Skip to content
Tenvo
LEGAL · PRIVACY

Privacy Policy

How upDevTeam LTD (the company behind Tenvo) collects, uses, and protects personal data when you visit tenvoai.com, sign up for an account, or use the Tenvo remote access client. Written for the GDPR, the UK GDPR, the California Consumer Privacy Act, and Brazil's Lei Geral de Proteção de Dados (LGPD).

Last updated: 2026-05-06
TL;DR

We try to collect the minimum data we need to run the service. Session content (your screen, keystrokes, files transferred) is encrypted in transit, and end-to-end encrypted on direct connections. We do not record or sell your sessions.

If you live in the EU, the EEA, the UK, Switzerland, California, or Brazil, the rights described below apply to you. To exercise any of them, write to support@tenvoai.com — we will respond within 30 days (15 days for LGPD requests, per ANPD guidance).

Contents
  1. 01Who is responsible for your data
  2. 02What data we collect
  3. 03Why we use your data
  4. 04Lawful basis for processing
  5. 05Who we share data with
  6. 06International data transfers
  7. 07How long we keep your data
  8. 08Your rights
  9. 09Notice for California residents (CCPA / CPRA)
  10. 10Notice for Brazilian residents (LGPD)
  11. 11Security
  12. 12Children
  13. 13Automated decisions
  14. 14Personal data breaches
  15. 15Changes to this policy
  16. 16How to contact us

01Who is responsible for your data

The data controller for personal data described in this policy is upDevTeam LTD, a company registered in the Republic of Cyprus. The controller's contact details are:

Company name
upDevTeam LTD
Registration no.
HE 438173
VAT no.
10438173A
Registered office
Republic of Cyprus (full address available from the Cyprus Department of Registrar of Companies and Intellectual Property)
Email
support@tenvoai.com
Telephone
+357 95964531
Data Protection contact
support@tenvoai.com

We have not appointed an EU Article 27 representative because we are established inside the EU. If you write to support@tenvoai.com we will route your request to the right person internally.

02What data we collect

We collect the following categories of personal data:

  • Account data. Email address, hashed password (or magic-link / OTP login if used), display name, and the timestamps of account creation and last login.
  • Service telemetry. Public peer IDs of devices you connect with, session start and end timestamps, total bytes relayed, and the IP address you connected from. We need these to enforce relay quotas, debug connectivity, and ban abusive IDs.
  • Billing data. When paid plans are live, billing name, address, VAT number, and the last 4 digits / expiry / brand of the payment card. The full card number is collected and stored only by Stripe — we never see it.
  • Support correspondence. Anything you write to us at support@tenvoai.com or through the help form, including any attachments you choose to send.
  • Website analytics. If you opt in to analytics on the cookie banner, Google Analytics 4 (property G-L1D5Z114P2) records page views, referrer, approximate (IP-truncated) location, a pseudonymous client identifier, and conversion events: select_plan (which paid plan you clicked on /pricing), download_click (which platform you downloaded from /download), app_activated (a desktop activation we matched back to your download), and purchase (which subscription you completed via Stripe). To measure which ads bring installs, we also briefly retain — for up to 14 days — the IP address your download request came from and match it to the IP a desktop device first connects from on the same network; the resulting conversion, including the Google click identifier (gclid) where one is present, may be uploaded to Google Ads. We never upload your name, email, or session content. Stripe's payment processing is governed by Stripe's own privacy policy. If you decline analytics, none of these events fire.

We do not knowingly collect special-category data (race, health, biometrics, political views, religion, sexual orientation). Do not put such data into peer names, machine names, or support tickets.

03Why we use your data

We process the data above for the following purposes only:

  • Operating the service: routing connections, authenticating you, applying quota and abuse limits.
  • Customer support: replying to questions, debugging issues you report, and improving documentation.
  • Billing and accounting: charging you for paid plans, issuing invoices, complying with Cyprus tax law.
  • Security and abuse prevention: detecting credential stuffing, banning abusive peer IDs, investigating violations of the Acceptable Use Policy.
  • Service improvement: aggregated and anonymised usage statistics that inform what we build next.
  • Legal obligations: responding to lawful court orders, retaining records required by law (e.g. invoices for 7 years under Cypriot tax law).

04Lawful basis for processing

Under GDPR Article 6, we rely on the following lawful bases:

Contract
Most processing related to running your account and delivering the service is necessary to perform the contract you have with us (Article 6(1)(b)).
Legitimate interest
Anti-abuse, server log retention, and basic product analytics fall under our legitimate interest in operating a secure service (Article 6(1)(f)). We have balanced this against your rights and consider it proportionate.
Consent
Optional analytics cookies, marketing emails, and any other optional processing rely on the consent you give via the cookie banner or the relevant opt-in (Article 6(1)(a)). You can withdraw consent at any time without affecting prior processing.
Legal obligation
Tax, accounting, and statutory record-keeping rely on Article 6(1)(c).

05Who we share data with

We do not sell your personal data. We share it only with the following sub-processors, each bound by a written data-processing agreement:

Supabase, Inc.
Account database, magic-link auth, telemetry storage. Hosted in the EU (eu-west-1, Frankfurt). United States parent — see international transfers below.
Our VPS hosting provider
Compute and bandwidth for our relay and web infrastructure, provided by our VPS hosting provider, whose servers are located in the United States.
Google LLC (GA4)
Optional website analytics (only if you accept the cookie banner).
Stripe Payments Europe
Card processing for paid plans, when launched. Stripe acts as an independent controller for fraud-prevention purposes.

