction categorization data
Payment Processors
- Payment confirmation and transaction details
- Billing information
- Fraud detection data
Identity Verification Services
- Identity verification results
- Risk assessment data
- Compliance screening information
Marketing and Analytics Partners
- Demographic and interest data
- Marketing campaign performance data
- Website visitor behavior
Social Media Platforms
- Public profile information (if you connect social accounts)
- Social media interactions with our content
Business Partners and Affiliates
- Referral information
- Partnership program data
- Co-marketing campaign data
Publicly Available Sources
- Business registration data
- Public records
- Industry databases
5.4 Information from Other Users
If you are invited to use our Services by a subscriber, that subscriber may provide us with your name, email address, and role information.
6. How We Use Your Personal Data
We use your personal data for the purposes described below. The specific data categories used for each purpose are indicated.
6.1 To Provide and Deliver Our Services
We use your personal data to:
- Create and manage your account
- Authenticate your identity and prevent unauthorized access
- Process your subscription and payments
- Connect to your financial institutions and import transactions
- Automatically categorize expenses and income using AI
- Generate invoices and financial reports
- Provide real-time financial insights and dashboards
- Enable receipt scanning and document storage
- Facilitate multi-business account management
- Deliver Tabby for Accountants features
- Sync data across your devices
Data categories used: Identity and contact data, account data, financial and payment data, business and transaction data, technical data, usage data
6.2 To Communicate with You
We use your personal data to:
- Send account-related notifications and updates
- Provide customer support and respond to inquiries
- Send transaction alerts and important service announcements
- Notify you of changes to our Services or policies
- Request feedback or reviews
- Communicate about billing and subscriptions
- Send security alerts and fraud warnings
Data categories used: Identity and contact data, account data, communications data, usage data
6.3 For Quality Assurance and Training
We use your personal data to:
- Monitor and improve customer support quality
- Train our support team and AI systems
- Maintain records of our interactions with you
- Ensure compliance with our internal policies
Data categories used: Identity and contact data, communications data, account data
Note: If we record customer support calls, we will notify you and obtain your consent where required by law.
6.4 To Improve and Develop Our Services
We use your personal data to:
- Analyze how users interact with our Services
- Identify and fix bugs and technical issues
- Develop new features and functionality
- Conduct research and analytics
- Improve our AI categorization algorithms
- Optimize user experience and interface design
- Test new Services and features
- Make data-driven business decisions
Data categories used: All categories, including anonymized and aggregated data
6.5 For Security and Fraud Prevention
We use your personal data to:
- Detect and prevent fraud, abuse, and security threats
- Monitor suspicious activity and unauthorized access
- Verify user identity
- Protect against cyberattacks and data breaches
- Ensure compliance with our Terms of Use
- Investigate and respond to security incidents
- Maintain the integrity of our Services
Data categories used: Identity and contact data, account data, financial data, technical data, device data, usage data
6.6 For Marketing and Promotional Activities
With your consent or where permitted by law, we use your personal data to:
- Send promotional emails, newsletters, and offers
- Send SMS text messages with promotions, updates, and alerts
- Provide information about new features and Services
- Share educational content and resources
- Invite you to webinars, events, and training
- Run contests, sweepstakes, and referral programs
- Conduct market research and surveys
- Personalize marketing messages based on your interests
Data categories used: Identity and contact data, account data, marketing and preference data, usage data
You can opt out of marketing communications at any time by clicking the “unsubscribe” link in emails, replying STOP to SMS messages, or updating your communication preferences in your account settings. See Section 16 for detailed SMS terms and conditions.
6.7 To Personalize Your Experience
We use your personal data to:
- Customize the content and features you see
- Recommend relevant insights and tips
- Tailor your dashboard and reports to your business type
- Provide location-specific information
- Remember your preferences and settings
Data categories used: Account data, usage data, location data, marketing and preference data
6.8 For Advertising and Retargeting
We use your personal data to:
- Display relevant advertisements on our website and Services
- Show you Tabby ads on third-party websites and platforms
- Measure the effectiveness of our advertising campaigns
- Create lookalike audiences for marketing purposes
- Retarget website visitors who haven’t signed up
Data categories used: Identity and contact data, technical data, usage data, marketing and preference data
You can control advertising preferences through cookie settings and opt-out mechanisms described in Section 8.
