Privacy Policy
Last updated: 2026-04-06
This Privacy Policy explains how Tabsy collects, uses, and protects personal data. We comply with the EU General Data Protection Regulation (GDPR) and the UAE Personal Data Protection Law (PDPL).
1. Data Controller
The data controller is Tabsy. Contact us via the Contact page for any privacy-related questions or requests.
2. What We Collect
- Account data: name, email address, phone number (optional — used as an alternative sign-in identifier and for receipt matching by retailers), member code, company name (for retailer accounts).
- Receipt data: uploaded files (PDF/JPG) and associated metadata (store, date, total, items, currency, tags, notes, invoice number, tax amount, and payment method). For receipts transmitted by retailers via POS systems, we also collect: branch, cashier name, payment method, and the identifier used by the retailer to match the receipt to you (email address, phone number, or member code).
- Device & usage data: IP address, browser logs, pages visited — used for security and service operation. Integration logs: retailer POS IP address, retailer identifier, and request timestamps (stored up to 90 days; email and phone values are redacted from logs).
- Support data: messages or enquiries you send us.
3. How We Use Data
- Provide, maintain, and improve the Tabsy service.
- Authenticate users and ensure account security.
- Deliver and store digital receipts.
- Provide warranty tracking and return deadline reminders.
- Process uploaded receipt files using third-party OCR software to extract store, total, date, and line-item data.
- Retrieve foreign exchange rates to display totals in your preferred currency.
- Respond to support and compliance requests.
- Comply with applicable legal obligations.
4. Receipt Delivery
Tabsy provides infrastructure that enables retailers to deliver digital receipts to shoppers. Receipt information is transmitted to Tabsy by retailers or their point-of-sale systems through secure APIs or file integrations.
Tabsy processes this information solely for the purpose of delivering receipts, storing purchase history, and enabling warranty and return tracking features.
5. Retailer Access Restrictions
Retailers that integrate with Tabsy can only transmit receipt data originating from their own transactions.
Retailers cannot browse, search, or access a shopper's complete receipt vault or purchases made at other retailers.
Access to shopper data is strictly controlled through authentication and API permissions.
6. Data Accuracy
Receipt information displayed within Tabsy is transmitted directly by retailers or their point-of-sale systems.
Tabsy does not independently verify the accuracy or completeness of this information.
Retailers remain responsible for the accuracy of the transaction data they transmit to the platform.
7. Legal Bases (GDPR)
- Contract — processing necessary to provide the Tabsy service.
- Legitimate interests — security monitoring, product improvement, and OCR processing (improving accuracy of extracted receipt data).
- Consent — where you have given explicit consent for optional features.
8. International Transfers
Data may be processed outside your country of residence. Where required, Tabsy relies on adequacy decisions, Standard Contractual Clauses (GDPR), or safeguards recognised under UAE PDPL.
9. Data Retention
- Receipts: stored for a minimum of 7 years from the date of purchase, or until you delete them or close your account. This minimum aligns with standard tax and accounting retention requirements (UAE VAT law: 5 years; EU: 7 years). Basic metadata (store name, total, date) is retained indefinitely for your records.
- Inactive accounts: accounts with no activity for 24 consecutive months may receive a reactivation notice and may be closed after a further 30-day notice period.
- API logs and integration logs: retained up to 90 days.
- Security logs: retained up to 12 months.
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data
- Correct inaccurate information
- Request deletion of your data
- Restrict or object to certain processing
- Receive a portable copy of your data
11. Cookies & Analytics
We use only essential cookies and local storage tokens required to operate the service (authentication session, theme preference, language preference). We do not use advertising or tracking cookies.
For website analytics, Tabsy uses Plausible Analytics — a privacy-first, cookie-free tool. Plausible does not set any cookies, does not track individuals across sites, and does not collect personal data. Only aggregated, anonymous statistics are recorded (page views, referrer source, device type, country). No consent banner is required under GDPR or UAE PDPL for this type of analytics.
12. Security
All data is encrypted in transit using TLS and protected through access controls and monitoring. See the Security page for more details.
13. Third-Party Providers
Tabsy uses the following sub-processors to operate the service. These providers are contractually bound by data-processing agreements.
- Supabase (supabase.com) — database, authentication, file storage, and serverless functions. Data may be stored in the EU or US region.
- Netlify (netlify.com) — website hosting and CDN. Based in the US.
- Plausible Analytics (plausible.io) — cookie-free website analytics. No personal data is collected or shared. Only aggregated, non-identifiable statistics are processed (page views, referrers, device type, country). Plausible is GDPR-compliant by design.
- ocr.space (ocr.space) — optical character recognition. When you upload a receipt file (PDF or image), that file is sent to ocr.space for text extraction. ocr.space processes the file and returns structured data; files are not stored by ocr.space beyond the processing request.
- exchangerate.host — foreign exchange rate data. No personal data is shared.
Tabsy does not sell personal data to advertisers or third parties.
14. Contact
For privacy inquiries or to exercise your rights, please visit the Contact page.
15. Children's Data
Tabsy is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.
16. UAE PDPL
For users in the UAE, we comply with Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL). You have the right to access, correct, or delete your personal data, and to withdraw consent where processing is based on consent. Cross-border data transfers are made under appropriate safeguards. To exercise your rights, please contact us via the Contact page.
17. Data Portability
Tabsy currently provides the ability to delete your account and all associated data. A structured data export feature (JSON/CSV of your receipt metadata) is under development.
18. Retailer Data Sharing
Retailers that transmit receipt data to Tabsy are acting as independent data controllers in respect of their customers. Tabsy processes this data as a data processor acting on the retailer's behalf. Retailers are contractually required to ensure they have the necessary legal basis to share customer identifiers with Tabsy.