Privacy Policy

Last updated: June 8, 2026

1. Data controller

Tenway is operated by Sole Proprietor Khusnutdinov A. (TIN 164451897102, OGRNIP 322169000119601), a sole proprietor registered in the Russian Federation. The controller's contact e-mail for privacy requests is acxat1984@mail.ru.

Tenway operates under Russian Federation jurisdiction; this English translation is provided for international users. In case of any inconsistency, the Russian version (/privacy) is authoritative for users resident in Russia, and the English version is authoritative for international users to the extent consistent with applicable Russian law.

2. Categories of personal data

  • Registration data: e-mail, display name, country, interface locale.
  • Authentication data: SCRAM-SHA-256 hash of your password — processed by our authentication sub-processor (Supabase Inc., US, servers in EU).
  • Behavioral data: goals, wins, daily check-ins, messages and reactions inside your Ten.
  • Compatibility profile (sensitive category): psychological and behavioral profile derived from your activity. Visible only to you and to the AI coach. Never shared with other Ten members.
  • Financial data: subscription history and payment-event log (no card numbers — those are handled by the payment processor and never reach Tenway).
  • Technical data: IP address, user-agent, cookie identifiers, visit timestamps.

3. Purposes and legal bases (Art. 6 GDPR)

  • Service provision (Art. 6(1)(b) contract): providing access to the subscription service.
  • Matching algorithm (Art. 6(1)(b)): forming Tens based on your stated preferences.
  • AI coaching personalization (Art. 6(1)(b)): tailoring coach responses to your profile.
  • Payment processing (Art. 6(1)(b) + (c) legal obligation under Russian tax law).
  • Analytics and service improvement (Art. 6(1)(f) legitimate interests + your cookie consent for analytics tools).
  • Transactional e-mail (Art. 6(1)(b)): notifications, password recovery, payment receipts.

4. Sub-processors

  • Robokassa (ООО «Бизнес-Софт», TIN 7704702220, RF) — payment processing under an agent agreement.
  • Resend Inc. (US) — transactional e-mail.
  • Supabase Inc. (US, servers in EU) — authentication and backup storage of behavioral data during the migration to the Russian server.
  • Vercel Inc. (US, servers in EU) — application hosting.
  • PostHog (EU Cloud) — product analytics. Mostly de-identified data. Operational error and audit events are stored in our own infrastructure: Supabase EU (for non-Russian users) and a Russian Postgres server (for users in Russia, per 152-ФЗ data residency requirements). No third-party error monitoring service processes Tenway user data.

5. International data transfers

Tenway operates under Russian Federation jurisdiction. Data may be located as follows:

  • Identification + financial data: stored on a server located in the Russian Federation (Moscow region, db.tenway.club).
  • Authentication data: Supabase Inc. (US, servers in EU).
  • Behavioral data: Supabase Frankfurt (EU), with migration to the Russian server scheduled for completion by June 2026.

Transfers between regions use TLS 1.2 or higher. By accepting the Terms of Service you consent to these transfers as necessary for the operation of the service.

6. Retention periods

  • Active account: indefinitely until deletion by the user or the operator.
  • After deletion: 30 calendar days (recovery window), then erasure from primary systems.
  • Exception: data required to be retained under Russian law — payment-event records are retained for 5 years per the Russian Tax Code.

7. Data subject rights

  • access — request a copy of the personal data we hold about you;
  • rectification — correct inaccurate or incomplete data;
  • erasure — request deletion subject to the retention periods above;
  • portability — receive data in a structured machine-readable format;
  • objection — object to processing based on legitimate interests;
  • complaint — lodge a complaint with the supervisory authority of your habitual residence, or with Roskomnadzor (Russian Federation).

To exercise any right, email acxat1984@mail.ru — we respond within 10 business days.

8. Security measures

  • HTTPS on every page of the service;
  • TLS 1.2+ on every database connection;
  • encryption-at-rest on database storage;
  • two-factor authentication on administrative access;
  • access on a need-to-know basis only, under signed confidentiality agreements.

9. Cookies

  • Strictly necessary (session, CSRF, locale selection): processed without consent — required for the service to function.
  • Analytics (PostHog): processed with your consent collected on first visit.
  • Marketing: not used.

10. Data Controller

  • Controller: Sole Proprietor Khusnutdinov A. (Russian Federation)
  • TIN (ИНН): 164451897102
  • State Registration Number (ОГРНИП): 322169000119601
  • Contact address: acxat1984@mail.ru
  • Full registration details are available via the Russian Federal Tax Service (nalog.ru) by TIN lookup.

Formal complaint procedure is detailed in section 6 of the Russian Offer (/offer — Russian only). Contacts page: /contacts.

Last updated: June 8, 2026

Privacy Policy · Tenway