PRIVACY POLICY
Tessera AI Limited (“Tessera”, “we”, “us”, or “our”) respects your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use our platform, including the Tracker Agent and other Tessera products (the “Services”).
1. WHO WE ARE
Tessera (Tessera AI Limited) is a company incorporated in England and Wales with its registered office at Flat 23, 163 Iverson Road, London, England, NW6 2RB. We act as the data controller for information we collect directly from you.
2. INFORMATION WE COLLECT
We collect information necessary to deliver and improve our Services, including:
Account and contact details (name, email, company, billing info)
Communication data (emails, messages, campaign interactions)
Integration data from connected systems (Gmail, Outlook, etc.)
Usage and analytics data about how you use our platform
Payment and transaction information processed through secure providers
3. HOW WE USE INFORMATION
We use personal data to provide and operate our Services, manage billing, improve functionality, communicate with users, develop features, and comply with legal obligations. Tessera may also use aggregated and anonymised data to train AI models and improve features and functionality of the Services. Such data will never identify individual users or customers.
4. LEGAL BASES FOR PROCESSING
We process data under one or more lawful bases including performance of a contract, legitimate interests (to improve and secure our platform), compliance with legal obligations, and consent where required (e.g., marketing communications).
5. SHARING OF DATA
We use the following trusted subprocessors:
OpenAI (Global: United States, Europe, Asia-Pacific) — AI processing for email summarization and campaign insights
Cloudflare (Global: 200+ data centers worldwide) — Infrastructure, CDN, and application platform
Neon (Global: AWS/Azure multi-region) — PostgreSQL database hosting
Google Workspace (Global) — Authentication and file storage (your data remains in your Google Drive)
Postmark (United States) — Transactional email delivery
All subprocessors are subject to written Data Processing Agreements requiring equivalent data protection and security standards. A complete Subprocessor Register with contact details is available upon request at privacy@usetessera.com.
5.1 Third-Party AI Processing (OpenAI)
To provide AI-powered email summarization and campaign tracking features, we use OpenAI’s API services. When you use our Services, email content from your connected Gmail or Outlook accounts is transmitted to and processed by OpenAI to:
Generate email thread summaries
Extract dates, deliverables, and pricing information
Track negotiation status and next steps
Aggregate campaign-level insights
OpenAI processes this data under a Data Processing Agreement (DPA) that prohibits using your data to train their models. Your email content is sent to OpenAI only for the specific purpose of providing these features.
OpenAI processes data in multiple regions globally (United States, Europe, and Asia-Pacific) to provide data residency options for compliance with local regulations.
For more information about OpenAI’s data practices, see: https://openai.com/policies/privacy-policy
5.2 Google and Microsoft API Usage
API Services Compliance:
Tessera’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Our use of Microsoft Graph APIs complies with Microsoft API Terms of Use.
Scopes We Request:
When you connect your Google or Microsoft account to Tessera, we request permission to:
Read your email (gmail.readonly / Mail.Read) — To discover and track email threads with influencer contacts for your campaigns
Compose emails (gmail.compose / Mail.Send) — To create email drafts and send campaign-related communications
Manage email labels (gmail.labels) — To apply “Tracked” labels to organise processed emails in your inbox
Access Drive/OneDrive (drive / Files.ReadWrite.All) — To create campaign folders and manage folder sharing with team members
Access Sheets/Lists (spreadsheets / Sites.ReadWrite.All) — To create and update campaign tracking sheets and lists
View workspace users (admin.directory.user.readonly / User.Read.All) — To suggest team members from your organisation during agency setup (Google Workspace and Microsoft 365 organisations only)
Your profile information (userinfo.email, userinfo.profile / User.ReadBasic.All) — For account identification and display in the application
How We Access Your Email:
Tessera enables team collaboration on influencer outreach campaigns. When you authorise email access:
What We Read: Only emails from/to influencer contacts you’ve explicitly added to your campaigns. We do NOT access your personal emails, internal team communications, or unrelated business correspondence.
Team Sharing (Shared Inbox Model): Email threads involving campaign contacts are shared with all members of your marketing agency for team coordination. This is a core feature of our platform, designed to prevent duplicate outreach and enable campaign collaboration.
AI Processing: Email content is sent to OpenAI (under a Data Processing Agreement) to generate summaries, extract deliverables and pricing, and track negotiation status. OpenAI does not use your data to train their models.
Storage: Email summaries, metadata, and extracted information are stored in campaign tracking sheets (Google Sheets or SharePoint Lists) accessible to your agency team members.
Consent Model:
By connecting your Google or Microsoft account and joining an agency, you provide affirmative consent to:
Tessera reading emails involving your campaign contacts
Sharing these email threads with your agency team members
AI processing of email content for campaign insights
Storing email summaries and data in shared campaign tracking sheets
Privacy Protections:
Query Filtering: We only fetch emails matching tracked contacts using email-specific queries
Sheet Import Privacy: When importing contact lists, we verify that you have permission to access the source sheet before importing
Access Revocation: You can revoke Tessera’s access anytime via Google Account Security or Microsoft Account Privacy
Member Removal: When agency administrators remove members, we immediately invalidate their sessions and conditionally revoke their OAuth tokens
Limited Use Compliance:
We limit our use of Google and Microsoft data to displaying email threads and AI-generated summaries in campaign trackers, team collaboration within your agency (with your explicit consent), and campaign tracking and reporting. We do NOT sell or transfer your data to third parties (except subprocessors under Data Processing Agreements), use your email data for advertising or marketing, or allow humans to read raw email data except for debugging with your explicit permission, security investigations, or legal compliance requirements.