6.9 For Legal and Regulatory Compliance
We use your personal data to:
- Comply with applicable laws and regulations
- Respond to legal requests, court orders, and government inquiries
- Enforce our Terms of Use and other agreements
- Meet tax reporting and financial regulatory requirements
- Conduct internal audits and compliance checks
- Fulfill record-keeping obligations
Data categories used: All categories as necessary
6.10 To Manage Legal Claims and Disputes
We use your personal data to:
- Establish, exercise, and defend legal claims
- Investigate potential violations of our Terms of Use
- Resolve disputes with users or third parties
- Protect our rights, property, and safety
Data categories used: Identity and contact data, account data, financial data, communications data, usage data
7. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we are required to inform you of the legal bases for processing your personal data.
7.1 Contractual Necessity
We process your personal data to fulfill our contractual obligations under our Terms of Use and to provide the Services you have subscribed to.
Applies to: Providing and delivering Services, communicating about Services, payment processing
7.2 Consent
We process your personal data based on your explicit consent, which you can withdraw at any time.
Applies to: Marketing communications (email and SMS), certain cookies and tracking technologies, call recordings, optional features
How to withdraw consent: Use the unsubscribe link in emails, reply STOP to SMS messages, adjust cookie settings, or contact us at support@usetabby.com
7.3 Legitimate Interests
We process your personal data for our legitimate business interests or those of third parties, provided that such interests do not override your fundamental rights and freedoms.
Applies to: Improving Services, security and fraud prevention, analytics, personalization, certain marketing activities, quality assurance
Our legitimate interests include:
- Operating and improving our business
- Protecting our Services and users from fraud and security threats
- Understanding how users interact with our Services
- Communicating about our Services
- Marketing our Services to existing customers
7.4 Legal Obligation
We process your personal data to comply with legal obligations, such as tax laws, financial regulations, and data protection laws.
Applies to: Tax reporting, regulatory compliance, responding to legal requests, record-keeping
8. Cookies and Tracking Technologies
8.1 What Are Cookies?
Cookies are small text files stored on your device when you visit websites or use applications. They help us recognize your device, remember your preferences, and improve your experience.
8.2 Types of Cookies We Use
Strictly Necessary Cookies
These cookies are essential for the Services to function and cannot be disabled. They enable core functionality such as:
- Account authentication and security
- Session management
- Load balancing
- Security features
Functional Cookies
These cookies enhance functionality and personalization, including:
- Remembering your preferences and settings
- Saving your language selection
- Maintaining your login state
- Customizing your dashboard
Analytics and Performance Cookies
These cookies help us understand how you use our Services so we can improve them:
- Google Analytics
- Usage statistics and metrics
- Error tracking and diagnostics
- A/B testing and optimization
Marketing and Advertising Cookies
These cookies enable us to show you relevant advertisements and measure campaign effectiveness:
- Remarketing and retargeting
- Conversion tracking
- Social media pixels (Facebook, LinkedIn, Twitter)
- Google Ads and other advertising platforms
8.3 Similar Tracking Technologies
We also use:
- Web beacons (pixels): Small graphics embedded in emails and web pages to track opens, clicks, and conversions
- Local storage: Browser storage for caching and performance
- SDKs and APIs: Third-party software development kits in our mobile apps for analytics and functionality
8.4 Third-Party Cookies
Some cookies are placed by third-party services we use, including:
- Google Analytics
- Google Ads
- Facebook Pixel
- LinkedIn Insight Tag
- Intercom (customer support chat)
- Stripe (payment processing)
- Plaid (bank connections)
These third parties may use cookies to track you across multiple websites and services.
8.5 Managing Cookie Preferences
You can control cookies through:
Browser Settings
Most browsers allow you to:
- View and delete cookies
- Block all cookies
- Block third-party cookies
- Receive alerts when cookies are set
Instructions vary by browser. Visit your browser’s help menu for more information.
