TendSign in

Privacy policy

Last updated: June 13, 2026

Tend (“we”, “us”), operated by Convect, helps small shops manage their Instagram DM and comment conversations with customers. This policy explains what personal data we collect when shop owners sign in and use the product, why, and how we protect it.

Roles

Two kinds of personal data flow through Tend:

  • Shop-owner data: your sign-in identity and the configuration you enter (menu, policies, notes). For this we are the data controller.
  • Customer message content: the DMs and comments your shop receives from third-party Instagram users, and the order details (including any delivery address) that come out of them. For this content your shop is the data controller and Tend acts as a processor on your behalf, under instructions set by your use of the product. A data processing addendum (DPA) is available on request at hello@tendbyconvect.app.

What we collect

You can sign in three ways, and what we receive depends on which you use:

  • Instagram: your Instagram user id, username, and an access token scoped to read your Instagram DMs and comments and to reply on your behalf (scopes: instagram_business_basic, instagram_business_manage_messages, instagram_business_manage_comments). We do not receive your email or phone number from Meta.
  • Google: your name, email address, and Google account id, returned by Google when you choose to sign in with it.
  • Email & password: the email address you register. Passwords are kept only as a salted hash, never in plain text. We send verification and password-reset emails to that address through our email provider, Resend.

We store the customer-facing DM threads your shop receives: message text, attachments, sender Instagram handle, and timestamps. If you use comment replies, we also store the public comments left on your Instagram posts that the feature reads and responds to (comment text, commenter handle, timestamps). We also store any shop policies, products, or notes you enter into the app yourself.

If you choose to enable the owner-call feature, we collect a phone number from you and verify it with a one-time SMS code. Your phone number is used only to call you when the bot needs a directive on a customer message; it is never shared with customers and never used for marketing.

Owner calls are recorded and transcribed for the duration of the call. We store the transcript turns and a written summary of what was decided so the resulting customer reply can be composed and audited. The audio itself is not retained.

If you join the waitlist before signing up, we collect the email address you submit. We use it only to contact you about beta access and you can ask for it to be removed at any time.

For paying accounts, we store billing-related identifiers from Stripe for your own Tend subscription (your Stripe customer id, subscription id, plan, status, and current-period end date). We do not see or store your card number, CVC, or bank details. Those live with Stripe.

If you connect SumUp to take card payments from your own customers, we store the SumUp access tokens and merchant code we need to create checkouts on your behalf, plus, per order, the SumUp checkout and transaction ids and the resulting payment status. We never see or store your customers' card numbers; those are handled entirely by SumUp. (Stripe bills you for Tend; SumUp is how your shop charges its own customers. They are separate.)

We track per-day usage counters (number of drafts produced, owner calls placed, call minutes used, inbound and outbound messages) for billing, capacity planning, and the in-app usage dashboard. These counters are aggregate per shop and don't contain message content.

When a customer gives a delivery address in a conversation, we store it on the order and send it to Google's Maps Geocoding API to turn it into coordinates, so the bot can check it against the delivery area you've drawn. That address is your customer's personal data; your shop is its controller, the same as for message content.

If you choose to connect your Google Calendar, we ask Google for permission to create and manage one calendar in your Google account (named “Tend”). We do not request, and Google does not grant us, access to your primary calendar or any other calendar you own or share, only the single calendar Tend creates. We store an OAuth refresh token, an OAuth access token, and your Google account email (so we can show “Connected as <email>” in Settings). Tokens are encrypted at rest with the same AES-256-GCM scheme used for Instagram tokens.

We log standard request metadata (timestamps, IP addresses, user agents) for security and debugging. These logs are retained for up to 90 days.

How we use it

DM and comment content is processed by AI models (currently provided by Anthropic via AWS Bedrock) to: classify customer messages, propose draft replies for your review, and surface order details. The shop owner reviews every draft before it's sent unless they explicitly enable an auto-send rule for safe routine confirmations.

We do not sell, rent, or share your data with advertisers. We do not use customer DM content to train AI models. The model providers we use have configured zero data retention for our traffic.

For shops that connect Google Calendar: when a booking is created, updated, or cancelled in Tend, we write the same information to your Tend calendar in Google. The booking time and duration, the product name, the customer name or Instagram handle, and any notes you saved on the appointment. We do not read events from your calendar, and we cannot see any of your other calendars.

