Privacy Policy

Last updated: March 21, 2026 · Version 1.0

TABLE OF CONTENTS

  1. Introduction
  2. Information We Collect
  3. How We Collect Your Information
  4. How We Use Your Information
  5. How We Share Your Information
  6. Property Access Codes (Lockbox Codes)
  7. Cookies and Tracking Technologies
  8. Data Retention
  9. Data Security
  10. Your Privacy Rights
  11. State-Specific Disclosures
  12. Children's Privacy
  13. Communications Consent
  14. Data Breach Notification
  15. International Users
  16. Changes to This Privacy Policy
  17. Contact Us

1. INTRODUCTION

This Privacy Policy describes how Insynq LLC ("Insynq," "Tally," "Company," "we," "us," or "our"), a Colorado limited liability company, collects, uses, shares, and protects personal information through the Tally platform ("Platform"). The Platform includes the Tally web application at tallyre.app and the Tally marketing website at tallyre.info. Tally is a marketplace platform that connects real estate agents ("Agents") with independent service providers ("Vendors") such as photographers, stagers, and cleaners.

This Privacy Policy applies to all users of and visitors to the Platform, including Agents, Vendors, Managers, Admins, Assistants, and any other individuals who access or use any part of the Platform (including visitors to tallyre.info who have not created an account).

By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is incorporated into and forms part of our Terms of Service.

We do not sell your personal information. We share limited hashed identifiers with advertising platforms (Meta, Google, LinkedIn, Reddit) for the purpose of targeted advertising, as described in Sections 5.5, 5.7, 5.8, and 5.9. You have the right to opt out of this sharing.

2. INFORMATION WE COLLECT

We collect the following categories of personal information:

2.1 Account and Identity Information

  • Full name
  • Email address
  • Phone number
  • Mailing address
  • Password (stored in encrypted form)
  • Profile information (bio, profile photo)
  • Google account identifiers (Google user ID, email, name, and profile photo — when you sign in with Google)
  • Role and account type (Agent, Vendor, Admin, etc.)

2.2 Professional and Business Information

For Agents:

  • Real estate license number and state(s) of licensure
  • Brokerage affiliation
  • Service areas and states of operation

For Vendors:

  • Business name and vendor service type (listing, contractor, or professional — selected during registration)
  • Service categories, subcategories, and specialties
  • Service item details (names, descriptions, pricing tiers, images)
  • Insurance information and certificates
  • Business licenses and certifications
  • Vendor logo and profile photo (stored in publicly accessible storage — see Section 2.14)

2.3 Property Information

  • Property addresses
  • Property details (bedrooms, bathrooms, square footage, lot size, year built)
  • Property status (vacancy, animals present)
  • Client and property owner contact information (name, phone, email)
  • Access notes and instructions
  • Lockbox codes and property access credentials (see Section 6)

2.4 Order and Transaction Information

  • Service orders and order history
  • Service types, pricing, and payment amounts
  • Scheduling details (dates, times, preferred time windows)
  • Order status and status history
  • Service deliverables (photos, videos, reports, staging plans)
  • Reviews and ratings
  • Contractor requests and quotes
  • Intake form responses — custom questionnaire answers submitted by Agents in response to Vendor-defined intake forms (may contain property-specific or job-specific information as defined by the Vendor's questions)
  • Per-service comments and file attachments exchanged between Agents and Vendors
  • Order change requests (schedule modifications, service changes)

2.5 Financial and Payment Information

  • Subscription plan and billing information
  • Transaction history
  • Payout records (Vendors)
  • Invoice data

Note: We do not directly collect, store, or process credit card numbers, bank account numbers, or other raw financial account details. All payment processing is handled by our third-party payment processor, Stripe, Inc. Stripe may collect financial information directly from you, subject to Stripe's Privacy Policy.

2.6 Referral and Invitation Data

When an Agent invites a Vendor to join the Platform:

  • The invited Vendor's name and email address, as provided by the inviting Agent
  • The identity of the inviting Agent (name and profile information shared in the invitation)
  • Referral status (pending, completed, expired) and timestamps
  • If multiple Agents invite the same Vendor, each referral relationship is recorded separately

Note: If you receive an invitation but do not create an account, we retain only your email address and the referral record for a limited period to prevent duplicate invitations. You may request deletion of this data by contacting us at support@tallyre.app.

2.7 Communications Data

  • Messages sent through the Platform (order messages, listing messages, per-service comments)
  • Message read receipts and listing message read receipts
  • Email notification records
  • Invitation and referral emails sent on behalf of Agents
  • Support communications

2.8 Survey and Feedback Data

  • Post-listing survey responses (NPS score, satisfaction ratings, free-text feedback, improvement selections)
  • Template usage analytics (usage counts, clarification counts, vendor-reported issues)

2.9 Device and Usage Information

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used within the Platform
  • Date and time of access
  • Referring website or source
  • Push notification tokens

2.10 Calendar Data

When you connect your Google Calendar account:

  • Calendar event busy/free time slots (by default, we access availability windows only — we do not read event titles, descriptions, attendees, or other event details from your personal calendars)
  • A secondary calendar called "Tally Orders" is created on your Google account. We create, update, and delete events on this calendar only — corresponding to your scheduled service appointments.
  • Calendar connection metadata (connected account email, sync status, last sync time)
  • Encrypted OAuth tokens (access and refresh tokens) stored using pgcrypto encryption at rest
  • Calendar event IDs for Tally-created events (to update or delete them on reschedule or cancellation)

Optional: Event Titles. By default, only free/busy availability is read from your Google Calendar — no event titles are accessed. If you optionally enable "Event Titles" in Calendar Settings, we read and store event titles to display them in your Tally calendar view. Titles are only visible to you, never shared with agents or other users. You can disable this at any time from Calendar Settings.

