Privacy Policy
Last updated: 25 April 2026
Tendo (operated by Miguel Ridruejo, sole proprietor; "we", "us") is an AI customer-support tool installed on Shopify stores by merchants. This policy explains what personal data we process, why, where it lives, how long we keep it, and how to exercise your rights over it.
1. Who controls your data
For data we receive from merchants (their Shopify session, OAuth tokens, knowledge-base content), Tendo is the data controller.
For data inside customer support emails forwarded to Tendo by merchants (your customer's name, email, order details, complaint text), the merchant is the controller and Tendo is the processor. If you are an end-customer asking about your data, contact the merchant first; we'll honor a request routed through them.
2. What we process
From merchants when they install Tendo:
- Shopify session token, store domain, store timezone, plan tier (provided by Shopify on install).
- OAuth refresh and access tokens for the merchant's connected email inbox (Gmail, Microsoft 365) — encrypted at rest with AES-256-GCM.
- SMTP credentials when the merchant chooses SMTP — encrypted identically.
- Knowledge-base text the merchant pastes (return policies, FAQs, shipping info).
- Sample reply text the merchant pastes for tone calibration.
From customer support emails forwarded to Tendo:
- The sender's email address and name (when included).
- The body of the email (subject + plain text + HTML).
- Order references mentioned in the email (e.g., "#1004"), which we look up against the merchant's Shopify order data.
- A SHA-256 hash of the sender's email (for indexing without storing PII in indices).
From the merchant's Shopify store (via webhooks the merchant authorizes during install): order status, financial status, fulfillment status, total, customer email, line items. Stored as a per-shop snapshot for tickets to reference; refreshed on Shopify webhooks.
Operational metadata: request IPs for the public waitlist form (stored only as a hash; we never store raw IPs at rest), user agents (capped at 500 chars), and audit-log entries for actions Tendo takes on the merchant's behalf.
3. Why we process it
- To draft, send, and track customer-support replies on behalf of the merchant. This is the core service; without these data we cannot deliver Tendo.
- To maintain audit logs of every action (refund issued, reply sent, escalation) — for the merchant's accountability and dispute defense.
- To bill via Shopify (the merchant's billing relationship is handled by Shopify, not us).
- To improve the service through anonymized eval datasets that contain no real customer text (we maintain a hand-written golden dataset internally for testing).
We do not sell personal data, train AI models on merchant or customer data, or use data for advertising. The AI model provider (Anthropic) does not train on data sent through their API per their commercial terms.
4. Sub-processors
We use the following infrastructure providers. Each handles only the slice of data described, and only inside the United States or regions chosen for performance.
| Provider | Purpose | Region |
|---|---|---|
| Supabase (Postgres + pgvector) | Primary database | US East |
| Fly.io | Application server hosting | US East (iad) |
| Upstash (Redis) | Job queues + rate-limit counters | US East |
| Anthropic (Claude API) | AI processing of ticket text | US |
| OpenAI (embeddings only) | Knowledge-base vector embeddings | US |
| Postmark | Inbound email delivery | US |
| Cloudflare | DNS, static landing/docs hosting | Global edge |
| Shopify | App distribution, billing, OAuth | Per-merchant |
5. Retention
- Tickets, messages, actions: kept while the merchant's installation is active. Deleted within 30 days of app uninstall (Shopify Compliance webhooks trigger this).
- OAuth tokens / SMTP credentials: deleted immediately when the merchant disconnects the inbox or uninstalls.
- Audit logs: retained for 2 years in hot storage, then archived and deleted within 7 years.
- Waitlist signups: kept until you ask us to remove them (email below) or 24 months without contact.
6. Your rights
Whether you're an end-customer whose email reached Tendo through a merchant, or a merchant directly, you can ask us to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Receive a copy of your data in a structured, common format.
- Object to processing or restrict it.
End-customers should ask the merchant first (the merchant is the controller for support-email data). If the merchant cannot resolve your request, email us and we will help. Merchants can contact us directly.
We respond within 30 days. For California residents, we also honor CCPA-specific rights, including the right to know what categories of data are collected and the right to opt out of any sale (we do not sell data).
7. Security
- OAuth tokens and SMTP passwords encrypted at rest (AES-256-GCM).
- TLS 1.2+ in transit for all customer-facing endpoints.
- Database access locked to our application servers via Supabase pooler.
- Rate limits and per-IP throttling on public endpoints.
- Webhook authenticity verified via HMAC (Shopify) or basic auth (Postmark) before processing.
If we suffer a breach affecting personal data, we will notify affected merchants without undue delay and within 72 hours where feasible, in line with GDPR Article 33.
8. International transfers
Most data is stored in the United States by our sub-processors. If you are located in the European Economic Area, the United Kingdom, or Switzerland, transfers rely on Standard Contractual Clauses (SCCs) executed with our processors.
9. Children
Tendo is not directed at children. We do not knowingly collect personal data from anyone under 16. If a parent or guardian believes we hold such data, contact us and we will delete it.
10. Changes to this policy
We will update this page when our processing materially changes, and notify merchants by email or in-app banner with at least 14 days' notice before material changes take effect.
11. Contact
Email: privacy@tendohq.app
Postal: address available on request.