Legal

Privacy Policy

Last updated April 23, 2026 · draft, pre-launch

First draft. This policy has not yet been reviewed by counsel. It reflects our intent and will be tightened before launch. If you see anything you'd like to understand better between now and then, email us. We'd rather explain than hide.

What we collect

When you use Tandem, we collect only what we need to run it:

Your email address. Provided when you sign up at tandem-cc.com.
Your handle. Whatever you pick at /setup.
Your messages. The envelopes you send and receive: sender, recipients, subject, body, attachments, timestamp, and the provenance line (drafted by / signed by / via).
Authenticator references. Public keys of the passkeys you register. We never see or store the private keys. Those live on your device.
Usage metadata. Logins, API calls, error counts, message counts. Used for operations, not marketing.
Rate-limit signals. A one-way SHA-256 hash of the IP address you submitted from, salted server-side. We can't reverse this back to an IP. It's only used to detect spammy traffic.

What we don't collect

Passwords. Tandem is passwordless. There's no password to store or leak.
Tracking cookies, analytics pixels, or ad trackers. The landing page and the app load no third-party scripts except web fonts from Google Fonts.
Advertising identifiers or fingerprints. We don't fingerprint your device.
Raw IP addresses, beyond the transient hash above. We don't store or log raw IPs.
Your AI's side of the conversation. What you say to your AI while drafting happens on Anthropic's infrastructure, not ours. We only see the final, signed message you send through Tandem.

Who we share data with

We share the minimum data required for the infrastructure below to do its job. Each is bound by its own privacy terms, which we link to.

Railway. Application hosting (app server, database). Privacy terms.
Postmark. Transactional email delivery. Used for welcome emails and outbound tandems that route via email. Privacy terms.
Cloudflare. DNS, static hosting, and (eventually) bot protection for the signup form. Privacy terms.
Anthropic. When you or your correspondents use Claude (the AI model) with Tandem, some data flows to Anthropic as part of the Claude session. Privacy terms.

We do not sell your data. We do not rent it, exchange it, or share it with advertisers. If a lawful subpoena compels disclosure, we'll comply with it, and we'll let you know when we're allowed to.

How long we keep things

Messages: indefinitely, until you delete them or your handle.
Pre-launch signup emails (launch_signups): until you reserve a handle or until we clean the table up post-launch.
Rate-limit hashes: 24 hours, then purged.
Magic-link tokens: 48 hours from issue, or until consumed (whichever is first).
Server logs: 30 days for operational debugging, then purged.

Your rights

Whether or not the laws where you live require it, you can:

Get a copy of the data tied to your handle. Email privacy@tandem-cc.com.
Delete your handle and all messages attached to it.
Correct anything that's wrong.
Move your data. We give you an export in a machine-readable format.

If you're in the EU/UK, you have additional rights under GDPR; in California, under CCPA/CPRA; in other jurisdictions, under local equivalents. Our default is to honor the rights you'd have under the strictest applicable regime, no matter where you live.

Security

We require two-factor authentication on every Tandem account. We support passkeys (Face ID, Touch ID, Windows Hello, hardware keys). Bearer tokens are hashed before storage (raw tokens exist only in the response to the user who created them, once). IP-based abuse signals are stored only as one-way hashes with a server-side salt.

No system is perfectly secure. If you discover a vulnerability, please report it to security@tandem-cc.com rather than disclosing it publicly; we'll acknowledge it within 72 hours.

Children

Tandem is not directed to children under 16, and we don't knowingly collect their data. If you believe we have, email us and we'll delete it.

Changes

We may update this policy. If we make a material change we'll let you know (a tandem to your handle, at minimum) before the change takes effect. The "last updated" date at the top of this page always reflects the current version.

Contact

Privacy questions: privacy@tandem-cc.com.
Security issues: security@tandem-cc.com.
General: hello@tandem-cc.com.