Opt-Out Tools
- Google Analytics Opt-Out: Google Analytics Opt-out Browser Add-on
- Digital Advertising Alliance: DAA Opt-Out
- Network Advertising Initiative: NAI Opt-Out
- Your Online Choices (EU): YourOnlineChoices
Mobile Device Settings
- iOS: Settings > Privacy > Advertising > Limit Ad Tracking
- Android: Settings > Google > Ads > Opt out of Ads Personalization
Note: Disabling certain cookies may affect the functionality of our Services.
8.6 Do Not Track Signals
Some browsers have “Do Not Track” (DNT) features. Currently, there is no industry standard for responding to DNT signals. Our Services do not respond to DNT signals, but you can use the cookie controls described above.
9. How We Share Your Personal Data
We do not sell your personal data. We share your personal data only in the circumstances described below.
9.1 Service Providers and Partners
We share personal data with trusted third-party service providers who help us deliver our Services, including:
Financial Services
- Plaid: Bank account connections and transaction data
- Stripe: Payment processing
- Tax software providers: Tax filing and compliance
Infrastructure and Hosting
- Cloud hosting providers (AWS, Google Cloud, etc.)
- Content delivery networks
- Database and storage providers
Customer Support
- Customer support platforms (e.g., Intercom, Zendesk)
- Email service providers
- Chat and messaging services
Analytics and Marketing
- Google Analytics
- Marketing automation platforms
- Email marketing services (e.g., Mailchimp)
- Advertising platforms (Google Ads, Facebook Ads, LinkedIn Ads)
Security and Fraud Prevention
- Identity verification services
- Fraud detection and prevention tools
- Security monitoring services
Business Operations
- Accounting and tax advisors
- Legal counsel
- Audit and compliance firms
These service providers:
- Are contractually obligated to protect your data
- May only use your data to provide services to us
- Must comply with applicable data protection laws
- Are not permitted to use your data for their own purposes
9.2 Third-Party Integrations You Connect
When you choose to connect third-party services to your Tabby account (such as payroll systems, invoicing tools, or business applications), we share data with those services as necessary to enable the integration.
Important: Third-party services have their own privacy policies and terms. We do not control how they use your data, and we encourage you to review their policies before connecting them.
9.3 Subscribers and Invited Users
- If you are an invited user, we may share your usage data and activity within the Services with the subscriber who invited you
- Subscribers can see which invited users access their subscription and how they use the Services
9.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such change and your rights regarding your personal data.
9.5 Legal Requirements and Protection of Rights
We may disclose your personal data if required to do so by law or if we believe in good faith that such disclosure is necessary to:
- Comply with legal obligations, court orders, or government requests
- Enforce our Terms of Use and other agreements
- Protect and defend our rights, property, or safety
- Protect the rights, property, or safety of our users or the public
- Investigate and prevent fraud, security threats, or illegal activity
- Respond to lawful requests from public authorities, including national security or law enforcement
9.6 With Your Consent
We may share your personal data with third parties when you give us explicit consent to do so.
9.7 Aggregated and Anonymized Data
We may share aggregated, de-identified, or anonymized data that does not identify you personally with:
- Research partners
- Business intelligence providers
- Industry analysts
- Marketing partners
- The public (e.g., in reports or blog posts)
This data cannot be used to identify you and is not considered personal data.
10. International Data Transfers
10.1 Where We Process Data
Tabby is based in the United States. When you use our Services, your personal data may be transferred to, stored, and processed in:
- The United States
- Other countries where we, our affiliates, or our service providers operate
These countries may have data protection laws that differ from the laws of your country.
10.2 Safeguards for International Transfers
When we transfer personal data outside of your country, we implement appropriate safeguards to protect your data, including:
For EEA/UK Users:
- Standard Contractual Clauses (SCCs): EU-approved contractual terms with data recipients
- Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
- Binding Corporate Rules: Internal data protection policies for transfers within our corporate group
- Your Consent: Where appropriate, we may obtain your explicit consent for specific transfers
For Other Users:
- Contractual protections with service providers
- Compliance with applicable data transfer laws
- Use of certified service providers
10.3 Your Rights Regarding International Transfers
If you are in the EEA or UK, you have the right to request information about the safeguards we use for international transfers. Contact us at support@usetabby.com.
11. Data Security
11.1 Our Security Measures
We take the security of your personal data seriously and implement industry-standard technical, physical, and organizational measures to protect it from unauthorized access, disclosure, alteration, or destruction.
