Privacy Policy

1. Information We Collect

1.1 Account Information

When you create a Tern account (your "Account"), we collect basic information necessary to provide our services. This includes your email address, which serves as your primary identifier for account creation, authentication, and recovery purposes. We also collect your chosen username and display name, along with any optional profile information you decide to share (such as profile pictures or status messages, collectively "Profile Information"). All authentication credentials are securely hashed using industry-standard cryptographic methods before storage, ensuring your password cannot be accessed even by Tern employees.

Your account information is stored securely and used solely for providing the Tern messaging service. We implement strict access controls to ensure only authorized systems and processes can access this data, and we maintain detailed audit logs of all access attempts for security monitoring purposes.

1.2 Message Content

Your messages (collectively, "Message Content") are transmitted securely using industry-standard encryption protocols. All data in transit between your device and our servers is protected by Transport Layer Security ("TLS") to prevent unauthorized interception. Messages stored on our servers are encrypted at rest to protect against unauthorized access.

We collect message content and metadata (including message timestamps, sender and recipient identifiers, message size, and delivery status, collectively "Message Metadata") to facilitate proper message delivery and maintain service functionality. This information is necessary for routing messages correctly, managing message queues, providing delivery confirmation, and enabling features like message search and synchronization across your devices.

1.3 Usage Data

To maintain service quality, detect technical issues, and prevent abuse, we collect limited technical information about how you interact with Tern (collectively, "Usage Data"). This includes device information (such as your device type, operating system version, and Tern app version), which helps us optimize performance for different platforms and identify compatibility issues. We also collect IP addresses, primarily for security purposes (such as detecting unauthorized access attempts, preventing spam and fraud, and enforcing rate limits to protect our infrastructure).

Our systems generate log data that includes timestamps of connections, error messages, and performance metrics (collectively, "Log Data"). This logging is essential for diagnosing technical problems, monitoring service health, and maintaining system security. All diagnostic data is retained only as long as necessary for operational purposes and is automatically deleted according to our retention schedules. We implement data minimization practices to ensure we collect only what is strictly necessary for service operation.

2. How We Use Your Information

2.1 Service Provision

Your information is used exclusively to provide and maintain the Tern messaging service. This includes facilitating secure message delivery between users, maintaining reliable infrastructure for real-time communication, and ensuring messages reach their intended recipients promptly and securely. We use your account information to authenticate your identity when you log in, preventing unauthorized access to your account and protecting your communications from impersonation attempts.

2.2 Security and Fraud Prevention

We employ your data to detect and prevent fraud, spam, and abuse on our platform. This includes monitoring for unusual activity patterns that might indicate compromised accounts, preventing spam campaigns, and identifying attempts to misuse our service for malicious purposes. Our automated systems analyze technical metadata and usage patterns to identify potential security threats while maintaining appropriate security measures to protect your information.

2.3 Service Improvement

Service improvement and reliability efforts utilize aggregated, anonymized data to optimize performance, identify technical issues, and enhance user experience. We analyze system metrics to ensure high availability, fast message delivery, and minimal downtime. When we discover bugs or performance issues, diagnostic data helps us understand and resolve problems quickly. We also use this information to make informed decisions about feature development and infrastructure scaling.

2.4 Communications

We may send you critical service notifications regarding security alerts, significant policy changes, or important account-related information. These communications are limited to essential service matters and are not used for marketing or promotional purposes. We do not use your information for advertising, do not build advertising profiles, and will never sell your personal data to third parties. Your privacy is our priority, not your attention.

3. Data Storage and Retention

3.1 Message Storage

Your encrypted messages are stored on our servers only as long as necessary to ensure reliable delivery to all intended recipients. Once a message has been successfully delivered to all recipients' devices, it is deleted from our servers. This approach minimizes the window during which encrypted messages exist on our infrastructure. For messages sent to offline recipients, we retain the encrypted message on our servers until the recipient comes online and retrieves it, or for a maximum of 30 days, whichever comes first.

After messages are delivered, they are stored only on recipient devices. We do not maintain a permanent archive of your messages on our servers. If you enable cloud backup features, encrypted backups of your messages may be stored using your chosen cloud storage provider. These backups are encrypted with keys derived from your account credentials, ensuring that even the cloud storage provider cannot access your message content. You maintain full control over backup settings and can disable this feature at any time.

3.2 Account Data

Your account information including email address, username, and profile data is retained for as long as your account remains active. This data is necessary to provide ongoing service and maintain your account identity. If you wish to stop using Tern, you can delete your account at any time through the account settings. Account deletion is immediate and permanent, removing your account information, profile data, and associated metadata from our systems within 90 days.

When you delete your account, we begin immediate removal of your data from our active systems. Some data may persist in encrypted backups for up to 90 days before being permanently deleted as part of our backup rotation cycle. This retention period ensures we can recover from system failures while maintaining reasonable data retention practices. After this period, your account data is completely and irreversibly removed from all Tern systems.

