Privacy Policy

Last updated: March 20, 2026

1. Introduction

Tyndal ("we," "our," or "us") operates the Tyndal AI agent platform at tyndal.ai. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website, web application, and any associated services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, and password when you create an account.
  • Profile information: Business name, role, preferences, and other details you provide during onboarding.
  • Phone number: If you enable SMS or messaging channels, the phone number(s) you register.
  • Conversation data: Messages you send to and receive from your AI agent across all connected channels.
  • Integration credentials: OAuth tokens and API keys for third-party services you connect (stored encrypted).
  • Payment information: Billing details processed through our payment provider (we do not store credit card numbers directly).

2.2 Information Collected Automatically

  • Usage data: How you interact with the Service, including features used, messages sent, and tools invoked.
  • Device information: Browser type, operating system, IP address, and device identifiers.
  • Log data: Server logs including access times, pages viewed, and referring URLs.

2.3 Information from Third-Party Integrations

When you connect third-party services (Gmail, Google Calendar, Slack, Discord, etc.), we access data from those services only as authorized by you and only to provide the Service. This may include emails, calendar events, messages, and documents - accessed on your behalf by your AI agent.

2.4 Multi-Channel Data Collection

Your AI agent may communicate with you across multiple channels simultaneously, including web chat, email, SMS (via Twilio), Discord, Slack, WhatsApp, and Telegram. You should be aware that:

  • Conversation data from all connected channels feeds into your agent's unified memory. Your agent builds a single, holistic understanding of your preferences and context regardless of which channel you use.
  • Messages sent via third-party channels are processed through their respective infrastructure (e.g., Twilio for SMS, Discord for Discord messages) before reaching Tyndal. Those providers' privacy policies also apply to the transmission of your messages.
  • Channel-specific metadata (e.g., email headers, SMS carrier data, Discord user IDs) may be collected as part of message delivery.

3. AI Memory and Learning

Persistent, evolving memory is a core feature of the Tyndal platform. This section explains how your AI agent learns and remembers.

3.1 What Your Agent Remembers

Your AI agent builds and maintains several types of memory:

  • Knowledge graph: Entities (people, places, organizations) and the relationships between them, extracted from your conversations and connected data sources.
  • Episodic memory: Summaries of past conversations and events, providing context for future interactions.
  • Procedural memory: Learned workflows, preferences, and routines (e.g., "when I say 'schedule standup,' create a 15-minute meeting at 9 AM").
  • Working memory: Short-term context used during active conversations.

3.2 How Memory Is Built

  • Passive extraction: Your agent automatically extracts facts, preferences, and relationships from your conversations. For example, if you mention "my daughter starts college in September," the agent may store this as a fact in your knowledge graph.
  • Active instruction: You can explicitly tell your agent to remember or forget specific information.
  • Integration data: When you connect services (email, calendar, etc.), your agent may extract relevant information from that data to build context.

3.3 Memory Decay

To keep your agent's memory relevant and current, the platform applies confidence decay to stored information. Memories that are not reinforced through ongoing interactions gradually decrease in confidence over time. Low-confidence memories may eventually be archived or removed. Safety-critical information (such as allergies or emergency contacts you have explicitly flagged) is preserved indefinitely regardless of decay.

3.4 Your Control Over Memory

You have full control over your agent's memory:

  • View: You can browse your agent's knowledge graph and stored memories at any time through the Service.
  • Correct: You can edit or correct any stored fact or relationship.
  • Delete: You can delete individual memories, categories of memory, or all memory data entirely.
  • Export: You can export your agent's memory data in structured formats (see Section 8).

4. How We Use Your Information

  • Provide, maintain, and improve the Service.
  • Build and maintain your AI agent's knowledge graph and memory as described in Section 3.
  • Process messages through AI language models to generate agent responses.
  • Authenticate your identity and manage your account.
  • Process payments and manage subscriptions.
  • Send you service-related communications (account confirmations, security alerts, updates).
  • Monitor and analyze aggregate, anonymized usage patterns to improve the Service.
  • Detect, prevent, and address technical issues and security threats.
  • Comply with legal obligations.

