Privacy Policy

Effective date: May 20, 2026.

Controller: OniLink UG (haftungsbeschränkt), Nikopoler Str. 35, 01619 Zeithain, Germany.

Represented by: Niovi Ioannidi. Register: Amtsgericht Dresden, HRB 47126. VAT ID: DE457255743.

Privacy contact: support@tsumuapp.com. General contact: info@tsumuapp.com.

This policy covers the Tsumu web app, account access, workspaces, projects, chats, notebook pages, imported sources, AI-generated project context, decisions, follow-ups, review items, support requests, and related technical operations.

Projects are the plan-limited memory units in Tsumu. Workspaces organize work inside a project, imported sources count toward that project, and active workspace sources are prioritized only within the same project.

If you import, write, paste, or generate content that contains personal data about other people, you are responsible for having their consent, authority, or another lawful basis to process that material through Tsumu and its providers.

Tsumu is controller for account data, billing data, support records, security records, usage and entitlement records, moderation records, and product-operation records.

Tsumu is processor only for customer-uploaded workspace, source, notebook, and chat content to the extent the customer controls personal data inside that content and Tsumu processes it to provide the service.

The Data Processing Addendum describes this processor role for business customers and customer-uploaded content. It does not make the customer controller of Tsumu account, billing, support, security, usage, moderation, or legal compliance records.

Account data: email address, authentication identifiers, login/session data, and account status.

Signup legal acknowledgement data: minimum-age confirmation, Terms acceptance, Privacy Policy acknowledgement, acknowledgement timestamp, acknowledgement source, and Terms/Privacy version metadata.

Security settings data: email verification status, account creation date, last sign-in date, session revocation activity, and account event records for exports, deletion, and security-sensitive account actions.

Workspace content: workspace names, project names, chats and chat messages, notebook pages, uploaded or pasted source material, stored source text, stored notebook markdown, AI-generated project context, decisions, follow-ups, review items, helpful context, and project briefs.

AI assistance data: prompts, source excerpts, chat context, generated summaries, reply metadata, recalled references, model selection, memory update status, chat-to-memory status, AI processing hashes, AI processing model/version metadata, token counts, credit usage, and provider/model identifiers.

Moderation and safety data: hashed IP identifiers, hashed user-agent identifiers, hashed message or reply identifiers, message IDs, subject labels for user messages or assistant replies, input length, moderation model/ID, category flags and scores, moderation decisions, actions, and reasons. Moderation audit records do not store raw IP addresses or raw message text, although the related chat message or generated reply may still exist as workspace content.

Technical data: device/browser metadata, IP-derived request information, Cloudflare Turnstile challenge and security signals where enabled, hashed rate-limit identifiers, rate-limit bucket data, security events, performance logs, error logs, and audit records needed to operate and protect the service.

Language and locale data: saved language or locale preference, browser language headers or browser locale signals such as Accept-Language, and approximate country or region derived from IP address or network metadata where used to choose an initial language default.

Website analytics data: Umami Cloud analytics events, page path without URL query strings or hash fragments, referrer URL, page title, browser, operating system, device type, screen size, language, approximate country/region/city derived from request or network metadata, and aggregate visit metrics such as views, visitors, visits, bounce rate, and visit duration.

Support data: in-app support request records, account email, topic, message, page path, hashed IP/user-agent identifiers, direct emails, issue descriptions, screenshots or files you choose to send, and follow-up messages.

Billing data: Stripe customer identifiers, subscription identifiers, Checkout Session identifiers, PaymentIntent identifiers, product and price identifiers, plan key, billing interval, credit package key, subscription status, current billing period dates, cancellation flags, trial dates if any, plan-change requests, proration previews, scheduled plan-change effective dates, latest invoice reference, collection method, billing name/email, payment status, customer portal activity, Stripe webhook event logs, AI credit grants, credit balances, credit usage, credit expiry, temporary credit reservation records, credit reversal metadata, plan-resolution diagnostics, and related support records.

Tsumu uses Stripe Checkout to start monthly or yearly paid subscriptions, sell one-time AI credit add-ons, and process payment. Tsumu uses Stripe Customer Portal to manage billing details, payment methods, invoices, subscription changes, and cancellations.

Current paid plans are Pro ($20/month or $200/year), Studio ($49/month or $490/year), and Max ($99/month or $990/year). Promotional codes may reduce the amount shown at Checkout.

When a paid user changes plans, Tsumu may use Stripe to preview prorated upgrade charges, apply immediate upgrades, schedule downgrades for the next renewal date, and record the effective date of a scheduled plan change.