Busy time data retention: Synced busy time blocks are automatically deleted after 48 hours via a daily scheduled cleanup job. Active busy times are refreshed when you log in or when an agent adds your services to their cart.

What we do NOT access or store by default: Event descriptions, attendees, locations, or any content from your personal calendars. We can only manage the "Tally Orders" calendar that we create. Event titles are only accessed if you explicitly opt in via Calendar Settings.

2.11 Location Data

  • Property addresses provided by Users
  • Agent service area designations (states of operation)
  • Geocoding and address autocomplete data derived from address searches (see Section 5.5)

2.12 Advertising and Analytics Data

When you visit our Platform or interact with our advertisements on third-party platforms:

  • Meta Pixel identifiers and event data (page views, conversions, button clicks)
  • Google Ads conversion tracking data and remarketing identifiers
  • Google Analytics (GA4) measurement data (page views, sessions, events, user interactions, traffic sources)
  • LinkedIn Insight Tag data (page views, conversions, professional demographic insights)
  • Reddit Pixel data (page views, conversions, ad interaction events)
  • Hashed identifiers used for audience matching (email, phone — hashed before transmission to Meta, Google, LinkedIn, and Reddit)
  • Ad interaction data (impressions, clicks, conversions from Facebook, Instagram, YouTube, Google Search/Display, LinkedIn, and Reddit ads)
  • Browser and device fingerprint data collected by advertising pixels and analytics scripts
  • Vercel Analytics data (page views, referrers, browser/device type — cookieless, privacy-focused)

2.13 Marketing Assets

  • Photos, images, and other marketing materials uploaded by Agents
  • Marketing template metadata (name, type, category)

2.14 Publicly Accessible Content

Certain content you upload to the Platform is stored in publicly accessible storage and may be viewable without authentication:

  • Vendor logos — uploaded during profile setup, used to identify your business on the Platform
  • Service item images — photos associated with your service offerings
  • Agent marketing assets — marketing materials uploaded by Agents (stored in user-specific folders)

These files are accessible via direct URL. While they are not indexed or linked publicly by Tally, anyone with the URL can view them. If you wish to remove publicly accessible content, you may delete it through your account settings or contact us at support@tallyre.app.

2.15 Public Vendor Booking Pages

Vendor business profiles are publicly accessible at tallyre.app/book/[vendor-id] without requiring authentication. Publicly visible information includes:

  • Business name, description, and logo
  • Service offerings, packages, and pricing
  • Average ratings and review counts
  • Service areas (cities and states)

Vendor contact information (email, phone, website) is not visible on the public booking page and is only shown to authenticated Tally users. If you wish to remove your public profile, you may deactivate your vendor account.

3. HOW WE COLLECT YOUR INFORMATION

We collect personal information through the following methods:

3.1 Directly from You

  • When you create an account or register on the Platform
  • When you complete your profile or update account settings
  • When you submit property listings, service orders, or contractor requests
  • When you send messages through the Platform
  • When you upload files, photos, or marketing materials
  • When you provide lockbox codes or property access information
  • When you submit reviews or ratings
  • When you connect a third-party account (e.g., Google) for authentication or calendar access
  • When you invite a Vendor to join the Platform (we collect the invited Vendor's name and email address as provided by you)
  • When you contact us for support

3.2 Automatically

  • Through server logs when you access the Platform
  • Through cookies and similar technologies (see Section 7)
  • Through push notification services when you enable push notifications
  • Through usage analytics within the Platform

3.3 From Other Users

  • Vendor Invitations: When an Agent invites a Vendor to join the Platform, the Agent provides the Vendor's name and email address. If you are a prospective Vendor who receives an invitation, your contact information was provided by the inviting Agent — not collected directly from you. You are under no obligation to accept the invitation or create an account.

3.4 From Third Parties

  • Stripe: Transaction status, payment confirmations, fraud detection signals
  • Supabase Authentication: Authentication tokens and session data
  • Google OAuth: When you sign in with Google, we receive your Google account email, name, profile photo, and a unique account identifier. We do not receive your Google password.
  • Google Calendar API: When you connect your Google Calendar, we request two specific permissions: (1) calendar.app.created — to create and manage a "Tally Orders" secondary calendar and its events on your Google account, and (2) calendar.events.freebusy — to read free/busy time blocks across your calendars for availability scheduling. We do not read, modify, or delete events on your personal calendars. We do not access event titles, descriptions, attendees, or locations from your personal calendar events.
  • Google Maps Platform: Address autocomplete suggestions and geocoded location data (latitude, longitude, structured address components) in response to address queries entered on the Platform
  • Google Ads: Conversion data, click identifiers (GCLID), and audience signals when you interact with our advertisements on Google Search or the Google Display Network
  • Google Analytics (GA4): Session data, page view events, traffic source attribution, and user interaction data collected automatically when you visit the Platform
  • Meta Platforms (Facebook/Instagram): Ad conversion data, audience insights, and engagement metrics when you interact with our advertisements on Facebook or Instagram. Meta may also provide us with aggregated, non-identifiable demographic and interest data about ad audiences.
  • LinkedIn: Conversion data and professional demographic insights when you interact with our advertisements on LinkedIn. LinkedIn may provide aggregated audience insights (job titles, industries, company sizes).
  • Reddit: Conversion data and ad interaction events when you interact with our advertisements on Reddit.

