Security & Privacy

Built to protect retailers and shoppers.

Security is foundational to Tabsy — not an add-on. Here's what's live today and what's planned for enterprise.

  • TLS 1.2+ - encryption in transit
  • AES-256 - encryption at rest
  • GDPR & UAE PDPL - regulatory compliance
  • SOC 2 infrastructure - Supabase & Netlify

Platform-wide - all users

Core security, available now

  • Encryption in transit - HTTPS / TLS 1.2+ on all connections
  • Encryption at rest - AES-256 on all stored data (managed by Supabase)
  • Authentication - email/password and magic-link via Supabase Auth with secure token management
  • Row Level Security (RLS) - database policies ensure each user can only access their own data
  • SHA-256 API key hashing - retailer API keys are stored as hashed values, never in plain text
  • Signed storage URLs - receipt files are served via short-lived signed URLs, not public links
  • CSP headers - Content Security Policy enforced on all pages
  • Delete controls - remove receipts or close your account at any time
  • Private accounts - receipt data scoped strictly to the owning account
  • No advertising - we never sell user data to third parties
  • GDPR & UAE PDPL - built for EU and UAE regulatory requirements
  • Data minimisation - we store only what's needed to deliver receipts

For retailers & enterprise

Integration & enterprise security

  • API key authentication - all retailer calls require a signed Bearer token
  • Webhook signature verification - payloads signed for authenticity
  • Scoped credentials - retailer keys can write receipts but cannot read shopper data
  • Secure SFTP drop - for legacy POS systems
  • Role-based access control (roadmap)
  • Audit logs for enterprise accounts (roadmap)
  • Regional data residency, EU / UAE (roadmap)
  • SSO / SAML for admin portals (roadmap)

For shoppers

Your data, your control

  • Receipts are private - only you see your vault; retailers cannot browse your account
  • Delete anytime - remove receipts or close your account from within the app
  • No ads, ever - we don't share purchase data with advertisers
  • Data portability - export receipts as CSV at any time
  • EU & UAE rights - access, rectification, and erasure under GDPR and UAE PDPL

Read the full Privacy Policy →

Compliance & hosting

Tabsy is hosted on Supabase (database, storage, and auth) and Netlify (edge delivery) — both maintain SOC 2 Type II certification. Formal certifications in Tabsy's own name (ISO 27001, SOC 2) are planned as the platform scales.