Privacy Policy

Effective May 4, 2026

Ten0n is an iPhone app that catalogs what's already on your phone — photos, calendar, contacts, reminders, anything you actively share — and surfaces meaningful connections between them. The architecture is the privacy story: your data lives on your iPhone, not on our server. Our server is a thin proxy used only to forward two short summary strings to Anthropic's Claude when the on-device model is uncertain about a bridge candidate. It doesn't log, store, or persist any of those requests. This page explains what stays on your phone, what leaves it, and exactly when.

Section 1What lives on your iPhone

Every piece of data Ten0n collects is stored locally in an iOS-protected SwiftData database on your device. Specifically:

Sightings — short summaries of items Ten0n has noticed (e.g. "wine label, Sangiovese 2019, Tuscany"). Generated on-device by Apple's Foundation Models from photo metadata, calendar events, contact cards, reminders, and items you've shared into Ten0n via the iOS share sheet.
Embeddings — small numeric vectors used by Ten0n's bridge detector. Generated on-device by Apple's natural-language embedder.
Bridges — detected connections between two sightings, and whether each was surfaced.
Audit log — a complete record of every read, summary, evaluation, surface, and (if you opted into cloud) escalation. Visible to you in-app at any time.
Settings — your backfill window choice and audit-log defaults. Stored in iOS preferences on your device.

None of the above is uploaded anywhere. Hard-deleting from the in-app Settings → Danger Zone wipes the whole graph.

Section 2What Ten0n reads from iOS

Ten0n reads only what you explicitly grant during onboarding or in iOS Settings, and only the categories that map to the four built-in bridge features:

Photos — for visual-recall bridges. OCR + scene description happen on-device via Apple's Vision and Foundation Models frameworks. Images themselves are never copied outside the Photos library.
Calendar — for promise-tracker, contact-warmth, and cross-app follow-through bridges. Read via EventKit.
Contacts — for contact-warmth bridges. Read via the Contacts framework.
Reminders — for promise-tracker bridges. Read via EventKit.
Share-sheet inputs — when you long-press a message, link, image, or Wallet pass and tap Ten0n in the share sheet, that single item is queued for ingest. iOS does not expose other apps' inboxes; share-only is the only way Ten0n learns about Mail or Wallet content.

You can revoke any source at any time via iOS Settings → Ten0n. The next pipeline pass treats the source as cold; you can also erase a single source's data from Settings → Danger Zone without affecting the others.

Section 3What leaves your phone

By default: only short text summaries, only when the on-device model is uncertain. Ten0n's pipeline runs on-device first using Apple's Foundation Models. When the on-device model can't confidently classify a bridge candidate, Ten0n briefly forwards the two short summary strings (each ≤ 280 characters) to Anthropic's Claude for a second opinion.

How the cloud trip happens:

The iOS app sends the two summary strings to ten0n.com/api/escalate over HTTPS. We host this endpoint on Vercel.
Our endpoint forwards the request to Anthropic's Messages API and returns Claude's verdict to your phone. The endpoint is a transparent proxy — it does not log, store, or persist the request body or the response.
What never leaves your phone: raw photos, mail bodies, contact card details, calendar event notes, reminder bodies. Only the on-device summary text — short prose Ten0n already wrote — is forwarded.
Each cloud trip is recorded in your in-app Audit Log with the exact time and the bridge it was evaluating. You can verify every escalation.

Why we proxy instead of having you bring your own API key: the proxy lets the app "just work" without requiring users to set up a developer account, and lets us cap abuse via rate limits. The trade-off is that the request transits our server briefly. We chose this trade-off — and document it precisely above — because the alternative (every user gets their own API key) is friction users shouldn't have to navigate.

What the server does log:

Vercel's standard request logs — request timestamp, IP address, response status code, latency. These are operational logs, retained per Vercel's policy. The request body and response body are not logged.
An Upstash Redis counter keyed on IP address, used purely for daily rate limiting. The counter resets every 24 hours. No request content is associated with the counter.

Section 4What Ten0n does NOT collect

Real names, email addresses, or phone numbers (other than what's already in the iOS data sources you've granted access to, which never leaves your phone)
Location data
Device identifiers, advertising IDs, or fingerprints
Analytics or usage telemetry of any kind
Cookies or cross-site tracking — there is no Ten0n website tracking, only static pages
Crash reports sent to a Ten0n server (we use Apple's on-device MetricKit, which Apple aggregates and anonymizes — no third-party crash SDK)

Section 5Third parties

Ten0n integrates with exactly the services it needs to do its job. None of them receive personally identifying data from us:

Apple frameworks — Foundation Models, Vision, PhotoKit, EventKit, Contacts, Core Spotlight, WidgetKit, BGTaskScheduler, Keychain. All run on-device. Apple's privacy practices apply to system-level behavior.
Anthropic — receives the two summary strings during the cloud-escalation path described in Section 3. Anthropic's privacy policy applies to data they receive.
Vercel — hosts ten0n.com, including the static marketing/privacy pages and the /api/escalate proxy endpoint. Vercel retains standard request logs (timestamp, IP, status, latency) per its own policy. Request and response bodies are not logged.
Upstash Redis — stores per-IP daily rate-limit counters for the escalation proxy. Counters auto-expire after 24 hours. No request content is stored.

Section 6Data deletion

You control your data because it lives on your device. Three levels:

Forget one item — swipe left on a sighting in the Memory tab. The audit trail is preserved; the item is hidden from bridge detection going forward.
Erase one source — Settings → Danger Zone → Erase <source> data. Removes every sighting, audit row, and dependent bridge from that source. Other sources untouched.
Erase everything — Settings → Danger Zone → Erase all of Ten0n's memory. Wipes the entire graph plus the Lock Screen widget cache and any pending share-sheet items.

Since Ten0n stores nothing on a server, there is no server-side deletion to request.

Section 7Children's privacy

Ten0n is not directed at children under 13. The app reads content the user has already chosen to put on their iPhone (calendar, contacts, photos, reminders) — content that often contains adult or family information. Use of Ten0n by users under 13 is not supported. We do not knowingly collect any data from children.

Section 8Security

All network calls (iPhone to ten0n.com, our server to Anthropic) use HTTPS / TLS 1.3. The on-device SwiftData store is protected by iOS Data Protection (encrypted at rest when your device is locked). The Anthropic API key is held only on our server, never on your device, never in the app binary.

Section 9Changes to this policy

We may update this policy as Ten0n evolves. Material changes will be communicated through an in-app notice. The effective date at the top of this page indicates the latest revision.

Section 10Contact

Questions about this privacy policy? Reach us at:

privacy@ten0n.com

Built with care, on-device.