Tenet is a PII (personally identifiable information) detection and redaction layer for AI coding assistants. This privacy policy explains what data Tenet collects, how it is used, and your rights regarding that data.
The most important thing to understand about Tenet’s architecture: Tenet runs entirely on your local machine. PII detection, redaction, storage, and audit logging all happen locally. Tenet Labs does not operate a cloud service that receives, processes, or stores your data in standard deployments.
This policy covers:
tenet command)
The following data is processed and stored exclusively on your local machine, in the ~/.tenet/ directory (macOS/Linux) or %APPDATA%\tenet\ (Windows). Tenet Labs never receives, accesses, or stores any of this data:
tokens.db), encrypted with AES-256-GCM. Encryption keys are stored in the system keyring (macOS Keychain, Linux SecretService, Windows Credential Locker) or a local keyfile.
audit.db) and JSONL file (audit.jsonl). These logs contain event metadata (entity types, hook names, actions taken, timestamps) but are structurally designed to exclude original text and PII values. The PHI exclusion processor enforces this — the system will not silently log PHI.
config.json.
api_key with restrictive file permissions (owner read/write only).
Anonymous telemetry (opt-out). By default, Tenet sends pre-aggregated, anonymous usage snapshots to telemetry.tenetlabs.com once per reporting window. This telemetry is designed with the following structural privacy guarantees:
device_id (a SHA-256 hash of machine-specific attributes) is included for aggregate product analytics. This hash cannot be reversed to identify your machine. The device_id is not tied to any user account, name, email, or other identifying information held by Tenet Labs, and is used exclusively for aggregate product analytics.
darwin-arm64), Python version, install method; aggregate detection counts by entity type; aggregate action counts; aggregate hook invocation counts; performance percentiles (latency p50/p95/p99); configuration snapshot (redaction mode, interaction mode, fail_open setting, active tenet IDs, entity type count, regex pattern count, allowlist size bucket); total tokens processed and error count.
How to opt out of telemetry:
telemetry_enabled: false in ~/.tenet/config.json
TENET_TELEMETRY_DISABLED=1
DO_NOT_TRACK=1 (standard convention)
Any of these methods immediately and completely disables telemetry. No data is queued or sent retroactively.
HuggingFace (model download). When you install Tenet or download the PII detection model, Tenet downloads ONNX model artifacts from huggingface.co. This is a standard HTTPS download. The information sent to HuggingFace is limited to what any HTTPS request transmits: your IP address, user-agent string, and the specific files requested. Tenet does not send any user data, PII, or usage information to HuggingFace. HuggingFace’s own privacy policy governs their handling of request metadata.
Electron auto-updater (update checks). The Tenet desktop app periodically checks for updates. This check sends your current Tenet version and platform to the update server. No user data, PII, configuration, or usage information is included in update checks.
No other third parties receive data from Tenet. Tenet does not use third-party analytics SDKs, advertising networks, or data brokers within the application itself.
Pro and Enterprise subscribers may route OpenTelemetry (OTel) trace data to Tenet Labs-hosted infrastructure (collector.tenetlabs.com) as part of the core service.
PII-free by design. Tenet Labs-hosted infrastructure is designed to be PII-free. Upstream redaction via the Tenet software is required before trace data is exported to Tenet Labs. Traces reaching collector.tenetlabs.com are expected to contain no PII. As an additional safeguard, ingested traces are scanned upon receipt and any PII detected is flagged and removed. Tenet Labs does not retain trace data in any form that contains identifiable PII. If a processing failure results in PII retention, Tenet Labs will treat the event as a data incident subject to the breach notification obligations in Section 1.8.
Access controls. Trace data is accessible only to the customer’s designated administrative users, governed by role-based access control (RBAC) with least-privilege permissions. Tenet Labs personnel do not have routine access to customer trace data. Access by Tenet Labs staff is limited to break-glass incident response scenarios, requires explicit authorization, and is logged and auditable.
PHI commitment. Tenet Labs commits that PHI will not be silently retained in any Tenet Labs-operated system. Detection of PHI in a Tenet Labs system constitutes a data incident subject to breach notification obligations in Section 1.8.
Encryption. All trace data is encrypted in transit via TLS 1.2 or higher and encrypted at rest on Tenet Labs-hosted infrastructure.
HIPAA. Tenet supports HIPAA-compliant use when properly configured. Enterprise customers who process protected health information (PHI) may request a HIPAA Business Associate Agreement (BAA) at privacy@tenetlabs.com. Customers with HIPAA obligations are encouraged to evaluate their deployment configuration and request a BAA as appropriate.
Enterprise customers may enable remote audit log export, which sends audit event metadata to a designated endpoint. This feature:
remote_audit_enabled: false)
All user data is stored locally on your machine. You have full control over retention:
audit_retention_days. Expired logs are archived and then deleted locally.
You can delete all Tenet data at any time by removing the ~/.tenet/ directory.
Anonymous telemetry snapshots are retained for product analytics purposes. Because these snapshots contain no PII and no linkable identifiers beyond the aggregate-only device_id, they cannot be attributed to any individual or installation.