3.3 Metadata and Logs

We retain minimal message metadata such as delivery timestamps, sender and recipient identifiers, and message size information for up to 90 days. This metadata is necessary for operational purposes including debugging delivery issues, monitoring system performance, and detecting abuse. After 90 days, metadata is automatically deleted from our systems. Connection logs and diagnostic data follow similar retention policies, with automated deletion after the data is no longer needed for operational or security purposes.

4. Data Sharing and Disclosure

Tern is committed to protecting your privacy and does not share your personal information with third parties except in specific, limited circumstances where necessary to provide our service or comply with legal obligations. We do not sell, rent, or trade your personal data (collectively, "Personal Data") under any circumstances.

4.1 Service Providers

We work with carefully selected third-party service providers (collectively, "Service Providers") to help operate and maintain our infrastructure. These providers assist with essential functions (such as cloud hosting, content delivery networks for fast message delivery, and infrastructure security). All service providers are bound by strict contractual obligations to protect your data, use it only for specified purposes, and implement appropriate security measures. They are prohibited from using your data for their own purposes or sharing it with others. We regularly audit our service providers to ensure compliance with our privacy standards.

Service providers only have access to the minimum necessary data required to perform their specific functions, such as message routing, storage, or server infrastructure management. We implement encryption and access controls to protect your data when working with service providers.

4.2 Legal Requirements

We may disclose user information when required by law, such as in response to valid legal process (including court orders, search warrants, or subpoenas, collectively "Legal Process"). We carefully review all legal requests to ensure they are valid and appropriately limited in scope. When possible, we notify affected users ("User" or "Users") before disclosing their information, unless legally prohibited from doing so or when providing notice could compromise an investigation of serious crimes.

When compelled by valid legal process, we may provide access to user data (including account information, message content, metadata, connection timestamps, and IP addresses). We maintain transparency by publishing regular transparency reports (collectively, "Transparency Reports") detailing the number and types of legal requests we receive, and we will continue to challenge overly broad or inappropriate requests.

4.3 Security and Fraud Prevention

To protect our platform and users from abuse, spam, and fraud, we may share limited technical data with specialized security service providers. This sharing is restricted to anonymized or aggregated information necessary for identifying and preventing malicious activity such as spam campaigns, DDoS attacks, or account compromise attempts. These security providers are contractually obligated to use the data solely for security purposes and to protect it with appropriate safeguards.

5. Your Privacy Rights

You maintain comprehensive control over your personal information and how it is used. The following rights are available to all users:

5.1 Right to Access

You have the right to access your personal information and receive a copy of the data we hold about you. This includes your account details, profile information, and metadata about your usage of the service. We provide this data in a structured, machine-readable format that allows you to understand what information we have collected.

5.2 Right to Correction

You can correct or update your account information at any time through your account settings. If you discover any inaccurate information, you have the right to have it corrected. For certain changes that you cannot make yourself through the app, you can contact our support team for assistance. We will promptly address requests to correct inaccurate or incomplete information.

5.3 Right to Deletion

You have the right to delete your account and all associated data. Account deletion can be initiated at any time through the account settings in the Tern app. When you delete your account, we immediately begin removing your data from our active systems. As detailed in our retention policy, complete deletion from all systems, including backups, occurs within 90 days. This deletion is permanent and irreversible.

5.4 Right to Data Portability

You can export your data in a portable format, allowing you to transfer your information to other services if desired. This export includes your account information, contact lists, and other data you've provided. For certain types of data like messages, export options are available directly through the app. For comprehensive data exports, you can submit a request to our privacy team.

5.5 Right to Opt-Out

You maintain the right to opt out of optional data collection features. While certain data collection is necessary for the service to function, we provide granular controls over optional features. You can disable analytics, diagnostic data collection, and other optional features through your privacy settings. These controls allow you to balance privacy preferences with service functionality based on your personal comfort level.

5.6 Exercising Your Rights

To exercise any of these rights or if you have questions about your privacy rights, contact our dedicated privacy team at [email protected]. We respond to all rights requests within 30 days and work to accommodate your preferences while maintaining service security and integrity.

6. Security Measures

Security is fundamental to Tern's design and operation. We implement comprehensive, defense-in-depth security measures to protect your data at every layer of our infrastructure. Our security program follows industry best practices and is regularly updated to address emerging threats and vulnerabilities.

6.1 Encryption and Data Protection

All data in transit between your device and our servers is protected by Transport Layer Security (TLS) with perfect forward secrecy, ensuring that even if encryption keys were compromised, past communications remain secure. Messages stored on our servers are encrypted at rest to protect against unauthorized access. We employ strong encryption algorithms that are regularly reviewed and updated to maintain security against evolving threats.

