Data Processing Agreement

How Tycana handles your personal data as a processor — what we collect, how we protect it, and your rights.

Data Processing Agreement

Effective date: March 2, 2026

Tycana is operated by Mark Hudson. This Data Processing Agreement (“DPA”) is part of the Terms of Service between Tycana (“we”, “us”, “Tycana”) and you (“Customer”, “you”). It describes how we handle your personal data when providing the Tycana service.

By using Tycana, you agree to this DPA. If you have questions, email us at privacy@tycana.com.

The short version

You own your data. We process it only to provide you the Tycana service. We don’t sell it. We don’t use it to train models. When you delete your account, we delete your data.

1. Definitions

Personal Data means any information that identifies or could identify you or is linked to you as an individual — names, email addresses, task content, and usage patterns.

Processing means anything we do with Personal Data: collecting, storing, organizing, retrieving, using, or deleting it.

Data Controller means you — the person who decides what data to put into Tycana and why.

Data Processor means us — Tycana processes your data on your behalf, under your instructions, to provide the service.

Sub-processor means a third-party service we use that may process your Personal Data as part of delivering Tycana.

2. What data we process

When you use Tycana, we process:

  • Account information: your email address and authentication credentials
  • Task data: titles, descriptions, due dates, effort and energy levels, project assignments, completion outcomes, and notes
  • Relationship data: links between tasks (blocking, related, spawned from)
  • Behavioral data derived from usage: completion velocity, effort accuracy patterns, and other intelligence signals computed from your task data
  • Context notes: information you provide via the set_context tool to help your AI assistant understand your situation
  • Access tokens: bearer tokens and OAuth credentials for AI assistant connections
  • Calendar feed tokens: unique URLs for calendar subscriptions
  • Technical data: IP addresses, access timestamps, and session information for security purposes

We do not process sensitive personal data such as health information, financial account numbers, government IDs, or biometric data.

3. How we process it

We process your data solely to provide the Tycana service. Specifically:

  • Store and retrieve your tasks, projects, and context across AI conversations
  • Compute behavioral intelligence signals (effort estimates, velocity trends, stale detection) to make the service smarter over time
  • Generate daily briefing emails and calendar feeds
  • Authenticate your access via OAuth when connecting through AI assistants
  • Maintain security and prevent abuse

We do not use your data for advertising, profiling for third parties, or any purpose unrelated to delivering the Tycana service to you.

4. Anthropic telemetry disclosure

When you connect Tycana through Claude (via Anthropic’s MCP protocol), Anthropic collects telemetry data including all parameters passed into tool calls and the responses from our server. This is Anthropic’s data collection, governed by their privacy policy, not ours. We want you to be aware of it.

5. Sub-processors

We use the following sub-processors to provide the Tycana service:

Sub-processorPurposeData processed
RenderApplication and database hostingAll service data
PaddlePayment processingEmail, billing information
ResendTransactional and briefing emailsEmail address, email content
CloudflareWebsite hosting and CDNIP addresses, request metadata

We will update this list if we add new sub-processors. We maintain data processing agreements with each sub-processor to ensure they handle your data in accordance with applicable data protection laws.

6. Security

We protect your data with:

  • Encryption in transit (TLS) for all connections
  • Encryption at rest for database storage
  • OAuth 2.0 authentication with secure token management
  • Per-user data isolation — queries are always scoped to your user ID
  • Access controls limiting who at Tycana can access production data

No Tycana human looks at your task data unless you explicitly ask us to for support purposes, or we need to investigate a technical issue that affects your account (and we’ll tell you if that happens).

7. Data retention and deletion

Your data is retained for as long as your Tycana account is active.

Self-serve account deletion: When you delete your account from Settings, all task data, tokens, preferences, and computed intelligence data are deleted immediately. A minimal account record (email address) is retained to prevent abuse.

Subscription cancellation: If you cancel or pause your subscription, your data is retained for 30 days in case you resubscribe. We send a warning email 5 days before cleanup. After 30 days, your data is automatically deleted.

Expired trials: If your trial expires, your data is retained for 30 days. We send a warning email 5 days before cleanup.

Backups: Deleted data may persist in encrypted database backups for a limited period after deletion.

Payment records may be retained longer as required by tax and financial regulations.

8. Your rights

You have the right to:

  • Access your Personal Data — ask us what we have, and we’ll tell you
  • Export your data — we can provide your task data in a machine-readable format
  • Correct inaccurate data — update your information at any time through the service
  • Delete your data — cancel your account or request deletion
  • Object to processing — though this may mean we can no longer provide the service
  • Restrict processing in certain circumstances
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@tycana.com. We respond within 30 days.

9. Data breach notification

If we become aware of a breach affecting your Personal Data, we will:

  • Notify you without undue delay, and no later than 72 hours after becoming aware of the breach
  • Describe the nature of the breach, the data affected, and the measures we’re taking to address it
  • Notify the relevant supervisory authority where required by law

10. International transfers

Tycana is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for data transferred from the EEA or UK.

11. GDPR specifics

For users in the European Economic Area or United Kingdom:

  • Lawful basis: We process your data based on the performance of our contract with you (the Terms of Service). For security logging, we rely on our legitimate interest in protecting the service.
  • Data Protection Officer: For DPO inquiries, contact privacy@tycana.com.
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

12. CCPA specifics

For California residents:

  • We do not sell your personal information
  • We do not share your personal information for cross-context behavioral advertising
  • You have the right to know what personal information we collect, request deletion, and opt out of any future sale (though we don’t sell)

13. Changes to this DPA

If we make material changes to this DPA, we will notify you by email before the changes take effect. Continued use of Tycana after the effective date constitutes acceptance of the updated terms.

14. Contact

For questions about this DPA or how we handle your data:

Email: privacy@tycana.com Website: https://tycana.com