Tenlo AI Inc. (“Tenlo”, “we”, “our”) provides AI-powered software for small and medium businesses. We collect and use personal information only for defined business purposes: operating the Services, supporting Customers, securing the platform, processing payments, sending Customer-directed messages, and meeting legal obligations.
We process Customer Data on the Customer’s instructions. We do not sell personal information. We do not use Customer Data to train general-purpose AI models. We do not permit our AI providers to use Customer Data submitted through our API accounts to train their general-purpose models.
You can ask for access, correction, deletion, portability, or information about our handling of your personal information by emailing privacy@tenloai.com.
This policy applies to:
For Recipient data, the Customer is usually the organization with the direct relationship to the Recipient. Tenlo acts as the service provider that processes the data for that Customer.
We collect:
Depending on the products a Customer uses, Customer Data may include:
We collect:
When a Customer connects a third-party account through OAuth or another authorization method, Tenlo receives only the data the Customer authorizes and only for the Services the Customer has enabled. Supported or planned connected platforms include:
The third-party platform remains responsible for its own privacy practices and terms.
We use personal information and Customer Data for the following purposes:
Tenlo is not designed to process, and will not knowingly process, Protected Health Information as defined under the US Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), regulated health information under the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), or equivalent regulated-health-data regimes. We do not sign Business Associate Agreements. If you upload regulated health data in breach of the Terms of Service, we may remove it and may suspend your account under Section 13 of the Terms of Service.
We do not sell or rent personal information. We do not share personal information with third parties for their independent marketing purposes.
Tenlo is a Canadian business and designs this policy around the Personal Information Protection and Electronic Documents Act (“PIPEDA”), applicable provincial private-sector privacy laws, and other laws that may apply to our Services.
Under PIPEDA, we collect, use, and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. We rely on consent where consent is required. Consent may be express or implied depending on the sensitivity of the information, the context, and the individual’s reasonable expectations.
For processing that is integral to delivering the Services requested by a Customer, consent is generally provided through the Customer’s subscription, configuration choices, connected-account authorization, uploaded data, and use of the Services. For non-integral processing, such as Tenlo’s own optional marketing communications, we provide a choice where required.
We may also process or disclose personal information without consent where permitted or required by law, including for security, fraud prevention, debt collection, legal compliance, investigations, or emergencies.
For Customer Data, the Customer is generally the organization accountable for determining whether it has authority to collect, upload, connect, send, or otherwise process that data through the Services. Tenlo processes Customer Data as a service provider on the Customer’s behalf and according to the Customer’s instructions, the product configuration, these Terms, and applicable law.
For information about Tenlo account holders, billing contacts, website visitors, job applicants, and Tenlo’s own business contacts, Tenlo is the accountable organization.
Tenlo currently supports Customers in Canada and the United States. The Services are not intended for use in Europe, the United Kingdom, or other unsupported jurisdictions unless Tenlo agrees in writing. Customers that require additional data-processing terms for North American procurement may request Tenlo’s Master Services Agreement at legal@tenloai.com.
We use subprocessors to operate the Services. We require subprocessors to apply appropriate safeguards and to process personal information only for the services they provide to Tenlo.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Authentication and database | United States |
| Vercel | Application hosting | United States and global edge |
| Railway | Worker and job execution | United States |
| Anthropic | LLM inference (review classification, chat) | United States |
| OpenAI | Embeddings | United States |
| Pinecone | Vector storage | United States |
| Resend | Transactional email and unsubscribe handling | United States |
| Twilio | SMS delivery for review-request campaigns | United States |
| Stripe | Payment processing | United States and Canada |
We may add or replace subprocessors. For material subprocessor changes, we will provide at least 30 days’ notice by email, in-app notice, or posting in this policy. Customers with a signed Master Services Agreement may have additional notice or objection rights under that agreement.
Tenlo is based in Canada, but many of our subprocessors operate in the United States or use global infrastructure. Personal information and Customer Data may be transferred to, stored in, or accessed from Canada, the United States, and other jurisdictions where Tenlo or its subprocessors operate.
Information processed outside Canada may be subject to lawful access by courts, law enforcement, national security authorities, or regulators in those jurisdictions. We use contractual safeguards, access controls, encryption, and vendor diligence to protect information transferred across borders.
We retain personal information only as long as reasonably necessary for the purposes described in this policy, unless a longer period is required or permitted by law.
Customers may request earlier deletion by emailing privacy@tenloai.com. Some records may be retained where required or permitted by law, including tax records, payment records, security records, legal hold data, suppression records, and minimal deletion-request audit records.
We use:
We do not use advertising cookies or cross-site behavioral advertising cookies on tenloai.com unless this policy is updated and any required consent mechanism is implemented.
Users can manage cookies through their browser settings. Disabling essential cookies may prevent the Services from working.
Tenlo uses AI systems to generate drafts, classify content, summarize information, create embeddings, score leads, support chatbot responses, and assist with review, outreach, and support workflows.
AI outputs are drafts or recommendations. They may be inaccurate, incomplete, biased, duplicative, or unsuitable. Customers are responsible for reviewing AI output before sending, posting, relying on, or using it externally, except where the Customer has expressly configured automation rules that allow a workflow to proceed without manual review.
Tenlo does not use Customer Data to train general-purpose AI models. Tenlo does not permit Anthropic or OpenAI to use Customer Data submitted through Tenlo’s API accounts to train their general-purpose models.
