tenuo

Privacy Policy

Effective: April 20, 2026·Last updated: April 20, 2026

This Privacy Policy explains how Tenuo, Inc. (“Tenuo,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use Tenuo Cloud — our hosted control plane for managing warrant-based authorization for AI agents, available at cloud.tenuo.ai and related domains (the “Service”).

1. Information we collect

Information you provide

  • Account information. When you sign in, we receive your name, email address, and profile picture URL from the identity provider you choose (GitHub or Google) via our authentication partner, WorkOS.
  • Organization information. When you create or join an organization, we collect the organization name, invite code, and role (admin, member, readonly).
  • Configuration you create. Warrants, policies, approval rules, service accounts, API keys (as one-way SHA-256 hashes), authorizer registrations, and webhooks that you configure inside the Service.
  • Support communications. If you email us, we retain the message and contact details you provide.

Information collected automatically

  • Usage data. Request logs, IP address, user agent, timestamps, referrer, and which Service features you use.
  • Audit records. Authorization decisions, approval events, policy evaluations, and configuration changes made in your organization.
  • Cookies. See “Cookies and similar technologies” below.

Information from third parties

When you sign in with GitHub or Google via WorkOS, we receive your verified email address and basic profile fields from that identity provider. We do not receive your password or long-lived OAuth access tokens for the identity provider.

2. How we use information

  • To operate, maintain, and secure the Service.
  • To authenticate you, route you to the correct tenant, and enforce permissions.
  • To evaluate authorization requests that your agents make against the Service.
  • To produce audit records, usage reports, and rate-limiting signals.
  • To detect, investigate, and prevent fraud, abuse, and security incidents.
  • To respond to support requests and communicate with you about the Service.
  • To comply with our legal and contractual obligations.

We do not use the content of your warrants, policies, audit records, or other organization data to train machine-learning models, and we do not sell your personal information.

3. How we share information

  • Within your organization. Members of your Tenuo Cloud organization with the appropriate role can see configuration and audit records for that organization.
  • Service providers (subprocessors). We share information with vendors who process data on our behalf under written agreements, including:
    • Google Cloud Platform — compute, storage, networking, managed databases.
    • WorkOS — authentication, OAuth, and session management.
    • Email delivery providers — transactional email (e.g., verification codes).
  • Legal and safety. We may disclose information when we reasonably believe it is required by law, legal process, or to protect the rights, property, or safety of Tenuo, our users, or the public.
  • Business transfers. If Tenuo is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.

4. How we use information from Google APIs

Tenuo Cloud's use of information received from Google APIs — specifically, the profile and email data returned when you sign in with Google — will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use Google profile data only to authenticate you and create or match your account in Tenuo Cloud. We do not use it for advertising, we do not sell it, and we do not allow humans to read it except (a) with your consent, (b) as required for security (including investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.

5. Data retention

  • Account data is retained while your account is active. You may request deletion at any time.
  • Session API keys expire automatically after 7 days.
  • Authorization decisions and audit records are retained for the period configured by your organization administrator, subject to legal requirements.
  • Backups are retained for a rolling operational window and then overwritten.

6. Security

We use industry-standard measures to protect your information, including TLS in transit, encryption at rest, scoped API keys stored as one-way SHA-256 hashes, sealed session cookies, and least-privilege access controls. No method of transmission or storage is 100% secure; if you believe your account has been compromised, email security@tenuo.ai immediately.

7. International data transfers

Tenuo Cloud is operated from the United States and relies on cloud infrastructure that may process data in multiple regions. If you access the Service from outside the United States, you consent to the transfer and processing of your information in the United States and other jurisdictions where our service providers operate.

8. Your rights and choices

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or delete your personal information.
  • Object to or restrict certain processing.
  • Request a portable copy of your information.
  • Withdraw consent where processing is based on your consent (withdrawal does not affect prior processing).
  • Lodge a complaint with a supervisory authority in your jurisdiction.

To exercise these rights, email privacy@tenuo.ai. We may need to verify your identity before acting on a request.

9. Cookies and similar technologies

Tenuo Cloud uses only strictly-necessary cookies for authentication, tenant routing, and session management:

  • tenuo_session, tenuo_tenant, tenuo_scopes, tenuo_apikey — session and tenant state.
  • workos_pending_token — short-lived token used during email verification for GitHub sign-in.

We do not use third-party advertising or tracking cookies on the authenticated Service.

10. Children's privacy

Tenuo Cloud is a developer and enterprise product and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, email privacy@tenuo.ai.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice in the Service prior to the change becoming effective. The “Last updated” date at the top of this page indicates when the policy was last revised.

12. Contact us

If you have questions about this Privacy Policy or our privacy practices, contact us at: