LEGAL

Privacy Policy

Last updated: February 13, 2026

1. Who We Are

Tenlines ("we," "us," or "our") operates the website tenlines.io and the Tenlines AI security gateway product. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you visit our website, join our waitlist, create an account, or use our product.

If you have questions about this policy, contact us at privacy@tenlines.io.

2. Data We Collect

Information you provide

  • Waitlist signup: Email address.
  • Account creation: Email address, password (hashed — we never store plaintext passwords), and organization name.
  • Login: Email address and password for authentication. We issue session tokens; your password is not retained after authentication.
  • Contact form: Email address and message content.

Information collected automatically

  • Analytics: We use PostHog (hosted in the EU — Frankfurt, Germany) to collect anonymized usage data including pages visited, referral source, browser type, and device type. We do not use this data to identify individual users.
  • Server logs: Our infrastructure logs may temporarily record IP addresses, request timestamps, and HTTP metadata for security monitoring and abuse prevention. These logs are retained for no more than 30 days.

Information processed by the Tenlines product

When you use the Tenlines browser extension or gateway, the product processes AI prompts and responses to detect and scrub personally identifiable information (PII), credentials, and proprietary content. This processing occurs locally on your device or within your organization's network.

  • We do not store the original, unredacted content of your AI prompts or responses.
  • Token mappings (the reversible substitutions that allow de-tokenization) are stored in your browser's session storage and on our servers only when you are authenticated. Token mappings are associated with your organization and are not shared with third parties.
  • Scrub session metadata (timestamps, scrub counts, detection types) is logged for your organization's audit trail. This metadata does not contain the original PII.

3. How We Use Your Data

We use your data for the following purposes:

  • To provide the service: Authenticating your account, processing scrub requests, maintaining token mappings for de-tokenization, and generating audit logs.
  • To communicate with you: Sending waitlist updates, product announcements, and account-related notifications. You can unsubscribe from marketing communications at any time.
  • To improve the product: Analyzing aggregated, anonymized usage patterns to identify bugs, improve performance, and prioritize features.
  • To maintain security: Monitoring for abuse, unauthorized access, and service disruptions.

We do not sell your personal data. We do not use your data to train AI models.

4. Third-Party Processors

We use the following third-party services to operate Tenlines:

| Service | Purpose | Data processed | Hosting location |
|---------|---------|----------------|------------------|
| Amazon Web Services (AWS) | Infrastructure, API hosting, database | Account data, session metadata, token mappings | US-West-2 (Oregon) |
| PostHog | Product analytics | Anonymized page views, feature usage | EU (Frankfurt, Germany) |
| CloudFront / S3 | Website hosting and CDN | Static assets, no personal data | US / Global edge |

We do not share your data with any other third parties except as required by law.

5. Data Retention

  • Waitlist emails: Retained until you unsubscribe or we delete the waitlist after product launch.
  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Token mappings: Stored for the duration of your session (browser session storage) and on our servers for as long as your organization's account is active. Deleted within 30 days of account deletion.
  • Audit logs: Retained according to your organization's configured retention period, with a default of 90 days.
  • Analytics data: PostHog data is retained for 12 months.
  • Server logs: Retained for no more than 30 days.

6. Your Rights

For all users

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Delete your personal data and account.
  • Export your data in a portable format.

To exercise any of these rights, email privacy@tenlines.io.

Additional rights for EU/EEA residents (GDPR)

If you are located in the European Union or European Economic Area, you also have the right to:

  • Restrict processing of your personal data.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

Our legal basis for processing your data is:

  • Contract performance — to provide the service you signed up for (account, scrubbing, audit logs).
  • Legitimate interest — to improve the product and maintain security, where these interests do not override your rights.
  • Consent — for marketing communications and analytics, which you can withdraw at any time.

Additional rights for California residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used.
  • Request deletion of your personal information.
  • Opt out of the sale of personal information. We do not sell personal information.
  • Non-discrimination for exercising your privacy rights.

7. Cookies and Tracking

Our website uses the following:

  • PostHog analytics: Sets a cookie to track anonymous usage across pages within a single session. No cross-site tracking. Data stays in the EU.
  • Essential cookies: Session authentication tokens for logged-in users.

We do not use advertising cookies or retargeting pixels. We do not participate in ad networks.

8. Security

We protect your data through:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Password hashing using industry-standard algorithms.
  • Session tokens with automatic expiration and refresh.
  • Role-based access controls for internal systems.
  • Regular security reviews of our infrastructure and codebase.

9. Children

Tenlines is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us at privacy@tenlines.io and we will delete it promptly.

10. International Data Transfers

Our infrastructure is hosted in the United States (AWS US-West-2). Analytics data is processed in the EU (PostHog, Frankfurt). If you are located outside the United States, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and AWS's compliance certifications to ensure adequate protection for international transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of Tenlines after changes are posted constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or to exercise your rights:

Email: privacy@tenlines.io

Website: tenlines.io