OTel trace data stored on Tenet Labs-hosted infrastructure is retained for the duration of the active subscription, plus 30 days following termination, after which it is permanently deleted. Deletion obligations extend to backup systems; Tenet Labs will purge customer trace data from backups within a commercially reasonable timeframe, not to exceed 90 days from the applicable deletion trigger. Customers may request written confirmation of deletion upon completion. Custom retention periods may be agreed in the applicable subscription agreement or Data Processing Agreement.
Tenet Labs does not sell, rent, or share user data with third parties. Because Tenet’s architecture ensures that user data never reaches Tenet Labs in standard deployments, there is no user data to share.
Anonymous, aggregated telemetry data (if you have not opted out) may be used in aggregate statistical reports. These reports contain no individual-level data.
For Pro and Enterprise subscribers, Tenet Labs uses named infrastructure sub-processors to operate collector.tenetlabs.com. See Section 1.15 for the current sub-processor list.
Depending on your jurisdiction, you may have rights including access, deletion, correction, portability, restriction, and objection. Because Tenet’s architecture ensures your data remains on your local machine, most rights are exercisable directly without contacting Tenet Labs — delete ~/.tenet/ to remove all local data; edit config.json to correct configuration; opt out of telemetry per Section 1.2.2.
For rights relating to data Tenet Labs centrally processes (Pro/Enterprise OTel traces and anonymous telemetry), see Section 1.12 for the full framework and request process.
Tenet is a developer tool and is not directed at children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children.
127.0.0.1, localhost, ::1) and requires Bearer token authentication for all sensitive endpoints.
In the event of a confirmed breach affecting Pro/Enterprise trace data or telemetry data attributable to an individual, Tenet Labs will notify affected customers within 48 hours of confirmation. Notification will include: the nature of the incident, categories of data affected, approximate number of records involved, likely consequences, and measures taken or proposed. For breaches affecting only anonymous telemetry (which contains no PII), notification will be provided on a commercially reasonable timeline given the absence of individual impact.
We will update this policy as Tenet evolves. Material changes will be communicated through the Tenet application (release notes) and on tenetlabs.com. The “Last Updated” date at the top reflects the most recent revision.
For privacy questions, data requests, or concerns:
This section applies to personal data that Tenet Labs actually receives and processes. Given Tenet’s local-first architecture, this is limited to: (a) the hashed device_id and pre-aggregated telemetry data described in Section 1.2.2; (b) Pro and Enterprise OTel trace data stored on Tenet Labs infrastructure; and (c) information you provide when contacting us directly.
Performance of a contract. Processing of Pro and Enterprise OTel trace data is necessary to deliver the core service for those tiers. This processing is governed by the applicable subscription agreement and, for enterprise customers, a Data Processing Agreement available upon request at privacy@tenetlabs.com.
Legitimate interests. Processing of anonymous telemetry (hashed device_id, aggregated usage statistics) is based on Tenet Labs’ legitimate interest in understanding aggregate product usage, improving detection accuracy, and maintaining software security. No PII is transmitted, the device_id is not tied to any user identity, and users may opt out at any time without loss of functionality.
Consent. Telemetry is opt-out. Users may withdraw at any time using the methods in Section 1.2.2, without affecting software functionality.
Tenet Labs does not process personal data for advertising, profiling, or any purpose beyond those stated in this policy.
Scope. Because Tenet’s architecture ensures that PII, PHI, and sensitive content never leave your machine in standard deployment, most data subject rights are satisfied by default. The rights below apply specifically to: (a) the limited telemetry data described in Section 1.2.2, and (b) Pro and Enterprise OTel trace data processed by Tenet Labs.
device_id is not tied to your identity; deletion requests are honored to the extent technically feasible.
Residents of California, Texas, Colorado, Virginia, Connecticut, and other US states with comprehensive privacy laws have the right to know what personal information is collected and how it is used, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information. Tenet Labs does not sell or share personal information. A full summary of collected categories is in Section 1.13.
Email privacy@tenetlabs.com with subject line “Privacy Request.” Include a description of your request and sufficient information to locate any data associated with you (for Pro/Enterprise users, your account email is sufficient). Tenet Labs will respond within 45 days. If additional time is required, we will notify you within the initial 45-day period and may extend by an additional 45 days where permitted by applicable law.
We will verify your identity using the minimum information necessary — typically your account email for Pro and Enterprise users. We will not require you to create an account to exercise your rights.
If we decline to act on your request, we will inform you of the reason. You may appeal by responding to our decision email. If your appeal is denied, you may contact the applicable supervisory authority in your jurisdiction: the California Privacy Protection Agency (CPPA) for California residents, or the applicable state attorney general for residents of Texas, Colorado, Virginia, Connecticut, and other states with comprehensive privacy laws.
All data stored in ~/.tenet/ is under your full control. You do not need to contact Tenet Labs to access, export, correct, or delete local data.
