Privacy policy
Last updated: June 22, 2026
Tend (“we”, “us”), operated by Convect, helps small shops manage their Instagram DM and comment conversations with customers, and lists eligible shops on its public marketplace at tendto.you so nearby shoppers can discover them. This policy explains what personal data we collect when shop owners sign in and use the product, when shoppers browse the marketplace, why, and how we protect it.
Roles
Two kinds of personal data flow through Tend:
- Shop-owner data: your sign-in identity and the configuration you enter (menu, policies, notes). For this we are the data controller.
- Customer message content: the DMs and comments your shop receives from third-party Instagram users, and the order details (including any delivery address) that come out of them. For this content your shop is the data controller and Tend acts as a processor on your behalf, under instructions set by your use of the product. A data processing addendum (DPA) is available on request at hello@tendto.you.
What we collect
You can sign in three ways, and what we receive depends on which you use:
- Instagram: your Instagram user id, username, and an access token scoped to read your Instagram DMs and comments and to reply on your behalf (scopes: instagram_business_basic,instagram_business_manage_messages,instagram_business_manage_comments). We do not receive your email or phone number from Meta.
- Google: your name, email address, and Google account id, returned by Google when you choose to sign in with it.
- Email & password: the email address you register. Passwords are kept only as a salted hash, never in plain text. We send verification and password-reset emails to that address through our email provider, Resend.
We store the customer-facing DM threads your shop receives: message text, attachments, sender Instagram handle, and timestamps. If you use comment replies, we also store the public comments left on your Instagram posts that the feature reads and responds to (comment text, commenter handle, timestamps). We also store any shop policies, products, or notes you enter into the app yourself.
If you choose to enable the owner-call feature, we collect a phone number from you and verify it with a one-time SMS code. Your phone number is used only to call you when the bot needs a directive on a customer message; it is never shared with customers and never used for marketing.
Owner calls are recorded and transcribed for the duration of the call. We store the transcript turns and a written summary of what was decided so the resulting customer reply can be composed and audited. The audio itself is not retained.
If you join the waitlist before signing up, we collect the email address you submit. We use it only to contact you about beta access and you can ask for it to be removed at any time.
For paying accounts, we store billing-related identifiers from Stripe for your own Tend subscription (your Stripe customer id, subscription id, plan, status, and current-period end date). We do not see or store your card number, CVC, or bank details. Those live with Stripe.
To take payment from your own customers you can connect a card payment rail, and we store what we need to create checkouts on your behalf and to record the result. With Stripe Connect (the main option) we store your connected-account id and its charge status, and per order the Stripe Checkout Session / payment-intent id and whether it was paid. SumUp is an optional alternative (its access tokens, merchant code, and per-order checkout and transaction status). For non-card rails you offer (a Revolut handle, bank-transfer details, or “pay in person” instructions) we store the details you enter so we can show them to your customer. In every case we never see or store your customers' card or bank numbers; the connected provider handles those. This is separate from the Stripe subscription that bills you for Tend: there, Stripe is our payment processor; here, your own connected account collects money straight from your customers and Tend never holds the funds.
We track per-day usage counters (number of drafts produced, owner calls placed, call minutes used, inbound and outbound messages) for billing, capacity planning, and the in-app usage dashboard. These counters are aggregate per shop and don't contain message content.
When a customer gives a delivery address in a conversation, we store it on the order and send it to Google's Maps Geocoding API to turn it into coordinates, so the bot can check it against the delivery area you've drawn. That address is your customer's personal data; your shop is its controller, the same as for message content.
If you choose to connect your Google Calendar, we ask Google for permission to create and manage one calendar in your Google account (named “Tend”). We do not request, and Google does not grant us, access to your primary calendar or any other calendar you own or share, only the single calendar Tend creates. We store an OAuth refresh token, an OAuth access token, and your Google account email (so we can show “Connected as <email>” in Settings). Tokens are encrypted at rest with the same AES-256-GCM scheme used for Instagram tokens.
We log standard request metadata (timestamps, IP addresses, user agents) for security and debugging. These logs are retained for up to 90 days.
How we use it
DM and comment content is processed by AI models (currently provided by Anthropic via AWS Bedrock) to: classify customer messages, propose draft replies for your review, and surface order details. The shop owner reviews every draft before it's sent unless they explicitly enable an auto-send rule for safe routine confirmations.
We do not sell, rent, or share your data with advertisers. We do not use customer DM content to train AI models. The model providers we use have configured zero data retention for our traffic.
For shops that connect Google Calendar: when a booking is created, updated, or cancelled in Tend, we write the same information to your Tend calendar in Google: the booking time and duration, the product name, the customer name or Instagram handle, and any notes you saved on the appointment. We do not read events from your calendar, and we cannot see any of your other calendars.
Marketplace (tendto.you)
Tend runs a public marketplace at tendto.you where shoppers can find local shops. Your shop is listed there automatically once it meets the listing requirements: a claimed public shop handle, a shop name, a location, and a connected Instagram account. The listing is drawn from information you have already published or entered: your shop name and handle, your tagline and trade, your logo, your location at the precision you choose in Settings (a neighbourhood or area such as “Rathmines, Dublin 6”, or a full street address if you opt into that), your products and prices, your opening hours, your published answers to common questions, and your public Instagram posts (their captions and images). It does not include your DMs, your customers' messages, or your contact details. You choose your public location precision in Settings; your shop stays listed for as long as it continues to meet the listing requirements above.
