The Short Version
- Service available to users in the United States and Canada only
- You own everything you create—100% copyright yours
- We NEVER train AI models on your content
- We NEVER sell or share your personal information
- Your work is encrypted in transit and at rest
- Export your data anytime in standard formats
- Data archived for 6 months after cancellation (restorable if you return)
- Full deletion available upon request
Want to understand our broader trust commitments? See our Trust Promise.
Geographic Availability
Tandem is currently available only to users located in the United States and Canada. By using our service, you confirm that you are located in one of these jurisdictions.
1. Introduction
Tandem ("we," "our," "us," or the "Company") provides AI-assisted thinking and organization tools for writers through our website and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
We built Tandem with a fundamental belief: your creative work belongs to you. This policy reflects that commitment and complies with applicable privacy laws including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.
2. Information We Collect
2.1 Information You Provide Directly
Account Information
When you create an account, we collect:
- Email address (required)
- Password (stored using industry-standard bcrypt hashing—we cannot see your password)
- Display name or nickname (optional)
- First and last name (optional)
Payment Information
If you subscribe to a paid plan, our payment processor (Stripe) collects:
- Credit card or payment method details
- Billing address
We do not store complete credit card numbers on our servers. Payment processing is handled entirely by Stripe, which is PCI-DSS compliant.
Your Creative Content
When you use Tandem, you may provide:
- Story manuscripts, drafts, and excerpts
- Character descriptions, profiles, and development notes
- Plot outlines, story structure, and world-building details
- Brainstorming notes, ideas, and conversations with the AI assistant
- Any other creative content you choose to enter
Your Content Is Sacred: Your creative content is stored solely to provide the Service to you. We do not read, analyze, sell, share, or use your creative content for any purpose other than delivering the features you use. We do not train any AI or machine learning models on your content.
2.2 Information Collected Automatically
When you use our Service, we automatically collect certain technical information:
- Device Information: Device type, operating system, browser type and version
- Log Data: IP address, access times, pages viewed, referring URL
- Usage Data: Features used, session duration, interactions with the Service
- Error Data: Crash reports and error logs for debugging
2.3 Information from Third Parties
We may receive limited information from:
- Authentication Providers: If you sign in via a third-party service (e.g., Google), we receive your email and name from that provider
- Payment Processor: Stripe provides us with transaction status and subscription information (not full card numbers)
3. How We Use Your Information
| Category of Data | Purpose of Use | Legal Basis |
|---|---|---|
| Account Information | Create and manage your account, authenticate access, send essential communications | Contract performance |
| Payment Information | Process subscriptions, manage billing, prevent fraud | Contract performance |
| Creative Content | Provide the Service: storage, AI assistance, character tracking, organization features | Contract performance |
| Usage Data | Improve Service, fix bugs, understand feature adoption, ensure security | Legitimate interest |
| Device/Log Data | Security monitoring, fraud prevention, troubleshooting | Legitimate interest |
What We NEVER Do With Your Data:
- Train AI or machine learning models on your creative content
- Sell your personal information to third parties
- Share your creative content with third parties
- Use your content for advertising or marketing
- Read your creative work (except when you explicitly request support assistance)
- Profile you for targeted advertising
4. AI Processing and Your Content
Tandem uses artificial intelligence (AI) powered by Amazon Web Services (AWS) Bedrock to provide features like brainstorming assistance, character tracking, and story organization. Here is exactly how AI interacts with your content:
4.1 How AI Processes Your Content
- Real-time Processing: When you use AI features, your content is sent to AWS Bedrock for processing and the response is returned to you immediately
- Session-based: AI interactions are processed in real-time; we do not maintain persistent AI memory of your content beyond what you store in your account
- Your Data Stays Yours: AWS Bedrock does not use customer inputs to train its models
4.2 What AI Does
- Responds to your questions about your story and characters
- Helps you brainstorm and think through plot challenges
- Identifies characters, locations, and story elements you've written to help you track them
- Organizes information you provide
4.3 What AI NEVER Does
- Generate prose, dialogue, or narrative text for your story
- Suggest changes to your writing style or voice
- Learn from your content to improve its own capabilities
- Store your content for training purposes
- Share your content with other users or third parties
No Training Commitment: Neither Tandem nor our AI infrastructure provider (AWS Bedrock) uses your creative content to train, fine-tune, or improve any AI or machine learning models. This is a firm, contractual commitment—not a default setting you need to opt out of.
5. Data Retention and Archival
5.1 Active Account
While your account is active, we retain all your data to provide the Service.
5.2 Account Cancellation and Archival
When you cancel your subscription:
- Archival Period: Your data is archived and retained for 6 months after cancellation
- Export Before Cancellation: You can export all your data before canceling using our export feature
- Reactivation: If you reactivate your subscription within 6 months, your archived data will be restored
- After 6 Months: Archived data is permanently deleted and cannot be recovered
5.3 Account Deletion
You may request immediate deletion of your account and all associated data at any time. Upon deletion request:
- Account information is deleted within 30 days
- Creative content is permanently deleted within 30 days
- Backups are purged on their regular rotation schedule (maximum 90 days)
- Anonymized usage analytics may be retained
5.4 Data Export
You can export your data at any time through your account settings. Exports include:
- All creative content (manuscripts, notes, characters, etc.)
- Account information
- Conversation history with AI assistant
Export formats: JSON, Markdown, and plain text.