Technical Safeguards:
- Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256)
- Secure authentication: Multi-factor authentication (MFA) options
- Access controls: Role-based access controls and least privilege principles
- Firewalls and intrusion detection: Network security monitoring
- Security testing: Regular vulnerability assessments and penetration testing
- Secure development: Security-focused development practices
Physical Safeguards:
- Secure data centers with restricted access
- Environmental controls and monitoring
- Backup power and redundancy systems
Organizational Safeguards:
- Employee training on data security and privacy
- Background checks for employees with data access
- Confidentiality agreements with employees and contractors
- Incident response procedures
- Regular security audits and compliance reviews
11.2 Third-Party Security
Our service providers and partners are required to implement appropriate security measures and comply with applicable data protection laws. We assess their security practices before engaging them.
11.3 Your Responsibility
You play an important role in protecting your data:
- Use strong, unique passwords
- Enable multi-factor authentication
- Keep your login credentials confidential
- Log out when using shared devices
- Report suspicious activity immediately
- Keep your software and devices updated
11.4 Security Limitations
While we strive to protect your personal data, no security system is completely impenetrable. We cannot guarantee absolute security. Internet transmissions are never completely secure, and we cannot ensure the security of data transmitted to us over the Internet.
11.5 Security Incidents
In the event of a data breach that affects your personal data, we will:
- Investigate and contain the incident
- Notify you as required by applicable law
- Provide information about the breach and steps you can take to protect yourself
- Notify relevant authorities as required
If you become aware of any security vulnerability or incident, please contact us immediately at support@usetabby.com.
12. Data Retention
12.1 How Long We Retain Data
We retain your personal data for as long as necessary to:
- Provide our Services
- Maintain your account
- Comply with legal and regulatory obligations
- Resolve disputes
- Enforce our agreements
- Support business operations
12.2 Retention Periods by Data Type
Account and Identity Data
- Retained while your account is active
- Retained for up to 90 days after account termination or deletion
- May be retained longer if required for legal or regulatory compliance (typically 7 years for financial records)
Financial and Transaction Data
- Retained for at least 7 years to comply with tax and accounting regulations
- May be retained longer if involved in legal disputes or investigations
Communications Data
- Customer support records: Retained for 3-5 years
- Marketing communications: Retained until you opt out or for up to 2 years of inactivity
Usage and Analytics Data
- Typically retained for 2-3 years
- Aggregated and anonymized data may be retained indefinitely
Cookies and Tracking Data
- Varies by cookie type; typically 1-24 months
- See Section 8 for cookie-specific retention periods
12.3 Data Deletion
After the applicable retention period:
- Personal data is securely deleted or anonymized
- Deletion is performed in a manner that makes recovery impossible
- Anonymized data may be retained for research and analytics
12.4 Exceptions
We may retain personal data longer than specified above when:
- Required by law or regulation
- Necessary for ongoing legal proceedings
- Needed to protect our legal rights
- Required for legitimate business purposes (e.g., fraud prevention)
- You request extended retention
12.5 Backup Data
Deleted data may remain in backup systems for up to 90 days before being permanently removed.
13. Your Privacy Rights
Depending on your location, you have certain rights regarding your personal data. This section describes those rights and how to exercise them.
13.1 Rights Available to All Users
Right to Access
You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.
Right to Correction
You have the right to correct inaccurate or incomplete personal data we hold about you.
Right to Deletion
You have the right to request deletion of your personal data in certain circumstances, such as:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent is the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
Note: We may need to retain certain data to comply with legal obligations or for legitimate business purposes.
Right to Opt-Out of Marketing
You can opt out of marketing communications at any time by:
- Clicking “unsubscribe” in marketing emails
- Updating your communication preferences in your account settings
- Contacting us at support@usetabby.com
Right to Manage Cookie Preferences
You can control cookies through browser settings and opt-out tools (see Section 8).
13.2 Additional Rights for EEA/UK Users
Under the General Data Protection Regulation (GDPR) and UK GDPR, you have additional rights:
Right to Restrict Processing
You can request that we limit how we use your personal data in certain situations, such as:
- While we verify the accuracy of your data
- When processing is unlawful but you don’t want data deleted
- When we no longer need the data but you need it for legal claims
Right to Data Portability
You can request a copy of your personal data in a structured, commonly used, machine-readable format and have it transferred to another service provider where technically feasible.