To power search, this published shop content is turned into numerical embeddings by an embedding model running on AWS Bedrock (Cohere's model), including the images on your Instagram posts. When a shopper searches, their typed query is embedded the same way and matched against shops. Marketplace browsing is anonymous: shoppers don't need an account, and we store the search conversation (the queries typed and the results shown) to run the session and improve results. We don't attach it to a named person.
Google API user data
Tend's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google Calendar data only to provide the calendar sync feature you opted into, reflecting your Tend bookings on your phone & desktop alongside the rest of your life.
- We do not transfer Google user data to any third party except as necessary to provide that feature, comply with applicable law, or as part of a merger or acquisition with equivalent privacy protections.
- We do not use Google user data to serve advertisements.
- We do not allow humans to read Google user data unless we have your explicit consent for a specific message, it is necessary for security investigations or to comply with law, or it is aggregated and de-identified for internal operations.
You can disconnect Google Calendar at any time from Settings → Calendar in Tend, or by revoking access at myaccount.google.com/permissions. On disconnect we revoke our token at Google and delete the encrypted token + email from our database. The Tend calendar in your Google account remains under your control; you can delete or keep it as you wish.
Subprocessors
We rely on a small set of infrastructure providers to run the service:
- Meta Platforms: the source and delivery channel for Instagram DMs and comments, and for WhatsApp messages (including phone-number verification codes and owner notifications).
- Amazon Web Services: serverless compute (Lambda, EC2), queueing (SQS), photo storage (S3), and AI inference (Bedrock). Region: EU (Ireland).
- Anthropic: the AI model provider used through AWS Bedrock for classification and draft generation.
- Cohere: the embedding model used (through AWS Bedrock, in-region) to turn marketplace shop content and shopper search queries into vectors for semantic search. Accessed via Bedrock the same way as the Anthropic models above.
- Google: three distinct services: (i) the Gemini Live audio model, used during owner phone calls to converse with you and extract a directive (audio is processed in real time and not retained by Google for our traffic); (ii) Google Calendar, used to sync your Tend bookings into a dedicated calendar in your Google account if you opt in (scoped narrowly: we cannot read or write any calendar other than the single one Tend created); and (iii) Google Maps (Geocoding), used to turn a customer's delivery address into coordinates so the bot can test it against your delivery area.
- Stripe: processes your Tend subscription payments, and, via Stripe Connect, the card and bank-debit payments your shop takes from its own customers when you connect a Stripe account. Stripe stores the card / bank details; we never see card numbers, only Stripe identifiers, subscription state, and per-order payment status.
- SumUp: when a shop opts in, processes card payments from that shop's own customers (via hosted checkout links) and holds the underlying card details. We receive only SumUp tokens, a merchant code, and checkout / transaction status, never card numbers.
- Resend: sends our transactional emails (email-address verification and password resets) for accounts that sign in with email and password. Receives the recipient address and message content; never used for marketing.
- Vercel: hosts the web app and, for shops on a custom domain, serves that domain.
Cookies & local storage
We use a session cookie (set by our authentication library) to keep you signed in. We do not use third-party advertising cookies, analytics cookies, or tracking pixels. The app uses browser local storage only for non-tracking UI preferences.
Your rights
You can:
- Disconnect a linked account at any time: Instagram via its Settings → Apps and Websites, or Google via your Google account permissions. We'll receive the deauthorization signal (or revoke our own token) and immediately drop the linked credentials.
- Request access, correction, export, or deletion of all data associated with your account by emailing hello@tendto.you. We'll respond within 30 days.
- Use Meta's data deletion request flow; we honour those via the data-deletion callback registered with our Meta app.
- If you're in the EU/UK, you can lodge a complaint with your local data protection supervisory authority. The Irish Data Protection Commission is our lead authority.
Customers of your shop
If you're an Instagram user who has messaged a shop that uses Tend: your messages reach Tend only because you chose to contact that shop. Your shop is the controller of that content and is the right party to handle deletion or access requests in the first instance. You can also contact us directly at hello@tendto.you and we'll route or action the request as appropriate.
Children's privacy
Tend is a tool for shop owners and is not directed at children. We don't knowingly collect personal data from anyone under 16. If a customer message arrives that you believe came from a child, treat it according to your local rules and contact us if you need the data removed.
Data location and retention
All data is processed and stored in the European Union (AWS eu-west-1, Vercel EU regions where applicable). DM messages are retained for as long as your account is active; once your account is deleted, message data is removed within 30 days. Backups roll off within 90 days.
Security
Access tokens are stored encrypted at rest. Webhook payloads are HMAC-verified using your Meta app secret. Database connections are TLS-encrypted. We use IAM-scoped credentials for all infrastructure access, with no shared secrets between environments. No system is perfectly secure; we'll notify affected accounts without undue delay if we become aware of a breach.
Changes to this policy
We'll update this page when our practices change and bump the “Last updated” date above. Material changes will be communicated to active accounts via email.
Contact
Questions? Reach us at hello@tendto.you.