Current one-time AI credit add-ons are 500 credits ($20), 1,000 credits ($40), 2,500 credits ($100), and 5,000 credits ($200). Add-on credits require an active paid subscription, are consumed after monthly plan credits for user-triggered AI work, and currently expire one year after they are granted.

For supported AI actions, Tsumu may create temporary server-side credit reservations before generation or processing starts, then finalize, release, or expire those reservations after actual usage is known. These reservations are treated as internal billing-process records.

When you use billing features, Stripe may process billing contact details, payment method details, tax details, transaction details, invoice details, customer portal activity, fraud/security signals, and related identifiers.

Stripe may also process certain payment, fraud, risk, compliance, security, and legal-obligation data under its own controller, service-provider, or independent-provider role and legal terms.

Tsumu may display recent Stripe invoice history on the Billing page, including invoice number, status, date, amount, hosted invoice link, and invoice PDF link where Stripe provides them.

Tsumu stores limited Stripe-derived records needed to run billing and entitlements, including Stripe customer ID, subscription ID, Checkout Session ID, PaymentIntent ID, product/price IDs, plan key, billing interval, credit package key, subscription status, current period dates, cancellation state, trial dates if any, plan-change status where applicable, latest invoice reference, collection method, payment status, credit grant status, credits granted, credits used, credits remaining, expiry date, and the billing name/email returned by Checkout.

Tsumu uses plan and subscription status to decide whether project memory, chat-to-memory processing, source lookup, memory refresh, topic updates, and clean project-memory exports are active, paused, or unavailable.

Tsumu does not store full payment card numbers. Payment method details are handled by Stripe and managed through Stripe-hosted surfaces.

Do not import passwords, API keys, production secrets, payment card numbers, government identifiers, regulated health data, children's data, or other highly sensitive material unless you have a clear legal basis and explicit approval to process it through third-party infrastructure and AI providers.

Imported sources and notebook pages are workspace content. If they contain personal data about other people, you are responsible for ensuring you have consent, authority, or another lawful basis to upload and process that material through Tsumu.

Tsumu is not designed for emergency, medical, legal, financial, employment, credit, insurance, or other high-stakes decision-making workflows.

To provide the service: create accounts, keep users signed in, save workspaces, process sources, store chats, generate AI project context, answer chats, extract eligible chat memory, provide account data exports, provide Max-gated clean project-memory exports, preserve project memory, and run eligible background memory work for Studio and Max.

To perform the contract with you: operate core product features, confirm signup eligibility and legal acknowledgement, remember display and language preferences, infer an initial language default where no saved preference exists, respond to support requests, maintain account access, start and manage paid subscriptions, process renewals, sell and grant one-time AI credit add-ons, reserve and finalize credit usage, track credit balances, apply plan entitlements, and enforce background memory caps.

For legitimate interests: keep the service secure, run safety and moderation checks, suppress reply generation where needed, prevent abuse, debug failures, improve reliability, understand product quality through cookie-free website analytics, and maintain minimal operational records.

For legal obligations: keep records required by law, respond to valid legal requests, handle tax/accounting obligations related to billing, and protect legal rights.

With consent where required: optional marketing, non-essential analytics, or processing that legally requires consent will not be enabled without the required consent flow.

Tsumu uses AI providers such as OpenAI and Anthropic to generate replies, summarize sources, extract project memory, surface follow-ups, create review items, and connect decisions to evidence.

Chat messages are stored as chats. Where available, eligible AI memory features may also extract generated project memory, decisions, follow-ups, topics, or review items from chat when plan limits and regular AI credits allow.

Pro can create project memory automatically from imported sources, but scheduled background memory runs and batch consolidation are Studio and Max features.

When a Free account upgrades to a paid plan, Tsumu may reprocess or review eligible existing sources and chats to make paid source-processing and project-memory features available, subject to plan limits, source limits, regular AI credits, background memory caps where applicable, provider availability, and service safeguards.

Tsumu uses commercial API provider accounts for OpenAI and Anthropic integrations. Tsumu does not intentionally opt customer workspace content into AI-provider model training, but provider-side abuse monitoring, safety, security, debugging, support, legal, or service-retention logs may still apply under provider terms and configured account settings.

AI output can be inaccurate or incomplete. Tsumu shows references and inspection surfaces so users can review important outputs before relying on them.

Tsumu does not use AI to make solely automated decisions that produce legal or similarly significant effects about users.