4. HOW WE USE YOUR INFORMATION

We use your personal information for the following purposes:

4.1 Providing and Operating the Platform

  • Creating and managing your account
  • Processing service orders and facilitating connections between Agents and Vendors
  • Processing payments and payouts
  • Transmitting lockbox codes and property access information at Agents' direction
  • Delivering service notifications and order updates
  • Enabling communication between Users
  • Sending invitation emails to prospective Vendors on behalf of inviting Agents
  • Tracking referral relationships between Agents and invited Vendors
  • Providing customer support

4.2 Safety, Security, and Compliance

  • Maintaining immutable audit logs for security, fraud prevention, and dispute resolution
  • Logging lockbox access grants, views, and revocations
  • Detecting, investigating, and preventing fraud, unauthorized access, and other harmful activity
  • Verifying User identity, licensing, and insurance
  • Automated service-level monitoring — tracking response times and order fulfillment timelines to detect potential SLA breaches, trigger escalation notifications, and maintain platform quality standards
  • Complying with applicable laws, regulations, and legal processes
  • Enforcing our Terms of Service

4.3 Improving the Platform

  • Analyzing usage patterns to improve features and user experience
  • Identifying and fixing technical issues
  • Developing new features and services
  • Analyzing post-listing survey responses and NPS scores to measure satisfaction and identify improvement areas
  • Tracking listing template usage and performance to optimize default configurations

4.4 Advertising and Marketing

  • Displaying targeted advertisements to prospective users on Facebook, Instagram, YouTube, Google Search, Google Display Network, LinkedIn, and Reddit (cold lead acquisition)
  • Retargeting users who have previously visited the Platform with relevant advertisements on the above platforms (remarketing)
  • Measuring the effectiveness of advertising campaigns (conversion tracking, audience insights)
  • Creating custom and lookalike audiences on Meta, Google, LinkedIn, and Reddit based on hashed user identifiers
  • Analyzing traffic sources, user behavior, and conversion paths using Google Analytics (GA4)

We do not sell your personal information to advertisers. Advertising platforms receive hashed identifiers (not raw personal data) for the purpose of audience matching and ad delivery. We do not permit these platforms to use your data for purposes other than delivering and measuring our advertisements.

4.5 Communications

  • Sending transactional emails (order confirmations, status updates, appointment reminders)
  • Sending account-related notifications (password resets, security alerts)
  • Sending service-related communications (delivery notifications, revision requests)
  • Sending vendor invitation and referral reminder emails on behalf of Agents
  • With your consent, sending promotional or marketing communications

4.6 Billing and Subscriptions

  • Managing subscription plans and billing cycles
  • Processing subscription payments and renewals
  • Tracking feature usage against subscription tier limits
  • Sending subscription-related notices (trial expiration, renewal reminders)

5. HOW WE SHARE YOUR INFORMATION

We share your personal information only in the following circumstances:

5.1 Between Users on the Platform

When an Agent places a service order, certain information is shared with the assigned Vendor to enable service fulfillment, including:

  • Agent name and contact information
  • Property address and access instructions
  • Lockbox codes (only when explicitly granted by the Agent — see Section 6)
  • Order details, scheduling, and service specifications

When a Vendor is assigned to an order, certain information is shared with the ordering Agent, including:

  • Vendor name and business information
  • Service capabilities and portfolio
  • Ratings and reviews

Vendor Invitations. When an Agent invites a Vendor to join the Platform, the inviting Agent's name and profile information are included in the invitation email sent to the prospective Vendor. If the invited Vendor creates an account, they are automatically added to the inviting Agent's preferred vendor list. The invited Vendor can see which Agent(s) invited them. Agents can see the status of their invitations (pending, completed, expired) but cannot see whether the invited Vendor has opened or read the invitation email.

5.2 Stripe, Inc. (Payment Processing)

We use Stripe for payments, analytics, and other business services. Stripe may collect personal data including via cookies and similar technologies. The personal data Stripe collects may include transactional data and identifying information about devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection, loss prevention, authentication, and analytics related to the performance of its services. You can learn more about Stripe and its processing activities via its privacy policy at https://stripe.com/privacy.

For Vendors: We use Stripe Connect to process vendor payouts. Your payout information (bank account details) is collected and processed directly by Stripe, subject to the Stripe Connected Account Agreement. We do not store your raw bank account information on our servers.

5.3 Resend (Email Delivery)

We use Resend to deliver transactional and notification emails. When we send you an email, Resend processes your email address and message content to deliver the message. Resend may also collect usage data related to email delivery. For more information, see Resend's privacy policy at https://resend.com/legal/privacy-policy.

5.4 Supabase (Infrastructure)

We use Supabase to provide database, authentication, file storage, and serverless function infrastructure. Your data is stored on Supabase-managed infrastructure in the United States. Supabase acts as a service provider under contract with us and processes data solely on our behalf and in accordance with our instructions.

5.5 Google (Authentication, Calendar, Maps, Analytics, and Advertising)

We use several Google services in connection with the Platform:

Google OAuth (Authentication). You may sign in to the Platform using your Google account. When you do so, Google authenticates your identity and shares your account email, name, profile photo, and a unique identifier with us. Google may receive information that you are signing in to Tally. Your use of Google sign-in is subject to Google's Privacy Policy and Terms of Service.

Google Calendar API (Scheduling and Availability). Vendors and Agents may optionally connect their Google Calendar to enable availability scheduling and appointment tracking. We request the following permissions:

  • calendar.app.created — Allows Tally to create a secondary calendar called "Tally Orders" on your Google account and manage events on that calendar only. Service appointments are automatically added when orders are booked, updated on reschedule, and removed on cancellation.
  • calendar.events.freebusy — The default permission. Allows Tally to read free/busy time blocks across your calendars to prevent scheduling conflicts. We access only whether a time slot is busy or free — we do not read event titles, descriptions, attendees, locations, or any other event details from your personal calendars.
  • calendar.events.readonly — An optional, opt-in permission. If you enable "Event Titles" in Calendar Settings, we request this additional scope to read your calendar event titles. Titles are stored and displayed only in your own Tally calendar view — they are never shared with agents or other users. You can disable this at any time from Calendar Settings, which triggers a re-authorization with the default scope only.

