Privacy Policy
Last updated: August 21, 2025
This Privacy Policy explains how TallyFlex collects, uses, and protects your information.
What We Collect
Account Information
- Name, email, and professional credentials
- Organization name and billing details
- User preferences and settings
Session Data
- Behavioral observations and progress tracking
- Session notes and clinical documentation
- Student/client records you create
Technical Data
- Device type and IP address
- Usage patterns and app interactions
- Error logs for troubleshooting
How We Use Your Information
We use your information to:
- Provide and improve our services
- Process payments and send invoices
- Send important service updates
- Maintain security and prevent fraud
- Comply with legal obligations
We do NOT sell your data or use it for advertising.
Data Security
Technical Safeguards
- 256-bit AES encryption at rest
- TLS 1.3 encryption in transit
- Hosted on Google Cloud Platform with SOC 2 compliance
- Continuous security monitoring and vulnerability scanning
Access Controls
- Role-based permissions
- Enhanced authentication security
- Session management
- Audit logs retained for 7 years (HIPAA requirement)
Who We Share With
Service Providers
- Google Cloud Platform (infrastructure and database)
- Stripe (payment processing - no PHI access)
Service providers handling PHI sign Business Associate Agreements with us.
Legal Requirements
We may disclose information if required by law, court order, or to protect safety.
Your Rights
Healthcare Providers (HIPAA)
If you store Protected Health Information (PHI), you have rights to:
- Access your PHI within 30 days
- Request corrections to records
- Receive breach notifications within 60 days
- Request restrictions on use
Schools (FERPA)
Educational institutions maintain control over student records:
- Parents can access through the school
- Schools control disclosure
- Data deleted upon school request
All Users
- Export your data anytime
- Delete your account and data
- Opt-out of marketing emails
- Request information about your data
Data Retention
- Active account data: Kept while account is active
- After deletion: 30-day recovery period, then permanent deletion
- Audit logs: 7 years (legal requirement)
- Aggregated analytics: Indefinitely (fully anonymized)
HIPAA Compliance
For healthcare users, we serve as a Business Associate:
- Business Associate Agreement (BAA) available instantly when needed
- One-click BAA acceptance when you begin storing PHI
- We follow HIPAA Security and Privacy Rules
- Breach notification within 24 hours of discovery
- Our subcontractors also sign BAAs
View our Business Associate Agreement
FERPA Compliance
For educational institutions:
- We act as a “school official” under FERPA
- Student data used only for educational purposes
- No sale or commercial use of student information
- Parents access records through the school (not directly through TallyFlex)
Children’s Privacy
- TallyFlex is designed for professional use by adults
- Our service is not intended for or marketed to children under 13
- Adults may collect data about children as part of professional or educational services
- Professionals are responsible for obtaining appropriate consents for data collection
- Schools act as agents of parents under FERPA for educational data
International Users
Data is processed in the United States. By using TallyFlex, you consent to transfer and processing in the US with appropriate safeguards.
Changes to This Policy
We’ll notify you of material changes 30 days in advance via email. Continued use after changes means acceptance.
Contact Us
Privacy Questions
Email: privacy@tallyflex.com
HIPAA/Compliance
Email: compliance@tallyflex.com
General Support
Email: support@tallyflex.com
For complaints, you may also contact:
- HIPAA: HHS Office for Civil Rights
- FERPA: US Department of Education
- Your state’s Attorney General