Right to Object
You can object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
Right Not to Be Subject to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects, unless:
- Necessary for a contract
- Authorized by law
- Based on your explicit consent
Note: Our AI categorization is not fully automated decision-making with legal effects. You can review and override AI-generated categorizations.
Right to Withdraw Consent
Where we process your data based on consent, you can withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
EEA/UK Data Protection Authorities:
- UK: Information Commissioner’s Office (ICO) – https://ico.org.uk
- EU: Your local supervisory authority – https://edpb.europa.eu/about-edpb/board/members_en
13.3 Additional Rights for California Residents
See Section 18 for California-specific rights under CCPA/CPRA.
13.4 How to Exercise Your Rights
To exercise any of these rights, you can:
- Update your information directly in your account settings
- Contact us at support@usetabby.com
- Send a written request to:
Spensibly, Inc. DBA Tabby
Attn: Privacy Team
2153 Westchester Ave Suite 200
Bronx, NY 10462
United States
Verification Process
To protect your privacy and security, we will verify your identity before fulfilling your request. We may ask for:
- Account information
- Email verification
- Government-issued ID (for certain requests)
- Additional identifying information
Response Time
We will respond to your request within:
- 30 days for most requests
- 45 days for complex requests (we’ll notify you of any extension)
- As required by applicable law for jurisdiction-specific requests
No Discrimination
We will not discriminate against you for exercising your privacy rights.
Authorized Agents
You may designate an authorized agent to make requests on your behalf. The agent must provide:
- Written authorization signed by you
- Proof of their identity
- Verification of your identity
14. Children’s Privacy
14.1 Age Restrictions
Our Services are not intended for children under the age of 18. We do not knowingly collect personal data from children under 18.
If you are under 18, you may not:
- Create an account
- Use our Services
- Provide any personal data to us
14.2 Parental Notice
If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information as quickly as possible.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at support@usetabby.com.
15. AI and Machine Learning
15.1 How We Use AI
Tabby uses artificial intelligence and machine learning technologies to:
- Automatically categorize transactions and expenses
- Extract data from receipts and documents
- Provide financial insights and recommendations
- Detect anomalies and potential errors
- Personalize your experience
- Improve our Services
15.2 AI Training
We may use your data to train and improve our AI models:
- Anonymized training data: We use anonymized and aggregated data to train AI models
- Model improvement: User feedback and corrections help improve categorization accuracy
- Privacy protection: Personal identifiers are removed before data is used for training
15.3 Human Review
While our AI automates many tasks, you remain in control:
- You can review and modify AI-generated categorizations
- You can provide feedback to improve accuracy
- Critical decisions require human review
15.4 AI Accuracy
Our AI systems strive for high accuracy, but they are not perfect. You should:
- Review AI-generated categorizations before relying on them
- Verify financial reports before using them for tax or compliance purposes
- Not rely solely on AI for important financial decisions
16. SMS and Text Messaging
16.1 SMS Program Description
Tabby offers an SMS (Short Message Service) text messaging program that allows us to send you:
- Account notifications and alerts
- Transaction notifications
- Security alerts and fraud warnings
- Service updates and important announcements
- Promotional offers and marketing messages (with your consent)
- Appointment reminders and event notifications
- Tips and educational content
16.2 Consent and Opt-In
Express Consent Required
By providing your mobile phone number and opting in to receive SMS messages from Tabby, you expressly consent to receive text messages at the phone number you provided. This consent includes:
- Recurring automated marketing and promotional messages
- Transactional and informational messages
- Messages sent using an automatic telephone dialing system
How to Opt-In
You can opt in to receive SMS messages by:
- Checking the SMS opt-in box during account registration
- Texting a keyword (e.g., “START” or “JOIN”) to our SMS short code
- Updating your communication preferences in your account settings
- Providing consent through other sign-up methods we may offer
Opt-in is Not Required for Purchase
Consenting to receive SMS messages is not a condition of purchasing or using Tabby’s Services. You can use our Services without opting in to SMS.
