Privacy Policy

1. Information We Collect

We collect information you provide directly to us and information generated through your use of our platform.

Information you provide

• Account information: name, email address, business name, and password when you register.
• Billing information: payment card details (processed by Stripe; Tenlo does not store raw card numbers).
• Business data: your Google Business Profile details, customer contact lists, review campaign settings, and related content you upload or connect.
• Communications: messages you send us through support channels.

Information collected automatically

• Usage data: pages visited, features used, timestamps, and actions taken within the platform.
• Device & log data: IP address, browser type, operating system, and referring URLs.
• Cookies: session tokens and preference data (see Section 7).

Information from third parties

• Google Business Profile data when you connect your account via OAuth.
• Gmail data (sender, subject, snippet) when you authorize the Sales Outreach product.

2. How We Use Your Information

We use your information to:

• Provide, operate, and improve the Tenlo platform and its features.
• Send review request campaigns via SMS and email on your behalf.
• Authenticate your identity and maintain account security.
• Process payments and send billing notifications.
• Respond to your support requests and inquiries.
• Send product updates, security notices, and policy changes (you may opt out of marketing emails at any time).
• Analyze aggregate usage patterns to improve performance and features.
• Comply with legal obligations.

We do not use your data to train AI models, and we do not sell or rent your personal information to any third party.

3. Sharing Your Information

We share your information only in the following limited circumstances:

Service providers

We work with trusted vendors who process data on our behalf under strict confidentiality agreements. These include Supabase (database), Twilio (SMS), Resend (email), Stripe (payments), Vercel (hosting), OpenAI and Anthropic (AI processing), and Pinecone (vector search).

Legal requirements

We may disclose information if required by law, court order, or to protect the rights, property, or safety of Tenlo, our users, or the public.

Business transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email prior to any such transfer.

With your consent

We may share information with your explicit permission for purposes not described here.

4. Data Retention

We retain your account and business data for as long as your account is active. When you cancel your subscription, we retain your data for 90 days to allow for account reactivation, after which it is permanently deleted from our systems.

Aggregated, anonymized analytics data may be retained indefinitely. Backup copies may persist for up to 30 additional days following deletion.

You may request earlier deletion at any time by contacting us at privacy@tenloai.com.

5. Security

We take reasonable technical and organizational measures to protect your information, including:

• TLS encryption in transit for all data.
• Row-level security policies in our database (Supabase/PostgreSQL).
• OAuth-only authentication flows — we never store plain-text passwords.
• Access controls limiting data access to authorized personnel only.

No method of transmission or storage is 100% secure. If you suspect unauthorized access to your account, contact us immediately at security@tenloai.com.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data (subject to legal retention obligations).
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to certain types of processing, including direct marketing.
• Withdrawal of consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@tenloai.com. We will respond within 30 days.

If you are located in Canada, you have additional rights under PIPEDA. If you are in the EU/EEA, GDPR rights apply. California residents may exercise rights under CCPA.

7. Cookies & Tracking

We use the following categories of cookies:

• Essential cookies: Required for authentication sessions and platform functionality. Cannot be disabled.
• Analytics cookies: Help us understand how the platform is used (e.g., page views, feature usage). You may opt out via your browser settings.

We do not use advertising or cross-site tracking cookies. You can manage or disable non-essential cookies in your browser's privacy settings at any time.

8. Third-Party Services

Our platform integrates with third-party services to deliver features. Each operates under their own privacy policy:

• Stripe — payment processing
• Twilio — SMS delivery
• Resend — transactional email
• Supabase — database and authentication
• OpenAI — AI processing
• Anthropic — AI processing

Tenlo is not responsible for the privacy practices of these third parties. We encourage you to review their policies.

9. Children's Privacy

Tenlo is a business-to-business platform intended for users 18 years of age and older. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.

10. CASL Compliance (Canada's Anti-Spam Legislation)

Tenlo is headquartered in Canada and complies with Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23. When we send commercial electronic messages (CEMs) — including review request SMS and emails — on behalf of our customers, we require and facilitate compliance with the following obligations.

Consent

We only send CEMs to recipients where express or implied consent exists. Express consent is obtained when a recipient explicitly agrees to receive messages. Implied consent may exist where there is an existing business relationship between the sender and the recipient. Tenlo's platform is designed to support customer-directed campaigns; our customers are responsible for ensuring valid consent exists for each recipient in their campaigns.

Identification

Every commercial electronic message sent through Tenlo identifies the sender and includes accurate contact information, including the business name and a means to contact the sender.

Unsubscribe Mechanism

Every message includes a clear and functional unsubscribe mechanism. Unsubscribe requests are processed within 10 business days as required by CASL. Once a recipient unsubscribes, no further messages will be sent to that contact.

Consent Records

Tenlo maintains records of consent on behalf of customers where technically feasible. Customers are responsible for maintaining their own consent records and providing proof of consent if required. We recommend customers document how and when consent was obtained for each recipient.

Customer Responsibility

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 14 days before the changes take effect, and we will update the "Last updated" date at the top of this page.

Your continued use of Tenlo after the effective date constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out: