Privacy Policy

Last updated: May 18, 2026

What we collect

Almost nothing.

• Email address — if you sign up for the beta. Used only to send TestFlight invitations.
• Apple Sign-In — your name and email. Handled entirely by Apple. We receive the minimum they share.

That's it. No phone numbers. No device IDs. No location. No browsing history. No usage analytics.

What stays on your device

Everything else.

• Journal entries — stored locally in SwiftData, synced through your private iCloud
• AI-generated insights — same. Local + your iCloud
• Photos and shared items — local storage + iCloud
• Schedule, preferences, settings — local only
• SSH private key — iOS Keychain, optionally synced via iCloud Keychain (end-to-end encrypted by Apple)

Apple holds the iCloud encryption keys. Not us. If you have Advanced Data Protection enabled, even Apple can't read it.

What goes to third parties

Google Gemini API. When Tamago analyzes your journal entries to find patterns and generate insights, your journal text is sent to Google's Gemini API. This happens through our Cloudflare Worker proxy. The proxy adds the API key server-side and forwards the request. It does not log, store, or forward your data anywhere else.

• What Google receives: your journal entry text, analysis prompts, existing USER.md and MEMORY.md content (if connected to a Hermes server)
• What Google returns: structured insights and memory updates
• What we store: nothing. The proxy is stateless.

Google's privacy policy: policies.google.com/privacy

Base blockchain RPC. If you use the wallet feature, the app queries your USDC balance from the Base mainnet. Only your wallet address is sent. This is public blockchain data.

BYOA — Bring Your Own Agent

If you connect to your own Hermes server, the following data flows directly from your device to your server over SSH:

• Chat messages and attachments
• File reads and writes (USER.md, MEMORY.md, SOUL.md, workspace files)
• Agent commands and responses
• Cron jobs, session history, skill management

We are not in the middle. The SSH connection is direct. Device to your server. End-to-end encrypted. We cannot read, intercept, or access any of it.

What we never do

• No analytics. No Mixpanel, Firebase, Amplitude, PostHog, or Segment.
• No crash reporting. No Crashlytics or Sentry.
• No ads. No Facebook SDK, Google Ads, or ad networks.
• No tracking pixels, no device fingerprinting.
• No selling, sharing, or transferring your data to anyone.
• No access to your journal, your chat, or your files. Ever.

Data retention

Your journal and insights stay in your iCloud until you delete them. We don't have a copy.

Beta signup emails are kept in a Google Sheet until the beta ends, then deleted.

Children

Tamago is not for anyone under 13.

Changes

If this policy changes, the updated date at the top will change. Significant changes will be noted in the app.

Questions

Reach out via the TestFlight feedback channel or the contact info in the app.