We store encrypted OAuth tokens (access and refresh tokens) using pgcrypto encryption at rest. Synced busy time blocks are automatically deleted after 48 hours via a daily cleanup job. You may disconnect your Google Calendar at any time through Calendar Settings in the app, which deletes all stored tokens and availability data from our systems. Your "Tally Orders" calendar and its events remain on your Google account after disconnection.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not use Google Calendar data for advertising, we do not sell it to third parties, and we limit our use to providing and improving the scheduling features of Tally.

Google Maps Platform (Address Autocomplete and Geocoding). We use the Google Places API and Google Geocoding API to provide address autocomplete and location search functionality. When you search for a property address, the text you enter is sent to Google's servers to retrieve address suggestions and geographic coordinates. Google may receive the query text, session tokens, and your IP address as part of the request. Google's use of this data is subject to Google's Privacy Policy and the Google Maps Platform Terms of Service.

Google Analytics (GA4). We use Google Analytics 4 to understand how visitors and users interact with both tallyre.app and tallyre.info. GA4 collects page views, session duration, traffic sources, user interactions (clicks, scrolls, form submissions), device and browser information, and approximate geographic location (derived from IP address). GA4 uses first-party cookies (_ga, _ga_*) to distinguish unique users and sessions. Google processes this data on our behalf and may also use it to improve its own services. You may opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on. For more information, see How Google Uses Data.

Google Ads (Advertising and Retargeting). We use Google Ads to display advertisements on Google Search, the Google Display Network, and YouTube. Google Ads tools we use include:

  • Conversion tracking: When you take an action on the Platform after clicking a Google ad (e.g., creating an account, placing an order), Google receives confirmation of that conversion to measure ad effectiveness. Google may set cookies (_gcl_au, _gcl_aw, conversion linker) for this purpose.
  • Remarketing: We use Google Ads remarketing to show relevant advertisements to users who have previously visited the Platform. Google may use cookies and device identifiers to serve these ads across the Google Display Network.
  • Customer Match: We may upload hashed (cryptographically anonymized) email addresses or phone numbers to Google for the purpose of creating custom audiences. Google matches these hashed values against its own user base to serve targeted ads and discards non-matching records.

What data Google Ads does NOT receive: raw (unhashed) personal identifiers, property details, lockbox codes, order specifics, or payment/financial information.

Your controls for Google advertising: You may opt out of Google Ads personalization by:

For more information, see Google's Privacy Policy and Advertising Policies.

5.6 Netlify and Vercel (Web Hosting and Analytics)

The Tally web application (tallyre.app) is hosted by Netlify. The Tally marketing website (tallyre.info) is hosted by Vercel. Both hosting providers may collect server logs including your IP address, browser information, and page requests as part of hosting operations. Both act as service providers under their respective terms of service.

Vercel Analytics and Speed Insights. The marketing website (tallyre.info) uses Vercel Analytics and Vercel Speed Insights. Vercel Analytics is a privacy-focused, cookieless analytics service that collects aggregated page view data (page URLs, referrers, browser/device type). It does not use cookies, does not collect personal identifiers, and does not track individual users across sessions. Vercel Speed Insights monitors Web Vitals performance metrics (page load times, interactivity, visual stability) to help us improve site performance. No personal data is collected by either service.

5.7 Meta Platforms (Facebook/Instagram Advertising)

We use Meta Platforms' advertising tools, including the Meta Pixel and Conversions API, to reach prospective users and measure the effectiveness of our advertising campaigns on Facebook and Instagram.

What data Meta receives:

  • Meta Pixel data: page views, conversion events (e.g., account creation, order placement), browser and device information collected automatically when you visit the Platform
  • Hashed identifiers: We may upload hashed (cryptographically anonymized) email addresses or phone numbers to Meta for the purpose of creating custom audiences for retargeting. Meta matches these hashed values against its own user base and discards non-matching records.
  • Conversion events: When you take an action on the Platform after clicking a Facebook or Instagram ad, Meta receives confirmation of that conversion to measure ad effectiveness.

What data Meta does NOT receive:

  • Raw (unhashed) email addresses, phone numbers, or other personal identifiers
  • Property details, lockbox codes, order specifics, or any service-related data
  • Payment or financial information

Purpose: We use Meta advertising solely to (1) reach prospective users who may benefit from the Platform (cold lead acquisition), (2) display relevant advertisements to users who have previously visited the Platform (retargeting), and (3) measure the effectiveness of our advertising spend.

Your controls: You may opt out of Meta-based retargeting by:

  • Adjusting your ad preferences in your Facebook Ad Settings
  • Using the "Off-Facebook Activity" tool in your Facebook settings
  • Enabling Global Privacy Control (GPC) in your browser, which we honor as an opt-out signal
  • Contacting us at privacy@tallyre.app to request removal from custom audiences

For more information, see Meta's Data Policy and Cookie Policy.

5.8 LinkedIn (Advertising)

We use the LinkedIn Insight Tag and LinkedIn Conversions API to display advertisements to prospective users on LinkedIn and to measure ad effectiveness.

What data LinkedIn receives:

  • LinkedIn Insight Tag data: page views, conversion events, browser and device information collected when you visit the Platform
  • Hashed identifiers: We may upload hashed email addresses to LinkedIn for audience matching (Matched Audiences). LinkedIn matches these against its user base and discards non-matching records.
  • Professional demographic insights: LinkedIn may provide us with aggregated, non-identifiable data about ad audiences (job titles, industries, company sizes)

What data LinkedIn does NOT receive: raw personal identifiers, property details, order specifics, or financial information.

Your controls: You may opt out of LinkedIn advertising by adjusting your LinkedIn Ad Preferences or enabling GPC in your browser. For more information, see LinkedIn's Privacy Policy.

5.9 Reddit (Advertising)

We use the Reddit Pixel to display advertisements to prospective users on Reddit and to measure ad effectiveness.

