Privacy Policy

Effective date: April 28, 2026

Tend ("we", "us", "our") operates the Tend mobile application. This policy explains what data we collect, how we use it, who we share it with, and what rights you have. We believe in being straightforward, so we have written this in plain English.

1. Information We Collect

Account information. When you create an account, we collect your email address, display name, and profile photo. You may optionally provide a phone number and date of birth during onboarding.

Connection data. When you add a connection, you provide their name, relationship type, love language, important dates, notes, interests, city, communication preferences, relationship goals, and proximity. You may update this information at any time.

Engagement data. We track how you interact with nudges (whether you acted on, dismissed, or skipped them), warmth signals you send or receive (including optional reason text), your caring streaks, and relationship health scores.

Pulse check data. If you and a mutual connection participate in daily pulse checks, we store the questions and answers you each provide.

Love Map data. We store your answers to questions about your connections' inner worlds (preferences, dreams, values).

Bid tracking. If you use the emotional bid feature, we record whether bids were turned toward, turned away from, or turned against.

Conflict entries. If you use Conflict First Aid, we store the conflicts you document along with their pattern classifications (e.g., criticism, defensiveness, contempt, stonewalling).

Ritual data. If you create shared rituals with connections, we store the activity details and completion history.

Device information. We collect your Firebase Cloud Messaging (FCM) token for push notification delivery, your device type, and your timezone.

Derived psychological-profile traits. Tend infers a set of high-level traits about how you approach relationships — for example, which love languages you lean toward, your communication style, and your comfort pattern. These traits are computed from your onboarding answers (and, over time, from your in-app behavior) and stored as numeric scores alongside confidence levels. They are never shared with anyone outside Tend, never named to you using clinical vocabulary, and the full set is always available via Settings > Your data > Export my data. Your personalization consent toggle governs whether these are written at all, and deleting your account removes them alongside everything else.

Usage analytics. We collect structural events about how you use Tend — which screens you visit, which buttons you tap, which features work for you. These events are metadata only (for example, "a pulse card was answered" with the category and response time, never the answer text). Events are grouped into three tiers:

Essential: sign-ins, app launches, sessions, crashes, permission prompts, account-deletion confirmations. Retained for security-audit purposes; always on so the app can keep working.
Personalization: pulses viewed, nudges acted on, warmth signals, onboarding choices, tab navigation. Used only to personalize your experience; controlled by a consent toggle in Settings > Your data.
Research: aggregated, anonymized signals that would help us improve Tend for other couples. Off by default; opt-in via Settings > Your data.

You can see, change, or withdraw each of these settings at any time in Settings > Your data. Events contain no raw relationship content — only event types, categories, timestamps, and numeric metadata. Legacy Firebase Analytics continues to capture screen-view telemetry for the same purposes. We also collect crash reports through Firebase Crashlytics to fix bugs.

Subscription and payment data. If you subscribe to Tend Plus or Tend Therapy, Apple processes your payment. We receive confirmation of your subscription tier and its validity, but we do not see or store your payment method details.

Newsletter subscription. If you subscribe to our newsletter, we store your email address and subscription date.

2. How We Use Your Information

To generate personalized nudges and relationship insights using AI.
To deliver push notifications for nudges, warmth signals, pulse checks, and connection requests.
To match connection requests between users via email lookup.
To compute relationship health scores, caring streaks, and weekly reports.
To improve nudge quality based on your engagement patterns.
To diagnose and fix bugs using crash reports.
To understand which features are used so we can improve the app.

3. AI Processing (Anthropic Claude)

We use Anthropic's Claude AI to generate personalized nudges, "Help me say it" coach drafts, conflict reframings, weekly reports and digests, AI-mediated couple conversations, and to reply to comments and DMs on our official Instagram account. Before any prompt reaches Claude, we apply a strict redaction layer.