16.3 Message Types and Frequency
Transactional Messages
Even if you have not opted in to marketing messages, we may send you transactional SMS messages related to your account, including:
- Security alerts and verification codes
- Fraud warnings
- Critical service updates
- Password reset confirmations
- Two-factor authentication codes
These transactional messages are necessary for account security and service delivery and cannot be opted out of without closing your account.
Marketing Messages
If you opt in, you may receive promotional SMS messages, including:
- Special offers and discounts
- New feature announcements
- Event invitations
- Tips and best practices
- Seasonal promotions
Message Frequency
- Transactional messages: Sent as needed based on account activity
- Marketing messages: Up to 4 messages per month (frequency may vary)
- You may receive more messages during promotional periods or as account activity requires
16.4 Message and Data Rates
Carrier Charges Apply
Message and data rates may apply based on your mobile phone plan. Standard text messaging rates from your wireless carrier will apply to all messages sent and received. Please contact your wireless carrier for details about your messaging plan.
Data Usage
While SMS messages themselves do not use significant data, any links within messages that you click will use mobile data according to your carrier’s data plan.
16.5 Supported Carriers
Our SMS program is supported by major U.S. wireless carriers, including:
- AT&T
- Verizon
- T-Mobile
- Sprint
- Boost Mobile
- Cricket Wireless
- MetroPCS
- U.S. Cellular
- Virgin Mobile
- And other participating carriers
Carrier support may change without notice. We are not responsible for messages that are not delivered due to carrier limitations or incompatibilities.
16.6 How to Opt-Out (STOP)
Unsubscribe at Any Time
You can opt out of marketing SMS messages at any time at no cost by:
- Replying STOP, END, CANCEL, UNSUBSCRIBE, or QUIT to any SMS message from Tabby
- Updating your communication preferences in your account settings
- Contacting customer support at support@usetabby.com
Confirmation
After you opt out, you will receive one final confirmation message confirming your opt-out request.
Re-Subscribing
If you opt out and later wish to re-subscribe, you can:
- Text START, UNSTOP, or JOIN to our SMS number
- Update your preferences in your account settings
- Contact customer support
16.7 Help and Support
Get Help
For help with SMS messages, you can:
- Reply HELP to any SMS message from Tabby
- Contact us at support@usetabby.com
- Call our support line (if available)
- Visit our support center at https://www.usetabby.com/support
HELP Response
When you text HELP, you will receive information about the SMS program, including how to opt out and contact information.
16.8 SMS Terms and Conditions
Eligibility
To participate in our SMS program, you must:
- Be 18 years of age or older
- Be the account holder or authorized user of the mobile phone number provided
- Have a U.S. mobile phone number
- Use a supported wireless carrier
Accuracy of Information
You represent that:
- The mobile phone number you provide is accurate and belongs to you
- You are authorized to receive SMS messages at that number
- You will update your phone number if it changes
Delivery
While we strive to deliver all messages promptly, we do not guarantee:
- Timely delivery of SMS messages
- Delivery of every message
- That messages will be error-free
Message delivery may be delayed or blocked due to:
- Carrier network issues
- Device or phone limitations
- Spam filters
- International roaming restrictions
- Account or payment issues with your carrier
We are not liable for delays, failures to deliver, or errors in SMS messages.
16.9 International Users
Our SMS program is designed primarily for U.S. phone numbers. If you are located outside the United States:
- We may not be able to send SMS messages to international numbers
- International message and data rates may apply
- Delivery and functionality may be limited
- You should use alternative communication methods (email, in-app notifications)
16.10 Privacy and Data Use
SMS Data Collection
When you participate in our SMS program, we collect:
- Your mobile phone number
- Opt-in and opt-out status
- Message delivery and open status
- Responses to SMS messages
- Device and carrier information
How We Use SMS Data
We use SMS data to:
- Send requested messages
- Improve our SMS program
- Analyze message effectiveness
- Ensure compliance with telecommunications regulations
- Prevent fraud and abuse
SMS Data Sharing
We share SMS data with:
- SMS service providers (e.g., Twilio, AWS SNS) who facilitate message delivery
- Analytics providers to measure campaign effectiveness
- Legal authorities when required by law
We do not sell your mobile phone number to third parties.
