Privacy Policy

Scope

This Policy applies to our website, messaging services (SMS/RCS), and related apps or APIs that link to it.

Information We Collect

• •Account & Contact Data: name, email, mobile number.
• •Messaging Data: message content, timestamps, delivery status, and preferences.
• •Financial Connection Data: if you connect accounts via Plaid, we receive read-only account identifiers, balances, holdings, transactions, and related metadata that you authorize. We do not receive or store your bank credentials.
• •Technical Data: IP address, device identifiers, browser type, operating system, diagnostics, and analytics.
• •Usage Data: pages visited, features used, interaction patterns, and time spent on the Services.

How We Use Information

• •Provide and improve the service (alerts, insights, account and security notifications).
• •Personalize content to your holdings and preferences.
• •Secure accounts and prevent fraud/abuse.
• •Comply with law and enforce our terms.
• •With your consent, send promotions or product updates.
• •Generate AI-powered insights and analysis (see "Automated Decision-Making" below).

SMS/RCS Compliance & Mobile Data Sharing

Cookies & Tracking Technologies

We use cookies and similar technologies to operate and improve our Services:

• •Essential Cookies: Required for basic functionality, authentication, and security. These cannot be disabled.
• •Analytics Cookies: Help us understand how users interact with our Services (e.g., pages visited, features used). We use PostHog for product analytics.
• •Preference Cookies: Remember your settings and preferences for a better experience.

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.

Plaid

We use Plaid Inc. ("Plaid") to connect your financial accounts securely. By connecting an account, you agree that Plaid's privacy policy applies to Plaid's processing of your data. We receive read-only financial information you authorize (e.g., balances, holdings, transactions) to generate insights. We do not store bank login credentials and cannot move or hold funds.

Automated Decision-Making & AI

Our AI features:

• •Generate personalized market commentary and portfolio analysis
• •Create alerts based on your holdings and market conditions
• •Do not make any automated decisions that produce legal or similarly significant effects

For EEA/UK users: You have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you. Our AI features are supplementary and informational; no automated decisions affecting your legal rights are made without human involvement.

Legal Bases (EEA/UK)

Where applicable, we process data based on:

• •Contract Performance: Delivering requested features and services you signed up for.
• •Legitimate Interests: Providing, improving, and securing services; preventing fraud; analytics.
• •Consent: Optional marketing communications and certain analytics.
• •Legal Obligation: Compliance with applicable laws and regulations.

Data Sharing & Subprocessors

• •Service providers (subprocessors): e.g., messaging carriers, cloud hosting, analytics—bound by contract to use data only for our instructions.
• •Legal/disclosure: to comply with law or protect rights, safety, and security.
• •Business transfers: in a merger, acquisition, or asset sale, with notice where required.

We do not sell personal data. For a complete list of our third-party service providers, please see our Subprocessor List.

Data Retention

We retain data for the following periods:

• •Account data: Duration of your account plus 3 years after account closure.
• •Financial connection data: Until you disconnect your account, plus up to 30 days for deletion processing.
• •Messaging history: Up to 2 years for service delivery and support.
• •Transaction and billing records: 7 years for tax and legal compliance.
• •Analytics and usage data: Up to 2 years in identifiable form; longer in aggregated/anonymized form.

You may request deletion as described below. Some data may be retained longer if required by law or necessary to resolve disputes.

Security

We employ technical and organizational measures to protect your data, including:

• •Encryption in transit (TLS 1.2+) and at rest (AES-256)
• •Role-based access controls and multi-factor authentication
• •Regular security assessments and monitoring
• •Incident response procedures

No system is 100% secure; please use strong, unique passwords and safeguard your devices. For detailed information about our security practices, please see our Cybersecurity Policy.

Your Rights & Choices

• •Manage messaging: reply STOP to unsubscribe; HELP for help.
• •Access, correction, deletion: email privacy@tendrill.com.
• •Marketing opt-out: use unsubscribe controls in any message.
• •CCPA/CPRA (California): you may request access, deletion, or correction of personal information. You have the right to know what personal information we collect, the purposes, and third parties with whom we share it. We do not sell or share personal information for cross-context behavioral advertising. You will not be discriminated against for exercising these rights.
• •GDPR (EEA/UK): you may request access, erasure, portability, restriction, or object to processing. You have the right to withdraw consent at any time. You may lodge a complaint with your local supervisory authority.

We will respond to verified requests within the timeframes required by applicable law (generally within 30-45 days).

Children's Privacy

Our services are not directed to children under 13 (or 16 in the EEA/UK, or as otherwise defined by local law). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child without parental consent, we will delete that information promptly.

International Transfers

Tendrill is based in the United States. If you access our Services from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we use appropriate safeguards including:

• •Standard Contractual Clauses (SCCs) approved by the European Commission
• •Adequacy decisions where applicable
• •Supplementary measures as needed based on destination country requirements

Data Processing Agreements

Enterprise customers and business users subject to GDPR or other data protection regulations may request a Data Processing Agreement (DPA). Our DPA includes Standard Contractual Clauses, security commitments, and subprocessor management terms. To request a DPA, contact us at privacy@tendrill.com.

Changes to This Policy

We may update this Policy to reflect changes in our practices or legal requirements. We will post changes here and update the effective date. For material changes, we will provide notice via email or through the Services at least 30 days before the changes take effect, where required by law.