Skip to content

Privacy Policy

Last updated: April 26, 2026

This Privacy Policy explains how TallyFlex collects, uses, and protects your information.

What We Collect

Account Information

  • Name, email, and professional credentials
  • Organization name and billing details
  • User preferences and settings

Session Data

  • Behavioral observations and progress tracking
  • Session notes and clinical documentation
  • Student/client records you create

Technical Data

  • Device type and IP address
  • Usage patterns and app interactions
  • Error logs for troubleshooting

How We Use Your Information

We use your information to:

  • Provide and improve our services
  • Process payments and send invoices
  • Send important service updates
  • Maintain security and prevent fraud
  • Comply with legal obligations

We do NOT sell your data or use it for advertising.

Data Security

Technical Safeguards

  • 256-bit AES encryption at rest
  • TLS 1.3 encryption in transit
  • Hosted on Google Cloud Platform infrastructure, with Google Cloud SOC 2 reports applying to the infrastructure layer
  • Continuous security monitoring and vulnerability scanning

Access Controls

  • Role-based permissions
  • Enhanced authentication security
  • Session management
  • Audit logs retained for 7 years under TallyFlex policy and contract terms

Who We Share With

Service Providers

  • Google Cloud Platform (infrastructure and database)
  • Stripe (payment processing - no PHI access)
  • RevenueCat (subscription management and in-app purchase processing - accesses Firebase Auth UID, subscription status, and purchase history)

Service providers handling PHI sign Business Associate Agreements with us.

We may disclose information if required by law, court order, or to protect safety.

Your Rights

Healthcare Providers (HIPAA)

If you store Protected Health Information (PHI), you have rights to:

  • Access your PHI within 30 days
  • Request corrections to records
  • Receive breach notifications within 72 hours
  • Request restrictions on use

Schools (FERPA)

For district-authorized Teams education use covered by a DPA or similar written agreement, educational institutions maintain control over student records:

  • Parents can access through the school
  • Schools control disclosure
  • Student records returned or deleted upon school request, subject to applicable contract terms, backup windows, audit-log retention, and legal obligations

All Users

  • Export your data anytime
  • Delete your account and data
  • Opt-out of marketing emails
  • Request information about your data

Data Retention

  • Active account data: Kept while account is active
  • After deletion: 30-day recovery period, then permanent deletion
  • Audit logs: 7 years under TallyFlex policy and contract terms
  • Aggregated analytics: Indefinitely (fully anonymized)

HIPAA Compliance

For healthcare users, we serve as a Business Associate:

  • Business Associate Agreement (BAA) available on Solo and Teams plans. Acceptance is one-click in the app when you begin storing PHI; the legal agreement at /legal/baa is the same for both plans.
  • Technical and administrative safeguards apply across all plans (Free, Solo, Teams). Storing PHI under a TallyFlex BAA requires Solo or Teams and in-app BAA acceptance before you begin storing PHI.
  • Breach notification within 72 hours of discovery
  • Our subcontractors also sign BAAs

View our Business Associate Agreement

FERPA Compliance

For school districts using Teams education pricing under a district-authorized DPA or similar written agreement:

  • We act as a “school official” under FERPA only for district-authorized education use covered by that agreement
  • Student data is used only for authorized educational purposes
  • No sale or commercial use of student information
  • Parents access records through the school (not directly through TallyFlex)

Children’s Privacy

  • TallyFlex is designed for professional use by adults
  • Our service is not intended for or marketed to children under 13
  • Adults may collect data about children as part of professional or educational services
  • Professionals are responsible for obtaining appropriate consents for data collection
  • Schools remain responsible for FERPA notices, consents, and parent or eligible-student access processes

International Users

Data is processed in the United States. By using TallyFlex, you consent to transfer and processing in the US with appropriate safeguards.

Changes to This Policy

We’ll notify you of material changes 30 days in advance via email. Continued use after changes means acceptance.

Contact Us

Privacy Questions Email: privacy@tallyflex.com

HIPAA/Compliance Email: compliance@tallyflex.com

General Support Email: support@tallyflex.com

For complaints, you may also contact:

  • HIPAA: HHS Office for Civil Rights
  • FERPA: US Department of Education
  • Your state’s Attorney General

Terms of Service | Business Associate Agreement