We will not use Your Data to train AI models. Your conversations, knowledge graph, and agent memory are used solely to provide the Service to you. "Improving the Service" means analyzing aggregate, anonymized usage patterns (e.g., feature adoption, error rates) - not training models on your content.

5. How We Share Your Information

We do not sell, rent, or share your personal information for marketing purposes. We may share information in the following circumstances:

  • AI model providers: Conversation content is sent to third-party AI providers to generate agent responses. We currently use Anthropic (Claude) as our primary AI provider. The platform's model routing system may direct your messages to different model tiers based on task complexity (e.g., simpler models for routine queries, more capable models for complex reasoning). All providers operate under data processing agreements that prohibit them from using your data for model training. Links to provider privacy policies are available at tyndal.ai/providers.
  • Messaging providers: When you use SMS, your messages are transmitted through Twilio. When you use Discord, Slack, WhatsApp, Telegram, or other channels, messages pass through those platforms' infrastructure. Each provider's privacy policy applies to the transmission of your data.
  • Third-party integrations: When you connect services (Google Workspace, GitHub, etc.), data flows between Tyndal and those services as authorized by you. Your agent reads data from these services on your behalf and may store relevant information in your knowledge graph.
  • Service providers: We use trusted third-party vendors for hosting (Amazon Web Services), payment processing, and infrastructure operations.
  • Legal compliance: When required by law, subpoena, or legal process.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. Autonomous Agent Actions

Your AI agent can take actions on your behalf through connected integrations, such as sending emails, scheduling calendar events, managing tasks, and executing workflows. When your agent takes these actions:

  • The agent accesses only the data necessary to complete the requested action (minimum necessary principle).
  • Actions may be subject to configurable approval gates - you can require explicit confirmation before certain actions are executed.
  • The agent may read content from connected services (e.g., email content to draft a reply, calendar data to suggest a meeting time) and may store relevant context in your knowledge graph.
  • Integration credentials are stored in encrypted vaults and are never exposed to the AI model directly - the platform handles authentication on your behalf.

7. Data Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Integration credentials are stored in encrypted vaults, separate from application data.
  • Multi-tenant isolation ensures your data is logically separated from other users at the database level. Your agent's memory is completely separate from other tenants' agents.
  • Information barriers prevent unauthorized access between users within the same organization, enforcing per-client data isolation.
  • Row-level security (RLS) is enforced at the database level, ensuring queries can only return data belonging to the authenticated tenant.
  • Regular security audits, penetration testing, and vulnerability assessments.
  • Platform employee access to tenant data is limited, logged, and auditable.

8. Data Retention

8.1 While Your Account Is Active

  • Conversation logs: Raw conversation transcripts are retained for the duration of your account to enable context, search, and continuity.
  • Knowledge graph: Entities, relationships, and facts are retained and subject to the confidence decay process described in Section 3.3. Low-confidence data may be archived automatically.
  • Episodic memory: Conversation summaries and event records are retained and subject to decay.
  • Integration data: Data from connected services (emails, calendar events, etc.) is accessed on-demand where possible. Cached data is refreshed periodically and not retained beyond what is needed for agent context.
  • Safety-critical information: Information you explicitly flag as safety-critical (allergies, emergency contacts, critical medical information) is preserved indefinitely and exempt from decay.

8.2 After Account Deletion

When you delete your account or request data deletion, we will remove your data within 30 days of account deactivation. This includes:

  • All conversation logs and transcripts.
  • All knowledge graph data, including entities, relationships, and derived memories.
  • All episodic and procedural memory data.
  • All cached integration data.
  • Your account information and profile.

Data in encrypted backups will be purged within 90 days of account deletion as backups rotate. We may retain anonymized, aggregated data that cannot be used to identify you. Data required by law (e.g., billing records) will be retained for the legally mandated period.

