Back

Privacy Policy for Tailride

Last updated: 25 May 2026

This Privacy Policy describes how Tailride S.à r.l., 6 rue M. Schnadt, L-2530 Luxembourg, RCS B303779, VAT LU37209474 ("Tailride", "we", "us") collects, uses, stores, and discloses personal data when you use https://tailride.so and the Tailride application.

1. Data we collect
- Account data: name, email address, authentication data.
- Billing data: customer/subscription identifiers and payment metadata from our payment providers.
- Service data: invoices, receipts, extracted fields, scan history, connected account metadata, and settings.
- Integration data: when you connect email providers (for example Google or Microsoft), we receive authorized tokens and read-only mailbox access needed to locate relevant financial documents.
- Technical data: logs, device/browser information, IP-related diagnostics, and cookie/session data.

2. How we use data
We process data to (a) provide and maintain the service, (b) extract and structure invoice/receipt information, (c) secure accounts and prevent abuse, (d) process billing and subscriptions, (e) provide support, and (f) improve reliability and performance.

3. Legal bases (where applicable)
Depending on your jurisdiction, we process personal data on one or more of these bases: contract performance, legitimate interests (security, fraud prevention, product reliability), legal obligations, and your consent (for example certain integrations/cookies).

4. Integrations and restricted use of mailbox data
If you connect an inbox, Tailride uses granted permissions only to identify and process relevant financial documents for your workspace. We do not send email on your behalf through this access. Tailride does not use customers' data to develop, improve, or train generalized AI/ML models.

5. Sharing and processors
We do not sell personal data. We share personal data with three categories of third parties:

(a) Sub-processors that process personal data on Tailride's behalf and under Tailride's instructions (cloud hosting, OCR/AI providers, transactional email, customer-support chat). These are listed in our Data Processing Agreement at https://tailride.so/dpa and operate under GDPR Article 28 contracts.

(b) Independent or joint data controllers that process certain personal data for their own purposes (payment processors, web/product analytics, advertising and affiliate partners, anti-fraud checks). These are listed in section 12 below, are not Tailride Sub-processors, and process personal data under their own privacy notices.

(c) User-enabled integrations and recipients that you choose to connect (for example email providers, accounting platforms, messaging channels) — these process personal data under your own agreement with the relevant provider.

We may also disclose personal data to your authorized collaborators, or when required to comply with law, legal process, or enforceable requests.

6. International transfers
Your data may be processed in countries other than your own. Where required, we use appropriate safeguards for cross-border transfers.

7. Retention
We retain personal data for as long as needed to provide the service, maintain legitimate business records, and comply with legal obligations.

8. Deletion of account and data
You can delete your account directly in the product:
- Go to Settings.
- Open the Delete account section.
- Enter your account email for confirmation.
- Click Permanently delete.

When completed, Tailride initiates deletion of your workspace data (including invoices, extracts, connected accounts/integrations, and settings) from our production systems within 90 days, revokes available provider tokens, deletes associated stored files, and logs you out. Some limited records may be retained where legally required (for example fraud prevention, accounting, or dispute obligations).

Encrypted backups roll over on their own cycle (currently up to twelve months); they are kept isolated and used solely for disaster recovery. If we ever restore from a backup, we re-apply your deletion to the restored data.

If you cannot access your account, request deletion at mike@tailride.so from your registered email.

9. Security
We implement reasonable technical and organizational safeguards, including encryption in transit and access controls. No system can be guaranteed fully secure.

10. Your rights
Subject to applicable law, you may request access, correction, deletion, objection/restriction, or portability of your personal data by contacting mike@tailride.so. You may also manage cookies through browser controls.

11. Children's data
Tailride is not directed to children under 13, and we do not knowingly collect personal data from children.

12. Provider list (third-party services we use)
This list reflects providers as of the Last updated date and is kept current. It separates Sub-processors (covered by Tailride's DPA) from independent or joint controllers and from user-enabled integrations.