5.3 Influencer Contact Data (GDPR Article 14)
Where our customers use Tessera to manage influencer outreach campaigns, we process personal data about influencer contacts on behalf of those customers. This data (name, email address, and campaign interaction history) is provided to us by our customers and is used solely to deliver the campaign tracking features of our Services. We act as a data processor in relation to this data; our customer is the data controller.
Under Article 14 of the UK GDPR, individuals whose data is collected indirectly (i.e., not directly from them) have the right to be informed about how their data is used. If you are an influencer whose data has been added to a Tessera campaign by one of our customers, you may contact us at privacy@usetessera.com to request details of the processing or to exercise your data subject rights. We will assist our customer in responding to your request in accordance with applicable data protection law.
6. INTERNATIONAL TRANSFERS
Your data may be transferred to and processed in countries outside the UK or European Economic Area. Where such transfers occur, we ensure appropriate safeguards are in place. Transfers from the UK to the United States are made in reliance on the UK-US Data Bridge (where the recipient is certified under the US Data Privacy Framework) or, where applicable, the ICO-approved International Data Transfer Agreement (IDTA). Transfers to other third countries may rely on EU Standard Contractual Clauses or other adequacy mechanisms approved by the relevant supervisory authority.
7. DATA RETENTION
We retain personal data for as long as necessary to provide the Services, comply with legal obligations, and resolve disputes. When data is no longer needed, it is securely deleted or anonymised in accordance with our internal data deletion procedures.
Specific retention periods:
Active subscription data: Duration of your subscription
Deleted account data: Immediate deletion upon account deletion (OAuth tokens revoked at providers, all sessions invalidated, personal data removed from database)
Audit logs: 12 months, then automatically deleted via a monthly cleanup job. When you delete your account, audit logs are anonymised (your email is replaced with a non-reversible anonymous identifier)
Application logs (Cloudflare): 12 months (SOC 2 and ISO 27001 requirement), stored in Cloudflare R2 with automated lifecycle deletion
AI debug artifacts: 90 days (GDPR data minimisation principle), then automatically deleted
Email attachments: Stored in your Google Drive or Microsoft OneDrive (you control deletion via your own storage provider)
Business data: Retained until you delete them or close your account
Anonymised analytics: Indefinitely (cannot identify individuals)
Legal/regulatory data: As required by law (typically 6–7 years for financial records)
When you delete your account, we immediately:
Revoke OAuth tokens at Google and Microsoft (prevents future API access)
Invalidate all active sessions (forces logout from all devices)
Delete your user profile and OAuth credentials from our database
Anonymise audit log entries (replaces your email with an anonymous identifier)
Remove you from all agency memberships (or delete agencies where you’re sole owner)
8. YOUR RIGHTS
You have the right to access, correct, delete, or restrict the processing of your personal data, and to withdraw consent where applicable. You also have the right to data portability (export your data in machine-readable format). Tessera responds to privacy requests within 30 days of receipt. Requests may be submitted to privacy@usetessera.com.
Your Rights Include:
Right of Access (GDPR Article 15): Request a copy of your personal data
Right to Rectification (Article 16): Correct inaccurate data
Right to Erasure (Article 17): Delete your account and personal data
Right to Data Portability (Article 20): Export your data in JSON format
Right to Object (Article 21): Object to processing of your personal data carried out on the basis of legitimate interests
Right to Withdraw Consent: Revoke OAuth access or delete your account anytime
8A. ADDITIONAL RIGHTS FOR CALIFORNIA RESIDENTS (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may afford you additional rights in relation to your personal information. These rights apply to personal information Tessera processes about you as a controller (such as account and contact details). For personal information Tessera processes on behalf of a business customer, please direct your request to that customer as the controller.
Your California rights include:
Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for which it is used, and any third parties with whom it is shared
Right to Delete: Request deletion of personal information we have collected about you, subject to certain exceptions
Right to Correct: Request correction of inaccurate personal information
Right to Opt Out of Sale or Sharing: We do not sell or share personal information as those terms are defined under the CCPA/CPRA
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
To exercise any of these rights, submit a verifiable consumer request to privacy@usetessera.com. We will respond within 45 days, with a possible extension of a further 45 days where reasonably necessary.
9. SECURITY
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. Tessera maintains an Information Security Management System (ISMS) aligned with ISO 27001 and SOC 2 Type II standards.
Security Controls include:
Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256-GCM for OAuth tokens)
Access Controls: Role-based access control and principle of least privilege
Monitoring: Continuous security monitoring and incident response procedures
Vendor Security: All subprocessors assessed for security compliance before onboarding
10. UPDATES TO THIS POLICY
We may update this Privacy Policy from time to time and will post updates on our website with a revised effective date. Material changes will be communicated via email to registered users at least 30 days before taking effect.
11. CONTACT AND COMPLAINTS
For privacy questions or to exercise your rights, contact us at privacy@usetessera.com.
