Privacy Policy

Effective date: 2026-04-21 Last updated: 2026-04-21 (added Google Calendar integration)

Our commitments to you

Tenshen is an AI assistant that acts as your system of record. That only works if you can trust it with your data. Here is what we commit to, in plain English.

Your data is yours. The AI reads your work so it can help you. We do not read your work to extract value from it.

We will never sell your data. Not to advertisers, not to data brokers, not to AI training pipelines — ours or anyone else's. Not to any third party for any price. Our business model is subscriptions paid by the people using the product. We have no revenue stream that competes with this commitment.

Your data reaches a third party only in two situations. First, it goes to the infrastructure Tenshen cannot run without — the sub-processors named below. Second, it goes to plugins or integrations you explicitly turn on. When you enable an integration, we will tell you exactly what is shared, ask your permission every time, and let you revoke access whenever you want.

We collect the minimum needed to run the product. No analytics trackers. No advertising IDs. No location data. No device fingerprinting. No cross-site identifiers.

If we ever change these commitments, you hear about it before it takes effect. In-app and by email, with reasonable advance notice.

What we collect

Account data: your email address, display name, and a bcrypt hash of your password.
Content you create: tasks, projects, notes, conversations with the assistant, reminders, people and organizations you track, and files you upload.
Content Tenshen generates for you: briefings and audit-log entries tied to your account.
Calendar data (only if you connect Google Calendar): event titles, descriptions, start and end times, locations, conference links, attendee email addresses, and the minimum metadata needed to sync incrementally (Google's opaque syncToken, the event id, and the recurring-event id). Stored locally on your behalf, keyed to your account. The refresh token Google issues is encrypted at rest before being written to disk.
Usage signals the product relies on: session cookies, the work / personal workspace cookie, last-viewed timestamps, view counters, and passive signals that drive features like the "possibly blocked" flag.

What we do not collect: analytics events, tracking pixels, advertising IDs, precise location, device fingerprints, or cross-site identifiers.

How we use it

To run the product for you: show your data, generate AI responses, send notifications, and run scheduled jobs (briefings, reminders, stale-task escalation, background context summarization).

That is the whole list. No secondary uses. No marketing. No ad targeting. No model training.

Assistant feedback submissions

When you tell the Tenshen Assistant to pass something on as feedback — a bug report, feature request, or product reaction — it creates a task in the Tenshen operator's account containing the text you submitted, your email address, the user id associated with your account, the page you were on when you submitted, and a timestamp. This lets the operator triage and act on what you raised.

This is separate from the general "your data is yours" commitment because it is a deliberate outbound action: you explicitly ask the assistant to forward something, the assistant confirms before sending, and nothing is routed without that confirmation.

Who sees it — our sub-processors

These are the third-party services Tenshen sends data to because it cannot run without them. We name each one.

Anthropic (Claude API). Receives task, project, note, and conversation content when Tenshen calls the Claude API to generate AI responses. Per Anthropic's commercial API terms, Anthropic does not train on API data and retains it briefly for abuse monitoring only. See Anthropic's privacy policy at https://www.anthropic.com/legal/privacy.
Google LLC (Google Calendar API). Only if you connect Google Calendar. Tenshen exchanges OAuth credentials with Google's OAuth server and calls the Calendar API to read your events. Tenshen does not send your Tenshen data to Google — the flow is strictly inbound (we read your calendar). See Google's API Services User Data Policy at https://developers.google.com/terms/api-services-user-data-policy and Google's privacy policy at https://policies.google.com/privacy.
Web Push vendors (Google, Mozilla, Apple). Receive encrypted push-notification payloads from Tenshen when you have push notifications enabled. Which vendor depends on the browser you use.

No one else. No analytics vendors. No ad networks. No data brokers. No resale partners.

Integrations you turn on — Google Calendar

When you connect Google Calendar at Profile → Integrations, Tenshen requests only the https://www.googleapis.com/auth/calendar.readonly scope. This is a read-only scope. Tenshen does not and cannot write to, modify, or delete events on your calendar. A test in our suite (tests/test_calendar_writes_guard.py) fails the build if any calendar-write API method appears in the codebase.

The refresh token Google issues is encrypted at rest with Fernet, using a key separate from the session-cookie signing key. Disconnecting the integration from Profile → Integrations → Disconnect immediately nulls the stored refresh token, stops the sync, and leaves the already-synced calendar data in place (you can delete it by deleting the individual meetings, or on request through the rights process below).

Tenshen's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Your rights

You can, at any time:

Export your data — get a copy of everything you have put into Tenshen.
Delete your account — your content is purged within 30 days of request; residual backups roll off within 90 days.
Correct inaccurate data — most fields are editable directly in the product; for anything else, contact us.

To exercise any of these rights, email us using the address in the Contact section below. We will honor your request within 30 days.

Self-serve tooling for export and account deletion is on our roadmap. The commitment above holds whether those self-serve tools exist yet or not.

How long we keep it

Your account and content stay as long as your account is active.
Soft-deleted items sit in trash for 30 days, then are purged automatically.
When you delete your account, all content is purged within 30 days. Backups roll off within 90 days. Anonymized authentication logs required for security are retained for up to 12 months.

Security

Passwords are hashed with bcrypt.
Sessions use tamper-resistant signed cookies.
CSRF protection on every mutating endpoint.
Rate limiting on authentication endpoints.
HTTPS in all production deployments.

To be straightforward: these are reasonable baseline practices, not a compliance certification. Tenshen does not claim SOC 2, ISO 27001, or HIPAA compliance.

Cookies

Tenshen uses a small set of first-party functional cookies:

A session cookie, for authentication.
A workspace-toggle cookie, so the product remembers your work / personal selection.
A CSRF double-submit cookie, read by the server on every mutating request to confirm it came from this site.
Short-lived state cookies the product's own code needs (for example, an OAuth state cookie used only during the Google Calendar connect handshake, and per-workspace palette preferences).

No analytics cookies. No tracking cookies. No third-party cookies.

Children

Tenshen is not directed at users under 16, and we do not knowingly collect data from children under 16.

Changes to this policy

If we change this policy, we will announce it in-app and by email with reasonable advance notice before it takes effect. Previous versions of this policy are available on request.

Contact

Questions, requests, or concerns about your data: privacy@tenshen.app.

Please include "Privacy" in the subject line so we can route it quickly.