We may also share data with our auditors, tax advisers, and legal counsel under strict confidentiality, and with law-enforcement authorities where compelled by a valid order issued under Cypriot or EU law.

06International data transfers

Personal data is processed on our hosting providers' infrastructure. Some data is held in Supabase (managed PostgreSQL) in the EU; your account and billing records, connection metadata and IP addresses are processed on our relay, cabinet and web servers, which are hosted in the United States. Processing in the United States is an international transfer, for which we rely on appropriate safeguards including the EU Standard Contractual Clauses and a transfer impact assessment.

If you would like a copy of the relevant SCCs or transfer impact assessments, write to support@tenvoai.com.

07How long we keep your data

We delete personal data when it is no longer needed for the purpose it was collected for, applying the schedule below. If you delete your account, we permanently erase or anonymise the corresponding data, except where law requires us to retain it (e.g. invoices).

Account data
Until you delete the account, plus 30 days of soft-delete buffer for accidental-deletion recovery.
Session telemetry
90 days, then aggregated into anonymous monthly counters.
Server access logs
30 days for routine logs; up to 12 months where we are actively investigating an abuse incident.
Invoices and tax records
7 years from the end of the financial year, as required by Cypriot tax law.
Support tickets
24 months after the last activity in the ticket.

08Your rights

If GDPR, UK GDPR, or comparable EEA law applies to you, you have the following rights with respect to your personal data:

  • Right of access. Ask for a copy of the personal data we hold about you and information about how we use it.
  • Right to rectification. Ask us to correct inaccurate or incomplete data.
  • Right to erasure. Ask us to delete your data, subject to exceptions for legal-obligation retention and pending legal claims.
  • Right to restrict processing. Ask us to stop using your data while we resolve a complaint or accuracy dispute.
  • Right to data portability. Ask for a machine-readable export of the data you provided to us, in JSON format.
  • Right to object. Object to processing based on our legitimate interest, including any direct-marketing emails.
  • Right to withdraw consent. Where processing relies on consent, you may withdraw it at any time without affecting earlier processing.

To exercise any of these rights, write to support@tenvoai.com. We will reply within 30 days. We may need to verify your identity before acting on a request.

If you believe we are mishandling your data, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, or with the supervisory authority of your country of residence.

09Notice for California residents (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to opt out of any 'sale' or 'sharing' of personal information. We do not sell or share personal information for cross-context behavioural advertising.

We treat verifiable consumer requests under the CCPA on a non-discriminatory basis: exercising your rights will not affect the level of service or pricing you receive.

To submit a CCPA request, email support@tenvoai.com. You may also designate an authorised agent in writing to act on your behalf.

10Notice for Brazilian residents (LGPD)

If you are a Brazilian resident, the Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) applies to our processing of your personal data. We act as the controller (controlador) for the data we collect about you directly, and as the processor (operador) for data you process on the Service about others.

Under LGPD Article 18 you have the following rights with respect to your personal data: confirmation that processing is occurring; access to the data; correction of incomplete, inaccurate, or outdated data; anonymisation, blocking, or deletion of unnecessary or excessive data; data portability to another service provider; deletion of personal data processed on the basis of consent (with the exceptions of LGPD Article 16); information about the public and private entities with which we share data; information about the option to refuse consent and the consequences of such refusal; and revocation of consent.

Our lawful bases under LGPD Article 7 are: contractual performance and pre-contract steps (for account and billing data); legitimate interest (for security telemetry — balanced against your rights and freedoms, with you having an unconditional right to object); legal obligation (for tax records under Brazilian law where applicable); and consent (for optional analytics).

International transfers: where your data is processed outside the EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses with the relevant sub-processor.

To exercise any LGPD right, write to support@tenvoai.com. We respond within 15 days as guided by the Autoridade Nacional de Proteção de Dados (ANPD). If you believe we are mishandling your data, you may file a complaint directly with the ANPD at gov.br/anpd.

11Security

We protect personal data with administrative, technical, and organisational measures appropriate to the risk: encryption in transit (TLS 1.3), encryption at rest for backups, role-based access control with least-privilege defaults, audit logging, mandatory two-factor authentication for staff, and an annual review of access rights.

Session content is encrypted in transit and is not recorded by us. See the Security Practices page for details on how connections are secured.

12Children

Tenvo is not directed at children under 16 and we do not knowingly collect personal data from children. If you believe a child has created an account, contact support@tenvoai.com and we will delete the account promptly.

13Automated decisions

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects. Anti-abuse systems may temporarily flag suspicious traffic, but a human reviews any account suspension before it becomes final.

14Personal data breaches

If a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Commissioner for Personal Data Protection within 72 hours and inform affected users without undue delay, in line with GDPR Articles 33 and 34.

15Changes to this policy

We may update this policy to reflect product or legal changes. Material changes are announced by email (where we have your address) and on this page at least 30 days before they take effect, except where the change is required by law to take effect sooner.

16How to contact us

For privacy questions or to exercise any right, write to support@tenvoai.com. For general questions about the company, write to support@tenvoai.com.

Postal mail can be sent to the registered office of upDevTeam LTD (HE 438173) in the Republic of Cyprus.

This policy is provided in good faith but does not constitute legal advice. If a translated version conflicts with the English version, the English version controls.