Privacy Policy

1. What this policy covers

This Privacy Policy explains how Tinfoil, Inc. ("Tinfoil," "we," "our," or "us") handles information when you use Tinfoil Chat, the Tinfoil Inference API, Tinfoil Containers, our websites, apps, and related services.

For business customers, Tinfoil generally acts as a service provider or processor for personal data submitted to the Services, and as an independent controller for account, billing, security, and business operations data.

Tinfoil is headquartered in San Francisco, California. If you have privacy questions or requests, email privacy@tinfoil.sh.

2. What Tinfoil can and cannot access

We can access the information needed to run Tinfoil: account information, billing status, usage metrics, security logs, support messages, and similar operational data. We design our products so that Tinfoil, our cloud providers, and other third parties cannot access the contents of your AI interactions or in-enclave workloads during normal operation.

We use "secure enclave" to mean a hardware-isolated confidential virtual machine or equivalent confidential computing environment. These environments rely on hardware, firmware, cloud infrastructure, and vendor attestation roots, including AMD, Intel, and NVIDIA technologies where used.

Confidential computing reduces access risk, but it does not eliminate all security risk. Hardware vulnerabilities, firmware issues, side channels, customer misconfiguration, compromised credentials, and infrastructure outside our control may affect confidentiality.

• Inference API: prompts and responses are processed inside secure enclaves designed to keep content inaccessible to Tinfoil, our cloud providers, and other third parties during normal operation. We do not retain prompt or response content after the response is returned, and we do not use API content to train models.
• Chat: chat inference runs inside secure enclaves designed to keep prompt and response content inaccessible to Tinfoil, our cloud providers, and other third parties during normal operation. Encrypted backups may be stored for sync and history, but the backup encryption keys are held on your device. Tinfoil does not have those keys and cannot decrypt your backups, including in response to legal process. If you lose access to your device-held backup keys, Tinfoil cannot recover or decrypt your encrypted chat backups.
• Containers: your workload runs inside a secure enclave implemented as a hardware-isolated confidential virtual machine. Tinfoil operates the host, orchestration, and networking, but the contents of memory and storage inside the confidential virtual machine are protected by hardware memory encryption and are not accessible to us during normal operation. You are responsible for the data, code, environment variables, and credentials you deploy into the Container, and for verifying attestation before submitting sensitive workloads.

3. Information we collect

We collect a limited set of information to provide, secure, bill, and support the Services:

• Identifiers such as name, email address, and account ID.
• Authentication and account information from Clerk.
• Billing metadata such as subscription tier, payment status, invoices, and transaction identifiers. Payment details are handled by Stripe, RevenueCat, Apple, or Google.
• Usage metrics such as request counts, token counts, feature use, timestamps, and deployment status.
• Internet and device information such as IP address, browser type, device type, and general region.
• Support messages and other communications you send us.
• Container metadata such as container name, image repository and tag, custom domain, resource configuration, and GitHub App installation ID when you authorize repository access.
• Website analytics and advertising identifiers, as described in Section 5.

We collect this information directly from you, automatically when you use our services, and from providers that help us operate Tinfoil, such as Clerk, Stripe, RevenueCat, GitHub, Apple, and Google.

4. How we use information

We use personal data to:

• Provide, maintain, and secure the Services.
• Authenticate accounts and prevent fraud or abuse.
• Process payments and manage subscriptions.
• Provide support and communicate with you.
• Measure aggregate usage and improve the Services.
• Measure marketing campaign effectiveness on our websites.
• Comply with law and enforce our Terms.

If you are in the EEA or UK, the legal bases we rely on to process personal data are:

• Performance of a contract: to provide the Services you sign up for.
• Legitimate interests: to secure, maintain, improve, and market the Services, in a way that does not override your rights.
• Legal obligations: to comply with tax, accounting, and other laws.
• Consent: for non-essential cookies, marketing communications, and other uses where consent is required.

We do not seek sensitive personal information. If you choose to send it to us (for example, in a support email), we will use it only as needed to handle your request. We do not use your personal data to make automated decisions that produce legal or similarly significant effects on you.

5. Website analytics and ads

We use Plausible for aggregate analytics on chat.tinfoil.sh and in the iOS app. Plausible does not use cookies or track individual users.

On other web surfaces, including tinfoil.sh, we may use Google Ads, including conversion tracking, to measure ad effectiveness and attribute signups originating from paid campaigns. These tools may set cookies or advertising identifiers, but they do not access the content of your AI interactions.

In the EEA and UK, we ask for your consent before loading non-essential cookies and advertising tags. Outside those regions, these tags load by default and you can reject them at any time.

We do not sell your personal information for money. Allowing Google Ads to collect data from our website may be considered "sharing" for cross-context behavioral advertising under California and similar U.S. state privacy laws. You can opt out using the controls at tinfoil.sh/cookie, by enabling Global Privacy Control, or by using your browser's privacy controls. We do not knowingly sell or share the personal information of minors under 16 without legally required authorization.

