Privacy Policy
Last reviewed by the DPO on 28 April 2025.
Tandem Processor Privacy Notice
Effective 28 April 2025 – replaces all prior versions
1. Who We Are
| Legal entity | Role | Address | Registration |
| --- | --- | --- | --- |
| Tandem App, Inc. | Main processor & service provider | 490 Post St, Suite 640, San Francisco CA 94102, USA | EIN 33-2652774 |
| Tandem SAS (Art 27 EU Representative) | EU representative & sub-processor | 3 Bd de Sébastopol, 75001 Paris, France | SIRET 932 271 000 00014 |
Contact
Email: privacy@usetandem.ai
DPO: Manuel Darcemont (CTO) – manuel@usetandem.ai – +33 6 22 17 16 04
2. Scope
This Notice applies to all Personal Data that Tandem receives from or on behalf of a Customer through the Tandem “AI Success Agent” platform (including Recorder SDK and analytics APIs).
3. Roles & Responsibilities
Customer = Data Controller – decides the purposes and means of processing.
Tandem = Data Processor / Service Provider in the meaning of GDPR Art 4(8), UK GDPR, Swiss FADP and all U.S. state privacy laws.
Processing terms are governed by the Tandem Data Processing Agreement (“DPA”).
4. Categories of Personal Data Processed
If the site uses third-party tools (such as Google Analytics, Framer hosting, or embedded forms), those services may collect anonymous usage data. Please review their privacy policies for more information.
| Category | Typical data points |
| --- | --- |
| Identification | name, work-email, phone (if provided) |
| Employment | company name, role |
| Interaction data | page views, click streams, navigation patterns, chat transcripts with the AI agent |
| Technical | IP address, user-agent string, geolocation (city/region), referrer URLs |
| Usage analytics | feature adoption events, success metrics |
| Optional / Customer-supplied custom fields | any other data the Controller elects to send via the Tandem API or SDK |
*Tandem does not knowingly collect children’s data (< 13 US / 16 EEA)
5. Purposes of Processing (on behalf of the Controller)
Deliver contextual onboarding and in-app guidance
Measure and improve user flows and feature adoption
Generate aggregated, Customer-level performance reports
Maintain platform security, availability and fraud prevention
6. Lawful Bases (as determined by the Controller)
Controllers typically rely on Legitimate Interests, Contract Performance or End-user Consent under GDPR Art 6. Tandem processes only under documented instructions (GDPR Art 28 §3).
7. Data Retention
| Data set | Default retention | Rationale |
| --- | --- | --- |
| Raw session recordings | 90 days | UX debugging window |
| Derived analytics & metrics | 24 months | Trend and cohort analysis |
| Support logs | 13 months | Security forensics |
| Back-ups | 35 days rolling | Disaster recovery |
| End of engagement | All Customer data erased or returned within 30 days after contract termination | Disaster recovery |
*Custom schedules can be agreed in the DPA.
8. International Transfers
EEA/UK → US: Covered by the EU-US & UK-US Data Privacy Frameworks and Standard Contractual Clauses.
Sub-processors inside EEA (AWS eu-central-1 / eu-west-1, Azure westeurope) rely on adequacy.
Switzerland: transfers rely on the Swiss-US Data Privacy Framework or SCCs.
9. Sub-processors
A live list (with locations and purpose) is maintained at https://www.tandem-ai.link/compliance. Customers receive 60-day advance notice of new sub-processors and may object per the DPA.
10. Security Measures
SOC 2 Type 2 audited (period 13 Jan – 14 Apr 2025)
Encryption in transit (TLS 1.2+) & at rest (AES-256)
Role-based access; MFA for privileged users
Daily full back-ups + intra-day incrementals in separate AWS region
24 h breach notification commitment (Art 33 GDPR & state laws)
Last external penetration test: 23 Apr 2025 – no issues found
Details are set out in Appendix 2 of the DPA.
11. Cookies & Similar Tracking
Tandem SDKs use first-party cookies/local-storage solely for session continuity and analytics. Controllers must obtain any consent required under the EU ePrivacy Directive or equivalent state laws. See our Cookie Notice for identifier lifetimes and opt-out instructions.
12. Automated Decision-Making / Profiling
Tandem’s AI Success Agents adjust in-app prompts based on user behaviour. The processing does not produce legal or similarly significant effects on individuals. End-users may nevertheless object (see §13).
13. Your Rights (Data Subjects)
Depending on your jurisdiction you may, through the relevant Controller, request:
Access, rectification, erasure, portability
Restriction or objection to processing
Opt-out of targeted advertising / sale / sharing (U.S. state laws)
Not to be subject to fully automated decisions with legal or significant effects
How to exercise: Contact the website or app owner (Tandem’s Customer). Tandem will support Controllers and respond within 48 h to rights-request relays from Controllers, per DPA §6.
California & Multi-State Privacy Rights
Residents of California, Colorado, Connecticut, Delaware, Iowa, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia have additional rights under their state consumer-privacy laws, including the right to opt out of the sale or sharing of Personal Data and of targeted advertising. Controllers must surface a “Do Not Sell or Share My Personal Information” link or honour the Global Privacy Control signal where required.
14. Supervisory-Authority Complaints
EEA residents may lodge a complaint with their local data-protection authority. Tandem’s lead authority for processor-level activities is CNIL (France).
15. Changes to This Notice
We will post any material updates here and e-mail Customers 30 days in advance. The “Effective” date at the top will change accordingly.
16. Contact
General Support (24 x 7): support@usetandem.ai
Urgent security/privacy: Christophe Barre – christophe@usetandem.ai – +33 6 22 17 16 04