Privacy Policy
Effective Date: 02/12/2025
Key Points Summary
This summary highlights the main points of our Privacy Policy.
- Data Collection: We collect basic information such as Name, IP addresses, and email addresses.
- Data Usage: Your data is used to provide our chat and API services and is not sold to third parties.
- Secure Processing: Chat data is processed exclusively within secure enclaves and is not stored persistently.
- Third-Party Sharing: Personal data is shared only with trusted partners who facilitate service delivery.
- User Rights: You have rights under privacy laws, including access, correction, and deletion of your data.
- Global Transfers: Your personal data may be processed in the U.S. and protected by appropriate safeguards.
- Payment Processing: Payments are handled securely via Stripe, ensuring high data security standards.
1. Introduction
This Privacy Policy describes how Tinfoil, Inc. ('we,' 'our,' or 'us') collects, uses, and shares information about users of our AI chat and API services. We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Notice describes Tinfoil's policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.
2. Data Protection Officer
Tinfoil is headquartered in San Francisco, in the United States. Tinfoil has appointed an internal Data Protection Officer for you to contact if you have any questions or concerns about Tinfoil's personal data policies or practices. If you would like to exercise your privacy rights, please direct your query to Tinfoil's Data Protection Officer at [email protected].
3. How we collect and use (process) your personal information
Tinfoil collects personal information about its website visitors and customers. With a few exceptions, this information is generally limited to Name, IP addresses, and email addresses. We use this information to provide prospects and customers with services. We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services. From time to time, Tinfoil receives personal information about individuals from third parties. Typically, information collected from third parties will include further details on your employer or industry. We may also collect your personal data from a third party website (e.g., LinkedIn).
3.1. Legal Basis for Processing
We only collect and process personal data that is strictly necessary for providing our services. This processing is based on the necessity to perform our contract with you (when you use our services) and our legitimate interests in maintaining and improving our services. We do not process personal data for any purposes beyond what is essential for service delivery and maintenance.
3.2. What We Can and Cannot Access
In order to provide and support our services, we can access only the following types of information: Account information (e.g., your name, email address, and IP address), usage metrics (such as the number and frequency of requests made, and timestamps), and billing or payment details if you have subscribed to paid features. We cannot access any confidential data that you share with our AI during chat sessions. All chat content is processed within secure enclaves and never stored on any persistent system accessible by our staff. This ensures that your prompts, file uploads, and AI-generated responses remain invisible to us at all times.
4. Use of the Tinfoil Website
As is true of most other websites, Tinfoil's website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of Tinfoil's website, including a history of the pages you view. We use this information to help us design our site to better suit our users' needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, and gather broad demographic information that assists us in identifying visitor preferences.
Tinfoil has a legitimate interest in understanding how members, customers and potential customers use its website. This assists Tinfoil with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and customer needs.
4.1. Cookies and tracking technologies
Tinfoil does not use cookies or other tracking technologies. To view the notice, visit tinfoil.sh/cookie.
We currently use Plausible Analytics and Cloudflare Analytics to gather anonymous usage statistics that help us improve our services. These analytics tools do not track individual users, do not place invasive cookies, and do not store any personal data. Instead, they collect aggregate metrics (like page views, visit duration, and referral sources) in a privacy-friendly manner. All analytics data is anonymized and cannot be linked back to you. To learn more, you can review Plausible's data policy and Cloudflare's privacy policy.
5. Use of Tinfoil's Services
We use a confidential computing architecture to protect your interactions with our AI services, whether through our chat interface or API. All AI prompts and generated responses ("interaction data") are processed exclusively within secure enclaves that prevent access by our own staff or any external party. No persistent storage of your interaction data is ever maintained, and any data needed for processing is immediately discarded once the response is generated. As a result, we do not log, monitor, or otherwise access the content of your AI interactions. This zero-access design ensures your prompts and responses remain completely private to you.
While Tinfoil's AI service provides strong privacy safeguards, including confidential computing, you are responsible for ensuring that your use of our service complies with any industry-specific regulations or professional standards applicable to your activities (e.g., HIPAA for healthcare, FERPA for education). We do not represent that the Tinfoil AI service is officially certified or compliant with such regulations unless explicitly stated. If you plan to use our service for regulated data, please consult with a legal or compliance professional to ensure all applicable requirements are met.
5.1. Sharing information with third parties
The personal information Tinfoil collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, Tinfoil engages third parties to send information to you, including information about our products, services, and events.