6.2 Authentication and Access Control

User authentication is protected through secure password hashing using bcrypt with high work factors, making password cracking computationally infeasible even if our database were compromised. We support and encourage the use of two-factor authentication, adding an additional layer of protection beyond passwords. Session management employs secure, randomly generated tokens with appropriate expiration policies to prevent unauthorized access to accounts.

6.3 Security Auditing and Testing

We conduct regular security audits and penetration testing performed by both internal security teams and independent third-party security researchers. These assessments help identify and address potential vulnerabilities before they can be exploited. We maintain an active security researcher program and respond promptly to responsible disclosure of security issues. All identified vulnerabilities are prioritized and addressed according to their severity and potential impact.

6.4 Infrastructure Security

Our infrastructure is hosted in secure data centers with comprehensive physical security controls including 24/7 monitoring, access controls, and environmental protections. All servers are hardened against attack, with unnecessary services disabled and security updates applied promptly. We implement network segmentation and firewalls to limit the potential impact of any security breach. Access to production systems is strictly controlled, logged, and monitored, with access granted only to essential personnel on a need-to-know basis.

6.5 Threat Monitoring and Incident Response

We maintain detailed security logs and employ automated monitoring systems to detect anomalous activity. Our security operations team monitors for potential threats 24/7 and can respond rapidly to security incidents. We have comprehensive incident response procedures to contain, investigate, and remediate security issues. In the event of a security incident that affects user data, we are committed to transparent communication with affected users and appropriate authorities.

7. International Data Transfers

Tern operates as a global messaging platform, serving users around the world. To provide reliable, low-latency service, your information may be transferred to and processed in countries other than your own, including countries that may have different data protection laws. Regardless of where your data is processed, we maintain the same strong privacy protections described in this policy.

When transferring data internationally, we implement appropriate safeguards to ensure your information remains protected. These safeguards include standard contractual clauses approved by relevant data protection authorities, technical measures like encryption, and organizational security controls. For data transfers from the European Economic Area, we comply with GDPR requirements and use approved transfer mechanisms. Our encryption and security measures ensure that your data remains protected regardless of where it is processed or stored.

We carefully evaluate our international service providers and data processing locations to ensure they meet our security and privacy standards. We maintain data processing agreements with all providers that handle user data, requiring them to implement appropriate technical and organizational measures to protect your information in compliance with applicable data protection laws.

8. Children's Privacy

Protecting children's privacy is particularly important to us. Tern is not intended for use by individuals under the age of 13 in the United States, or under the applicable age of digital consent in other jurisdictions (typically 13-16 years old, collectively "Minimum Age"). We do not knowingly collect personal information from children ("Minors") below these age thresholds. Our terms of service (the "Terms of Service") explicitly prohibit use by individuals below the minimum age requirement.

If we become aware that we have collected personal information from a child without appropriate parental consent, we will take immediate steps to delete that information from our systems. Parents or guardians who believe their child has provided personal information to Tern should contact us immediately at [email protected], and we will promptly investigate and delete any such information.

While users who meet our minimum age requirements can use Tern, we encourage parents and guardians to be involved in their children's online activities and to help them understand privacy and security best practices for digital communications. We recommend that families discuss appropriate messaging behavior and privacy settings together.

9. Cookies and Tracking

Our website and services use cookies and similar technologies (collectively, "Cookies") sparingly and only for essential functionality. Cookies are small data files stored on your device that help us provide and improve our services. We use cookies for essential purposes (such as maintaining your login session, remembering your preferences, and ensuring security). These cookies are necessary for the website to function properly and cannot be disabled without affecting core functionality.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies that follow you across websites. We do not sell data collected through cookies to third parties, and we do not use cookies to build advertising profiles. Our use of cookies is strictly limited to what is necessary to provide our service securely and efficiently.

You can manage cookie preferences through your browser settings. Most browsers allow you to refuse cookies or delete existing cookies. However, disabling essential cookies may prevent you from using certain features of our website or app. For mobile applications, similar local storage mechanisms are used for essential functionality, and you can manage these through your device settings.

10. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational needs. When we make changes, we will update the "Last updated" date at the top of this policy. For minor changes that do not affect how we collect or use your personal information, we may not provide additional notice beyond updating this policy on our website.

For material changes that significantly affect how we handle your personal information, we will provide prominent notice through the Tern app, via email to your registered email address, or through other appropriate means. Material changes include significant modifications to what information we collect, how we use it, with whom we share it, or your rights regarding your information. We will provide reasonable advance notice of such changes to allow you to review the updated policy before it takes effect.

Continued use of Tern after a privacy policy update indicates your acceptance of the revised policy. If you do not agree with changes to our privacy policy, you should discontinue use of Tern and may delete your account. For significant changes, we may require you to explicitly accept the new policy before continuing to use our services. We encourage you to review this privacy policy periodically to stay informed about how we protect your information.