Tabsy Retailer inquiry

Security & Privacy

Security is foundational to Tabsy — not an add-on. Here's what's live today and what's coming for enterprise customers.

🌐 Platform-wide — all users

Core security, available now

  • Encryption in transit — HTTPS / TLS 1.2+ on all connections
  • Encryption at rest — AES-256 on all stored data (managed by Supabase)
  • Authentication — email/password and magic-link via Supabase Auth with secure token management
  • Row Level Security (RLS) — database policies ensure each user can only access their own data
  • SHA-256 API key hashing — retailer API keys are stored as hashed values, never in plain text
  • Signed storage URLs — receipt files are served via short-lived signed URLs, not public links
  • CSP headers — Content Security Policy enforced on all pages
  • Delete controls — remove receipts or close your account at any time
  • Private accounts — receipt data scoped strictly to the owning account
  • No advertising — we never sell user data to third parties
  • GDPR & UAE PDPL — built for EU and UAE regulatory requirements
  • Data minimisation — we store only what's needed to deliver receipts
🏪 For retailers & enterprise

Integration & enterprise security

  • API key authentication — all retailer calls require a signed Bearer token
  • Webhook signature verification — payloads signed for authenticity
  • Scoped credentials — retailer keys can write receipts but cannot read shopper data
  • Secure SFTP drop — for legacy POS systems
  • Role-based access controlRoadmap
  • Audit logs for enterprise accountsRoadmap
  • Regional data residency EU / UAERoadmap
  • SSO / SAML for admin portalsRoadmap
🛍️ For shoppers

Your data, your control

  • Receipts are private — only you see your vault; retailers cannot browse your account
  • Delete anytime — remove receipts or close your account from within the app
  • No ads, ever — we don't share purchase data with advertisers
  • Data portability — export receipts as CSV at any time
  • EU & UAE rights — access, rectification, and erasure under GDPR and UAE PDPL

Read the full Privacy Policy →

Compliance & hosting

Tabsy is hosted on Supabase (database, storage, and auth) and Netlify (edge delivery) — both maintain SOC 2 Type II certification. Formal certifications in Tabsy's own name (ISO 27001, SOC 2) are planned for the future and are not yet achieved. For enterprise customers requiring compliance documentation, contact us.

Need compliance documentation?

Enterprise inquiries handled within 48 hours.

Contact us →