What data Reddit receives:

  • Reddit Pixel data: page views, conversion events, browser and device information collected when you visit the Platform
  • Hashed identifiers: We may upload hashed email addresses to Reddit for audience matching (Custom Audiences). Reddit matches these against its user base and discards non-matching records.

What data Reddit does NOT receive: raw personal identifiers, property details, order specifics, or financial information.

Your controls: You may opt out of Reddit advertising by adjusting your Reddit Ad Preferences or enabling GPC in your browser. For more information, see Reddit's Privacy Policy.

5.10 Legal Requirements

We may disclose your personal information if required to do so by law or in response to valid legal process, including:

  • Court orders, subpoenas, or warrants
  • Requests from law enforcement or government agencies
  • Legal proceedings where disclosure is necessary
  • To protect our rights, property, or safety, or the rights, property, or safety of others

5.11 Business Transfers

If Insynq LLC is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

5.12 With Your Consent

We may share your information for other purposes with your explicit consent.

5.13 Vendor Business Information in Promotional Content

Vendor business profile information — including business name, service categories, service descriptions, pricing as entered on the Platform, basic business contact information (phone number, email, address), and reviews/ratings from the Platform — may be displayed to non-Platform users in connection with promoting the Platform. This includes:

  • Live product demonstrations and sales presentations
  • Tutorial and how-to videos (including YouTube)
  • Marketing materials, case studies, and promotional content
  • Screenshots and screen recordings of the Platform

By registering as a Vendor, you consent to the use of your business profile information and reviews in these promotional contexts (see Terms of Service Section 8.8). This consent applies to your business information only — not to your personal contact information (personal email, personal phone) unless it is the same as your business contact information you provided for your vendor profile. Tally will make reasonable efforts to use current and accurate information. If you wish to opt out of promotional use of your business profile, you may contact us at support@tallyre.app.

5.14 Information We Do NOT Sell or Share

  • We do not sell your personal information to third parties as defined under the California Consumer Privacy Act (CCPA/CPRA) or any other applicable law.
  • We share limited personal information with advertising platforms (Meta, Google, LinkedIn, and Reddit) consisting of hashed identifiers and browsing/interaction data for the purpose of targeted advertising, as described in Sections 5.5, 5.7, 5.8, and 5.9. Under CCPA/CPRA and CPA, this may constitute "sharing" for targeted advertising purposes. You have the right to opt out of this sharing (see Section 10.5 and the opt-out controls in each advertising section).
  • We do not disclose personal information for monetary or other valuable consideration.
  • Apart from advertising platform sharing as described above, we do not share your personal information for cross-context behavioral advertising with any other third party.

6. PROPERTY ACCESS CODES (LOCKBOX CODES)

Property access codes (lockbox codes, gate codes, keypad entries) are among the most sensitive information processed through our Platform. We treat this data with heightened security and transparency.

6.1 How Lockbox Codes Are Handled

  • Lockbox codes are provided to the Platform by Agents and are transmitted to Vendors only when the Agent explicitly grants access for a specific service order.
  • Lockbox codes are transmitted through secure, access-controlled channels within the Platform.
  • Access grants are controlled by the Agent, who may grant or revoke Vendor access at any time.
  • Lockbox access is not granted by default — Agents must affirmatively enable access for each Vendor on each order.

6.2 Audit Logging

All lockbox-related activities are recorded in immutable audit logs, including:

  • When an Agent grants lockbox access to a Vendor
  • When a Vendor views a lockbox code
  • When an Agent revokes lockbox access

These audit logs are maintained for security, fraud prevention, dispute resolution, and legal compliance purposes.

6.3 Retention

  • Active lockbox codes are accessible only for the duration of the authorized service and while the Agent's access grant remains active.
  • Audit records of lockbox access events are retained for up to seven (7) years for legal compliance and security purposes.
  • Upon account deletion, lockbox codes in active orders are handled according to the order completion process. Audit records are pseudonymized (see Section 8.3).

6.4 Your Responsibilities

  • Agents: You are responsible for obtaining proper authorization before sharing lockbox codes through the Platform and for revoking access when no longer needed.
  • Vendors: You must use lockbox codes solely for performing the booked service and must not retain, share, or copy codes after service completion.

7. COOKIES AND TRACKING TECHNOLOGIES

7.1 What We Use

| Category | Purpose | Examples | Required? | |----------|---------|----------|-----------| | Strictly Necessary | Authentication, security, core functionality | Session cookies, CSRF tokens, Supabase auth tokens, Google OAuth tokens | Yes | | Payment Processing | Fraud detection, payment security | Stripe cookies | Yes (for payment features) | | Third-Party Services | Address autocomplete, maps functionality | Google Maps Platform cookies and scripts | Yes (for address search features) | | Advertising | Ad targeting, retargeting, conversion tracking | Meta Pixel (_fbp, _fbc), Google Ads (_gcl_au, _gcl_aw, conversion linker), Google remarketing tags, LinkedIn Insight Tag (_li_, li_fat_id), Reddit Pixel (_rdt_uuid) | Optional (opt-out available) | | Functional | User preferences, interface settings | Theme preferences, notification settings | Optional | | Analytics | Understanding Platform usage and performance | Google Analytics 4 (_ga, _ga_*); Vercel Analytics (cookieless — no cookies set) | Optional (GA4 opt-out available) |

7.2 How to Manage Cookies

You can manage cookies through your browser settings. Most browsers allow you to:

  • View what cookies are stored
  • Delete individual or all cookies
  • Block cookies from specific or all websites
  • Set preferences for cookie acceptance

Note: Disabling strictly necessary cookies may prevent you from using certain features of the Platform, including logging in.

