What we collect, why, what you can do.

Last updated 2026-06-01. Pagenta is a product of Tendra Advisory LLC.

1 · What we collect

Three buckets, listed by sensitivity:

Account info— your email address, password hash (we never see your plain-text password; it’s hashed by our auth provider Supabase), and any display name or username you set.
Content you create — pages, drafts, prompts you send to our AI agents, files you upload, brand profiles, comments. Stored in our database (Supabase, EU region).
Usage and diagnostic data— which pages you visit in the dashboard, which features you click, errors your browser hits, and basic device info (browser, OS). Collected via PostHog (analytics) and Sentry (error tracking). We don’t track you across third-party sites.

We don’t collect: SSN, government IDs, financial details beyond what Stripe handles for payments, location data, contacts list, or anything from your device beyond what your browser sends with every web request.

2 · Why we collect it

To deliver the service — emails for sign-in, hosting your pages, running AI generations you request.
To improve the product — anonymized usage data tells us which features matter. Error data tells us what’s broken.
To prevent abuse — rate limits, fraud detection, blocking accounts that violate our terms.
To bill you — only if you’re on a paid plan, and only what Stripe needs.

We don’t sell your data. We don’t target ads at you based on it. We don’t train AI models on your private content.

3 · Who we share it with

The third parties that touch your data, what they see, and why:

Supabase (database + auth) — sees everything stored. Hosts the database in the EU (Ireland).
Vercel (hosting + edge functions) — sees inbound HTTP traffic. Servers in the US/EU.
Resend (transactional email) — sees your email address and the contents of any email we send you.
Stripe (payments, paid plans only) — sees your billing email, card details, transaction amounts.
OpenRouter / OpenAI / Anthropic (AI generation) — sees the prompts you send to our AI agents and the page content if you ask for edits. Their data-retention policies apply.
PostHog (product analytics) — sees pseudonymous events about your dashboard usage. US-hosted. Configured with ip: false so no IP-based geolocation.
Sentry (error tracking) — sees error stack traces and URL where the error happened. Configured with sendDefaultPii: false.
Apple Push Notification Service, Google FCM, Mozilla autopush (browser push vendors) — see the encrypted payloads of notifications sent to your page’s visitors. Each vendor sees only its own users’ endpoints; none can read the payload (end-to-end encrypted with VAPID).

We do not share your data with any other parties unless required by law (e.g., a valid subpoena).

4 · Data on pages you deploy (visitor data)

When you deploy a page, your visitors can interact with features we provide on your behalf — subscribing to notifications, signing up for email broadcasts, browsing your content. For these flows, Pagenta acts as a processor; you (the page author) are the controller. The data we process for you:

Push notification subscriptions — an opaque endpoint URL from the visitor’s browser vendor (Apple/Google/Mozilla), the device’s public encryption keys, a truncated User-Agent string, timestamp, and the visitor’s Pagenta user_id ifthey were signed in. No name, email, phone, IP, or location is stored against the subscription. The endpoint is a pseudonymous device handle: we can re-target the same browser, but we can’t identify the person behind it.
Email subscriptions— the visitor’s email address plus a timestamp and per-broadcast send log, for newsletters and announcements you send from your Command Center.
Page views— aggregated counts and coarse referrer/region data, for the analytics on your Command Center. We don’t fingerprint visitors or persist IPs against view rows.

As the page author, you only ever see aggregate counts of subscribers, never raw endpoints, keys, or user agents. Raw subscription rows are accessible only via service-role database access (the Pagenta team) and only for the operational reasons below: delivering the notifications you send, debugging failed deliveries, and pruning dead endpoints.

Consent and record-keeping.Push and email subscriptions are treated as consented direct communications under the EU ePrivacy Directive. Push consent is captured via the browser’s native permission prompt; email consent is captured by the visitor submitting their address with double opt-in. Each subscription row carries a timestamp, the page it was created against, and the user-agent — that triple is the consent record.

Retention. Push endpoints that return permanent failures (HTTP 404/410) from the browser vendor are deleted immediately. Anonymous push subscriptions (no Pagenta sign-in linked) older than 18 months are deleted automatically by a daily background job. Signed-in subscriptions persist until the user revokes them at /settings or deletes their Pagenta account.

For paying customers selling into the EU/UK: a Data Processing Agreement may be required to cover this processing. A draft template is at /dpa; email help@tendra.io to formalize.

5 · Cookies and similar

We use a small number of cookies:

Auth cookies (necessary) — keep you signed in. Without these, you’d have to log in on every page load.
Theme preference (necessary) — remembers your dark/light mode choice.
Consent choice (necessary) — remembers whether you accepted analytics cookies, so the banner doesn’t reappear on every visit.
Analytics cookies (PostHog, opt-in) — pseudonymous identifier so we can connect your sessions. Only set after you accept; honors browser Do-Not-Track as an automatic opt-out.

See the full table — names, durations, and exact purposes — in our Cookie Policy.

6 · How long we keep it

Account data: while your account is active, plus up to 30 days after deletion (so you can change your mind), then deleted from primary storage. Backup retention up to 90 days.
Page content: same as account data, deleted when the page is deleted.
Analytics events: 12 months (PostHog default), then auto-deleted.
Error logs: 90 days in Sentry, then auto-deleted.
Billing records: 7 years (tax/accounting requirements).

7 · Your rights

Regardless of where you are, you can:

Access the data we hold about you — most of it is in your account settings, the rest you can request via email.
Export your pages — every page has a download/export action in its settings.
Delete your account — from Settings, or by emailing us.
Object to specific processing — if our analytics or error tracking bothers you, set Do-Not-Track in your browser; we honor it.

If you’re in the EU/UK, GDPR/UK-GDPR rights apply: rectification, restriction, portability, and the right to lodge a complaint with your data protection authority.

If you’re in California, CCPA/CPRA rights apply: right to know, right to delete, right to opt out of “sale” (we don’t sell), right to non-discrimination.

8 · International transfers

Data flows between the EU (Supabase, where we store user content) and the US (Vercel edge, PostHog, Sentry). For EU/UK data we rely on Standard Contractual Clauses with our US subprocessors.

9 · Children

Pagenta is not directed at children under 18. We don’t knowingly collect data from anyone under that age. If you believe a child has signed up, email us and we’ll delete the account.

10 · Security

All connections are TLS-encrypted. Passwords are hashed (bcrypt) by our auth provider. Database access is locked down by row-level security so users can only see their own data. Secrets and API keys you give us are encrypted at rest.

No system is perfectly secure. If we discover a breach affecting your data, we’ll notify you within 72 hours of discovery.

11 · Changes to this policy

We’ll update this policy as we change what we collect or how we use it. Material changes get an email; minor wording fixes just get a new “Last updated” date.

12 · Contact

Privacy questions, data requests, or to exercise any right above: help@tendra.io

Postal: Tendra Advisory LLC, Delaware, USA. (Full address available on request.)