Data Security
Your mobile phone number and SMS data are protected by the security measures described in Section 11 of this Privacy Policy.
Retention
We retain SMS data as described in Section 12 of this Privacy Policy, typically:
- Opt-in/opt-out records: 7 years (for compliance)
- Message delivery logs: 2-3 years
- Marketing analytics: 2 years
16.11 Changes to SMS Program
We reserve the right to:
- Modify message frequency
- Change the types of messages sent
- Update SMS terms and conditions
- Suspend or discontinue the SMS program
We will notify you of material changes to the SMS program by:
- Sending an SMS notification
- Updating this Privacy Policy
- Posting a notice on our website
16.12 Prohibited Uses
You may not use our SMS program to:
- Send spam or unsolicited messages
- Harass, abuse, or threaten others
- Send illegal, fraudulent, or malicious content
- Impersonate others
- Interfere with the SMS program’s operation
- Violate any applicable laws or regulations
Violation of these terms may result in immediate termination of your SMS privileges and/or account suspension.
16.13 SMS Disclaimer
SMS MESSAGES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
We are not liable for:
- Failures or delays in message delivery
- Messages sent to the wrong number due to your error
- Charges from your wireless carrier
- Damages arising from your participation in the SMS program
- Loss or disclosure of information transmitted via SMS
16.14 SMS Program Contact Information
For questions about our SMS program, contact:
Spensibly, Inc. DBA Tabby
2153 Westchester Ave Suite 200
Bronx, NY 10462
United States
Email: support@usetabby.com
SMS Help: Reply HELP to any message
Opt-Out: Reply STOP to any message
17. Third-Party Services and Links
17.1 Third-Party Integrations
Our Services integrate with various third-party services, including:
- Financial institutions (via Plaid)
- Payment processors (Stripe)
- Payroll systems (Gusto, ADP)
- Accounting software
- Business applications
When you connect these services:
- You authorize data sharing between Tabby and the third party
- The third party’s privacy policy and terms apply to their use of your data
- We are not responsible for the privacy practices of third parties
17.2 Links to Third-Party Websites
Our website and Services may contain links to third-party websites, apps, or services. We do not control these third parties and are not responsible for their privacy practices or content.
We encourage you to review the privacy policies of any third-party services before providing them with your personal data.
17.3 Social Media Features
Our website and Services may include social media features (e.g., Facebook “Like” button, Twitter “Tweet” button). These features may collect your IP address, page visits, and set cookies. Your interactions with these features are governed by the privacy policies of the companies providing them.
18. California Privacy Rights (CCPA/CPRA)
18.1 Applicability
This section applies to California residents under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
18.2 California Consumer Rights
Right to Know
You have the right to request:
- The categories of personal information we collect
- The categories of sources from which we collect personal information
- Our business or commercial purposes for collecting or selling personal information
- The categories of third parties with whom we share personal information
- The specific pieces of personal information we have collected about you
Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Correct
You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing
You have the right to opt out of the “sale” or “sharing” of your personal information.
Note: Tabby does not sell personal information for monetary consideration. However, certain advertising and analytics practices may be considered “sharing” under the CPRA.
Right to Limit Use of Sensitive Personal Information
You have the right to limit our use of sensitive personal information to what is necessary to provide our Services.
Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA/CPRA rights.
18.3 Categories of Personal Information Collected
In the past 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, address, IP address)
- Financial information (bank account data, payment information)
- Commercial information (transaction history, purchase records)
- Internet or network activity (browsing history, usage data)
- Geolocation data (approximate location)
- Professional or employment-related information (business information)
- Inferences (preferences, behavior predictions)
18.4 Sources of Personal Information
We collect personal information from:
- Directly from you
- Automatically through your use of our Services
- Financial institutions and data aggregators
- Payment processors
- Analytics and advertising partners
- Other third parties as described in Section 5
18.5 Business Purposes for Collecting Personal Information
We use personal information for the business purposes described in Section 6, including:
- Providing and improving our Services
- Customer support
- Security and fraud prevention
- Marketing and advertising
- Legal compliance
18.6 Disclosure of Personal Information
We disclose personal information to the categories of third parties described in Section 9, including:
- Service providers
- Business partners
- Affiliates
- Government entities (when required)
18.7 Sale and Sharing of Personal Information
Sale: We do not sell personal information for money.