7.3 Global Privacy Control (GPC)

We honor Global Privacy Control (GPC) signals sent by your browser. When we detect a GPC signal, we will treat it as a valid request to opt out of the sale or sharing of your personal information, as required by the Colorado Privacy Act and other applicable state privacy laws.

7.4 Do Not Track

There is currently no uniform standard for how to respond to "Do Not Track" (DNT) browser signals. We treat GPC signals (which have a legal standard) as described above. We do not currently respond to DNT signals differently from other browser requests.

8. DATA RETENTION

8.1 Retention Periods

We retain your personal information only as long as necessary for the purposes described in this Privacy Policy or as required by law:

| Data Category | Retention Period | Reason | |--------------|-----------------|--------| | Account and profile data | Duration of your account plus 30 days after deletion | Service provision and account recovery | | Order and transaction records | 7 years after order completion | Tax compliance (IRS requirements), financial records | | Payment and billing records | 7 years | Tax compliance, financial records | | Messages (order and listing messages) | Duration of your account plus 90 days | Service provision, dispute resolution | | Audit logs (order audit trail, lockbox access, role changes, payout status, email logs) | 7 years | Legal compliance, fraud prevention, security | | Marketing assets | Duration of your account plus 30 days after deletion | User-uploaded content management | | Subscription and usage data | Duration of subscription plus 7 years | Tax and billing records | | Intake form responses | 7 years (immutable — cannot be modified after submission) | Service fulfillment, dispute resolution | | Survey and feedback data | Duration of account plus 7 years | Platform improvement, quality metrics | | Push notification tokens | Until revoked or account deleted | Service provision | | Calendar connection data | Duration of connection; tokens deleted immediately on disconnection | Scheduling and availability | | Calendar busy/free data | Automatically deleted after 48 hours via daily cleanup; all data deleted on disconnection | Availability scheduling only | | Calendar event IDs | Duration of the associated order | Event update/delete on reschedule or cancellation | | Address autocomplete queries | Not retained (processed transiently via Google) | Address search only | | Advertising data (Meta, Google, LinkedIn, Reddit) | Up to 180 days (Meta); up to 540 days (Google Ads); up to 180 days (LinkedIn); up to 90 days (Reddit); hashed custom audiences refreshed periodically | Ad targeting and measurement | | Analytics data (GA4) | Up to 14 months (Google's default retention); configurable | Website usage analysis | | Analytics data (Vercel) | Aggregated, no personal data retained | Privacy-focused page view analytics | | SMS/communication consent records | Duration of account plus 7 years | TCPA compliance, proof of consent | | Server logs | Up to 90 days | Security monitoring and troubleshooting |

8.2 Deletion Upon Request

When you request deletion of your personal information (see Section 10), we will delete or de-identify your account information and personal data from our active systems within the timeframes required by applicable law (typically 45 days).

To request account deletion, contact us at privacy@tallyre.app or support@tallyre.app. Self-service account deletion through your account settings may be available in the future.

8.3 Audit Logs and Deletion Requests

Certain records, including audit logs, transaction records, and security logs, may be retained in pseudonymized form after an account deletion request. This means we replace your personally identifiable information (such as your name and email) with anonymized identifiers while preserving the audit trail's integrity. This retention is permitted under applicable law for:

  • Legal compliance — maintaining records required by tax, financial, or other laws
  • Security — preventing, detecting, and protecting against fraud and security incidents
  • Legal claims — investigating, exercising, or defending legal claims

When we retain records under these exceptions, we will inform you of which categories of data were retained and the legal basis for retention.

9. DATA SECURITY

9.1 Security Measures

We implement reasonable administrative, technical, and physical security measures to protect your personal information, including:

  • Encryption of data in transit (TLS/SSL)
  • Secure authentication through Supabase Auth
  • Role-based access controls enforced through Row-Level Security (RLS) policies
  • Immutable audit logging of sensitive operations
  • Rate limiting on authentication and sensitive endpoints
  • Secure, access-controlled lockbox code transmission
  • Session-based impersonation controls (cleared on browser close)
  • Regular security assessments of the Platform

9.2 Limitations

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your login credentials and for any activity that occurs under your account.

10. YOUR PRIVACY RIGHTS

Depending on your state of residence, you may have some or all of the following rights regarding your personal information:

10.1 Right to Know / Access

You have the right to request confirmation of whether we process your personal information and to access the personal information we hold about you.

10.2 Right to Correct

You have the right to request correction of inaccurate personal information we hold about you.

10.3 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (see Section 8.3).

10.4 Right to Data Portability

You have the right to receive your personal information in a portable, commonly used, and machine-readable format.

10.5 Right to Opt Out

You have the right to opt out of:

  • The sale of your personal information (note: we do not sell personal information)
  • Targeted advertising based on your personal information — including retargeting via Meta, Google, LinkedIn, and Reddit (see Sections 5.5, 5.7, 5.8, and 5.9 for opt-out controls)
  • Certain types of profiling that produce legal or similarly significant effects

To opt out of targeted advertising, you may: (1) enable Global Privacy Control (GPC) in your browser, (2) adjust your Facebook Ad Settings, (3) use Facebook's "Off-Facebook Activity" tool, (4) adjust your Google Ad Settings, (5) install the Google Analytics Opt-Out Browser Add-on, (6) adjust your LinkedIn Ad Preferences, (7) adjust your Reddit Privacy Settings, or (8) contact us at privacy@tallyre.app.

10.6 Right to Limit Use of Sensitive Personal Information

You have the right to limit the use and disclosure of your sensitive personal information to uses necessary to perform the services you request.

10.7 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not deny you services, charge you different prices, provide a different quality of service, or retaliate against you for exercising your rights.

10.8 Right to Appeal

If we deny your privacy rights request, you have the right to appeal our decision. We will provide instructions for how to appeal with our response.