9. Cookies and Tracking Technologies

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Preference cookies: Store your settings and UI preferences (theme, language, layout).
  • Analytics: We use privacy-respecting analytics to understand aggregate usage patterns (e.g., feature adoption, page views). We do not use third-party advertising trackers.
  • Local storage: The web application may store data in your browser's local storage for performance and offline functionality.

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.

10. SMS/Messaging Communications

If you enable SMS or messaging channels for your AI agent, you consent to receiving messages from your agent at the phone number(s) you provide. Please review the SMS/Messaging Terms in our Terms of Service (Section 9) for complete details on opt-out procedures, message frequency, and carrier disclosures.

We do not share your phone number with third parties for marketing purposes. Phone numbers are used solely to deliver your AI agent's responses via the Twilio messaging platform, subject to Twilio's Privacy Policy.

11. Your Privacy Rights

11.1 General Rights

All users may:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Delete your personal data (subject to Section 8.2).
  • Export your data in portable formats (JSON, CSV).
  • Object to or restrict processing of your data.
  • Withdraw consent at any time.

11.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of your personal information, subject to legal exceptions.
  • Right to opt out of sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information: You may limit our use of sensitive personal information to what is necessary to provide the Service.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of personal information collected: Identifiers (name, email, phone number, IP address); commercial information (subscription history, payment records); internet/electronic activity (usage data, log data); professional information (business name, role); and inferences drawn from the above (agent knowledge graph, learned preferences).

To submit a verifiable consumer request, email privacy@tyndal.ai or use the privacy controls in your account settings. We will respond within 45 days.

11.3 Utah Residents (UCPA)

If you are a Utah resident, you have rights under the Utah Consumer Privacy Act (UCPA), including the right to access, delete, and obtain a portable copy of your personal data, and the right to opt out of targeted advertising and the sale of personal data. We do not sell personal data or engage in targeted advertising. To exercise your rights, contact privacy@tyndal.ai.

12. HIPAA Compliance

For users handling protected health information (PHI), Tyndal provides HIPAA-ready infrastructure. If you intend to process PHI through the Service, you must:

  • Enter into a Business Associate Agreement (BAA) with Tyndal before processing any PHI. Contact compliance@tyndal.ai to initiate a BAA.
  • Enable HIPAA-compliant settings on your account (enhanced audit logging, restricted access controls, PHI-specific data handling).

Our HIPAA-ready infrastructure includes:

  • Encryption: PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access controls: Role-based access, minimum necessary standard enforcement, and per-client data isolation.
  • Audit logging: Comprehensive, immutable audit logs of all access to and actions on PHI, retained for a minimum of six years.
  • Breach notification: In the event of a breach involving PHI, we will notify affected individuals and the Department of Health and Human Services within 60 days as required by the HIPAA Breach Notification Rule.
  • Employee safeguards: Tyndal personnel with potential access to PHI-handling environments receive HIPAA training and operate under strict access controls.

13. International Data Transfers

The Service is hosted on Amazon Web Services (AWS) in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, we will implement appropriate safeguards (such as Standard Contractual Clauses) upon request. Contact privacy@tyndal.ai for details.

14. Data Processing Agreements

Business customers in regulated industries may require a Data Processing Agreement (DPA). DPAs are available for customers on Team and Enterprise plans. Contact legal@tyndal.ai to request a DPA.

15. Children's Privacy

The Service is not intended for individuals under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect information from anyone under 18. If you believe we have collected such information, please contact us immediately at privacy@tyndal.ai and we will delete it promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page, updating the "Last updated" date, and sending a notification through the Service or via email. Your continued use of the Service after changes constitutes acceptance of the updated policy.

17. Contact Us

If you have questions about this Privacy Policy, please contact us:

  • Privacy inquiries: privacy@tyndal.ai
  • HIPAA/compliance: compliance@tyndal.ai
  • General: support@tyndal.ai
  • Website: https://tyndal.ai