Privacy Policy

Last updated: May 5, 2026

Tessa is a mobile application for storing and using loyalty cards. This policy describes what data the app collects, how it is stored, and how it is used. Tessa is privacy-first by design — we keep this short and clear.

1. Data We Collect

Account data (optional): An email address, used only for cloud backup and family sharing. Authentication via one-time email codes (OTP). No passwords stored. Tessa works fully without an account.

Profile data: A display name you choose, used only for family sharing.

Card data: Card name, retailer, barcode/QR value, category, optional note. Encrypted on your device before any cloud sync.

Card photos (optional): Photos you attach to a card. Stored locally, encrypted with a device-only key. Optionally backed up to the cloud (still encrypted).

Household data (optional): If you use family sharing, the email addresses of household members you invite.

2. How Data Is Stored

All card data lives on your device. If you opt into cloud backup, data is encrypted on your phone (AES-256-GCM) before being uploaded to Supabase (our cloud infrastructure provider). The server never sees your barcode values, only encrypted ciphertext.

Encryption keys are derived from a 6-digit PIN you choose, or from the device keychain, depending on your settings.

3. How Data Is Used

Your data is used solely to operate the app:

We never use your data for advertising, profiling, analytics, or anything other than running the app. We don't watch where you shop.

4. Data Sharing

Cards you choose to share are visible to household members you invite. This is the core function of family sharing.

We do not sell, rent, or share your data with third parties, except:

5. Data Retention

Your data is kept on your device as long as the app is installed. Cloud-backed data is kept while your account exists.

You can delete your account and all server data directly in the app's account settings.

6. Children's Privacy

Tessa is intended for adults. We do not knowingly collect personal information from children under 13.

7. Security

Authentication uses one-time email codes. Card data is encrypted on your device with AES-256-GCM. All communication between the app and our servers uses HTTPS.

8. Your Rights

You may access, correct, or delete your personal data directly in the app. You can also contact us — we will respond within 30 days.

9. Changes

If this policy changes, the updated version will be published at this URL. Continued use of the app constitutes acceptance of the updated policy.

10. Contact

If you have questions about this privacy policy or your data, contact us at:
tessa@1tnt.link