Privacy policy.

TabTab is an on-premise system. Your business data — documents, SOPs, client records, agent conversations — lives on hardware you physically own. It does not leave your building. We cannot access it, read it, or sell it. This policy covers the data we do collect: what you give us when you buy a node or visit this website.

When you purchase a node: Name, email, phone, company name, billing address, and payment information (processed by Square — we never store card numbers).

When you visit this site: Anonymous analytics via Vercel Analytics and PostHog (cookieless mode). We collect page views, referrer, device type, and country. No cookies. No fingerprinting. No cross-site tracking.

When you contact us: Name, email, and message content submitted through our forms. Protected by Cloudflare Turnstile — no CAPTCHAs, no tracking cookies.

We do not collect, transmit, or have access to any data processed by your TabTab node. This includes but is not limited to: vault contents, agent conversations, org chart configurations, client records, financial documents, or any file stored on the device. The node operates on a local network with no call-home capability.

Purchase information is used to fulfill your order, ship your node, and provide support. Contact form submissions are used to respond to your inquiry. Analytics data is used to understand which pages are useful and improve the site. We do not sell, rent, or share your personal information with third parties for marketing purposes.

We use the following services to operate this website and process orders:

• Square — Payment processing
• SendGrid — Transactional email (order confirmations, support replies)
• Vercel — Hosting and anonymous analytics
• PostHog — Cookieless product analytics
• Cloudflare — Anti-bot protection (Turnstile)
• AWS S3 — Encrypted file storage for order documents
• Sentry — Error monitoring (no PII logged)

Purchase records are retained for 7 years for tax and legal compliance. Contact form submissions are retained for 1 year. Analytics data is aggregated and anonymized — no individual records are stored beyond 90 days.

All data in transit is encrypted via TLS. Sensitive fields (tax IDs, payment tokens) are encrypted at rest using AWS KMS envelope encryption. We do not store passwords in plaintext — credentials are hashed with argon2id. Access to production systems is restricted and audited.

You may request access to, correction of, or deletion of your personal data at any time by emailing privacy@tabtab.com. We respond within 30 days. If you are in the EU, UK, or California, you have additional rights under GDPR, UK GDPR, and CCPA respectively.

We may update this policy. Material changes will be posted here with a revised date. We will not retroactively reduce your rights without notice.