6. Data Security
We implement comprehensive security measures to protect your data:
- Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
- Encryption at Rest: Your creative content is encrypted using AES-256 when stored on our servers
- Access Controls: Strict role-based access controls limit employee access to user data
- Infrastructure Security: Our services run on AWS with SOC 2 Type II compliance
- Password Security: Passwords are hashed using bcrypt with appropriate cost factors
- Regular Audits: We conduct regular security assessments and penetration testing
No system is 100% secure. If we discover a security breach affecting your data, we will notify you in accordance with applicable law.
7. Data Sharing and Disclosure
We do not sell your personal information. We do not share your creative content with third parties.
7.1 Service Providers
We share limited information with service providers who help us operate:
- Amazon Web Services (AWS): Cloud hosting and AI processing (AWS Bedrock)
- Stripe: Payment processing
- Email Service Provider: Transactional emails (account verification, password reset)
These providers are contractually bound to protect your information, use it only for the services they provide to us, and not use it for their own purposes.
7.2 Legal Requirements
We may disclose information if required by law, such as:
- Valid subpoena, court order, or government request
- To protect the safety of any person
- To protect our legal rights
We will notify you of legal requests when legally permitted to do so.
7.3 Business Transfers
If Tandem is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
8. Your Privacy Rights
Depending on your location, you have specific rights regarding your personal information.
8.1 Rights for All Users
Access
Request a copy of the personal information we hold about you
Export
Download your data in portable, machine-readable formats
Correction
Update or correct inaccurate personal information
Deletion
Request deletion of your account and personal information
8.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You can request details about the categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties we share it with
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions
- Right to Correct: You can request correction of inaccurate personal information
- Right to Opt-Out of Sale: We do not sell personal information, so this right does not apply
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
California "Shine the Light" Law: California residents may request information about disclosure of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their direct marketing purposes.
Categories of Personal Information Collected (Last 12 Months)
| Category | Collected | Sold | Disclosed for Business Purpose |
|---|---|---|---|
| Identifiers (name, email) | Yes | No | Yes (service providers) |
| Commercial Information (subscription) | Yes | No | Yes (payment processor) |
| Internet Activity (usage data) | Yes | No | Yes (analytics) |
| Professional Information | No | No | No |
| Sensitive Personal Information | No | No | No |
8.3 Canadian Residents (PIPEDA)
If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- Access: You can request access to your personal information held by us
- Correction: You can request correction of inaccurate or incomplete information
- Consent Withdrawal: You can withdraw consent for certain processing activities
- Complaint: You can file a complaint with the Office of the Privacy Commissioner of Canada
PIPEDA Compliance Statement
We comply with PIPEDA's ten fair information principles:
- Accountability: We are responsible for personal information under our control
- Identifying Purposes: We identify the purposes for collection at or before the time of collection
- Consent: We obtain meaningful consent for collection, use, and disclosure
- Limiting Collection: We collect only information necessary for identified purposes
- Limiting Use, Disclosure, and Retention: We use information only for stated purposes and retain it only as needed
- Accuracy: We keep personal information accurate and up-to-date
- Safeguards: We protect information with appropriate security measures
- Openness: We make our policies readily available
- Individual Access: We provide access to personal information upon request
- Challenging Compliance: We have procedures to address complaints
8.4 How to Exercise Your Rights
To exercise any of these rights:
- Self-Service: Many actions (export, deletion) can be performed directly in your account settings
- Email: Contact us at privacy@tandem.app
We will respond to verifiable requests within 45 days (CCPA) or 30 days (PIPEDA). We may require identity verification before processing requests.
9. Cookies and Tracking Technologies
We use minimal cookies necessary for the Service to function:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Authentication | Keep you logged in securely | Session / 30 days |
| Preferences | Remember your settings (theme, etc.) | 1 year |
| Security | CSRF protection, fraud prevention | Session |
| Analytics | Understand feature usage (no personal content analyzed) | 1 year |
We do not:
- Use tracking cookies for advertising
- Share cookie data with third-party advertisers
- Use cross-site tracking
- Sell data collected through cookies
Do Not Track: We honor Do Not Track (DNT) browser signals by disabling non-essential analytics.
10. Children's Privacy
Tandem is not intended for users under 13 years of age (or 16 in some jurisdictions). We do not knowingly collect personal information from children under 13.
If we discover that we have collected personal information from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@tandem.app.
11. International Data Transfers
Our Service is operated from the United States. If you are accessing the Service from Canada, your information will be transferred to and processed in the United States.
We ensure appropriate safeguards are in place for international data transfers, including:
- Standard contractual clauses with service providers
- Compliance with PIPEDA cross-border transfer requirements
- Use of service providers with appropriate certifications (SOC 2, etc.)
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last Updated" date at the top of this page
- For material changes, we will provide prominent notice (email notification or in-app notice)
- We will maintain an archive of previous versions upon request
Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights:
- Email: privacy@tandem.app
- Subject Line: Include "Privacy Request" for faster routing
For Canadian Residents: If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.
For California Residents: If you are not satisfied with our response, you may contact the California Attorney General's Office.
For general trust and transparency questions, please see our Trust Promise.
Our Commitment
We built Tandem because we believe writers deserve AI tools they can trust. Your creative work is yours—to own, to protect, to share on your terms. This policy exists to protect that fundamental right. We will never train on your content. We will never sell your data. Your words stay yours.