Tsumu may run automated safety and moderation checks on user messages before reply generation and on assistant replies after stream completion. Flagged user input may suppress assistant generation; flagged assistant output is currently logged for audit rather than interrupting the stream.

Tsumu should not be used to request professional advice or automated judgments about a person in high-risk areas such as health, employment, credit, insurance, housing, education, legal rights, immigration, law enforcement, or public benefits.

For Studio and Max projects, Tsumu may run scheduled background memory refresh and batch consolidation when enough source material or eligible chat context changes or becomes available.

This is meant to keep project context, topics, decisions, follow-ups, and review items useful without requiring a manual cleanup step.

Background refresh stays inside the same project and remains subject to plan limits, the separate background memory cap, source limits, and provider availability.

Tsumu uses Supabase for authentication, database, storage, and edge functions.

Supabase may process limited account, usage, diagnostic, support, security, or service metadata under its own provider terms where it acts as controller or service provider for those purposes.

Tsumu uses Firebase App Hosting and Google Cloud infrastructure to host the web app and related logs.

Tsumu uses Cloudflare Turnstile for bot and abuse prevention on signup, login, password reset, verification resend, and security-sensitive account flows where enabled.

Cloudflare Turnstile may process client-side security signals such as IP address, user-agent header, TLS/browser fingerprints, sitekey and origin, challenge tokens or results, and related bot-detection metadata under Cloudflare's Turnstile privacy terms.

Tsumu may send prompts, source excerpts, chat context, and generated context to OpenAI or Anthropic when a user invokes AI features.

Tsumu may send message or reply text to OpenAI moderation and safety services, including when the selected generation model is provided by another AI provider.

Tsumu uses Stripe for paid plan checkout, one-time AI credit add-on checkout, recurring subscription billing, invoices, payment method updates, failed-payment handling, cancellations, and billing portal access.

Tsumu uses Umami Cloud for cookie-free website analytics, including pageviews, referrers, browser and device information, approximate location, and aggregate visit metrics. Tsumu configures Umami to respect browser Do Not Track, exclude URL query strings, and exclude URL hash fragments.

Tsumu uses Resend for production authentication and transactional account email configured through Supabase Auth.

Resend may process transactional email content and delivery metadata for email delivery, reliability, abuse prevention, and provider compliance. Tsumu does not use Resend for marketing email or support request forwarding at launch.

In-app support requests are stored in Supabase and are not forwarded through Resend support notification email.

Tsumu uses Apple iCloud Mail for direct support, privacy, legal, and contact emails sent to Tsumu support or contact addresses.

Apple iCloud Mail is not treated as a DPA-backed primary support processor; it is disclosed as a direct email fallback under Apple/iCloud public terms.

The Data Processing Addendum describes Tsumu's processor role for customer-uploaded content. The subprocessors page lists production providers, purposes, data categories, and provider legal reference links.

Tsumu may share data with email/support tooling, professional advisers, infrastructure providers, or authorities when required to operate the service, respond to requests, comply with law, or protect rights and security.

Tsumu does not sell workspace data and does not share personal data for cross-context behavioral advertising.

Tsumu and its providers may process personal data in the EEA, the United Kingdom, the United States, and other locations where infrastructure or AI providers operate.

Where GDPR transfer rules apply, Tsumu relies on an adequacy decision, Standard Contractual Clauses, or another lawful transfer mechanism.

Workspace, project, chat, notebook, and source data is kept while the account, workspace, or project is active unless you delete it or request deletion.

After a confirmed valid deletion request, Tsumu removes the relevant data from active systems immediately.

Supabase database backups may retain deleted data for up to 7 days before automatic expiry. Backups are for recovery and are not used to restore deleted user data except where required to recover from an incident.

Support and contact tickets are kept as support history and process records unless the requester asks Tsumu to delete them. If a support or contact ticket is deleted, Tsumu may keep a minimal internal receipt showing the request, action, timestamp, and outcome.

Account-event records, deletion and export receipts, billing-process receipts, Stripe webhook event logs, and other internal process logs may be retained to prove that account, billing, support, deletion, export, security, or entitlement actions were handled.

Performance logs are generally retained for 30 days. Rate-limit buckets are retained until bucket expiry and cleanup. Moderation and security audit records are generally retained for 12 months, or longer if tied to abuse, security, billing, support, legal, or dispute handling.

Billing, invoice, payment, tax, accounting, AI credit grant, temporary credit reservation, credit reversal, and chargeback records may be retained for the period required by applicable law or for dispute, fraud-prevention, accounting, entitlement, and billing-process purposes.

