What we collect
- Account: email address, hashed password (PBKDF2-SHA256, 100k iterations — never the cleartext), tenant name, role.
- Conversations: the messages you send, Tanya's responses, and the conversation context that lets the assistant refer back to earlier turns.
- Memory facts: short, high-importance facts that Tanya extracts from your messages (e.g. "remember that I work at Acme") so the assistant can use them in later conversations. Stored in PostgreSQL.
- Billing: your Stripe customer id and subscription status. Card details are handled by Stripe directly — Tanya never sees a card number.
- Usage: per-request token counts and costs, scoped to your account. Used for billing reconciliation and rate limits.
Who else sees your data (sub-processors)
Tanya depends on a small set of third-party services to run. Each of them is a sub-processor under GDPR Art. 28. The full list with data categories, jurisdictions, and DPA links lives in our sub-processor register. The short list:
- Anthropic (Claude API) — receives your messages when you query the assistant. Standard Contractual Clauses apply. Anthropic does NOT train on Tanya API traffic.
- OpenAI (fallback LLM + Whisper STT) — same.
- Stripe — handles billing.
- Resend — sends transactional email (account verification, password reset).
How long we keep it
- Account data: as long as your account is active. When you delete your account (see below), we erase it.
- Conversation memories: the periodic consolidation job (F-223) prunes ambient memories older than 30 days that fall below the importance threshold. High-importance facts (the ones you asked Tanya to remember) survive consolidation.
- Stripe webhook idempotency keys: 90 days, auto-purged. Required to avoid double-charging on Stripe retries.
- Revoked auth tokens: until natural expiry, auto-purged afterwards.
Your rights
Under GDPR, you have the right to access your data, correct it, export it, and delete it. Tanya implements these rights as plain HTTP endpoints on the saas-api:
GET /users/me— see your account.GET /users/me/export— download your data in JSON (F-231 / Art. 20 portability).DELETE /users/me— erase your account, api keys, and usage records (F-224 / Art. 17 erasure). Owners must transfer tenant ownership first to avoid orphaning the tenant. Pg-only tables (ambient memories, interactions) are not yet erased by this endpoint — open a support ticket and we will run the manual cascade.
Self-service UI for these endpoints is on the dashboard roadmap. Until then, the API is reachable with your bearer token via curl.
Cookies
This marketing site sets no cookies. The dashboard sets one HttpOnly + Secure + SameSite=Strict session cookie, only after you sign in. There are no analytics trackers, no Google Tag Manager, no Segment, nothing.
Contact
Privacy questions: open a GitHub issue on the project repository or email the founder directly at the address listed in the manifesto.