A) Sub-processors covered by the Data Processing Agreement (Article 28 GDPR)
The full list with legal entities, regions of processing and transfer safeguards is in Appendix 3 of the DPA at https://tailride.so/dpa. As of the Last updated date these are:
- Vercel — web hosting, edge compute, CDN.
- Amazon Web Services — object storage (S3) and OCR (Textract).
- MongoDB Atlas — managed application database.
- Upstash — asynchronous job queue (QStash).
- Google Cloud Run — internal backend microservices.
- Hetzner — background worker and Gotenberg PDF rendering.
- Resend — transactional email delivery.
- Crisp — live-chat customer support.
- OpenAI — invoice text extraction.
- Microsoft Azure (Azure OpenAI / Azure AI Vision) — OCR and document understanding.
- Google Gemini — invoice extraction.

B) Payment partners (independent data controllers)
Payment partners act as independent data controllers for payment data they process under their own legal and regulatory obligations (PCI-DSS, anti-money-laundering, fraud prevention). They are not Tailride Sub-processors.
- Stripe (Stripe Payments Europe Ltd, Dublin, Ireland) — payment processing, subscription billing, customer billing portal, tax-related fields at checkout.
- Planned: Paddle (Paddle.com Market Ltd, London, UK) — Merchant of Record payment processing for selected markets.

C) Web and product analytics (joint or independent controllers; loaded subject to cookie consent)
- Google Tag Manager and Google Analytics 4 (Google Ireland Ltd) — site analytics and conversion measurement.
- DataFast — privacy-friendly product analytics (page views and conversion events).
- Ahrefs Analytics — basic website analytics.

D) Advertising partners (joint or independent controllers; loaded subject to cookie consent)
- Meta Pixel and Conversions API (Meta Platforms Ireland Ltd) — ad measurement and audience targeting.
- Planned: Google Ads (Google Ireland Ltd) — ad delivery and conversion measurement.

E) Affiliate-marketing partners
- Affonso (Affonso, Cologne, Germany) — affiliate-referral attribution; minimal data shared (click ID and conversion events).

F) Anti-fraud and account-creation checks
- UserCheck (Issoudun Pte. Ltd. dba UserCheck, Singapore) — disposable-email-domain check at registration; only the email domain is sent.

G) Ancillary providers that do not process personal data
- Brandfetch — vendor-logo lookup (only a vendor domain name is sent).
- Currency-rate APIs — only currency codes are sent.

H) User-enabled integrations, communication channels, and destinations (activated only if you connect or use them; they process data under your own agreement or relationship with the relevant provider)
- Google services (Gmail, Drive, Sheets).
- Microsoft services (Microsoft 365 / Outlook / Graph, OneDrive).
- QuickBooks Online.
- Xero.
- Microsoft Dynamics 365 Business Central.
- Odoo.
- IMAP/SMTP servers.
- WhatsApp Cloud API.
- Telegram Bot API.
- Any custom webhooks configured by you.

This also includes documents uploaded through your browser or sent to Tailride through an email or messaging channel chosen by you or the sender.

13. Cookies and similar technologies
Tailride uses first-party and third-party cookies. Current cookies include:

A) Strictly necessary
- next-auth.session-token / __Secure-next-auth.session-token: keeps you signed in; session/authentication.
- next-auth.csrf-token / __Secure-next-auth.csrf-token: CSRF protection for auth flows.
- next-auth.callback-url / __Secure-next-auth.callback-url: stores post-login redirect target.
- NEXT_LOCALE: remembers your selected language (up to 1 year).

B) Functional and attribution
- initialReferrer: stores first known referrer domain for attribution/support context (about 30 days).
- utm_source, utm_medium, utm_campaign, utm_term, utm_content: stores UTM campaign parameters from landing URL (about 30 days).

C) Marketing/analytics cookies (set by enabled third-party scripts)
- datafast_visitor_id, datafast_session_id: DataFast attribution/session identifiers.
- affonso_referral: affiliate referral identifier used at checkout attribution.
- Google Analytics/Tag Manager cookies (for example _ga and related measurement cookies).
- Other vendor cookies from enabled analytics scripts (for example Ahrefs), which may vary by vendor implementation.

You can control non-essential cookies through your browser settings and, where available, consent controls.

14. Policy changes
We may update this Privacy Policy from time to time. Material updates will be posted on this page with a new "Last updated" date.

15. Contact
Privacy questions or requests: mike@tailride.so.
Tailride SARL
6 rue Henri M. Schnadt2530Fentange
+352661622171mike@tailride.so
Tailride