Privacy Policy

1. Who We Are

Tenure (“Platform,” “we,” “our,” or “us”) is a consumer software service that provides individuals with a private, employer-independent record of their career — including documents, compensation history, equity grants, and lifecycle decision-support tools. We are not an employer, an HR software vendor, or a benefits administrator. We work for you.

Questions about this policy may be directed to: privacy@mytenure.app

2. The Core Promise

Before the details, here is what we will never do:

• We will never sell your data to your employer, a recruiter, an HR platform, or any third party for commercial purposes.
• We will never share your information with any current or former employer without your explicit, affirmative instruction.
• We will never sell your personal information to data brokers or advertising networks.
• We will never serve ads on authenticated surfaces of the Platform.
• We will never use your data to train AI models without your explicit, informed consent.

These commitments are not subject to carve-outs or future policy changes without prominent notice and, for material changes, your affirmative re-consent.

3. Information We Collect

3.1 Information You Provide Directly

When you create an account and use the Platform, you may provide:

• Identity and contact information: name, email address, phone number.
• Work history: employer names, job titles, employment dates, compensation events.
• Equity and financial data: grant types, strike prices, vest schedules, exercise decisions, account identifiers for employer-sponsored accounts.
• Documents: offer letters, equity agreements, separation agreements, performance reviews, employer correspondence, and other career-related files you choose to upload.
• Decisions and events: benefit elections, rollover destinations, exercise decisions, and other choices you log in the Platform.
• Accomplishments and notes: project descriptions, performance narratives, manager interactions, and other self-authored records.

3.2 Information We Collect Automatically

When you use the Platform, we collect limited technical information needed to operate the service:

• Log data: IP address, browser type, pages visited, and timestamps.
• Device information: operating system and browser version.
• Session and usage data: feature usage patterns and error reports, used to improve reliability.

We use privacy-respecting analytics (currently PostHog, configured without third-party tracking pixels on authenticated surfaces) and do not use advertising-network analytics tools.

3.3 Information from Optional Integrations

If you choose to connect optional integrations (such as calendar or email access for accomplishment auto-capture), we will explain exactly what data is accessed at the time of connection. These integrations are opt-in, can be revoked at any time, and the data accessed is used only for the feature you enabled.

4. How We Use Your Information

We use your information to:

• Operate and personalize the Platform — surfacing deadlines, decisions, and workflows relevant to your career phase.
• Provide AI-powered decision-support features that analyze your vault contents to help you navigate post-departure decisions, equity choices, benefits elections, and other lifecycle events.
• Send transactional communications: account confirmations, deadline reminders you have enabled, support responses, and security alerts.
• Improve the Platform through aggregate, non-identifying analysis of usage patterns.
• Fulfill legal obligations and enforce our Terms of Service.

We do not use your data for behavioral advertising, third-party data enrichment, or any purpose not listed above.

5. User-Held-Key Encryption for the Most Sensitive Documents

For documents in the most sensitive categories — including separation agreements, workplace complaint records, personal correspondence with employers, and draft documents in those categories — we apply an additional layer of protection: user-held-key encryption.

Under this scheme:

• Documents in these categories are encrypted such that the ciphertext stored on our servers cannot be read by our staff or systems without your authentication credential.
• Even in the event of a compelled-disclosure request (subpoena, government demand), we can only produce encrypted data that is not readable without your key.
• AI features that operate on these documents require your explicit, per-document or per-category opt-in. We do not process these documents without your affirmative action.

The specific document categories subject to user-held-key encryption are disclosed in the Platform's Security Settings, and you may review encryption status for any document in your vault at any time.

6. How We Share Your Information

6.1 We Do Not Sell Your Personal Information

We do not sell, rent, or trade your personal information to any third party. This applies to all tiers of service, including the free tier.

6.2 Service Providers

We share limited data with vendors who help us operate the Platform under strict contractual obligations:

• Cloud infrastructure and storage providers (currently Railway and Supabase) who store data in encrypted form.
• Payment processor (currently Stripe) for subscription billing — they receive payment information; we do not store card numbers.
• Email delivery provider (currently Resend) for transactional messages.
• Error monitoring and logging (currently Sentry) for platform reliability.

All service providers are contractually prohibited from using your data for their own purposes or sharing it further.

6.3 B2B2C Partners (Outplacement, Advisors, Law Firms)

If you access the Platform through a partner organization — such as an outplacement firm, financial advisor, or employment law firm — that partner may have provided a sponsored seat or co-branded experience. In those cases:

• The partner knows that you are using the Platform (they sponsored your access) but does not receive access to your vault contents.
• Partners receive only aggregate, anonymized utilization reports (e.g., seat activation rates). They never receive individual user data.
• Our B2B2C channel is restricted to outplacement providers, financial advisors, and employment law firms acting on your behalf. We do not partner with employers, recruiters, or HR platforms.

When a partner-sponsored period ends, your account and all vault contents remain yours. You may convert to a direct consumer subscription or export and delete your data.

