Privacy Policy

Last updated: May 21, 2026

Draft for counsel review. This document is a template starter; it is not a binding contract until reviewed and approved by Tendly's legal counsel.

1. Who we are

Tendly, Inc. ("Tendly", "we") operates a software platform for home service businesses. This Privacy Policy describes how we collect, use, share, retain, and protect personal data when you use the Tendly platform, our websites, and related services (the "Service").

Two roles to keep in mind. When a subscriber business (our customer) uses Tendly to communicate with their own customers, the subscriber is the data "controller" for those customer records and Tendly acts as a "processor" on their behalf. When you sign up for Tendly, browse our marketing site, or contact us, Tendly is the controller for that information.

2. Personal data we collect

  • Account data. Name, email, phone, business name, role, and authentication identifiers you provide at signup.
  • Billing data. Payment method details handled by Stripe (we do not store full card numbers), billing address, invoices, and transaction history.
  • Customer data. The leads, customers, jobs, estimates, appointments, photos, and conversations our subscribers load into Tendly to run their business.
  • Communications content. SMS, email, in-app chat, and voice call transcripts and recordings handled by Tendly on behalf of subscribers and their customers.
  • Usage and device data. Pages and features used, click events, IP address, browser and OS, device identifiers, referrer, and approximate location derived from IP.
  • Support data. Information you provide when you contact support or report a security issue.

3. Sources of personal data

We collect personal data directly from you, automatically when you use the Service, from third-party identity and payment providers you authorize, and from public sources where permitted by law (for example, business directories used for lead enrichment when you opt in).

4. How we use personal data

  • To deliver, secure, and operate the Service.
  • To bill, take payment, and prevent fraud.
  • To respond to support requests and security incidents, and to send service-related notices.
  • To improve the Service, fix bugs, and develop new features. Where we use customer data to improve AI models we do so only in a way that protects the underlying personal data, and subscribers can opt out as described below.
  • To send product updates and marketing where permitted. You can unsubscribe at any time.
  • To comply with legal obligations and enforce our agreements.

5. Legal bases for processing (GDPR and UK GDPR)

For individuals in the EEA and the UK, we process personal data under one or more of the following legal bases:

  • Contract. To provide the Service you or your employer signed up for.
  • Legitimate interests. To operate, secure, and improve the Service, prevent fraud, and communicate with you about changes, balanced against your rights.
  • Consent. Where required, for example certain analytics cookies or marketing messages.
  • Legal obligation. To comply with tax, accounting, and law-enforcement requirements.

6. Sharing and disclosure

We do not sell personal data and we do not share personal data for cross-context behavioral advertising. We share personal data only with:

  • Subprocessors that help us run the Service (listed below). Each is bound by a written data processing agreement and may use personal data only to perform services for Tendly.
  • Subscribers, when the data was provided by or collected on behalf of a subscriber business that is the controller of that data.
  • Professional advisors such as auditors and legal counsel, under confidentiality.
  • Authorities, when required by law, court order, or to protect rights, safety, or the integrity of the Service.
  • Successors in a merger, acquisition, or sale of assets, subject to confidentiality and continuity of this Policy.

7. Subprocessors

Tendly relies on the following subprocessors to operate the Service. Each is bound by a Data Processing Agreement and is selected for its security posture.

  • Twilio (USA). Voice and SMS delivery, phone number provisioning, programmable messaging.
  • Stripe (USA). Payment processing, billing, partner payouts via Stripe Connect Express.
  • Deepgram (USA). Voice transcription and the bundled Voice Agent pipeline (Nova-3 STT, Aura-2 TTS, managed Claude Haiku LLM).
  • OpenAI (USA). Language models used for selected AI features.
  • Anthropic (USA). Language models used for selected AI features.
  • Supabase (USA). Application database and authentication.
  • Vercel (USA). Application hosting and edge network for the Next.js application.
  • Resend (USA). Transactional email delivery.
  • Cloudflare (USA). DNS, voice-bridge Worker runtime, and edge security.

