Legal
Privacy Policy
Last updated: May 18, 2026
TESSAR processes only the data needed to run the service and bill you. We don't sell your data. We don't use your brief content to train foundation models.
This policy explains what we collect, why, who we share it with, and how to exercise your rights.
1. What we collect
Account data: your email address, sign-in provider, and authentication tokens (managed by Auth.js).
Brief data: the text and structured guidance you submit when starting a run.
Run data: the generated package, agent telemetry (tokens used, models used, sources cited, timings), and run status.
Payment data: Razorpay order IDs, payment IDs, and the last four digits and brand of your card. Razorpay stores full card details; we do not.
Operational telemetry: aggregated request logs, performance metrics, and error reports (Sentry). Sensitive payloads and brief content are excluded from these logs per our logging policy.
2. How we use it
To run the agent pipeline and deliver your package.
To bill you and prevent fraud.
To improve reliability, performance, and quality (aggregated telemetry only — brief content is not used to train third-party foundation models).
To respond to support requests and enforce these terms.
3. Subprocessors
We share the minimum data required with: Google Cloud (hosting, storage, model inference via Vertex AI), Razorpay (payments), Resend (transactional email), Sentry (error reporting), PostHog (product analytics with PII redaction). Each operates under its own terms and privacy policy.
4. Retention
Account data: kept while your account is active and for a reasonable period after.
Briefs and packages: retained for as long as you may want to download them, typically 12 months. You may request deletion at any time.
Rendered PDF/Markdown artifacts: stored in encrypted object storage and automatically transitioned to Nearline cold storage after 30 days.
Payment records: kept as required by tax and accounting law.
5. Security
Encryption in transit (TLS) and at rest. Private networking for the database and cache. Least-privilege service accounts. Secrets in Google Secret Manager. Razorpay webhook signatures verified. Pub/Sub push verified via OIDC. We follow OWASP Top 10 guidance for application code.
6. Your rights
Depending on your jurisdiction (UK / EU / California / India etc.) you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to certain uses. Email legal@tessar.dev to exercise these rights.
We do not sell your personal data. We do not use your brief content to train foundation models.
7. Children
The service is not intended for anyone under 18. We do not knowingly collect data from children.
8. International transfers
Data may be processed in regions other than your own (primarily where our Google Cloud region and our subprocessors operate). Where required by law we rely on Standard Contractual Clauses or equivalent safeguards.
9. Contact
Privacy questions: legal@tessar.dev. We aim to respond within 30 days.
Questions? legal@tessar.dev. See also our Terms of Service.