Google API user data

Tend's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google Calendar data only to provide the calendar sync feature you opted into, reflecting your Tend bookings on your phone & desktop alongside the rest of your life.
  • We do not transfer Google user data to any third party except as necessary to provide that feature, comply with applicable law, or as part of a merger or acquisition with equivalent privacy protections.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data unless we have your explicit consent for a specific message, it is necessary for security investigations or to comply with law, or it is aggregated and de-identified for internal operations.

You can disconnect Google Calendar at any time from Settings → Calendar in Tend, or by revoking access at myaccount.google.com/permissions. On disconnect we revoke our token at Google and delete the encrypted token + email from our database. The Tend calendar in your Google account remains under your control; you can delete or keep it as you wish.

Subprocessors

We rely on a small set of infrastructure providers to run the service:

  • Meta Platforms: the source and delivery channel for Instagram DMs and comments, and for WhatsApp messages (including phone-number verification codes and owner notifications).
  • Amazon Web Services: serverless compute (Lambda, EC2), queueing (SQS), photo storage (S3), and AI inference (Bedrock). Region: EU (Ireland).
  • Anthropic: the AI model provider used through AWS Bedrock for classification and draft generation.
  • Google: three distinct services: (i) the Gemini Live audio model, used during owner phone calls to converse with you and extract a directive (audio is processed in real time and not retained by Google for our traffic); (ii) Google Calendar, used to sync your Tend bookings into a dedicated calendar in your Google account if you opt in (scoped narrowly: we cannot read or write any calendar other than the single one Tend created); and (iii) Google Maps (Geocoding), used to turn a customer's delivery address into coordinates so the bot can test it against your delivery area.
  • Stripe: processes your Tend subscription payments and stores your card / bank details. We never see your card number; we receive only Stripe identifiers and subscription state.
  • SumUp: when a shop opts in, processes card payments from that shop's own customers (via hosted checkout links) and holds the underlying card details. We receive only SumUp tokens, a merchant code, and checkout / transaction status, never card numbers.
  • Resend: sends our transactional emails (email-address verification and password resets) for accounts that sign in with email and password. Receives the recipient address and message content; never used for marketing.
  • Vercel: hosts the web app and, for shops on a custom domain, serves that domain.

Cookies & local storage

We use a session cookie (set by our authentication library) to keep you signed in. We do not use third-party advertising cookies, analytics cookies, or tracking pixels. The app uses browser local storage only for non-tracking UI preferences.

Your rights

You can:

  • Disconnect a linked account at any time: Instagram via its Settings → Apps and Websites, or Google via your Google account permissions. We'll receive the deauthorization signal (or revoke our own token) and immediately drop the linked credentials.
  • Request access, correction, export, or deletion of all data associated with your account by emailing hello@tendbyconvect.app. We'll respond within 30 days.
  • Use Meta's data deletion request flow; we honour those via the data-deletion callback registered with our Meta app.
  • If you're in the EU/UK, you can lodge a complaint with your local data protection supervisory authority. The Irish Data Protection Commission is our lead authority.

Customers of your shop

If you're an Instagram user who has messaged a shop that uses Tend: your messages reach Tend only because you chose to contact that shop. Your shop is the controller of that content and is the right party to handle deletion or access requests in the first instance. You can also contact us directly at hello@tendbyconvect.app and we'll route or action the request as appropriate.

Children's privacy

Tendis a tool for shop owners and is not directed at children. We don't knowingly collect personal data from anyone under 16. If a customer message arrives that you believe came from a child, treat it according to your local rules and contact us if you need the data removed.

Data location and retention

All data is processed and stored in the European Union (AWS eu-west-1, Vercel EU regions where applicable). DM messages are retained for as long as your account is active; once your account is deleted, message data is removed within 30 days. Backups roll off within 90 days.

Security

Access tokens are stored encrypted at rest. Webhook payloads are HMAC-verified using your Meta app secret. Database connections are TLS-encrypted. We use IAM-scoped credentials for all infrastructure access, with no shared secrets between environments. No system is perfectly secure; we'll notify affected accounts without undue delay if we become aware of a breach.

Changes to this policy

We'll update this page when our practices change and bump the “Last updated” date above. Material changes will be communicated to active accounts via email.

Contact

Questions? Reach us at hello@tendbyconvect.app.