Important: This Privacy Policy governs how Tally AI Limited collects, processes and protects your personal data. By using our Service, you agree to the practices described here. If you do not agree, please discontinue use of the Service.
Tally AI is an artificial intelligence-powered financial management service delivered via WhatsApp and web platforms, operated by Tally AI Limited ("Company", "we", "us", or "our"), a company incorporated in Nigeria (RC 9492510).
As the operator of this Service, Tally AI Limited acts as the Data Controller in relation to personal data processed through Tally AI, in accordance with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023.
In compliance with Section 32 of the Nigeria Data Protection Act (NDPA) 2023, Tally AI Limited has designated a Data Protection Contact responsible for overseeing compliance with applicable data protection laws and handling data subject requests.
All data protection queries, rights requests, and complaints should be directed to: [email protected]
This Privacy Policy applies to all personal data collected and processed when you use the Tally AI WhatsApp bot, access the web dashboard at tallyai.ng, register for an account, subscribe to any plan, contact our support team, or otherwise interact with our Service.
Important: When you send a voice note, we process audio data for transcription. See Section 7 on Consent and Section 9 on Third-Party Services for full details.
In accordance with Article 2.2 of the NDPR 2019, we process your personal data only where we have a lawful basis to do so:
| Processing Activity | Lawful Basis | Details |
|---|---|---|
| Account creation and management | Contract (Art. 2.2(b) NDPR) | Necessary to provide the Service |
| Transaction logging | Contract (Art. 2.2(b) NDPR) | Core service functionality |
| Sending notifications | Legitimate Interest (Art. 2.2(f) NDPR) | Budget alerts and summaries you request |
| Voice note transcription | Consent (Art. 2.2(a) NDPR) | Explicit consent obtained at onboarding |
| AI-powered intent detection | Contract (Art. 2.2(b) NDPR) | Necessary to process natural language |
| Payment processing | Contract (Art. 2.2(b) NDPR) | Necessary for subscription billing |
| Security and fraud prevention | Legitimate Interest (Art. 2.2(f) NDPR) | Protecting users and the platform |
| Legal compliance | Legal Obligation (Art. 2.2(c) NDPR) | Required by applicable Nigerian law |
We use your information solely to provide and operate the Tally AI Service, process and categorise financial transactions, generate financial reports and summaries, send budget alerts and notifications, personalise your experience in your preferred language, respond to support requests, maintain security and prevent fraud, comply with applicable Nigerian law, and improve the Service through aggregated anonymised analysis.
We do not use your personal data for advertising purposes. We do not sell your personal data to third parties.
Before processing your first voice note, Tally AI will request your explicit consent to share audio content with Groq Inc. for transcription purposes. This consent is freely given, specific, informed, and unambiguous. You may continue using the Service via text without providing consent.
You may withdraw consent at any time by sending "no voice notes" to the Tally AI bot, or by contacting [email protected]. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Our Service is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors.
We retain your personal data in accordance with the NDPC General Application and Implementation Directive (GAID) 2025:
| Data Type | Retention Period | Basis |
|---|---|---|
| Transaction data | 6 months after account closure | NDPC GAID 2025 |
| Account information | 6 months after account closure | NDPC GAID 2025 |
| Voice note audio | Deleted immediately after transcription | Data minimisation |
| Session data | 24 hours after inactivity | Operational necessity |
| Audit logs | 12 months | Legal obligation |
| Payment records | 7 years | CAMA 2020 / FIRS requirements |
We share your data only with trusted third-party processors bound by Data Processing Agreements (DPAs) in accordance with Article 2.7 of the NDPR 2019:
| Provider | Purpose | Data Shared | Location | DPA |
|---|---|---|---|---|
| Twilio Inc. | WhatsApp message delivery | Phone number, message content | United States | Yes |
| Anthropic PBC | AI intent detection | Message text only | United States | Yes |
| Groq Inc. | Voice note transcription | Audio content (not stored) | United States | Yes |
| Paystack Inc. | Payment processing | Name, payment information | Nigeria | Yes |
Some of our processors are located in the United States. We safeguard cross-border transfers through Data Processing Agreements requiring processors to maintain data protection standards equivalent to Nigerian law, and by limiting data shared to the minimum necessary for the specific purpose.
In compliance with Section 40 of the NDPA 2023, where a data breach is likely to result in risk to data subjects, we will notify the Nigeria Data Protection Bureau (NDPB) within 72 hours of becoming aware of the breach, and notify affected users directly without undue delay.
You have the following rights under the NDPR and NDPA. We will respond to all valid requests within 14 days of receipt:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal data |
| Portability | Receive your data in a machine-readable format |
| Object | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent at any time for consent-based processing |
| Complain | Lodge a complaint with the NDPB at www.ndpb.gov.ng |
To exercise any right, contact [email protected] with your name, phone number, and a description of your request.
We implement appropriate technical and organisational security measures including encrypted data transmission via HTTPS/TLS, secure password hashing, JWT-based authentication, firewall protection, automated intrusion detection, and access controls. No method of electronic transmission is 100% secure, but we strive to use commercially acceptable means to protect your data.
Our WhatsApp bot does not use cookies. Our web dashboard uses only essential cookies required for authentication and session management, and Google Analytics for aggregated, anonymised traffic analysis. We do not use advertising or tracking cookies that identify individual users.
This is a living document updated to reflect changes in our operations and legal requirements. When we make material changes, we will update the "Last Updated" date, notify active users via WhatsApp at least 14 days before changes take effect, and obtain fresh consent where required by law.
If you are dissatisfied with how we have handled your personal data, you may contact our DPO at [email protected] or lodge a complaint with the Nigeria Data Protection Bureau (NDPB) at www.ndpb.gov.ng.