6.4 Legal Requirements

We may disclose information if required by law, court order, or government demand. Where legally permitted, we will notify you before complying. For user-held-key-encrypted documents, we can only produce ciphertext — we do not have the ability to decrypt them on your behalf in response to third-party demands.

6.5 Business Transfers

If we are acquired or merge with another entity, your data may transfer to the successor. We will provide prominent notice and, if the acquirer's privacy practices materially differ from ours, give you the opportunity to export and delete your data before the transfer takes effect. The core commitments in Section 2 of this policy (never sharing with employers, never selling data) must be assumed by any acquirer as a condition of any transaction.

7. Data Retention

We retain your data for as long as you have an active account. When you close your account:

• Your account enters a 30-day soft-delete period during which you may reactivate.
• After 30 days, we initiate hard deletion across all primary systems, including encrypted document storage.
• Deletion from encrypted backups is completed within 90 days following the hard-delete trigger.
• We maintain a deletion log (containing only the fact that deletion occurred, not the deleted content) for compliance purposes.

There is no “deactivation” that preserves your data indefinitely. When you delete, your data is deleted.

8. Your Rights and Controls

You have the following rights with respect to your personal information:

• Access: Request a copy of the personal data we hold about you.
• Correction: Correct inaccurate information in your account.
• Deletion: Delete your account and all associated data as described above.
• Export: Download a complete, machine-readable export of your vault contents at any time, with no friction or “please don't go” interstitial.
• Restriction: Request that we restrict processing of your data in specific circumstances.
• Portability: Receive your data in a structured, commonly used format.
• Objection: Object to processing of your data for purposes beyond operating the service.

To exercise any of these rights, contact us at privacy@mytenure.app or use the data controls in your Account Settings. We will respond within 30 days.

Residents of California (CCPA), Virginia (VCDPA), and other states with applicable privacy laws have additional rights as described in Section 12.

9. AI Features and Your Data

The Platform uses AI (currently the Anthropic Claude API) to power document analysis, decision-support workflows, and natural-language guidance. Here is how AI interacts with your data:

• AI features process only the documents and data you actively submit to them. We do not run background AI analysis on your vault without your action.
• For user-held-key-encrypted documents, AI processing requires your explicit opt-in per document or per category.
• AI outputs on regulated surfaces (tax, benefits, employment law, equity decisions) are framed as decision-support, not advice. Each surface carries a plain-English disclosure noting that we are not your tax advisor, lawyer, or financial advisor.
• We do not use your data to train or fine-tune AI models. Your vault contents are inputs to inference, not training data.
• We maintain a model-agnostic architecture; the AI provider may change. Any change to the AI provider that affects data handling will be disclosed to you in advance.

10. Security

We take security seriously given the sensitivity of the data in your vault. Our measures include:

• Encryption at rest: all vault data is encrypted at rest. Sensitive document categories use user-held-key encryption (Section 5).
• Encryption in transit: all data in transit uses TLS 1.2 or higher.
• Access controls: staff access to user data is role-based, logged immutably, and requires a documented reason for every access event. Staff cannot read user-held-key-encrypted documents.
• Authentication: we support TOTP-based two-factor authentication (strongly recommended) and passkey/WebAuthn login. High-sensitivity admin actions require step-up re-authentication.
• Audit log: all administrative actions affecting your account are written to an append-only, immutable audit log.
• Third-party security assessment: we target SOC 2 Type II certification by end of Year 2.

In the event of a security incident affecting your data, we will notify you promptly and transparently — including what happened, what data was affected, and what we are doing about it.

11. Children's Privacy

The Platform is not intended for or directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected information from a minor, we will delete it promptly. If you believe a minor has created an account, please contact us at privacy@mytenure.app.

12. State-Specific Privacy Rights

California (CCPA/CPRA)

California residents have the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information as defined under California law. To submit a request, contact us at privacy@mytenure.app. We will not discriminate against you for exercising your rights.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Other States

Residents of states with applicable consumer privacy laws have similar rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising (which we do not engage in). To exercise these rights, contact us at privacy@mytenure.app.

13. Cookies and Tracking

We use a minimal set of cookies necessary to operate the Platform:

• Session cookies to maintain your authenticated session.
• Preference cookies to remember your settings.
• Analytics cookies from our privacy-respecting analytics provider (PostHog), configured without cross-site tracking.

We do not use advertising cookies, third-party tracking pixels, or ad-network analytics on authenticated surfaces. On public marketing pages, we may use standard analytics tools subject to our cookie policy.

14. Changes to This Policy

We will notify you of material changes to this Privacy Policy by email (to the address on your account) and by in-app notice at least 30 days before the change takes effect. For changes that materially reduce your privacy protections — including any change to the core commitments in Section 2 — we will seek your affirmative re-consent before the change applies to your data.

The effective date at the top of this document reflects the most recent revision. Prior versions are available upon request.

15. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, please contact us:

We take privacy concerns seriously and will respond within 30 days. If you are not satisfied with our response, you may have the right to lodge a complaint with your applicable state privacy authority.