Privacy Policy

Effective on launch · last revised 8 June 2026

Tendo is a daily puzzle that runs without ads, accounts, or tracking. We collect almost nothing — and we never sell your data.

The short version. Tendo stores your game progress on your own device. The only things we send to our server are an anonymous device ID, your country (from your network connection), and your solve scores — used to power leaderboards and your personal percentile. Purchases are handled by Apple or Google. Crash logs are optional and stripped of personal data. We show no ads, run no third-party analytics, and never sell or share your data for advertising. You can turn off crash reporting and delete your data at any time.

1. Who we are

Tendo (点導) is a daily Hamilton-path puzzle game built by KKD studios. This policy explains exactly what we do and do not collect, why, and the controls you have.

Data controller: KKD studios
Contact: tendo@smartrich.ai
Registered address: [to be finalized]

2. What we collect

We deliberately collect almost nothing. Here is the complete list, by data type.

Data	Why we collect it	Stored where
Anonymous device ID — a random ID generated on first launch, never linked to your name or identity	To attribute your solve scores and percentile without an account	Locally on your device, plus our Cloudflare Worker when you submit a solve
Country — derived from your network connection (IP), via Cloudflare; we do not store your IP address itself	To place you on your country's leaderboard	Cloudflare Worker / D1 (country code only)
Solve scores — the puzzle you solved and your solve time	Personal percentile ("Beat 87%"), country leaderboards, anti-cheat checks	Cloudflare D1
Purchase history — your subscription status and any consumable purchases (no payment details)	To unlock what you bought across your devices	The app store and RevenueCat; status mirrored in our records
Crash logs (optional) — device model, OS version, app version, stack trace, time of crash	To find and fix bugs; you can turn this off	Sentry (IP dropped, no personal identifiers)

2.1 Game state stays on your device

Your day-to-day game state — the daily puzzles you've solved, journal entries, streak, and settings — is stored locally on your device (the app's private storage, or your browser's localStorage / IndexedDB on Web and Telegram). Tendo has no account and no login; your identity is simply an anonymous device ID kept in local storage. This local game state is never sent to our servers, except for the solve scores described above.

2.2 Solve events

When you complete a daily puzzle, we receive your anonymous device ID, the puzzle's seed hash, your solve time, and your country code (derived from your IP via Cloudflare — we do not store the IP). We use this only to calculate your percentile, build country leaderboards, and detect cheating. This data is never shared with third parties.

2.3 In-app purchases

Tendo is free and the free game is 100% complete — no puzzle, leaderboard, or core feature is locked. There are exactly two optional purchases, handled through RevenueCat over Apple's StoreKit 2 (iOS) and Google Play Billing (Android):

Tendo Plus — an auto-renewing subscription, com.kkdstudios.tendo.plus_monthly at $1.99/month (an annual variant, plus_yearly at $14.99/year, grants the same entitlement). A quality-of-life upgrade; it does not gate any puzzle or feature.
Streak Shield — a consumable, com.kkdstudios.tendo.streak_shield at $1.99, which grants one streak shield.

We store your subscription status (active / cancelled / expired), your tier, and your consumable purchase history. We do not store your payment method — card numbers and billing are handled entirely by Apple or Google.

3. What we do NOT collect

To be explicit, Tendo does not collect:

Your name, email, phone number, or any contact information
Your real identity
Your IP address (Cloudflare receives it to route traffic, but our Worker does not log it)
Advertising identifiers (Apple IDFA / Google GAID) — Tendo does not show the iOS App Tracking Transparency prompt because it has nothing to track
Your precise location (only country, from your connection)
Your contacts, photos, microphone, or camera
Your browsing or search history
Cookies — the Web/PWA version uses none
Any third-party analytics (no Google Analytics, Mixpanel, or Amplitude)
Cross-app tracking, or demographic / interest profiling

Data used to track you: none.

