Your privacy matters. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your information when you use Tommy.app ("Service," "we," "us," or "our").
1. Information We Collect
We collect the following categories of information:
Account information:
- Email address (provided during signup)
- Username (chosen during onboarding)
- Telegram user ID and username (linked when you start your agent)
- Subscription plan and billing status
Usage data:
- Messages sent to your AI agent (chat history)
- Token usage counts (prompt and completion tokens)
- Files and pages your agent creates on your subdomain
- Agent memory and workspace files (MEMORY.md, SOUL.md, etc.)
- Timestamps of account creation and activity
Technical data:
- IP addresses (collected by our hosting infrastructure)
- Browser type and device information (via standard server logs)
- Referral source (how you found Tommy.app)
Payment data:
- We do not store your payment card details — all payment processing is handled by Stripe
- We store your Stripe customer ID and subscription ID for billing management
2. How We Use Your Information
We use your information to:
- Provide the Service — run your AI agent, host your subdomain, route Telegram messages
- Personalize your experience — your agent reads its memory files to remember you across sessions
- Manage billing — process payments, send receipts, enforce plan limits
- Improve the Service — analyze aggregate usage patterns to improve performance and features
- Communicate with you — send transactional emails (receipts, trial expiry, account notices)
- Enforce our Terms — detect abuse, enforce rate limits, protect platform integrity
- Legal compliance — comply with applicable laws and respond to lawful requests
We do not sell your personal data. We do not use your chat history to train AI models.
3. Third-Party Services
Tommy.app relies on the following third-party services to operate:
| Service |
Purpose |
Data shared |
| Stripe |
Payment processing & billing |
Email, subscription details, payment method |
| Anthropic |
AI model (Claude) powering your agent |
Messages sent to your agent, subject to Anthropic's privacy policy |
| Telegram |
Messaging interface for your agent |
Telegram user ID, messages you send via Telegram |
| Hetzner Cloud |
Server hosting infrastructure |
All data is stored on Hetzner servers (EU/US) |
| Cloudflare |
DNS, CDN, and DDoS protection |
IP address, request metadata |
Each third party has its own privacy policy governing their use of data. We encourage you to review their policies.
4. Data Storage & Security
Your data is stored on servers located in the United States and European Union (Hetzner Cloud). We implement industry-standard security practices including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Isolated Docker containers per user — your data is not accessible by other users
- API keys and tokens stored in environment variables, not in application code
- Regular security updates and access control on our servers
No system is perfectly secure. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
5. Data Retention
- Active accounts: Data is retained for the duration of your subscription
- Cancelled accounts: Your data is retained for 30 days after cancellation, then deleted
- Backups: Backups may retain data for up to 90 days after deletion
- Legal holds: We may retain data longer if required by law or ongoing legal proceedings
6. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated data
- Export: Request an export of your agent's memory, workspace, and website files
- Portability: Receive your data in a machine-readable format
- Objection: Object to certain uses of your data
To exercise any of these rights, email tom@tommy.app. We will respond within 30 days. Some requests may require identity verification.
Deleting your account: To permanently delete your account and all associated data, email
tom@tommy.app with subject line "Delete my account." We'll confirm deletion within 7 business days.
7. Cookies
Tommy.app uses minimal cookies:
- Session cookies: Temporary cookies to maintain your login state on the dashboard. These expire when you close your browser.
- No tracking cookies: We do not use advertising cookies, third-party tracking pixels, or behavioral analytics cookies.
You can disable cookies in your browser settings. Note that disabling session cookies may prevent dashboard functionality from working properly.
8. Children's Privacy
The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact us at tom@tommy.app and we will delete it promptly.
9. International Users
Tommy.app is operated from the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States. By using the Service, you consent to this transfer.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. The "Effective date" at the top of this page reflects the date of the last revision. Continued use of the Service after changes take effect constitutes your acceptance.
11. Contact Us
Questions, concerns, or requests regarding this Privacy Policy should be directed to:
Tommy.app
Email: tom@tommy.app
Website: https://tommy.app
We take privacy concerns seriously and will respond within 5 business days.