Privacy & Cookie Policy
Last updated: 6 June 2026
1. Who is responsible for your data
The controller of your personal data is MH Mariusz Henn, Turonia 10F/1, 30-410 Kraków, Poland (NIP PL4980223431), operating the Tseha service at tseha.io. For any privacy matter, contact us at [email protected].
2. What data we collect
- Account & authentication data — name or username and email address, obtained when you sign in through our identity providers (Google, Auth0).
- Organization data — organization name, team members, and roles.
- Customer Content — the standards, components, and documentation you add to the Service. This may incidentally include personal data you choose to enter.
- Technical data — IP address, logs, session identifiers, and MCP access tokens, used to operate and secure the Service.
- Billing data — for paid plans, billing details processed by Stripe. We do not store full card numbers.
We do not collect your source code. The MCP server is read-only and outbound — it serves your standards, components, and tokens to your agent and has no capability to read, receive, or store your code. The only data your agent sends to us is a short search description when it looks up a component by use case, which we process to return matching results.
3. Purposes and legal bases
We process personal data on the following GDPR legal bases:
- Performance of a contract — to provide accounts, organizations, and the Service.
- Legitimate interests — to secure, maintain, and improve the Service and prevent abuse.
- Consent — for non-essential cookies and analytics (see section 4).
- Legal obligation — to meet accounting and tax requirements.
5. Service providers (subprocessors)
We share data with the following providers solely to operate the Service. Business customers can find the full Article 28 terms, including subprocessor locations and transfer safeguards, in our Data Processing Agreement:
- Auth0 / Google — authentication and sign-in.
- Stripe — payment processing for paid plans.
- Resend — transactional email delivery (invitations and account notices).
- Termly — cookie consent management.
- Google (Tag Manager) — tag and analytics management, subject to consent.
- Vercel — application hosting and infrastructure; content is encrypted at rest and hosted in the EU.
- Neon — managed PostgreSQL database hosting (our primary data store), hosted in the EU.
- Upstash — managed Redis for rate limiting and caching, hosted in the EU.
- OpenAI — AI features (embeddings for semantic component search, AI-generated standard summaries, and package analysis). The standards and component content you submit for these features is processed by OpenAI solely to return results to you; under OpenAI’s API data policy it is not used to train OpenAI’s models. Your source code is never sent.
6. Data retention
We keep personal data only for as long as your account is active and as needed to provide the Service. After your account is closed, we delete or anonymize your data on the following schedule:
- Account, profile, and Customer Content — deleted within 30 days of account closure.
- Technical logs (IP addresses, session data) — retained for up to 90 days.
- MCP access tokens — kept until revoked or until your account is closed.
- Consent records — kept for up to 3 years to evidence the consent given.
- Invoices and accounting records — retained for 5 years from the end of the calendar year in which the related tax payment was due, as required by Polish law.
Deleted data may persist in encrypted backups for a short period (normally up to 90 days) before those backups are overwritten.
7. International transfers
Our hosting is located in the EU. Some providers (such as Google, Auth0, Stripe, Resend, Termly, or OpenAI) may process data outside the European Economic Area. Where this happens, the transfer is protected by an appropriate safeguard, such as the European Commission’s Standard Contractual Clauses.
8. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. To exercise any of these rights, contact us at [email protected]. Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
9. Security
We apply technical and organizational measures appropriate to the risk, including encryption of content at rest, access controls, and audit logging. No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident.
10. Complaints
If you believe we have not handled your personal data properly, you may lodge a complaint with the Polish supervisory authority, the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), or your local supervisory authority.
11. Changes to this policy
We may update this policy from time to time. We will post the updated version here and revise the “Last updated” date above. Material changes may be communicated by email or in-product notice.