10.9 How to Exercise Your Rights

You may submit a privacy rights request by:

  • Email: privacy@tallyre.app
  • In-App: Through the privacy settings in your account (when available)

We will verify your identity before processing your request. We will respond to verifiable requests within 45 days. If we need additional time, we will notify you of the reason and extension (up to an additional 45 days).

You may designate an authorized agent to make a request on your behalf. Authorized agents must provide proof of written authorization.

The first access request within a 12-month period is free. Subsequent requests may be subject to a reasonable fee.

11. STATE-SPECIFIC DISCLOSURES

11.1 Colorado Residents (Colorado Privacy Act)

If you are a Colorado resident, you have the rights described in Section 10 under the Colorado Privacy Act (CPA), Colo. Rev. Stat. § 6-1-1301 et seq.

Additional Colorado-specific disclosures:

  • We process personal data for the purposes described in Section 4.
  • We share personal data with the categories of third parties described in Section 5.
  • We honor Global Privacy Control (GPC) signals as a valid universal opt-out mechanism, as required by CPA regulations effective July 1, 2024.
  • We do not sell personal data. We share limited hashed identifiers with advertising platforms (Meta, Google, LinkedIn, Reddit) for targeted advertising. You may opt out of targeted advertising at any time (see Sections 5.5, 5.7, 5.8, 5.9, and 10.5).
  • Right to Appeal: If we deny your request, you may appeal by contacting us at privacy@tallyre.app. If you are not satisfied with our appeal response, you may contact the Colorado Attorney General at https://coag.gov/file-complaint/.

11.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the rights described in Section 10 under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), Cal. Civ. Code § 1798.100 et seq.

Categories of personal information collected in the past 12 months:

| CCPA Category | Examples from Tally | Source | Business Purpose | |--------------|--------------------|---------|--------------------| | A. Identifiers | Name, email, phone, IP address, account ID, Google user ID | Direct collection, automatic, Google OAuth, user-provided referrals | Account management, communications, authentication, vendor invitations | | B. Customer Records | Name, address, phone, financial info | Direct collection | Service provision, billing | | D. Commercial Information | Orders, services purchased, pricing | Direct collection | Order management, billing | | F. Internet/Network Activity | Browser type, pages visited, push tokens, advertising pixel data (Meta, Google, LinkedIn, Reddit), GA4 analytics data | Automatic collection, advertising pixels, GA4 | Security, analytics, notifications, advertising | | G. Geolocation | Property addresses, geocoding data | Direct collection, Google Maps Platform | Service provision, address search | | H. Sensory Information | Photos, marketing assets uploaded | Direct collection | Marketing, service delivery | | I. Professional/Employment | License info, brokerage, vendor business info | Direct collection | Verification, service provision |

Categories of personal information disclosed for a business purpose in the past 12 months:

| Category Disclosed | Recipient | Purpose | |-------------------|-----------|---------| | Identifiers (name, email) | Stripe, Resend, other Platform Users, prospective Vendors (via invitation emails) | Payments, email delivery, service fulfillment, vendor invitations | | Commercial Information | Stripe | Payment processing | | Geolocation (addresses) | Google Maps Platform, other Platform Users | Geocoding, address autocomplete, service fulfillment | | Identifiers (Google user ID) | Google | Authentication via Google OAuth | | Identifiers (hashed email/phone) | Meta, Google, LinkedIn, Reddit | Custom audience matching for advertising | | Internet/Network Activity | Meta, Google, LinkedIn, Reddit | Conversion tracking, retargeting, website analytics | | Professional Information | Other Platform Users | Service matching and fulfillment |

We have not sold any personal information in the past 12 months. We share limited personal information (hashed identifiers and Internet/Network Activity data) with advertising platforms (Meta, Google, LinkedIn, Reddit) for the purpose of targeted advertising, as described in Sections 5.5, 5.7, 5.8, and 5.9. You have the right to opt out of this sharing.

Sensitive Personal Information: We collect certain categories of sensitive personal information as defined by CPRA, including account credentials, precise geolocation (property addresses), and contents of communications. This information is used solely for purposes necessary to provide the services you request. You have the right to limit the use and disclosure of your sensitive personal information.

Financial Incentives: We do not offer financial incentives related to the collection or sale of personal information.

11.3 Texas Residents (TDPSA)

If you are a Texas resident, you have the rights described in Section 10 under the Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code § 541.001 et seq. The TDPSA applies to all businesses serving Texas residents, regardless of size or revenue.

11.4 Other State Residents

If you reside in Virginia, Connecticut, Oregon, Montana, Delaware, Maryland, Minnesota, Indiana, Kentucky, Rhode Island, or any other state with a comprehensive privacy law, you have privacy rights under your state's applicable law. The rights described in Section 10 are designed to satisfy the requirements of all currently effective US state privacy laws.

12. CHILDREN'S PRIVACY

The Platform is not directed to individuals under the age of 18 and is designed for use by licensed real estate professionals and service providers. We do not knowingly collect personal information from children under the age of 13 as defined by the Children's Online Privacy Protection Act (COPPA).

If we become aware that we have collected personal information from a child under 13, we will promptly delete that information. If you believe a child under 13 has provided personal information through the Platform, please contact us at privacy@tallyre.app.

13. COMMUNICATIONS CONSENT

13.1 Consent to Receive Communications

BY CREATING AN ACCOUNT ON THE PLATFORM, YOU EXPRESSLY CONSENT TO RECEIVE COMMUNICATIONS FROM TALLY via email, SMS/text message, push notification, phone call, and in-app messaging at the contact information you provide, including any phone number or email address associated with your account. This consent covers:

(a) Transactional and Service Communications — including order confirmations, status updates, appointment reminders, scheduling changes, payment receipts, delivery notifications, security alerts, and account-related notices. These are necessary for the operation of the Platform and cannot be opted out of while you maintain an active account.

