Privacy Policy

Effective Date: April 15, 2026 Last Updated: May 4, 2026

1. Introduction

Viral Host Digital LLC (“we”, “us”) respects your privacy. This Privacy Policy explains what information Tendril collects, how it is used, and your rights regarding that information.

Tendril is designed with privacy as a first principle. The core application runs entirely on your local device. Project code, agent output, and conversation history never leave your machine unless you explicitly send them to a third-party AI provider through Tendril’s generative AI features. To enforce subscription tiers and usage limits, we maintain a small amount of account information (email, account ID, aggregate token counts) on our servers — see Section 2 below for the complete list. We never see your prompts, code, or AI responses.

Tendril incorporates generative AI features. Tendril is an orchestration layer for AI coding agents — its core functionality depends on sending prompts and project context to third-party AI providers (Anthropic, OpenAI, Google) and receiving generated code, plans, and chat responses in return. Section 2.6 below explains exactly what is sent, to whom, and how it is handled.

2. Information We Collect

2.1 Locally Stored Only (Never Transmitted to Us)

The following is stored only on your device under ~/.tendril/:

• Project state, subtasks, agent messages
• Conversation history with Tendy (the chat assistant)
• Knowledge graph index of your connected projects
• Settings including BYOK API keys (encrypted via OS keychain)
• Screenshots and file edits made by agents

We have no access to this information. It is never sent to our servers.

2.2 Account Information (Required to Use the App)

Tendril requires a free account to use. You can create an account using:

• An email address and password
• A Google account (via “Sign in with Google”)
• A Microsoft account (via “Sign in with Microsoft”)

When you sign up or sign in, we receive:

• Your email address (used to identify your account, recover your password, and send important service messages)
• Your display name, if provided by your sign-in provider
• A unique account identifier issued by Amazon Cognito (our authentication provider)
• Sign-in timestamps and the provider you used

If you sign in via Google or Microsoft, we receive only the basic profile fields you authorize during the sign-in flow (typically email, name, and a unique provider ID). We never receive your password from those providers.

We use Amazon Web Services (AWS) Cognito to manage authentication. AWS processes this information on our behalf as a sub-processor. See AWS’s data processing terms for details.

2.3 Subscription Information

If you upgrade to a paid plan (Starter or Pro), Stripe processes your payment. We do not receive your full payment card details. From Stripe we receive:

• A Stripe customer identifier
• A subscription identifier
• Your subscription tier, billing cycle (monthly or annual), and renewal status

These identifiers are stored as attributes on your account so we can display your subscription status, route you to the Stripe billing portal, and validate your tier when you use paid features.

2.4 Token Usage Counters

To enforce monthly and daily usage limits per pricing tier, we track the aggregate number of tokens consumed by AI requests made through Tendril. Specifically, we record:

• Daily token totals per account (input, output, cache-read, cache-creation)
• The date and time of each token total update
• Your account identifier (so we can attribute usage to the right account)

We do not record:

• The content of your prompts or AI responses
• The names or contents of your project files
• Code generated by the AI

The token totals are derived from the count fields that AI providers (such as Anthropic) return alongside their responses. The actual prompt and response content travels directly between your device and the AI provider — Tendril sees only the count.

Token usage records are retained indefinitely for billing audit and analytics purposes, keyed only on your account identifier. You can view your current usage in the Settings panel inside the app.

2.5 Optional Telemetry (Opt-In Only)

If you opt in to anonymous usage telemetry, we may collect:

• Aggregate feature usage counts (how often settings are opened, how many projects exist)
• Error reports (stack traces with no personal content)
• Version information

Telemetry is off by default. You can enable or disable it at any time in Settings.

2.6 Generative AI Features

Tendril’s core functionality is generative AI — orchestrating AI agents that read your project context and generate code, plans, and chat responses on your behalf. This section discloses exactly how that data flow works.