Provider retention windows may apply separately to AI API abuse logs, hosting or runtime logs, website analytics records, transactional email delivery records, payment or compliance records, support correspondence, backups, and security or audit logs under provider terms and active account settings.

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to the processing of your personal data.

Signed-in users can download a JSON account export from Settings. It includes account records, owned workspace and project records, source records and stored source text where available, notebook folders, chats and messages without AI-picked reference lists, support request records, billing records, AI credit records, usage records, account event records, performance logs, and moderation audit records tied to the account. Payment card details are not included because Tsumu does not store full payment card numbers.

Internal billing-process records, such as temporary credit reservations used to prevent concurrent credit overruns, may be excluded from the account export while retained as internal process receipts where needed.

Tsumu-generated project memory is not included in the account export. This excludes generated project memory, including memory extracted from chats, project topics, AI-made memory details, generated decisions and follow-ups, review items, chat reference metadata generated from memory, and behind-the-scenes ranking and matching details.

Clean project-memory exports are separate Max product features and may be summarized or capped.

A plan downgrade or cancellation may pause use or export of Tsumu-generated project memory, but original project data remains readable and the account export remains focused on stored account, workspace, project, source, notebook, chat, billing, usage, support, and account-event records.

Account deletion may require cancelling an active paid plan first so subscription billing can be stopped through Stripe before the account is removed.

When projects or imported sources exceed current plan limits or required tier gates, AI memory actions, chat-to-memory processing, memory refresh, source lookup, topic updates, and clean project-memory exports may pause until the account returns within limits or upgrades.

Where processing is based on consent, you may withdraw consent. This does not affect processing that happened before withdrawal.

EU/EEA users may lodge a complaint with their local data protection authority.

California users may have rights to know, delete, correct, limit sensitive personal information, opt out of sale or sharing, and receive equal service for exercising privacy rights. Tsumu does not sell or share personal data for cross-context behavioral advertising.

To make a request, email support@tsumuapp.com from the email address connected to your Tsumu account. Include the workspace or project name when relevant.

Tsumu uses hosted infrastructure, authentication controls, database access controls, rate limits, Cloudflare Turnstile security checks where enabled, and operational logging to protect account and workspace data.

No internet service can be guaranteed completely secure. Users should avoid importing secrets or material that would create serious risk if exposed.

Security concerns can be reported to support@tsumuapp.com.

Tsumu uses Supabase authentication/session cookies and an appearance preference cookie named `tsumu-appearance` to keep users signed in and remember their display preference.

Tsumu may store a language or locale preference in a cookie, local storage, or account setting so the app can remember the selected language across sessions or devices where supported.

When no saved language preference is available, Tsumu may use approximate country or region inferred from IP address or network metadata, browser language headers, or browser locale signals to select an initial language default. You can change the language in Settings where the feature is available.

Tsumu may store chat drafts under `tsumu:chat-draft:*`, the selected AI model under `tsumu:chat-model`, dismissed credit warnings under `tsumu:chat-credit-warning:*`, a pending confirmation email in sessionStorage under `tsumu.pendingConfirmationEmail`, and verification resend cooldowns under `tsumu.confirmationResendCooldowns`.

Cloudflare Turnstile may run security challenges and strictly necessary challenge storage or signals on security-sensitive forms where enabled.

These browser storage items and challenge checks support authentication, security, user preferences, draft preservation, and abuse-prevention workflows. They are not advertising cookies.

Tsumu loads the Umami Cloud analytics script for cookie-free website analytics. The script is configured to respect browser Do Not Track settings and to exclude URL query strings and hash fragments before analytics data is sent.

The Firebase project currently has a Google Analytics measurement ID, but the Tsumu app code reviewed for this policy does not load a Google Analytics script or Firebase Analytics client.

If Tsumu adds advertising cookies, marketing pixels, Google Analytics, Firebase Analytics, or analytics that requires additional consent, this policy and any required consent controls will be updated first.

Tsumu is not directed to children and should not be used by anyone under 16 or below the minimum age required by local law without valid consent from a parent or guardian.

Do not import source material containing children's personal data unless you have a lawful basis and explicit permission to process it.

Tsumu may update this policy as the product, providers, billing setup, or law changes.

Material changes should be communicated in the app or by email where legally required.

The German statutory reference copy at /datenschutz is provided because OniLink UG (haftungsbeschränkt) is established in Germany. It does not mean that Tsumu targets, solicits, or markets to consumers habitually resident in Germany.