Privacy Policy
Tenderly by NEXASPHERE
Effective Date: June 6, 2026 · Operator: NEXASPHERE INC., an Ohio corporation (“NexaSphere,” “we,” “us”), Dublin, Ohio, USA · Contact: [email protected]
The short version
Tenderly is built to keep your family's most private words private. The app works entirely on your device by default. If you choose to sign in, your data syncs so your family can share letters and entries — but the contents of sealed letters are encrypted on your device before they ever leave it, and we never hold the keys. We cannot read your sealed letters on our servers, and neither can anyone else until the delivery date you chose. (We do store limited delivery details such as recipient name and delivery date, described below.)
Local-first by default
Until you sign in, Tenderly runs in local-only mode: your letters, journal entries, and drafts live in the app's storage on your iPhone and are never transmitted to us. In this mode we collect nothing, because there is no account and no server connection.
What we collect when you sign in
Signing in is optional and enables syncing across devices and sharing with family. When you sign in, we process:
- Account identity. If you use Sign in with Apple, we receive the identifier Apple provides and, on first sign-in only, the name and relay email you choose to share. We store a display name so your family can recognize you.
- Your public key. So family members can encrypt letters to you, we store the public half of your encryption key. The private key never leaves your device.
- Family membership. The family you create or join, its name, its invite code, and which members belong to it.
- Sealed letters. Stored as encrypted blobs we cannot decrypt, along with non-content metadata needed to deliver them: recipient name, delivery date, and timestamps.
- Shared journal entries. Entries you explicitly choose to share with your family, stored encrypted. Private entries stay on your device unless and until you share them.
We use the relay email from Sign in with Apple only to send account- and delivery-related messages (for example, letting a recipient know a letter is ready). We do not use it for marketing without your separate consent.
Why we are allowed to process this (legal basis)
For users in the EU/UK, we process your synced data to perform our agreement with you (GDPR Article 6(1)(b)). Notifications rely on your consent (Article 6(1)(a)), which you can withdraw any time in Settings. Limited security and abuse-prevention processing rests on our legitimate interests (Article 6(1)(f)).
What we never collect
- The readable contents of your sealed letters (we hold no key to decrypt them)
- Advertising identifiers or cross-app tracking data
- Third-party analytics, behavioral profiles, or telemetry
- Your contacts, photo library, or location
- Any data at all while you use the app in local-only mode
Tenderly contains no advertising SDKs and no third-party analytics SDKs. We do not sell or “share” personal information as those terms are defined under U.S. state privacy laws — so there is nothing to opt out of.
End-to-end encryption
Sealed letter contents are encrypted on your device using modern public-key encryption (X25519 key exchange with the libsodium library) before being stored or synced. Because the decryption keys exist only on family members' devices, we are technically unable to read sealed letter contents on our servers. A time-locked letter cannot be opened by anyone — including us — before the delivery date you set. This protects letter content; the delivery details described above are not encrypted in this way because we need them to deliver on schedule.
On-device safety check
Before a letter is saved, Tenderly runs a keyword check entirely on your device to spot language associated with crisis or self-harm. If it matches, the app shows you supportive resources (such as the 988 Suicide & Crisis Lifeline). This check never blocks your letter, and its results are not transmitted to us.
Notifications
If you enable notifications, Tenderly schedules reminders on your device (for example, weekly writing prompts) and, where supported, can notify you when a family member sends you a letter. You can turn notifications off at any time in Settings or in iOS Settings.
Data about people who don't use Tenderly
Letters and entries you write may name people who are not Tenderly users, including children. When you write about your own minor child, you do so as that child's parent or legal guardian and on that authority. Please do not enter personal information about a child under 13 who is not your own. Because Tenderly letters are often surprises or time-capsules, we do not proactively notify people named in your content that they appear in it. A person identified in your content — or a parent or guardian on a child's behalf — may request access to, correction of, or deletion of that information by emailing [email protected].
Sub-processors
When you sign in, we rely on the following service providers:
- Supabase (United States) — authentication, database, and storage for synced and shared data, including encrypted letter blobs.
- Apple — Sign in with Apple, push notifications, and in-app subscription processing through the App Store.
Tenderly is offered from the United States and synced data is stored in the United States (Supabase, US-East). Where we serve users outside the United States, any international transfers rely on appropriate safeguards such as Standard Contractual Clauses.
Retention
We retain your synced account data for as long as your account is active. When you delete your account, your on-device data is erased immediately and we initiate deletion of your synced data from our servers; routine encrypted backups expire on a rolling cycle thereafter. We never retain readable letter contents at any point, because we cannot decrypt them.
Deleting your data
You can delete your account at any time from Settings → Delete Account. This immediately and permanently erases all data stored on your device. If you are signed in, we also submit a request to delete your synced data from our servers; to confirm or expedite server-side deletion, email [email protected]. Deleting your account cancels any future letter deliveries from that account — if you want a letter delivered, do not delete your account before its delivery date.
Your privacy rights
Depending on where you live (for example, under the GDPR/UK GDPR and the California CCPA/CPRA), you may have the right to know about and access the data we hold, to delete it, to correct it, to opt out of any sale or sharing (we do none), to limit use of sensitive personal information, and not to be discriminated against for exercising these rights. To make a request, email [email protected]. Note that because sealed-letter contents are end-to-end encrypted and unreadable by us, some requests can only be fulfilled from your own device.
Children
Tenderly is not directed to children under 13. During setup we ask for your date of birth. If you indicate you are under 13, the app blocks account creation and use — we do not create an account and do not store your date of birth. Users aged 13 to 17 may use Tenderly only after confirming in the app that a parent or guardian has reviewed Tenderly and consents to their use; we process their data on the same data-minimizing basis as everyone else. Parents and guardians who need to review or delete information about their child that appears in Tenderly content may email [email protected].
Changes
We may update this policy as the app evolves. Material changes will be reflected here with a new effective date.
Questions about your privacy? Email [email protected].