What Tendril sends to AI providers:

• Your prompts and chat messages typed into Tendril
• Selected project file contents (only files in scope of the active subtask, or files the agent has been instructed to read)
• Project metadata you provide (task descriptions, acceptance criteria, scope hints)
• Plan structures and prior agent messages within the same project (for follow-up turns)
• Visual feedback you submit (screenshots you annotate and send to Tendy)

What Tendril does not send:

• Files outside the active subtask’s scope (we only send what the agent requests)
• Other projects you have not engaged with in the current session
• Files explicitly excluded by your project’s .gitignore and Tendril’s built-in protected-path list (.git/, .ssh/, .aws/, .env, node_modules/, OS keychains)
• Your account credentials, license keys, or payment information

Which AI providers receive this data:

• Default path (Claude Code CLI): When you sign in with your Anthropic account through the Claude Code CLI (the default Tendril setup), prompts and project context travel directly from your device to Anthropic’s API. Tendril does not relay or intercept this traffic.
• BYOK path: If you configure Bring-Your-Own-Key integration in Settings, traffic goes directly to your selected provider — Anthropic, OpenAI, or Google — using your API key. Tendril does not see your key after you save it (it is encrypted at rest using your operating system’s keychain).
• MCP servers you install: Tendril supports user-installed MCP (Model Context Protocol) servers, which may forward selected tool calls to additional services you have explicitly configured. Each MCP server’s data handling is governed by that server’s terms.

Training and retention by AI providers:

The AI providers operate on your account or API key per their respective terms. As of this policy’s effective date:

• Anthropic does not use your API inputs/outputs to train its models by default (Anthropic privacy policy)
• OpenAI does not use API data to train models by default (OpenAI privacy policy)
• Google has provider-specific terms that vary by API surface (Google privacy policy)

These provider terms are subject to change. You are responsible for reviewing each provider’s current privacy policy before sending sensitive data through Tendril.

Your control:

• You can switch providers at any time in Settings → Provider
• You can stop sending project context by closing the project, ending an agent run, or signing out of your AI provider
• You can use Tendril fully offline (no agents, knowledge graph only) by not initiating agent runs
• You can review every prompt before it is sent: agent dispatch is gated by your explicit approval at the plan-review stage of each pipeline run

We never see your prompts, project code, or AI responses. Tendril’s servers receive only the aggregate token counters described in Section 2.4 — never the content of what was sent.

3. How We Use Information

We use the limited information we collect to:

• Validate licenses and provide Pro tier access
• Fix bugs and improve the Software (telemetry, if enabled)
• Comply with legal obligations

We do not sell, rent, or share your information with third parties for marketing purposes.

4. Data Retention

• Account records (email, account ID, sign-in timestamps): retained while your account is active, then deleted within 30 days of account closure
• Subscription records (Stripe IDs, tier, billing cycle): retained for the duration of the subscription plus 3 years for tax and audit purposes
• Token usage counters: retained indefinitely keyed only on your account ID, deleted within 30 days of account closure
• Telemetry data (if opted in): retained for 12 months, then aggregated and anonymized
• Local data: retained on your device until you delete it

5. Your Rights

Depending on your jurisdiction, you may have the following rights:

GDPR (EU users)

• Right to access your personal data
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to data portability
• Right to object to processing
• Right to lodge a complaint with a supervisory authority

CCPA (California users)

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination

To exercise any of these rights, contact support@viralhostdigital.com.

6. Security

We implement reasonable technical and organizational measures to protect information we hold:

• API keys stored locally are encrypted using your operating system’s keychain (macOS Keychain, Windows DPAPI, Linux libsecret)
• License activation uses HTTPS (TLS 1.2+)
• Our licensing servers follow industry-standard security practices

However, no system is perfectly secure. You are responsible for securing your local device.

7. Children’s Privacy

Tendril is not directed at children under 13. We do not knowingly collect information from children under 13.

8. Changes to This Policy

We may update this Policy from time to time. Changes will be posted here and in the Software. Continued use after changes constitutes acceptance.

9. Contact

Privacy questions or requests: support@viralhostdigital.com

Data controller: Viral Host Digital LLC Puerto Rico, USA