tend

What Tend does with your information.

Plain-language policy, laid out for scanning instead of legal theater.

What Tend accesses

Messages (macOS)

On the Mac, Tend reads Apple’s local Messages database to measure cadence, balance, timing, and related signals. Message bodies are processed locally.

Contacts

Tend asks for Contacts permission so numbers and emails can be matched to names and shown cleanly across your devices.

Full Disk Access

macOS requires Full Disk Access for Tend to read ~/Library/Messages/chat.db. That permission is used for local analysis tied to the app.

Relationship notes

Relationship notes are written by a small AI model that runs entirely on your Mac. Tend never sends message text, prompts, or excerpts to a cloud AI provider — there is no cloud-AI path.

What syncs and what does not

What can sync through your iCloud

A thin relationship layer can move through your own iCloud to your own iPhone: display names, last-talked timestamps, tier signals, and preferences.

What does not leave the Mac

Your full iMessage archive, message bodies, attachments, and the local scan index are not uploaded to a Tend-hosted backend.

What Tend cannot see

Tend keeps no central database of your conversations, and there is no admin console with your message graph in it. Sign-in (see Identity below) establishes who your devices belong to — it never gives Tend your messages.

What we do not sell

We do not sell your personal information or use your Messages or Contacts for ad-broker targeting.

How you sign in

Tend uses Sign in with Apple, and only Sign in with Apple — no Tend password, no email-and-password login, and no third-party identity providers. One Apple prompt during setup creates the private Tend account link.

What the sign-in establishes

It identifies which Mac and iPhone are yours so your paraphrased summaries reach the right device, and — if you applied to the beta — links your install to your application. That is its entire job.

What Apple shares with Tend

An opaque per-app identifier that is specific to Tend and cannot be used to track you across other apps. It is not your Apple ID and not your password. If you choose Hide My Email, Apple relays a private address and Tend never sees your real one.

Where it is kept

That identifier lives in Tend's authentication store (Supabase Auth) solely to recognise you on return. The app stores the Supabase session in Keychain and uses a server-generated opaque analytics/support id for PostHog, Intercom, and admin joins. No message content, contact graph, or AI output passes through sign-in.

Deleting it

Revoke Tend in your Apple ID settings, or ask us to delete the Tend account link. Tend deletes the Supabase profile where applicable and uses the shared opaque support id to purge matching PostHog and Intercom records.

App-quality services

A small, deliberately narrow set of third-party services helps us run the beta. None of them ever receives your message content, contact graph, AI outputs, or free-text fields you didn't write to them yourself.

Product analytics (PostHog)

The Swift apps emit a strict allowlisted set of categorical events through a Cloudflare Worker proxy at stneve.tendapp.io, which drops anything not on the allowlist before reaching PostHog. The PostHog API key never lives on your device. The Swift apps emit a small set of categorical product and engagement events — app launch, onboarding progress and completion, setting a cadence, opening the daily list and tapping through it, handing a drafted message to Messages, opening a contact's profile, and local-model version / load-failure diagnostics — carrying only counts, buckets, and enumerated values. Telemetry never includes message content, names, phone numbers, friend identifiers, AI outputs, or free-text fields, and is gated on-device by an analytics-consent control (iPhone: Settings → Privacy → "Anonymous analytics"; Mac: Settings → Privacy) — declining stops all analytics emission. After Sign in with Apple, PostHog uses the server-generated opaque analytics/support id. Legacy beta installs may use their original beta analytics id until they sign in.

Customer support & lifecycle emails (Intercom)

Tend uses Intercom for in-app support chat, the public help center, and a small set of categorical lifecycle emails (Day 0 welcome, Day 7 check-in, optional Day 14 survey nudge, beta-end, GA-launch — each one-click unsubscribe). Intercom never receives your message content, contact graph, AI outputs, or substantive survey free-text. Support conversations exist only because you initiated them. Intercom receives categorical support attributes like app version, OS, onboarding state, contact-count bucket, and the opaque support id; no custom events are sent today. We have explicitly disabled Intercom Fin AI Agent, session recording, and co-browsing.

Diagnostics (Apple MetricKit)

Crash and performance reports are collected by your operating system through Apple's MetricKit framework and stored locally under Application Support/Tend/Diagnostics/ with a rolling cap of 10 reports. Tend does not automatically transmit any of them. You may share a diagnostic report with support via Settings → Send debug info to support; if you do, the report leaves your device only because you picked a destination yourself in the system share sheet. We do not ship a third-party crash SDK.

Deletion across services

If you ask to leave the beta or delete your account, we cascade-delete the PostHog person record and the Intercom user record using the shared opaque analytics/support id as the join key. MetricKit reports remain on your device unless you've already chosen to share one — those copies are then governed by your email provider, not by us.

Beta website data

What we collect

When you apply for the beta, we collect the form fields you submit, plus basic abuse-protection metadata such as hashed IP and user agent.

Where it is stored

We store beta application data, Sign in with Apple app-profile state, survey responses, and help-center helpful/not-helpful feedback in Supabase. We send onboarding or invite email through Resend.

Analytics

The website uses narrow, opt-in product analytics for funnel shape. Free-text is not sent as analytics payload.

Why we keep it

We use beta-site data only to operate the waitlist, abuse controls, and beta communications.

Retention, changes, and contact

  • Local data on your Mac or iPhone remains under your device controls until you remove the app or delete data through normal OS mechanisms.
  • Beta waitlist data is retained only as long as needed to run invites and beta communications.
  • Tend is not intended for children under 13, and we do not knowingly collect personal information from children under 13 in a targeted way.
  • We may update this policy. When we do, we will change the last-updated date at the top.

Questions about privacy? Send us a message and we'll reply within 72 hours.

Want the technical architecture? Read Local-first for how the signal layer stays tied to your own devices.