Our third-party sub-processors are Amazon Web Services and Google. We do not otherwise reveal your personal data to non-Tinfoil persons or businesses for their independent use unless: (1) you request or authorize it; (2) it is in connection with Tinfoil-hosted and Tinfoil co-sponsored conferences as described above; (3) the information is provided to comply with the law (for example, compelled by law enforcement to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others; (4) the information is provided to our agents, vendors or service providers who perform functions on our behalf; (5) to address emergencies or acts of God; or (6) to address disputes, claims, or to persons demonstrating legal authority to act on your behalf. We may also gather aggregated data about our services and website visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third parties for marketing or promotional purposes.
In the event that Tinfoil undergoes a merger, acquisition, divestiture, restructuring, reorganization, or sale of some or all of its assets, your personal data may be transferred to the acquiring or surviving entity. Should such a transfer occur, Tinfoil will use reasonable efforts to ensure that the new entity follows the terms of this Privacy Policy (or provides you notice of any significant changes). We will notify you if any ownership changes happen and whether your personal data is subject to a different Privacy Policy as a result.
5.2. Payment Processing
For handling subscription payments or other paid features, we use Stripe, a leading third-party payment processor. When you provide your payment information, it is transmitted directly to Stripe's secure systems; we never store your full credit card information on our own servers. Stripe is certified as PCI DSS Level 1 compliant, which is the highest standard of payment data security. For more information on how Stripe processes personal data, please review Stripe's Privacy Policy.
6. Transferring personal data to the U.S.
Tinfoil has its headquarters in the United States. Information we collect about you will be processed in the United States. By using Tinfoil's services, you acknowledge that your personal information will be processed in the United States. The United States has neither sought nor received a finding of "adequacy" from the European Union under Article 45 of the GDPR. Pursuant to Article 46 of the GDPR, Tinfoil is providing for appropriate safeguards by entering into binding, standard data protection clauses, enforceable by data subjects in the EEA and the UK. These clauses have been enhanced based on the guidance of the European Data Protection Board and will be updated when the new draft model clauses are approved.
Depending on the circumstance, Tinfoil also collects and transfers to the U.S. personal data with consent; to perform a contract with you; or to fulfill a compelling legitimate interest of Tinfoil in a manner that does not outweigh your rights and freedoms. Tinfoil endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with Tinfoil and the practices described in this Privacy Statement. Tinfoil also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate. Since it was founded, Tinfoil has received zero government requests for information. For more information or if you have any questions, please contact us at [email protected].
7. Data Subject rights
The European Union's General Data Protection Regulation (GDPR) and other countries' privacy laws provide certain rights for data subjects. Data Subject rights under GDPR include the following: Right to be informed, Right of access, Right to rectification, Right to erasure, Right to restrict processing, Right of data portability, Right to object, and Rights related to automated decision making including profiling.
This Privacy Notice is intended to provide you with information about what personal data Tinfoil collects about you and how it is used. If you wish to confirm that Tinfoil is processing your personal data, or to have access to the personal data Tinfoil may have about you, please contact us. You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside Tinfoil might have received the data from Tinfoil; what the source of the information was (if you didn't provide it directly to Tinfoil); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by Tinfoil if it is inaccurate. You may request that Tinfoil erase that data or cease processing it, subject to certain exceptions. You may also request that Tinfoil cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how Tinfoil processes your personal data. When technically feasible, Tinfoil will—at your request—provide your personal data to you. Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, Tinfoil will provide you with a date when the information will be provided. If for some reason access is denied, Tinfoil will provide an explanation as to why access has been denied. For questions or complaints concerning the processing of your personal data, you can email us at [email protected]. Alternatively, if you are located in the European Union, you can also have recourse to the European Data Protection Supervisor or to your nation's data protection authority.
8. Security of your information
In the unlikely event of a security incident that affects your personal data, we will notify you (and any relevant supervisory authorities) no later than 72 hours after becoming aware of the incident, as required by the GDPR. Our notification will include details about the nature of the incident, the data affected, and the steps we are taking to secure your information and prevent further incidents. We may also provide guidance on any precautionary measures you can take to protect yourself.
8.1. Data storage and retention
Your personal data is stored by Tinfoil on its servers, and on the servers of the cloud-based database management services Tinfoil engages, located in the United States. Tinfoil retains service data for the duration of the customer's business relationship with Tinfoil and for a period of time thereafter, to analyze the data for Tinfoil's own operations, and for historical and archiving purposes associated with Tinfoil's services. Tinfoil retains prospect data until such time as it no longer has business value and is purged from Tinfoil's systems. All personal data that Tinfoil controls may be deleted upon verified request from Data Subjects or their authorized agents. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at: [email protected].
9. Children's data
We do not knowingly attempt to solicit or receive information from children.
10. Questions, concerns or complaints
If you have questions, concerns, complaints, or would like to exercise your rights, please contact us at: [email protected].