We post material changes to this list before adding or removing a subprocessor that handles personal data on a regular basis. For data-protection contacts at each subprocessor, see the provider's own trust or privacy site.

8. International data transfers

Tendly is based in the United States and most of our subprocessors are based in or transfer data to the United States. Where personal data of individuals in the EEA, the UK, or Switzerland is transferred outside that region, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), supplemented by appropriate technical and organizational measures.

9. Retention

  • Account and billing records. Kept for the duration of the subscription plus 7 years after the last transaction to meet tax and accounting requirements.
  • Customer data. Kept for the duration of the subscription plus 30 days, then deleted from the active database. Subscribers can export and delete customer data on demand.
  • Voice recordings and transcripts. Kept for 12 months unless earlier deletion is requested or required by law.
  • Audit logs and security events. Kept for up to 13 months for security and incident response.
  • Backups. Retained on a rolling 35-day cycle and overwritten in the normal course.

10. Your rights

Depending on where you live, you may have the following rights with respect to your personal data:

  • Access and portability. Receive a copy of the personal data we hold about you in a portable format.
  • Correction. Ask us to correct inaccurate or incomplete data.
  • Deletion. Ask us to delete your personal data, subject to legal retention obligations.
  • Restriction and objection. Ask us to limit processing or object to processing based on legitimate interests.
  • Withdraw consent. Where we rely on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint. Contact your local data protection authority. In the EU, that is your member state supervisory authority; in the UK, the Information Commissioner's Office.

To exercise these rights, email privacy@usetendly.com. If your personal data was provided to Tendly by a subscriber business (for example, you are the customer of a Tendly subscriber), please contact that business directly; we will assist them in honoring your request.

11. California residents (CCPA and CPRA)

If you are a California resident, you have the rights described in Section 10, plus the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know the categories and specific pieces of personal information we collected, the categories of sources, the business or commercial purpose for collecting it, and the categories of third parties with whom we shared it.
  • Right to delete personal information we collected from you, subject to exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. Tendly does not sell personal information and does not share personal information for cross-context behavioral advertising, so this right is honored automatically.
  • Right to limit use of sensitive personal information. We do not use or disclose sensitive personal information for purposes that require this option.
  • Right to non-discrimination for exercising any of these rights.

To submit a CCPA request, email privacy@usetendly.com with the subject "California Privacy Request". You may authorize an agent to submit a request on your behalf with verification.

12. Cookies and similar technologies

We use a small number of first-party cookies and similar technologies:

  • Strictly necessary. Session, authentication, CSRF, and load-balancing cookies required for the Service to function. These cannot be turned off.
  • Preferences. A localStorage entry for partner-attribution capture with a 60-day TTL, and standard UI preference cookies.
  • Analytics. Privacy-respecting analytics to understand aggregate usage. We do not load third-party cross-site tracking cookies.

You can control cookies through your browser settings; blocking strictly necessary cookies will break parts of the Service.

13. Security

We protect personal data using a layered program: encryption in transit (HTTPS with HSTS preload), encryption at rest for sensitive secrets (AES-256-GCM for tenant Twilio auth tokens and similar credentials), role-based access control, audit logging, secret rotation, vulnerability scanning, and incident response procedures. No system is perfectly secure. If you believe your data has been compromised, contact us at security@usetendly.com.

14. Automated decision-making and AI

The Service uses AI to draft messages, score leads, transcribe calls, and propose actions. These outputs are advisory by default and are reviewed or approved by the subscriber before most user-impacting actions are taken. We do not use AI to make decisions producing legal effects about you without human involvement.

15. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact privacy@usetendly.com and we will delete it.

16. SMS communications

Where you opt in to receive SMS from Tendly or from a subscriber that uses Tendly to message you, you can opt out at any time by replying STOP to any message, or HELP for help. Message and data rates may apply. Frequency varies. We retain opt-out records to honor your choice across the Service.

17. Changes to this Policy

We may update this Policy. The "Last updated" date above reflects the most recent change. We will notify you of material changes by email or in-product notice before the change takes effect.

18. Contact

Privacy questions or rights requests: privacy@usetendly.com

Security reports: security@usetendly.com