(b) Customer Service Communications — including responses to your inquiries, account support, troubleshooting, and follow-up communications related to your use of the Platform.

(c) Platform Updates — including notifications about new features, service changes, maintenance windows, outages, policy updates, and product improvements.

(d) Marketing and Promotional Communications — including information about new services, promotions, tips, and content we believe may interest you. Marketing communications require your separate opt-in consent and you may opt out at any time (see Section 13.5).

13.2 Communication Methods

We may contact you via:

| Method | Transactional | Customer Service | Platform Updates | Marketing | |--------|:---:|:---:|:---:|:---:| | Email | Yes | Yes | Yes | With opt-in | | SMS / Text | Yes | Yes | Yes | With opt-in | | Push notification | Yes | Yes | Yes | With opt-in | | Phone call | No | Yes (return calls) | No | With opt-in | | In-app message | Yes | Yes | Yes | Yes |

13.3 SMS/Text Message Terms

If you provide a mobile phone number, you consent to receive SMS/text messages from Tally for transactional, customer service, and platform update purposes. By opting in to marketing texts, you additionally consent to receive promotional messages.

  • Message frequency: Varies based on your account activity. Transactional messages are sent as triggered by order events. Marketing messages will not exceed 4 messages per month.
  • Message and data rates may apply. Your mobile carrier's standard messaging and data rates apply to all SMS/text messages.
  • Opt out of marketing texts: Reply STOP to any marketing text message, or update your notification preferences in account settings. You will receive a confirmation of your opt-out.
  • Opt out of all texts: Reply STOP to any text message. Note that opting out of transactional texts may affect your ability to receive time-sensitive order updates. You may re-enable texts at any time in your account settings.
  • Help: Reply HELP to any text message for assistance, or contact us at support@tallyre.app.
  • Supported carriers: Major US carriers are supported. Tally is not responsible for delayed or undelivered messages caused by carrier issues.

13.4 Telephone Consumer Protection Act (TCPA) Disclosure

By providing your phone number and creating an account, you provide your prior express consent under the Telephone Consumer Protection Act (47 U.S.C. § 227) to receive:

(a) Calls and texts from Tally or its service providers using an automatic telephone dialing system or prerecorded/artificial voice for transactional and customer service purposes;

(b) With your separate opt-in consent, marketing calls and texts using an automatic telephone dialing system or prerecorded/artificial voice.

Your consent is not a condition of purchasing any goods or services. You may revoke your consent at any time by contacting us at support@tallyre.app or by replying STOP to any text message.

13.5 Opting Out of Marketing Communications

You may opt out of marketing communications at any time by:

  • Email: Using the "unsubscribe" link in any marketing email
  • SMS/Text: Replying STOP to any marketing text message
  • Push notifications: Disabling notifications in your device settings or account settings
  • Phone: Requesting removal during any call, or contacting support@tallyre.app
  • Account settings: Updating your notification preferences on the Platform

We will honor opt-out requests within 10 business days for email (as required by the CAN-SPAM Act) and within a reasonable period for other channels (typically 1-3 business days for SMS).

Opting out of marketing communications does not affect transactional, customer service, or essential platform update communications.

13.6 Platform Communications Monitoring

Communications sent through the Platform (including order messages and listing messages) may be monitored, reviewed, and stored for purposes of platform safety, dispute resolution, quality assurance, and legal compliance. By using the Platform's messaging features, you consent to such monitoring.

13.7 Email Audit Logging

We maintain an audit log of all transactional emails sent through the Platform. This log records the email type, recipient, timestamp, and delivery status, but does not store the full email body after delivery.

14. DATA BREACH NOTIFICATION

In the event of a data breach involving your personal information, we will:

  • Notify affected individuals in accordance with applicable state law
  • Notify the Colorado Attorney General if 500 or more Colorado residents are affected (within 30 days of determination)
  • Notify applicable state attorneys general as required by their respective laws
  • Notify credit reporting agencies if 1,000 or more residents of any state are affected
  • Provide information about the nature of the breach, the types of information involved, and steps you can take to protect yourself

15. INTERNATIONAL USERS

The Platform is intended for use within the United States only. We process and store all data within the United States. If you access the Platform from outside the United States, you do so at your own risk and are responsible for compliance with local laws. By using the Platform, you consent to the transfer and processing of your information in the United States.

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Privacy Policy
  • Notify you by email and/or prominent notice on the Platform at least thirty (30) days before the changes take effect
  • For material changes, require your affirmative acknowledgment upon your next login

Your continued use of the Platform after the effective date of a revised Privacy Policy constitutes your acceptance of the changes.

We encourage you to review this Privacy Policy periodically.

17. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Insynq LLC

Privacy Inquiries: privacy@tallyre.app General Support: support@tallyre.app

For Colorado Privacy Act complaints, you may also contact the Colorado Attorney General at https://coag.gov/file-complaint/.

BY USING THE PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.

Version 1.0 — March 21, 2026

REMINDER: This document was drafted using legal research and industry best practices but has not been reviewed by a licensed attorney. Insynq LLC should have this document reviewed by a privacy attorney licensed in Colorado before publishing. Special attention should be given to: (1) whether a Data Protection Assessment is required under CPA for lockbox access tracking, vendor matching, or targeted advertising via Meta and Google, (2) compliance with the Google API Services User Data Policy (including Limited Use requirements) for Google Calendar integration, (3) whether Google Analytics (GA4) and Google Ads require a cookie consent banner or opt-in mechanism under CPA/CCPA before cookies are set, (4) whether the Google Ads Customer Match and Meta Custom Audiences disclosures are sufficient under CPA's "sharing for targeted advertising" provisions, and (5) whether a unified policy covering both tallyre.app and tallyre.info requires any additional disclosures for marketing-site-only visitors who have not created accounts.