Privacy Policy

Last reviewed by the DPO on 28 April 2025.

Tandem Processor Privacy Notice

Effective 28 April 2025 – replaces all prior versions

1. Who We Are

| Legal entity | Role | Address | Registration |
| --- | --- | --- | --- |
| Tandem App, Inc. | Main processor & service provider | 490 Post St, Suite 640, San Francisco CA 94102, USA | EIN 33-2652774 |
| Tandem SAS (Art 27 EU Representative) | EU representative & sub-processor | 3 Bd de Sébastopol, 75001 Paris, France | SIRET 932 271 000 00014 |

Contact
Email: privacy@usetandem.ai
DPO: Manuel Darcemont (CTO) – manuel@usetandem.ai – +33 6 22 17 16 04

2. Scope

This Notice applies to all Personal Data that Tandem receives from or on behalf of a Customer through the Tandem “AI Success Agent” platform (including Recorder SDK and analytics APIs).

3. Roles & Responsibilities

  • Customer = Data Controller – decides the purposes and means of processing.

  • Tandem = Data Processor / Service Provider in the meaning of GDPR Art 4(8), UK GDPR, Swiss FADP and all U.S. state privacy laws.

  • Processing terms are governed by the Tandem Data Processing Agreement (“DPA”).

4. Categories of Personal Data Processed

If the site uses third-party tools (such as Google Analytics, Framer hosting, or embedded forms), those services may collect anonymous usage data. Please review their privacy policies for more information.

| Category | Typical data points |
| --- | --- |
| Identification | name, work-email, phone (if provided) |
| Employment | company name, role |
| Interaction data | page views, click streams, navigation patterns, chat transcripts with the AI agent |
| Technical | IP address, user-agent string, geolocation (city/region), referrer URLs |
| Usage analytics | feature adoption events, success metrics |
| Optional / Customer-supplied custom fields | any other data the Controller elects to send via the Tandem API or SDK |

*Tandem does not knowingly collect children’s data (< 13 US / 16 EEA)

5. Purposes of Processing (on behalf of the Controller)

  1. Deliver contextual onboarding and in-app guidance

  2. Measure and improve user flows and feature adoption

  3. Generate aggregated, Customer-level performance reports

  4. Maintain platform security, availability and fraud prevention

6. Lawful Bases (as determined by the Controller)

Controllers typically rely on Legitimate Interests, Contract Performance or End-user Consent under GDPR Art 6. Tandem processes only under documented instructions (GDPR Art 28 §3).

7. Data Retention

| Data set | Default retention | Rationale |
| --- | --- | --- |
| Raw session recordings | 90 days | UX debugging window |
| Derived analytics & metrics | 24 months | Trend and cohort analysis |
| Support logs | 13 months | Security forensics |
| Back-ups | 35 days rolling | Disaster recovery |
| End of engagement | All Customer data erased or returned within 30 days after contract termination | Disaster recovery |

*Custom schedules can be agreed in the DPA.

8. International Transfers

  • EEA/UK → US: Covered by the EU-US & UK-US Data Privacy Frameworks and Standard Contractual Clauses.

  • Sub-processors inside EEA (AWS eu-central-1 / eu-west-1, Azure westeurope) rely on adequacy.

  • Switzerland: transfers rely on the Swiss-US Data Privacy Framework or SCCs.

9. Sub-processors

A live list (with locations and purpose) is maintained at https://www.tandem-ai.link/compliance. Customers receive 60-day advance notice of new sub-processors and may object per the DPA.

10. Security Measures

  • SOC 2 Type 2 audited (period 13 Jan – 14 Apr 2025)

  • Encryption in transit (TLS 1.2+) & at rest (AES-256)

  • Role-based access; MFA for privileged users

  • Daily full back-ups + intra-day incrementals in separate AWS region

  • 24 h breach notification commitment (Art 33 GDPR & state laws)

  • Last external penetration test: 23 Apr 2025 – no issues found

Details are set out in Appendix 2 of the DPA.

11. Cookies & Similar Tracking

Tandem SDKs use first-party cookies/local-storage solely for session continuity and analytics.  Controllers must obtain any consent required under the EU ePrivacy Directive or equivalent state laws.  See our Cookie Notice for identifier lifetimes and opt-out instructions.

12. Automated Decision-Making / Profiling

Tandem’s AI Success Agents adjust in-app prompts based on user behaviour. The processing does not produce legal or similarly significant effects on individuals. End-users may nevertheless object (see §13).

13. Your Rights (Data Subjects)

Depending on your jurisdiction you may, through the relevant Controller, request:

  • Access, rectification, erasure, portability

  • Restriction or objection to processing

  • Opt-out of targeted advertising / sale / sharing (U.S. state laws)

  • Not to be subject to fully automated decisions with legal or significant effects

How to exercise: Contact the website or app owner (Tandem’s Customer). Tandem will support Controllers and respond within 48 h to rights-request relays from Controllers, per DPA §6.

California & Multi-State Privacy Rights

Residents of California, Colorado, Connecticut, Delaware, Iowa, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia have additional rights under their state consumer-privacy laws, including the right to opt out of the sale or sharing of Personal Data and of targeted advertising. Controllers must surface a “Do Not Sell or Share My Personal Information” link or honour the Global Privacy Control signal where required.

14. Supervisory-Authority Complaints

EEA residents may lodge a complaint with their local data-protection authority. Tandem’s lead authority for processor-level activities is CNIL (France).

15. Changes to This Notice

We will post any material updates here and e-mail Customers 30 days in advance. The “Effective” date at the top will change accordingly.

16. Contact

General Support (24 x 7): support@usetandem.ai
Urgent security/privacy: Christophe Barre – christophe@usetandem.ai – +33 6 22 17 16 04