What we never send to Claude:

Real names — yours or your connections'. Names are replaced with neutral placeholder names ("Alex", "Jamie", and similar) before the prompt is built. Real names are restored in the response on our server before it reaches your device or anyone else's.
Email addresses, phone numbers, URLs, and social handles — even if you typed them into a free-text field like a note, a warmth-signal reason, a coach-draft situation, or a therapy message. Structural identifiers like these are scrubbed by regex before the prompt is built.
City names and addresses. We drop locations entirely. Where the AI needs to know whether someone is local or far, we use a categorical descriptor ("same city", "different city", "different country") instead.
Custom-text pronoun fields. Pronouns are normalized to a closed allow-list (she/her, he/him, they/them, etc.). Anything outside the list — which could potentially contain a name — is normalized to "they/them" before the prompt is built.

What we do send to Claude:

Derived behavioral signals — love language, communication style, apology language, comfort pattern, attachment scores, life stage, budget comfort. These are categorical labels and numeric scores; they describe how without identifying who.
Structural relationship metadata — relationship type ("partner", "friend", "parent"), proximity category, relationship goal, relationship context (e.g., "long-distance", "new parent"), shared interests as keywords, the relevant placeholder name in place of the real one.
Free-text fields you provided — notes about a connection, warmth-signal reasons, coach-draft situations, conflict descriptions, therapy messages — after the redaction layer described above has run on them. Structural PII (emails, phones, URLs, handles) is replaced with opaque tokens; named references to anyone we have on record are replaced with placeholders; the rest of the text passes through.
Recent nudge history and engagement metadata — nudge category, engagement outcome, dates, streak counts, health score trends. The nudge body text passes through the same redaction layer (real names → placeholders).

For AI-mediated couple conversations specifically — message text flows through the redaction layer turn by turn. Each session has a stable placeholder mapping (the same partner gets the same placeholder name across every turn) so the AI's understanding of "who said what" remains consistent across the whole conversation. The AI's reply is restored to real names before it appears in your chat.

How we enforce this. Immediately before every call to Claude, a fail-closed gate inspects the final prompt and aborts the call if any registered name or structural-PII pattern is detected. The gate is non-optional, runs on every code path that reaches the API, and is covered by a 95-case unit-test suite plus a regression-eval suite that runs on every code change to the AI pipeline.

Per Anthropic's API terms of service, data sent via their API is not stored by Anthropic beyond the duration of the request and is not used to train their models.

4. Data Sharing

We do not sell your personal data. We share data only in the following cases:

With mutual connections. When you and another Tend user are mutual connections, the following is shared between you: your name, profile photo, warmth signals (including reason text), and pulse check answers. If you update your profile name or photo, those changes automatically sync to your connections.

User lookup (before connection). When someone searches for you by email to send a connection request, they can see your name, profile photo, love language, and date of birth before you accept the request.

Service providers. We use the following third-party services to operate Tend:

Google Firebase: Database (Firestore), authentication, analytics, crash reporting (Crashlytics), and push notifications (FCM).
Anthropic: AI processing for nudges, coach drafts, conflict reframing, and weekly reports (as described in Section 3).
Apple: Push notifications (APNs), payments and subscription management (StoreKit), and Sign in with Apple authentication.

Legal requirements. We may disclose your data if required by law, court order, or governmental regulation, or if necessary to protect our rights, safety, or property.

5. Analytics, Consent, and Controls

We run two parallel analytics systems. Both are metadata-only: neither ever captures the text you type, the content of pulses or nudges, or any other relationship content.

Personalization event log (first-party). When you use the app we record structural events — for example "pulse card viewed for 12 seconds then answered, answer length 87 characters" — into your own private event store on our servers. These events power the personalization that makes nudges feel like they're meant for you. They are divided into three tiers:

Essential events (sign-in, app lifecycle, permission prompts, account-deletion audit) are always on.
Personalization events are controlled by the "Personalize my experience" toggle in Settings > Your data. In the EU/EEA/UK this toggle defaults off and you opt in; elsewhere it defaults on and you can opt out.
Research events (aggregate, anonymized signals to improve Tend for other couples) are off by default and require explicit opt-in.

We also operate a runtime kill switch that lets us turn off event collection across the service in an emergency (for example, a cost runaway or a privacy incident). The kill switch takes effect within minutes server-side.

Your controls in Settings > Your data:

Toggle personalization on or off at any time.
Choose how long we keep your events (1 to 60 months; default 24). Events past your chosen retention are deleted automatically by a daily cleanup job.
Export a JSON copy of everything we have stored for you — profile, preferences, and your event history — delivered to your email via a 24-hour signed download link.

