Privacy policy.

What TabNudge collects, why it needs it, who else touches it, how long it is kept, and how to get rid of it. Plain English. Every line is true today.

Last updated: 11 May 2026

01
What we collect

The information that flows through TabNudge.

TabNudge is invoice follow-up automation for Xero users. To do that job, it needs access to a small, well-defined set of information.

Account data
Your name, email address, business name, role, and authentication identifiers when you sign up or log in.
Xero data
Invoices, contacts, contact email addresses, invoice amounts, due dates, currency, and payment status — pulled from Xero via OAuth so TabNudge can follow up on overdue invoices.
Email connection data
When you connect Gmail or Microsoft 365, we store an OAuth refresh token, your connected email address, and the metadata of reminders we send on your behalf (recipient, subject, time sent, delivery status).
Reply and reminder content
The body of reminders we draft and send, plus the body of replies your customers send back to those reminders. Replies are received via Resend Inbound (a forwarding address) so we can track responses without reading your wider inbox.
Workspace activity
Settings you choose, tone preferences, approvals, pauses, escalations, and the workflow state of each invoice.
Technical data
Standard request logs (IP address, user agent, timestamps) used for security, abuse prevention, and debugging.
02
Google API data (Gmail)

Limited Use of Google user data.

When you connect a Google account so TabNudge can send reminders from your Gmail address, the following applies.

Limited Use
TabNudge's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes requested
When you connect a Google account, TabNudge requests only: openid, email, profile, https://www.googleapis.com/auth/gmail.send
How each scope is used
openid / email / profile — to identify which Google account is connected and display its address back to you in settings.
gmail.send — to send the invoice reminders you have approved (or that automation has generated under your settings) from your own Gmail address, so customers reply directly to you. We do not request gmail.readonly, gmail.modify, or any other Gmail scope. We never read your inbox, drafts, sent items, or labels.
No human access
Employees of TabNudge do not read the contents of emails sent through your Google account except (a) with your explicit permission to debug a specific issue you have raised, (b) where required for security investigations, or (c) where required by law. Aggregate, de-identified counts may be used to monitor system health.
No advertising
Data accessed via Google APIs is never used for advertising, never sold, and never used to train generalised AI or machine-learning models.
No transfer
Data accessed via Google APIs is not transferred to third parties except as needed to operate the service (for example, our hosting provider stores the reminder you asked us to send) or where required by law.
Revoking access
You can disconnect your Google account at any time from inside TabNudge (Settings → Email) or from your Google Account permissions page. On disconnect, the OAuth refresh token is deleted immediately and TabNudge will stop sending email through Gmail.
03
Microsoft 365 data

Send-only access to your mailbox.

Scopes requested
For Microsoft 365 connections, TabNudge requests only the scopes needed to send mail on your behalf (Mail.Send) and to identify the connected mailbox (User.Read, openid, email, profile, offline_access).
Use
Used solely to send the reminders you or automation has approved. We do not read your Microsoft 365 mailbox, calendar, OneDrive, or Teams data.
Revoking access
You can disconnect from inside TabNudge (Settings → Email), or from your Microsoft account at https://account.microsoft.com. On disconnect, the OAuth refresh token is deleted immediately.
04
Xero data

Invoices and contacts only.

Scopes requested
OAuth 2.0 with scope limited to invoices and contacts. TabNudge does not request bank, payment, or payroll scopes.
Use
To pull overdue invoices and customer contact details so reminders can be drafted, sent, and tracked. Workflow state in TabNudge is updated based on Xero changes (e.g. when a customer pays).
Revoking access
You can disconnect Xero at any time from inside TabNudge or from your Xero account settings. On disconnect, customer data is deleted within 30 days (see Section 06).
05
AI processing

Minimal inputs. Request-scoped. No training.

Provider
TabNudge uses OpenAI (and optionally Anthropic) to draft reminder text and to classify reply intent and sentiment. The provider used for any given step depends on the configured model for that step.
What is sent to the AI
For drafting: invoice metadata (number, amount, due date, days overdue, currency), customer first name where available, the body of the most recent reply (if any), and the tone preference. For classification: the body of the reply itself.
What is not sent
No bank or payment details, no Xero credentials, no Google or Microsoft tokens, no other customers’ data, no full email threads beyond the most recent reply.
Lifetime
Data passed to the AI provider is processed for the duration of the request only. Per the providers’ API terms, data submitted via API is not used to train their models by default.
06
Storage and security

Encrypted in transit and at rest. Hosted in Sydney.

In transit
All data in transit is encrypted via TLS 1.3.
At rest
Customer data at rest is encrypted using AES-256.
Region
Primary database is hosted in Sydney, Australia.
Access controls
Production access is limited to engineering staff who require it. Authentication is via single sign-on with multi-factor authentication.
07
Subprocessors

Who else processes your data.

We use a small number of trusted vendors to operate the product. Each one only sees the data needed to do their part.

Vercel (US)
Application hosting and request handling.
Supabase (Sydney, AU)
Primary database and file storage.
OpenAI (US)
AI drafting and reply classification.
Anthropic (US)
Optional alternative AI provider for drafting and classification.
Resend (US)
Outbound email delivery infrastructure and inbound reply forwarding.
Stripe (US/AU)
Payment processing for TabNudge subscriptions. Card details are entered into Stripe directly and are never seen by TabNudge.
ClickSend (AU)
SMS delivery, where you have enabled SMS reminders. Customer phone numbers are sent only at the time of dispatch.
Google / Microsoft / Xero
Integrations you choose to connect. Data flows are described in the sections above.
08
Retention and deletion

How long data is kept, and when it is removed.

Whilst your account is active
Data is retained for as long as your workspace is active so the product can do its job (track invoice history, learn customer behaviour, surface overdue patterns).
OAuth tokens
Deleted immediately when you disconnect a Google, Microsoft, or Xero connection inside TabNudge.
On account closure
Workspace data — invoices, contacts, reminders, replies, profiles — is deleted within 30 days of account closure or written request.
Backups and logs
Encrypted database backups are retained for up to 30 days. Request logs are retained for up to 90 days for security and debugging.
Legal holds
Where retention is required by law (for example, payment records for tax purposes), data is held only for the period required by that law.
09
Your rights

Access, correction, deletion, complaint.

Access
You can request a copy of the personal information TabNudge holds about you by emailing support@tabnudge.com.
Correction
Most account data can be corrected directly in TabNudge settings. For anything you cannot edit yourself, email us.
Deletion
You can close your workspace from settings, or email support@tabnudge.com to request deletion. Data is removed within 30 days, subject to any legal hold.
Complaints
If you are not satisfied with how TabNudge handles your privacy, you can complain to the New Zealand Office of the Privacy Commissioner (privacy.org.nz) or the Office of the Australian Information Commissioner (oaic.gov.au).
10
Other

Children, advertising, transfers, changes.

Children
TabNudge is a business tool and is not directed at children under 16. We do not knowingly collect data from children.
No advertising
TabNudge does not show advertising, does not sell data, and does not use customer data to target ads on any platform.
International transfers
Some subprocessors are based in the United States. Where personal data is transferred internationally, we rely on the providers’ contractual safeguards (Standard Contractual Clauses where applicable).
Changes to this policy
When this policy changes in a material way, we will update the "Last updated" date at the top of this page and notify active workspace owners by email.
Contact

Questions about your data?

Email support@tabnudge.com with the subject “Privacy”. We respond within one business day.
