Privacy Policy

Last updated: June 21, 2026

This Privacy Policy explains how Tenfold Studio ("Tenfold", "we", "us") collects, uses, shares, and protects personal data when you visit tenfoldstudio.org, use our intake wizard, customer workspace, AI Developer assistant, or purchase one of our build packages (collectively, the "Service"). We comply with the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA/CPRA").

1. Data Controller

Tenfold Studio is the data controller for personal data processed via the Service. Contact: hello@tenfoldstudio.org.

2. Personal Data We Collect

  • Account & intake data: business name, owner name, email, phone (optional), answers to wizard questions, brand assets, voice transcripts, photos and PDFs you upload as references.
  • Payment data: processed by Stripe; we receive only the transaction ID, last 4 digits, country, and amount — we do not store full card numbers.
  • Authentication data: email, hashed password or OAuth identifier, session tokens.
  • Communications: messages exchanged with the AI Developer and our team.
  • Technical data: IP address, browser, device type, pages viewed, referrer, and cookie identifiers (see Section 7).

3. How We Use Your Data and Legal Bases (GDPR)

  • To deliver the Service (contract, Art. 6(1)(b)): process your order, build your application, host your workspace, run the AI Developer.
  • To communicate with you (contract / legitimate interest, Art. 6(1)(b)/(f)): send transactional emails, delivery notifications, and project updates.
  • To comply with law (legal obligation, Art. 6(1)(c)): tax, accounting, fraud prevention.
  • To improve the Service (legitimate interest, Art. 6(1)(f)): aggregated analytics, security monitoring.
  • Marketing (consent, Art. 6(1)(a)): only if you opt in. You can withdraw consent anytime.

4. Subprocessors and Sharing

We share data only with subprocessors who help operate the Service:

  • Stripe, Inc. — payment processing (US/EU).
  • Supabase, Inc. — database, authentication, file storage (US/EU regions).
  • Lovable — hosting infrastructure and AI gateway (EU).
  • OpenAI and Google (Gemini) — AI model inference for the AI Developer.
  • Mailgun — transactional email delivery.

All subprocessors are bound by data-processing agreements with appropriate safeguards. See our Data Processing Addendum.

5. International Transfers

Some subprocessors are located in the United States. Where data is transferred outside the EEA/UK, we rely on the EU Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable.

6. Data Retention

  • Intake and project data: retained for the duration of your customer relationship plus 7 years for tax and accounting.
  • Account data: retained until you delete your account, then 30 days in backups.
  • Voice transcripts and uploaded files: retained while the project is active; you may request deletion at any time after delivery.
  • Analytics: pseudonymized, retained up to 14 months.

7. Cookies

We use only strictly-necessary cookies for authentication, session security, and to remember your cookie preferences. Optional analytics or marketing cookies will only be set after you opt in via our cookie banner. You can change your preferences at any time by clearing site data in your browser.

8. Your GDPR Rights

If you are in the EU/UK, you have the right to: access your data, rectify inaccuracies, request erasure, restrict or object to processing, request data portability, and withdraw consent. To exercise these rights, email hello@tenfoldstudio.org. We respond within 30 days. You may also lodge a complaint with your local data protection authority.

9. Your CCPA/CPRA Rights (California)

California residents have the right to know what personal information we collect, to access it, to request deletion, to correct it, and to opt out of any "sale" or "sharing" of personal information. Tenfold does not sell or share personal information for cross-context behavioral advertising. To exercise rights, contact hello@tenfoldstudio.org.

10. Security

We apply industry-standard safeguards: encryption in transit (TLS) and at rest, row-level security in our database, least-privilege access controls, hashed passwords, and routine backups. No system is perfectly secure; you use the Service at your own risk.

11. Children

The Service is not directed to anyone under 18. We do not knowingly collect data from children.

12. Changes

Material changes to this Policy will be announced here and, where reasonable, by email.

13. Contact

Tenfold Studio, hello@tenfoldstudio.org

This document is published in English, which is the binding version. Translations may be provided for convenience only.