Tenlo may use aggregated, de-identified, or Customer-approved data to monitor performance, improve prompts, improve product workflows, detect abuse, and evaluate service quality. Tenlo will not use identifiable Customer Data for prompt improvement, model fine-tuning, benchmarking, marketing, or public demonstrations unless the Customer has authorized that use or the data has been de-identified.
Tenlo accesses Google user data only after a Customer authorizes access through OAuth. The scopes requested depend on the product enabled by the Customer.
For Google Business Profile, Tenlo requests the https://www.googleapis.com/auth/business.manage scope to read and respond to the Customer’s authorized business listings and reviews.
For Gmail, Tenlo requests the minimum Gmail scopes needed to send Customer-approved outbound email, track send status, and classify replies related to outreach sent through Tenlo.
Tenlo does not request access to Google Drive, Google Calendar, Google Photos, YouTube, or Google Contacts unless a future product requires it and this policy is updated.
Customers can review or revoke Google access at myaccount.google.com/permissions.
For Google Business Profile, Tenlo may access:
For Gmail, Tenlo may access:
Tenlo does not access Google user data from any Google account other than the Customer-authorized account.
Tenlo uses Google user data only to provide the Customer-authorized Services, including:
Tenlo does not sell Google user data. Tenlo does not use Google user data for advertising, retargeting, data-brokerage, or model training. Tenlo shares Google user data only with subprocessors that are necessary to provide the Services and that process the data on Tenlo’s instructions.
Tenlo AI Inc.’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Tenlo personnel do not access Google user data except where reasonably necessary to provide support requested by the Customer, investigate security or abuse issues, comply with law, maintain the Services, or work with aggregated or de-identified data. Access is limited by role and logged where technically available.
Google user data is deleted from production systems within 30 days after the Customer revokes OAuth access or finally cancels the relevant Tenlo subscription, unless law requires retention. Encrypted backups may retain deleted Google user data for up to 30 additional days before being overwritten.
Tenlo may send commercial electronic messages (“CEMs”) on a Customer’s behalf, including sales outreach, review requests, follow-ups, and related messages.
Customers are responsible for ensuring they have a valid consent basis for every Recipient they upload, import, sync, or message through the Services. Consent may include express consent or implied consent where permitted by Canada’s Anti-Spam Legislation (“CASL”) or other applicable law.
Every CEM sent through Tenlo must identify the Customer as the sender and include a working unsubscribe mechanism that remains valid for at least 60 days after the message is sent. Tenlo processes unsubscribe requests without delay and in any event within 10 business days, as required by CASL. Where Tenlo detects unsubscribe requests sent by reply or other supported manual channel, Tenlo will suppress the Recipient for that Customer. Tenlo maintains per-Customer suppression records so the Customer does not re-contact unsubscribed Recipients through the Services.
Tenlo also maintains a global complaint and abuse list for hard bounces, repeated spam complaints, known abuse signals, and sender-reputation protection. This list is not a general unsubscribe list for all Customers.
Customers must not re-import or re-contact a Recipient who has unsubscribed unless the Customer has obtained fresh, documented express consent.
You may only send CEMs through the Services to a Recipient for whom you have a valid CASL consent basis. The bases are:
Where Quebec’s private-sector privacy law applies, individuals may have additional rights, including the right to request data portability in a structured technological format, the right to be informed about certain automated decision-making, and the right to request information about the personal information used and the main factors that led to an exclusively automated decision.
Tenlo’s Services are generally designed to assist Customers and provide drafts, recommendations, classifications, or lead scores. They are not intended to make legally or similarly significant decisions about individuals without human review.
If Tenlo becomes aware of a confidentiality incident involving personal information that presents a risk of serious injury under Quebec law, Tenlo will take reasonable steps to reduce the risk of harm, prevent similar incidents, record the incident, and notify the Commission d’accès à l’information du Québec and affected individuals where required.
Subject to applicable law, you may request:
To exercise these rights, email privacy@tenloai.com. We may need to verify your identity and authority before responding.
We respond to access, correction, deletion, and portability requests within 30 calendar days unless an extension is permitted by law. If we extend the time, we will tell you why and explain any available complaint rights.
You may complain to the Office of the Privacy Commissioner of Canada. If you are in Quebec, you may also complain to the Commission d’accès à l’information du Québec.
The Services are not designed for:
Customers must not upload, connect, or process these categories through the Services unless Tenlo has confirmed in writing that the relevant product and agreement support that data.
The Services are intended for business users who are at least 18 years old. We do not knowingly collect personal information from children. If you believe a child has provided personal information to Tenlo, contact privacy@tenloai.com and we will take appropriate steps to delete it.
We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information, including:
No system is perfectly secure. If you believe your account or data has been compromised, contact security@tenloai.com immediately.
If Tenlo becomes aware of a breach of security safeguards involving personal information that creates a real risk of significant harm, Tenlo will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA. We will also notify Customers and other regulators where required by applicable law or contract.
We may update this policy from time to time. For material changes, we will provide at least 30 days’ advance notice by email, in-app notice, or another reasonable method. Non-material changes may take effect when posted.
The “Last updated” date reflects the latest revision. Continued use of the Services after a change takes effect means the Customer accepts the updated policy, to the extent permitted by law.
Tenlo AI Inc.
PO BOX 10004
Uxbridge RPO Elgin Park, Ontario, L9P 0B1
Canada
We aim to respond to all privacy-related inquiries within 5 business days.
privacy@tenloai.com