6. Who we share information with

We do not sell or share your personal data for others to use independently. We share personal data only in these situations:

• At your request or with your direction.
• With our vendors and service providers acting on our behalf to operate the Services.
• To comply with law, legal process, or valid government requests.
• To protect the rights, property, or safety of Tinfoil, our users, or others.
• To handle emergencies or resolve disputes.
• In aggregated or non-identifying form.

We may update this list as our practices evolve. Our current subprocessors are listed below.

For business and enterprise customers, we offer a Data Processing Addendum (including Standard Contractual Clauses where applicable). If you need additional certifications or arrangements, such as a Business Associate Agreement for HIPAA or a region-specific data processing agreement, contact privacy@tinfoil.sh.

Our subprocessors include:

• Amazon Web Services, Cloudflare, Vercel: hosting, CDN, and networking.
• Clerk: authentication and account management.
• Stripe: payment processing for web subscriptions and Containers usage.
• RevenueCat: mobile subscription status and entitlements.
• GitHub: OAuth sign-in and repository access when you authorize our GitHub App.
• Resend: transactional and marketing email delivery.
• Plausible: cookieless aggregate website analytics.
• Google Ads: ad-campaign measurement and conversion tracking on web surfaces other than chat.tinfoil.sh.
• Cloudflare Turnstile: bot and abuse protection.
• Sentry: anonymized backend error and crash reporting.
• Tigerdata: account, usage, and billing metrics storage.
• Google Workspace: internal email, documents, and productivity tools.

If Tinfoil is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred as part of that transaction. We will use reasonable efforts to ensure the successor handles personal data consistently with this Policy or gives notice of material changes.

7. Legal requests and government access

We disclose personal data to law enforcement or government authorities only when we have a good-faith belief that disclosure is required by applicable law or legal process. We will challenge requests we believe are overbroad or unlawful, and where lawful we will notify affected users before complying.

As of the Effective Date of this Privacy Policy (May 15, 2026), Tinfoil has received zero government requests for personal data. Because our chat, API, and Container architectures are designed so that we cannot access the contents of AI interactions or in-enclave workloads, we cannot disclose that content in response to legal process even if compelled.

8. International transfers

Tinfoil is based in the United States, and personal data may be processed in the United States and other locations where our providers operate. If you are in the EEA or UK, we use Standard Contractual Clauses and other appropriate safeguards for transfers where required.

9. Retention and deletion

We keep personal data only as long as needed for the purposes described in this Policy, unless a longer period is required for legal, tax, accounting, security, fraud-prevention, dispute-resolution, backup, or operational reasons.

• Account data: for the life of your account and up to 30 days after deletion to complete deletion across backups.
• Billing records: as required by tax and accounting laws, typically up to 7 years.
• Encrypted chat backups: until you delete them or close your account. We only hold ciphertext.
• API and Container usage metrics: while your account is active for billing and operations, then aggregated or anonymized.
• IP and request logs: for anti-abuse and security, collected and managed by Clerk under its retention policy.
• Mailing list subscriptions: until you unsubscribe.
• Support communications: as needed to resolve your request and for reasonable record-keeping.

Upon a verified request, we will delete or de-identify personal data that Tinfoil controls, subject to the exceptions described above.

10. Your privacy rights

Depending on where you live, you may have the following rights over your personal data:

• Be informed about how your data is used.
• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your data.
• Restrict or object to certain processing.
• Port your data to another service.
• Opt out of cross-context behavioral advertising.
• Appeal a privacy-rights decision we make.

To exercise your rights, email privacy@tinfoil.sh. We respond within 30 days and will explain any limits that apply.

11. Security

We use technical and organizational measures designed to protect personal data. Tinfoil has completed a SOC 2 Type II examination covering security, availability, and confidentiality through our Trust Center provider, Probo. For more information, visit our Trust Center.

If a security incident affects your personal data, we will notify you and relevant supervisory authorities as required by law, and no later than 72 hours after becoming aware of the incident where the GDPR applies. Our notice will explain what happened, what data was affected, the steps we are taking, and any precautions you can take.

12. Children

Our Services are not directed to children under 13, and we do not knowingly collect personal data from children under 13. Users under 18 may use the Services only with permission from a parent or legal guardian. If you use paid plans, API access, or Tinfoil Containers as an individual, you must be 18 or older. If you use them for an organization, you must be authorized to act for that organization. If you believe a child under 13 has provided us personal data, email privacy@tinfoil.sh so we can delete it.

13. Changes and contact

We may update this Policy when our practices change or as required by law. If you have questions, concerns, complaints, or privacy requests, contact privacy@tinfoil.sh.