This page lists the external services we use to run the product. Each one does a specific job for us, and each one is named below along with what it does, where it sits, and a link to its own published privacy terms.
If we plan to add a new one, we update this page first. The primary store of your workspace information stays in India and we do not plan to change that. Where a service on the list is outside India, we pick providers who publish their own safeguards.
Services we use today
Google (Sign in with Google)
- What it does
- When you choose Sign in with Google, Google verifies your identity for us. We only contact Google when you click that button. We do not call Google for anything else on your behalf.
- What it sees
- Your Google email address, your profile name, and a Google account identifier. Received once at sign-in and stored against your workspace so we know which Google identity is linked to your account.
- Where it sits
- United States.
- Safeguard
- Google has its own privacy and security commitments and publishes them at the link below.
- Reference
- https://policies.google.com/privacy
Clerk
- What it does
- Sign-in, sign-out, password recovery, multi-factor authentication, and session management. Clerk handles the identity layer so we do not store passwords ourselves.
- What it sees
- Your email, name where you provided it, multi-factor settings, session tokens, request IP, and the time you signed in.
- Where it sits
- United States.
- Safeguard
- Clerk has its own data-handling commitments and publishes them at the link below.
- Reference
- https://clerk.com/legal
Cloudflare
- What it does
- DNS, content delivery, TLS termination, basic bot blocking, and the Turnstile check that protects the contact form from automated abuse.
- What it sees
- Request metadata such as IP, headers, and URL. Turnstile challenge tokens. The body of any request is not retained by Cloudflare.
- Where it sits
- Primary edge in India. Global edge used only for failover when the Indian edge is unavailable.
- Safeguard
- Cloudflare publishes its own data-handling commitments at the link below.
- Reference
- https://www.cloudflare.com/cloudflare-customer-dpa/
Hostinger
- What it does
- Virtual private server hosting. The machine that runs our control plane, our database files, and our backups.
- What it sees
- Everything the product stores at rest sits on this server.
- Where it sits
- India.
- Safeguard
- Hostinger publishes its own data-handling commitments at the link below.
- Reference
- https://www.hostinger.com/legal/data-processing-addendum
Razorpay
- What it does
- Payment processing and subscription billing.
- What it sees
- Email, billing name, address, GSTIN, mobile, the last four digits of the card used or the UPI handle, and transaction history. Full card numbers do not pass through our servers, they go straight from your browser to Razorpay.
- Where it sits
- India.
- Safeguard
- Razorpay publishes its own data-handling commitments at the link below, and is PCI DSS Level 1 certified for the card data it handles.
- Reference
- https://razorpay.com/privacy/
Anthropic (powers the website help bot)
- What it does
- A small chat bubble in the bottom-left of every public page on our website lets visitors ask questions about the product and the help guide. We send those questions to Anthropic, whose Claude model writes the reply. The bot only sees what you type into that chat box. It does not see your Tally data, your sign-in, or anything inside your workspace.
- What it sees
- The text of the messages you type into the website help bot. Nothing more. The bot has no access to your account.
- Where it sits
- United States.
- Safeguard
- Anthropic publishes its own commercial terms and privacy notice at the link below, including a no-training-on-API-data commitment for paid API usage. Using the chat bubble is optional — you can ignore it and use the contact form instead.
- Reference
- https://www.anthropic.com/legal/commercial-terms
AI clients you choose to connect
- What it does
- When you connect an AI assistant like Claude or ChatGPT to your workspace, that assistant runs the queries you send. We only forward what you ask. We do not push information to any AI provider on our own.
- What it sees
- Whatever your question and the answer it pulls from your workspace cause that assistant to see. The link only happens when you ask a question.
- Where it sits
- Wherever the AI provider you chose hosts. You can pick a provider that hosts in India, in another region, or even one that runs on hardware you control.
- Safeguard
- Each AI provider publishes its own privacy and data-handling terms. You stay in control of which assistant connects and what you send to it.
- Reference
- See the privacy notice of whichever AI provider you connect.
If something on this list does not work for you
Write to us at [email protected] and we will discuss. Where there is a practical alternative we will work to switch. Where there is no alternative, we will explain why and you can decide what to do next.
On responsibility
We pick our external services carefully and we follow what each one publishes about how it handles information. No external service can be guaranteed to be free from every possible problem. We do not accept responsibility for incidents that originate on infrastructure we do not run, or for indirect costs such as lost business or lost goodwill that may follow from such an incident.