Sharing: We may “share” personal information with advertising partners for cross-context behavioral advertising, which may be considered a “sale” or “share” under CCPA/CPRA.
Categories of personal information shared: Identifiers, internet activity, inferences
Opt-Out: To opt out of sharing for targeted advertising:
- Adjust cookie settings on our website
- Use the “Do Not Sell or Share My Personal Information” link on our website
- Contact us at support@usetabby.com
18.8 Retention
See Section 12 for information on how long we retain personal information.
18.9 Sensitive Personal Information
We collect the following sensitive personal information:
- Social Security Number or Tax ID (for tax reporting)
- Financial account credentials (through secure third-party integrations)
- Precise geolocation (only with your permission)
We use sensitive personal information only for:
- Providing our Services
- Security and fraud prevention
- Compliance with legal obligations
- Other purposes disclosed in this Privacy Policy
You have the right to limit our use of sensitive personal information. Contact us at support@usetabby.com to exercise this right.
18.10 Authorized Agents
You may designate an authorized agent to make CCPA/CPRA requests on your behalf. The agent must:
- Provide written authorization from you
- Verify their identity and authority
- Comply with our verification procedures
18.11 How to Exercise Your Rights
Contact us at:
- Email: support@usetabby.com
- Phone: Available upon request
- Mail: Spensibly, Inc. DBA Tabby, Attn: Privacy Team, 2153 Westchester Ave Suite 200, Bronx, NY 10462
We will respond within 45 days of receiving your request.
18.12 Verification
To verify your identity, we may request:
- Email address associated with your account
- Account information
- Government-issued ID (for certain requests)
- Other identifying information
18.13 Shine the Light Law
California’s “Shine the Light” law permits California residents to request information about disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.
19. Virginia, Colorado, Connecticut, and Utah Privacy Rights
19.1 Applicability
This section applies to residents of Virginia, Colorado, Connecticut, and Utah under their respective state privacy laws.
19.2 Your Rights
Right to Know/Access
You have the right to confirm whether we process your personal data and access that data.
Right to Correct
You have the right to correct inaccuracies in your personal data.
Right to Delete
You have the right to request deletion of your personal data.
Right to Data Portability
You have the right to obtain a copy of your personal data in a portable format.
Right to Opt Out
You have the right to opt out of:
- Targeted advertising
- Sale of personal data
- Profiling in furtherance of decisions that produce legal or similarly significant effects
Note: We do not engage in activities that constitute “sale” under these state laws. However, certain advertising practices may constitute “targeted advertising.”
19.3 Sensitive Data
We do not process sensitive data (as defined by applicable state law) without your consent or as permitted by law.
19.4 How to Exercise Your Rights
Contact us at support@usetabby.com or use the contact information in Section 20.
19.5 Appeals
If we deny your request, you have the right to appeal. Contact us at support@usetabby.com to initiate an appeal. We will respond within the timeframe required by applicable law.
20. Updates to This Privacy Policy
20.1 Changes to This Policy
We may update this Privacy Policy from time to time to reflect:
- Changes to our Services or business practices
- New legal or regulatory requirements
- Improvements in data protection
- User feedback
20.2 Notice of Material Changes
If we make material changes to this Privacy Policy, we will notify you by:
- Sending an email to the address associated with your account
- Posting a prominent notice on our website
- Displaying a notification when you log into your account
- Other appropriate means
20.3 Effective Date of Changes
Changes to this Privacy Policy become effective:
- Immediately for new users
- Upon your continued use of our Services after notice is provided
- As specified in the notice of changes
20.4 Review
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your privacy. The date at the top of this Privacy Policy indicates when it was last updated.
21. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Spensibly, Inc. DBA Tabby
Privacy Team
2153 Westchester Ave Suite 200
Bronx, NY 10462
United States
Email: support@usetabby.com
General Support:
Visit: https://www.usetabby.com/support
We will respond to your inquiry as promptly as possible, typically within 30 days.
Thank you for trusting Tabby with your financial data. Your privacy is important to us, and we are committed to protecting it.
Last Updated: Nov 12, 2025
© 2025 Spensibly, Inc. All rights reserved.