Privacy Policy

How we collect, use, and protect your data

Last updated: March 1, 2026

Introduction

At TallyBoxHQ ("we," "us," or "our"), operated by 3SHTech Ltd, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our financial management platform. By using TallyBoxHQ, you consent to the practices described in this policy.

As part of the 3SHTech Ltd family of applications, this privacy policy incorporates and is supplemented by our parent company's privacy practices as outlined in the 3SHTech Privacy Policy. Where applicable, provisions from our other applications under 3SHTech Ltd (including but not limited to SacredBox) may apply to TallyBoxHQ. When reviewing these referenced policies, please understand that references to "3SHTech," "SacredBox," or other application names should be read as applying to TallyBoxHQ where the context and provisions are relevant to our services.

Your use of TallyBoxHQ is also subject to our Terms of Use.

Information We Collect

We collect the following categories of personal data:

  • Account Data: Your name, email address, phone number, and login credentials (authenticated via AWS Cognito).
  • Financial Data: Account names, types, balances, currencies, income sources, and transaction data that you voluntarily enter or import via bank statement uploads.
  • Profile Data: Risk profile preferences (Frugal/Balanced/Growth), region setting (UK/US), and base currency.
  • Household Data: Household membership, invite codes, and partner associations when you choose to use household features.
  • Usage Data: Log data, device information, browser type, and interaction patterns collected automatically when you access our services.

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve TallyBoxHQ's financial management features.
  • Calculate your Peace of Mind Score, financial runway, and wealth analytics.
  • Process bank statement imports and extract transaction data using secure parsing services.
  • Enable household sharing features between you and any members of your household.
  • Send essential service communications (account verification, security alerts).
  • Comply with legal obligations and enforce our terms.

We will never sell your financial data. Your data is used solely to provide and improve our services.

How We May Disclose Your Personal Data

We may disclose your Personal Data to the categories of service providers and other parties listed in this section. Depending on your state of residence, our disclosures to Advertising Partners may constitute "selling" or "sharing" under applicable UK or EU Privacy Law. For more information, please refer to the "UK/EU Privacy Rights" section below.

We may disclose your personal data in the following circumstances:

  • Service Providers. These parties help us provide the Services or perform business functions on our behalf. They include:
    • Hosting, technology and communication providers.
    • Payment processors.
      • Our payment processing partners (Stripe, Apple, or Google) collect your voluntarily provided payment card information necessary to process your payment for our Services.
      • Please see Stripe's, Apple's, or Google's respective terms of service and privacy policy for information on their use and storage of your Personal Data.
    • Analytics providers that do not assist with our interest-based advertising efforts.
    • Customer support platforms.
    • Security and fraud prevention services.
    • Support and customer service vendors.
    • Artificial Intelligence platforms (e.g., OpenAI) that power our AI Services.
    • Advertising Partners. These parties help us market our services and provide you with other offers that may be of interest to you. They include Ad Networks, Marketing Providers, and Analytics partners that assist with our interest-based advertising efforts.
    • Business Partners. These parties partner with us in offering various services. They include businesses that you have a relationship with.
    • Law enforcement and government agencies.
    • Business partners and affiliates.
    • Parties You Authorise, Access or Authenticate
      • Third parties you access through the services.
      • Household Members. If you are the household admin and have added other members of your household (each, a “Household Member”), such Household Members will have access to your account and your Personal Data, regardless of any privacy or similar settings within the account. You acknowledge and agree that by adding a Household Member, you are authorising TallyBoxHQ to disclose the Personal Data in your account to such Household Member and such Household Member may be able to access, modify, or delete Personal Data and other data in the account.
      • If you are added to an account as a Household Member, you acknowledge and agree that all other Household Members added to the account will have access to, and may be able to modify or delete, your Personal Data and that you may be restricted from accessing, modifying, or deleting certain data in the account and from changing certain settings.
      • Professional advisors (e.g., auditors, lawyers, accountants) and other financial professionals.
        • If you authorise your financial professional to access your account or otherwise use the Services on your behalf, you acknowledge and agree that you are authorising TallyBoxHQ to disclose your Personal Data to such financial professional and that TallyBoxHQ does not control how your financial professional collects, uses, or discloses your Personal Data. If you have questions about how your financial professional collects, uses, and discloses your Personal Data, please contact your financial professional directly.
        • If you are a financial professional using the Services on behalf of your client, you represent and warrant that you have full power and authority, and have obtained all approvals, permissions, and consents necessary, to provide such client’s Personal Data to TallyBoxHQ. You acknowledge and agree that you, not TallyBoxHQ, are responsible for your compliance with applicable data privacy laws in your collection, use, and disclosure of your client’s Personal Data, including but not limited to any obligations you may have to provide such client with notices relating to their Personal Data and applicable privacy rights. You further acknowledge and agree that TallyBoxHQ is an independent controller of your client’s Personal Data, not a joint controller with you.
      • We are not responsible for the data handling practices of third-party services.
  • Legal Obligations: We may disclose any personal data that we collect to third parties in conjunction with any of the activities under the allowed commercial or business purposes for collecting any personal data and the other permitted purposes for processing personal data under the applicable laws.
  • All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part).
  • We may create aggregated, de-identified or anonymised data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified or anonymised data and disclose it to third parties for our lawful business purposes, including to analyse, build and improve the Services and promote our business, provided that we will not disclose such data in a manner that could identify you.

We will never sell your financial data. Your data is used solely to provide and improve our services.

Third-Party Services

We use the following third-party services to operate TallyBoxHQ:

  • Amazon Web Services (AWS): Cloud infrastructure, authentication (Cognito), email delivery (SES), and secure parameter storage (SSM).
  • MongoDB Atlas: Database hosting with encryption at rest and in transit.
  • Statement Parsing Services: Secure document processing for bank statement imports, with data transmitted over encrypted connections and not retained after processing.

Each third-party provider is contractually obligated to protect your data in accordance with industry standards.

Data Security

We seek to protect your Personal Data from unauthorised access, use and disclosure using appropriate physical, technical, organisational and administrative security measures based on the type of Personal Data and how we are processing that data. We implement industry-standard security measures to protect your personal information:

  • All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
  • Authentication is managed through AWS Cognito with secure token handling.
  • We maintain read-only access to your financial information. We cannot move or access your money from the bank accounts or credit/debit cards unless you explicitly authorise it.
  • Regular security assessments and vulnerability monitoring.

You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.

Data Retention

We retain your personal data for as long as you have an account with us or as needed to provide you with our services or to perform our business or commercial purposes for collecting your Personal Data. When establishing a retention period for specific categories of data, we consider who we collected the data from, our need for the Personal Data, why we collected the Personal Data, and the sensitivity of the Personal Data. In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally. When you delete your account, we will delete your personal data within 90 days, except where we are required to retain it for legal or regulatory purposes.

Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate personal data.
  • Deletion: Request deletion of your personal data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing of your personal data.
  • Restriction: Request restriction of processing.

To exercise any of these rights, please contact us at legal.tallyboxhq@3shtech.com.

Cookies

TallyBoxHQ uses essential cookies for authentication and session management. For full details, please see our Cookie Policy.

Children's Privacy

TallyBoxHQ is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us to have it removed.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our platform and updating the "Last updated" date. Your continued use of TallyBoxHQ after such changes constitutes your acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, please contact us: