Privacy & Data Policy

Data you create

Tend stores the content you actively enter: mood check-ins, journal entries, gratitude logs, intentions, affirmations, CBT worksheets, coping cards, breathing sessions, habit logs, sleep logs, diet logs, work logs, planner events, chat messages, safety plan content, relationship goals, shared memories, relationship events, and daily partner question answers.

Account data

When you create an account, Clerk (our authentication provider) collects your email address and manages your login credentials. We store a reference to your Clerk user ID alongside your app data, along with any optional profile fields you choose to set — such as your display name, pronouns, and country.

Settings and preferences

We store your app preferences: AI provider choice, partner sharing toggles, dashboard widget visibility, and similar configuration. No preference data is sensitive or shared with third parties.

Usage and technical data

Vercel (our hosting provider) may log standard server request metadata — IP addresses, browser type, request paths — for infrastructure monitoring. This is not linked to your app content and is governed by Vercel's privacy policy. We do not run any independent analytics or tracking.

All data is encrypted in transit using HTTPS/TLS. The most sensitive fields are also encrypted at rest using AES-256-GCM before being written to the database.

Critically, each user's data is encrypted with a unique key derived from your account. This means your encrypted entries cannot be decrypted by another user's key — even if two accounts shared the same database row, neither could read the other's content. The derivation uses HKDF (an industry-standard key derivation function), combining a server-side master secret with your unique user ID to produce a key that exists only for your data.

Fields encrypted at rest include:

• Journal entry titles and body text
• Mood check-in notes
• AI chat messages (both yours and the AI's responses)
• CBT worksheet thoughts and reframes
• Coping card titles and body text
• Gratitude, intention, and sleep notes
• Partner question answers
• Safety plan content
• Work log reflections
• AI personal context (the background about yourself you share with your companion)

Even if the database were compromised, the content of these fields would be unreadable without both the server-side master secret and the correct user ID — neither of which is stored in the database.

Authentication is handled by Clerk — we never store your password or have access to it.

When you use an AI feature — solo chat, couples chat, journal reflection, CBT hints, or AI digest — your message and relevant context are sent to an AI provider (Anthropic or OpenAI, depending on your settings) to generate a response.

Your conversations are not used to train any AI model. We use API-only access under data processing agreements that explicitly prohibit the provider from training on inputs. Your messages are processed to generate a response and are then discarded by the provider.

If you have enabled “Share mood with AI” in Settings, a brief summary of your recent mood and patterns is included at the start of each session to give the AI context. You can disable this at any time and it affects only future sessions.

You can verify these commitments directly:

• Anthropic Privacy Policy
• OpenAI API Data Usage Policy

If you link a partner, certain wellbeing signals can be shared between you — but only those you explicitly opt in to. Sharing is individually controlled in Settings → Partner:

• Mood check-ins (mood label and energy level only)
• Sleep logs (hours and quality score)
• Meal logs (meal name, type, and calories)
• Gratitude entries (the text of entries)

The following are never shared with your partner, regardless of settings:

• Journal entries
• AI chat messages (solo sessions)
• CBT worksheets
• Coping card content
• Safety plan

Shared goals, relationship memories, events, and daily partner question answers are visible to both linked partners by design — these are explicitly collaborative features. Partner question answers are encrypted at rest and only surfaced to your partner once both of you have answered.

Real-time partner features (live notifications, couples chat) use Ably for message delivery. Ably acts as a transient relay — messages are not stored by Ably beyond the time needed to deliver them.

The eye icon in the top bar activates Privacy Mode. When enabled, sensitive text on screen is blurred so it cannot be read over your shoulder or in a screenshot. This is a client-side visual layer only — it does not affect what is stored or transmitted. Your data remains fully intact when Privacy Mode is on.

Access

All the data you enter is visible to you within the app. You can review your mood history, journal, habits, chat sessions, and every other tool at any time.

Deletion

You can delete individual entries directly within each tool. To erase everything, go to Settings → Privacy → Clear all data. This permanently and irreversibly deletes all app data associated with your account. Your Clerk login account is unaffected — you can delete that separately from your account settings or by contacting Clerk.

Portability

If you would like an export of your data, please contact us. We will provide a machine-readable export within 30 days.

Rectification

You can update your display name, pronouns, and other profile fields at any time in Settings. For corrections to data you cannot edit in-app, contact us.

Objection and restriction (GDPR)

If you are in the EU or UK, you have the right to object to processing or request restriction. As we process your data solely to provide the service you have requested, the most practical way to exercise these rights is to delete your data or account. Contact us for any other requests.

Tend uses a small number of browser cookies and local storage items, strictly for functional purposes:

• Authentication session cookie — set by Clerk to keep you signed in
• Theme — Tend follows your OS dark/light mode preference automatically; no theme value is written to storage
• Dismissed feature announcements— stored in local storage so notification banners don't reappear
• Splash screen flag — session storage flag so the intro animation only plays once per tab
• Privacy Mode state — session storage flag so the screen-blur setting persists within a tab; resets when the tab is closed

We do not use advertising cookies, cross-site tracking cookies, or any third-party analytics cookies.

Your data is retained for as long as your account is active. If you delete specific entries, they are removed immediately. If you use “Clear all data,” all app content is deleted immediately and cannot be recovered.

If you have an active Grow plan subscription, Stripe retains billing records for as long as required by financial regulations (typically 7 years). These records contain only payment metadata — no health or app content.

Server-side request logs (held by Vercel) are retained according to Vercel's standard data retention policy, typically 30 days.

Tend uses the following third-party services. Each handles only the data necessary for its function and operates under its own privacy policy.

• Clerk — Authentication and user account management
• Neon / PostgreSQL — Encrypted database hosting (EU region)
• Vercel — Application and API hosting, edge delivery
• Anthropic — Claude AI models — API only, no training on your data
• OpenAI — GPT AI models — API only, no training on your data (if selected)
• Ably — Real-time message relay for partner features and live chat
• Stripe — Payment processing for Grow plan subscriptions

We do not use any advertising networks, data brokers, or analytics platforms (e.g. Google Analytics, Meta Pixel).

Tend is not designed for or directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, please contact us and we will delete the account and associated data promptly.