4. Why we keep it this way

Tendo is built to be useful, not invasive. We process the minimum data needed to run the game, and that is the whole design:

No ads, ever. Tendo serves no advertising of any kind — no banners, interstitials, rewarded ads, or advertising SDKs.
No selling or sharing for advertising. Your data is used to run the game, and nothing else.
The free game stays complete. Tendo Plus is a thank-you, not a paywall — free players get the same puzzles and the same leaderboards.

5. Third-party services we use

The only outside services Tendo relies on are:

Service	Purpose	Data shared
Cloudflare	Hosting, CDN, Workers, D1, KV	Standard HTTP request data (TLS, headers, country). Access logs retained ~24h.
RevenueCat	In-app purchase validation & entitlement management	Anonymous app user ID + store receipt / purchase token only; no advertising identifiers
Sentry	Crash diagnostics (optional, opt-out)	Crash logs as listed in §2; IP dropped server-side, no personal identifiers
Apple StoreKit 2 (iOS)	Payment processing	Receipt token only
Google Play Billing (Android)	Payment processing	Purchase token only

Tendo uses no advertising SDKs of any kind. Each service above has its own privacy policy; we configure each to minimize data collection wherever it allows.

6. Your controls

6.1 Turn off crash reporting

Crash reporting is on by default but fully optional. Turn it off any time in Settings → Privacy → Crash reporting → Off.

6.2 Delete your data

You can permanently delete your data via Settings → Privacy → Delete my data. This is irreversible. Within 7 days, your records tied to your device ID — including your solve events and any server-side game data — are hard-deleted, and your local data on the device is wiped (uninstalling the app removes any remaining local copies). An active subscription is cancelled (no refund for the unused period unless required by law).

6.3 Access and portability

Because we hold so little, you can request a copy of the data associated with your device ID. Email tendo@smartrich.ai and we will provide it in a portable format.

6.4 Correcting your country

If your country is detected incorrectly (for example, over a VPN), submitting a solve from your home network corrects it.

7. Children

Tendo is rated 4+ / Everyone. We do not knowingly collect personally identifiable information from children under 13. If you are a parent and believe we have inadvertently collected information from your child, email tendo@smartrich.ai and we will delete it within 7 days.

8. Data retention

Data	Retention
Crash logs (Sentry)	90 days
Solve events	Kept while your device record is active; deleted within 7 days of a deletion request
Subscription / purchase records	Retained for accounting and tax purposes (typically up to 7 years, where legally required)
Cloudflare access logs	~24 hours
All other data	Local to your device only; not retained on our servers

9. International data transfers

Tendo's backend runs on Cloudflare's global network, so your data may pass through Cloudflare edge nodes and regional data centers worldwide. All transfers are encrypted in transit (TLS 1.2 or higher). For Apple StoreKit 2, Google Play Billing, RevenueCat, and Sentry, please refer to each provider's own privacy policy for their international transfer terms.

10. Regional notes

We apply the same minimal-collection commitments everywhere. Wherever you live, you can ask us to access, correct, or delete the limited data we hold (see §6), and you may have the right to complain to your local data protection authority. We do not sell or share personal information for cross-context behavioral advertising, and we do not use automated decision-making about you. Where a Data Protection Officer or specific local representative is required, that appointment is [to be finalized]; in the meantime, all privacy requests go to tendo@smartrich.ai.

11. Security

We protect your data with encryption in transit (TLS 1.2+) and at rest (Cloudflare D1 and KV are encrypted by default). Secrets are stored in Cloudflare Workers Secrets, not in code, and no payment data lives in our systems. If a security incident affects data we hold, we will notify affected users within 72 hours.

12. Languages

Tendo and this policy are available in English, 日本語, 繁體中文, and 简体中文. If there is any inconsistency between language versions, the English version governs.

13. Changes to this policy

We may update this policy as Tendo evolves. For material changes we will notify you via an in-app banner and update the "last revised" date above. Continuing to use Tendo after a change means you accept the updated policy.

14. Contact

Questions about privacy, your data, or this policy: tendo@smartrich.ai.

← Back to Tendo