This notice is provided in accordance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), the Texas Data Privacy and Security Act (TDPSA), and equivalent state privacy laws in Colorado, Virginia, Connecticut, and other applicable jurisdictions.
| Category | Specific Data | Source | Business Purpose |
|---|---|---|---|
| Device identifiers | Hashed device_id (SHA-256; non-reversible; not linked to any user identity) | Automatically collected | Aggregate product analytics only |
| Usage / telemetry data | Pre-aggregated detection counts, action counts, performance percentiles, configuration snapshot | Automatically collected (opt-out) | Product improvement, stability monitoring |
| Pro/Enterprise OTel trace data | OTel trace metadata post-redaction for Pro and Enterprise subscribers | Directly provided via product usage | Core service delivery |
| Contact information | Email address (if you contact us) | Directly provided | Responding to inquiries |
We do not collect: Social Security numbers, financial account information, precise geolocation, biometric data, health information, or any content you scan through the Tenet software.
We do not sell or share personal information. Tenet Labs does not sell personal information to third parties and does not share personal information for cross-context behavioral advertising.
Your rights are summarized in Section 1.12. We will not discriminate against you for exercising any privacy right.
Telemetry data. Tenet Labs acts as the data controller for anonymous telemetry data transmitted to telemetry.tenetlabs.com. Tenet Labs determines the purposes and means of processing this data.
Local data. All data processed by the Tenet software on your local machine is under your sole control. Tenet Labs has no access to and exercises no control over this data.
Pro and Enterprise OTel trace data. Where Pro or Enterprise subscribers route OTel trace data to Tenet Labs-hosted infrastructure, Tenet Labs acts as a data processor on behalf of the subscribing entity (the controller). This processing is governed by the applicable subscription agreement and a Data Processing Agreement available upon request at privacy@tenetlabs.com. Tenet Labs processes this data only as instructed by the controller and for the purpose of delivering the subscribed service.
Customer-configured endpoints. Where subscribers configure OTel export to their own infrastructure, Tenet Labs does not receive or process that data, and no processor relationship exists.
The following third-party services receive limited data as a result of using Tenet:
| Provider | Purpose | Data Received | Role |
|---|---|---|---|
| HuggingFace (huggingface.co) | PII detection model download | IP address, user-agent, requested file names | Independent controller |
| Electron auto-updater | Software update checks | Tenet version, platform identifier | Independent controller |
| Fathom Analytics (usefathom.com) | Website analytics for tenetlabs.com | IP address (temporarily processed; see §1.17), page views, referrer | Independent controller |
No other third parties receive data from Tenet. Tenet Labs does not use advertising networks, data brokers, or third-party analytics SDKs within the application itself.
| Provider | Service | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and storage | United States | Pro/Enterprise OTel trace data (post-redaction) |
Tenet Labs will provide 30 days’ advance notice to affected customers before adding or replacing sub-processors that process customer trace data. To object to a new sub-processor, contact privacy@tenetlabs.com.
Tenet Labs is headquartered in the United States. Anonymous telemetry and, where applicable, Pro and Enterprise OTel trace data are processed and stored on AWS infrastructure located in the United States.
If you access Tenet from outside the United States, your data (limited to the categories in Section 1.13) will be transferred to and processed in the United States. The United States may not provide the same level of data protection as your home jurisdiction.
For users in the European Economic Area, United Kingdom, or Switzerland, Tenet Labs relies on the European Commission’s Standard Contractual Clauses (SCCs), or equivalent transfer mechanisms recognized under applicable law, as the lawful basis for such transfers. To request a copy of the applicable transfer mechanism, contact privacy@tenetlabs.com.
Given Tenet’s local-first architecture, the practical scope of international transfers is limited: no PII or content you process through the Tenet software is transferred internationally in standard deployment.
This section applies solely to tenetlabs.com.
Tenet Labs uses Fathom Analytics for website analytics. Fathom temporarily processes visitor IP addresses and user-agent strings as part of standard HTTP request handling, solely for unique visitor counting and DDoS/abuse protection. Per Fathom’s own DPA and privacy policy: IP addresses are hashed within 24 hours, are not stored long-term, are not linked to identifiable profiles, and are not used for tracking or behavioral advertising. Fathom does not use cookies. Tenet Labs does not independently receive or retain visitor IP addresses from Fathom’s analytics layer. For full details, see Fathom’s privacy policy at usefathom.com/privacy.
Tenet Labs does not use any other analytics platforms, advertising networks, session recording tools, or tracking pixels on tenetlabs.com.
Tenet Labs may use strictly necessary technical mechanisms (such as session tokens for authenticated areas of the site) required for the website to function. These are not used for tracking or profiling.
The Tenet software uses machine learning — specifically an ONNX-format natural language model and a regex augmentation engine — to detect and classify PII and PHI in text. This processing occurs entirely on your local machine and is not performed by Tenet Labs.
This automated processing does not produce decisions with legal effects on any individual. It is a detection and redaction utility operating under your direct control, with configurable sensitivity, allowlists, and interaction modes.
Tenet Labs does not use automated decision-making that produces legal or similarly significant effects on users in connection with the delivery of its services.