OAuth-Based Email Integrations in TallyPrime

1. Provider-Specific Disclosures (Privacy & Data Handling)

This section outlines our commitment to data privacy and security for specific email providers.

A. Google API Services (Gmail)

What Gmail Data We Access (and Why)

When you connect your Gmail account, we request a minimal set of OAuth scopes necessary to provide email sending functionality. The exact scopes are displayed on the Google consent screen and are limited to:

Scopes we request

What Gmail Data We Access

Our application is designed as a send-only implementation.

Data we access:

The information entered in Tally is sent directly to Google's mail servers through the API. Tally does not access or store the email content. Only limited technical data (such as telemetry or metadata), which does not identify the user, may be temporarily stored.

Data we DO NOT access:

We do not access, read, retrieve, or process any existing data from your Gmail account, including:

• Email messages (past or current)
• Inbox or folders/labels
• Email metadata (sender, timestamps, threads)
• Attachments stored in your mailbox
• Gmail settings (filters, forwarding, signatures, etc.)

Our application cannot view or read your mailbox at any time.

Restricted Scope Clarification

We do NOT request or use any restricted Gmail scopes, including:

• https://mail.google.com/ (full mailbox access)
• gmail.readonly or gmail.modify

This ensures that your email content remains completely private and our access is limited strictly to sending emails you initiate.

How Email Sending Works

When you send an email via our application:

• You compose the email within the application
• The content is securely transmitted to Gmail via API
• Gmail sends the email on your behalf

We use this data only at the time of sending and:

• Do not store email content after transmission
• Do not analyze or scan your email content
• Do not use email data for any secondary purpose

What we store & what we don't — Data Storage and Tokens

• We securely store OAuth access tokens to enable email sending (access token, refresh token, expiry, scopes, token type), your Google account email, and an internal link to your TallyPrime user/session. The access token is associated with this reference ID and not directly tied to your Tally account or email.
• Tokens are encrypted at rest and in transit, and limited in scope to send-only permissions.
• You can remove TallyPrime's access to your Google account at any time, either from TallyPrime or your Google account settings. Tokens are also automatically deleted after a period of inactivity. Once access is removed, you'll need to sign in again the next time you send an email.
• Minimal operational logs (timestamps, IP address, user agent, error traces without message content) to keep the service secure and debuggable.

We do not store any email data or mailbox content. We do not engage in automated analysis of message content beyond what is required to display and send your email.

• No background scraping: We fetch data as you use the UI; we do not routinely process your mailbox in the background.
• Human access is exceptional: Prohibited except (a) with your explicit consent for support, (b) when strictly required for security/abuse, or (c) to comply with applicable law. Any such access is limited and logged.

Retention

• OAuth tokens are retained until you revoke access or disconnect.
• We log basic events when you use the email service, such as login completion and successful email sends. These logs include only the time and a session reference, not email content, subject, recipients, or attachments. They are used for monitoring and troubleshooting and are kept for up to 6 months, after which they are deleted or retained only as non-identifiable summary data.

Security

• Transport security: All communications use TLS.
• Token protection: Tokens are stored with least-privilege access.
• Infrastructure: The Tally OAuth backend operates with standard security controls including network segmentation, rate limiting, and continuous monitoring.

Tally does not store or process the content of emails sent through this integration. Email content (subject, body, recipients, and the attached report) is sent directly from your TallyPrime application to your email provider via their API and is not stored on Tally's servers.

Your choices & controls

Revoke app access (Google account controls)

• Open Google Account → Security → Third-party apps with account access.
• Select the TallyPrime app (the exact app name shown on the consent screen).
• Click Remove Access.

Disconnect & delete tokens

You can log out from TallyPrime at any time, which immediately removes the tokens from the application and deletes them from Tally's servers. Tokens are also automatically deleted if not used for 7 days.

Data portability

Your Gmail data remains in Gmail. Because we do not store message content, there is no additional export to provide beyond what Google already offers.

Sharing & transfers

• No sale or leasing: We do not sell or lease Gmail data.
• No advertising use: We do not share Gmail data for advertising purposes.
• Service providers: We may use trusted vendors (e.g., hosting, monitoring) bound by contracts to use data only to provide services to us.
• Legal disclosures: We may disclose data where required by law or to protect rights, property, or safety, in accordance with due process.

Data transfers

All TallyPrime services for this integration are hosted and processed in India. If you access the service from outside India, your information will be transferred to and stored in India in accordance with applicable laws. Gmail message content itself remains with Google unless and until you view it in the UI.

Children's privacy

TallyPrime is not directed to children. Do not use the Gmail integration if you are under the minimum age.

How Sign-in works in your browser

We use essential session cookies or local storage for authentication and to maintain state within the webmail UI. During OAuth sign-in, your browser interacts directly with your email provider's pages, and any cookies or local storage set at that stage are governed by your email provider's policies. We do not use email data for advertising or cross-site tracking.

Compliance with Google API Services User Data Policy

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

• Data is used only to provide user-initiated functionality (sending emails)
• No data is used for advertising, profiling, or analytics
• No data is sold or transferred to third parties

B. Microsoft Graph API (Outlook / Office 365)

• Scope of Access: TallyPrime utilizes the "Mail.Send" permission via the Microsoft Graph API.
• Usage Intent: This permission is used exclusively to allow you to send business communications directly from the TallyPrime interface.
• Privacy Commitment: TallyPrime does not access, read, store, delete or share your inbox content, calendar, or contacts associated with your Microsoft account.

2. Common Technical & Legal Standards (Terms of Service)

The following supplemental terms and technical standards apply to all OAuth-based email integrations within TallyPrime:

• Credential Security: OAuth refresh tokens are stored on the Tally OAuth backend, encrypted at rest and in transit. The TallyPrime application holds only a short-lived access token and a session reference; it does not store your refresh token locally.
• Third-Party Compliance: By utilizing these features, you authorise the integration and agree to comply with the respective Terms of Service of your chosen provider, including the Google Terms of Service and Microsoft Service Agreement.
• User Responsibility: You are solely responsible for the accuracy, content, and legality of all messages sent through the integration.
• Service Limitations: TallyPrime is not liable for delivery failures, rate-limiting, or service outages caused by any reasons beyond our reasonable control including the third-party email API providers.
• Access Revocation: You maintain full control over these connections. You may revoke access at any time through your email provider's account settings:
  • Google account: Google Account → Security → Third-party apps
  • Microsoft consumer account (Outlook, Hotmail, Live, MSN): account.live.com/consent/Manage
  • Microsoft 365 / work or school account: myapps.microsoft.com

You may refer to the TallyPrime Policies for further information:

• Privacy Policy
• General Terms of Use