Tallow

Privacy Policy

Last updated 2 June 2026

Tallow is a personal accounting assistant for a single authorised user’s UK limited company. It connects to HMRC and FreeAgent on your instruction and uses a large language model to answer questions about your accounts. This policy explains what personal data we process, why, and how it is protected. It is written for the UK GDPR and the Data Protection Act 2018.

Who we are

Tallow is operated as a personal service by an individual based in the United Kingdom, who is the data controller. For any privacy question or to exercise your rights, contact andrew@stretch.codes.

What data we process

  • Account data — the email address you sign in with (handled by our authentication provider, Supabase).
  • Connection data — OAuth access and refresh tokens for HMRC and FreeAgent, and your VAT registration number (VRN). These are encrypted before they are stored.
  • Conversation data — your chat messages, the assistant’s replies, the conversation title, and any accounting data retrieved from HMRC or FreeAgent while answering you. Message content is encrypted before it is stored.
  • Technical data — HMRC requires anti-fraud headers on every VAT API call (for example your device/browser characteristics and IP address); these are assembled per request and sent to HMRC, not retained by us.

We do not use analytics, advertising, or third-party tracking cookies.

How we use your data

  • To authenticate you and keep you signed in.
  • To call the HMRC VAT (Making Tax Digital) and FreeAgent APIs on your instruction — for example retrieving obligations, liabilities and payments, and submitting a VAT return that you have reviewed and confirmed.
  • To generate the assistant’s responses and to title your conversations.

Our legal bases are performance of our service to you, your consent (which you give when you connect a provider, and can withdraw at any time), and our legitimate interest in operating and securing the service.

Who we share it with

We do not sell your data. We share it only with the processors needed to run the service:

  • Amazon Web Services (AWS Bedrock) — to generate responses, your messages and the accounting data retrieved for a conversation are sent to a Claude model run on AWS Bedrock. Inference is pinned to AWS’s EU region; AWS does not use this content to train models.
  • HMRC — for VAT (MTD), using the read:vat and write:vat scopes. We send your VRN and the figures of any return you submit.
  • FreeAgent — to read your accounting data on your instruction.
  • Supabase — managed database and authentication.
  • Fly.io — application hosting.

Where your data is stored

The application and database are hosted in the United Kingdom (Fly.io’s London region, with Supabase as the managed database). Language-model inference runs in AWS’s EU region. Your use of HMRC and FreeAgent is also subject to their own privacy policies.

How we protect it

  • OAuth tokens, your VRN and your message content are encrypted at rest with AES-256-GCM. The encryption key is held outside the database, so a database dump alone cannot reveal them.
  • All traffic to the application and between services uses TLS.
  • Access is restricted to a single authorised account; every request is checked against an allow-list before any data is read.

How long we keep it

We keep your data while your account is active. You can delete any conversation from within the app (its messages are deleted with it), and you can disconnect a provider to remove its access. On request we will delete your account and associated data, subject to any records we must retain by law.

Your rights

Under UK data protection law you have the right to access, correct, delete, or port your data, to restrict or object to processing, and to withdraw consent. To exercise any of these, email andrew@stretch.codes. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

Cookies

We use only the strictly necessary cookies that keep you signed in. There are no advertising or analytics cookies.

Changes to this policy

We may update this policy from time to time. The date at the top reflects the latest revision; material changes will be reflected here.