Certain security-audit events (sign-in successes and failures, permission grants/denials, confirmed account deletions) are retained for 24 months regardless of your retention setting, because security and fraud investigations routinely need a longer window than ordinary events.

Firebase Analytics (third-party). We use Firebase Analytics to understand aggregate screen-view patterns. Events track structural actions only (for example, "user viewed the Discover tab") and never include relationship content.

Firebase Crashlytics. We use Crashlytics to collect crash reports, which include device type, operating system version, and stack traces. This helps us find and fix bugs. Crashes do not capture your data.

We do not collect advertising identifiers (IDFA).

6. Push Notifications

Push notifications are delivered via Firebase Cloud Messaging (FCM) and Apple Push Notification service (APNs). Notification content may include nudge text, connection names, and warmth signal descriptions. You can disable push notifications at any time in your device settings.

7. Data Storage and Security

Your data is stored in Google Firebase (Firestore), which encrypts data both in transit and at rest.
Firestore security rules restrict access so that you can only read and write your own data.
Profile photos are stored as compressed data within your user document.
We do not apply additional field-level encryption beyond what Firebase provides.

8. Your Rights

Regardless of where you live, you have the following rights:

Access and portability: Settings > Your data > Export my data generates a machine-readable JSON copy of your profile, preferences, and event history and emails you a 24-hour signed download link. If the email doesn't arrive, the app shows a Copy link fallback so you always get the download. You may also email us at privacy@tend.guru.
Correction: You can edit your profile, love language, communication style, and connection details at any time within the app.
Deletion: You can delete your account from Settings > Delete Account. This removes all your data — including your event history and any pending data exports — from our servers within 30 days.
Control over analytics: Settings > Your data lets you toggle personalization and research consent, and pick a retention window (1–60 months) independent of your overall account lifetime.

For residents of the European Union / European Economic Area:

Our legal bases for processing your data are your consent (when you create an account and use features) and our legitimate interest in operating and improving the app.
You have the right to withdraw consent at any time by deleting your account.
You have the right to lodge a complaint with your local data protection supervisory authority.
Your data is transferred to the United States (where Google Cloud and Anthropic servers are located). By using Tend, you consent to this transfer.

For California residents (CCPA):

Right to know: The categories of personal information we collect are listed in Section 1 of this policy.
Right to delete: Use Settings > Delete Account, or contact us at privacy@tend.guru.
Right to opt out of sale: We do not sell your personal data to third parties.
Right to non-discrimination: We will not treat you differently for exercising any of your privacy rights.

9. Data Retention

Account data (profile, connections, nudges, pulses, love map, rituals) is retained for as long as your account is active.
Personalization and research events are retained per your "Keep my activity for" setting in Settings > Your data (default 24 months; configurable 1–60). A daily cleanup job deletes events past this window.
Essential security-audit events (sign-ins, permission decisions, confirmed account deletions) are retained for 24 months regardless of your retention setting.
Derived psychological-profile traits (summary signals computed from your events and onboarding answers) are retained for as long as your account is active and are recomputed periodically from the most recent underlying data. They are deleted together with your account and are included in "Export my data." Pruning the underlying events (via your retention setting) will cause the traits to drift toward their baseline on the next recomputation.
When you delete your account, all your data — including the event history and any pending data-export files — is removed from our servers within 30 days.
Please note: warmth signals you previously sent to mutual connections, and data included in your mutual connections' weekly reports, may persist in their accounts after you delete yours.
Newsletter subscriptions are retained until you unsubscribe.

10. Children's Privacy

Tend is not intended for anyone under the age of 13. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13, we will delete that data promptly. If you believe a child under 13 has provided us with personal data, please contact us at privacy@tend.guru.

11. International Data Transfers

Your data is processed in the United States via Google Cloud (Firebase) and Anthropic. By using Tend, you consent to the transfer of your data to the United States, where data protection laws may differ from those in your country.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you through the app or by email. Your continued use of Tend after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or want to exercise any of your rights, contact us at privacy@tend.guru.