Skip to content

Privacy Policy

Last updated: June 27, 2026

This Privacy Policy explains how Tenrai ("we," "us," or "our") collects, uses, stores, shares, and protects information when you access or use the Tenrai website, application programming interfaces, documentation, status pages, and related services (collectively, the "Services"). Tenrai is operated by the Tenrai Project.

We are committed to privacy by design. We do not run advertisements, do not sell personal data, do not deploy behavioral-tracking or marketing cookies, and collect only the minimum information necessary to operate, secure, and improve the Services. By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.

1. Data controller

For the purposes of the EU General Data Protection Regulation (GDPR) and equivalent data-protection laws, the data controller is the Tenrai Project. You can contact us at [email protected] for any privacy-related inquiries or requests.

2. Information we collect

We collect and process only the categories of information described below. We do not collect sensitive personal data (e.g., racial or ethnic origin, political opinions, health data, biometric data) or data about children under 13.

2.1 Information collected automatically

When you access the Services, our servers and infrastructure providers automatically record certain technical data:

  • IP address — used for rate limiting, abuse prevention, and security.
  • Request metadata — HTTP method, endpoint URL, response status code, response time, cache status, rate-limit tier, and a unique request identifier.
  • User-Agent string — the browser or HTTP client identifier sent with your request.
  • Timestamps — the date and time of each request.

We do not log request or response bodies. API request logs are retained for operational and security purposes and are automatically purged on a rolling basis (typically no longer than 90 days).

2.2 Information you provide voluntarily

If you request a Server Key, contact us, or register for support, we may collect:

  • API credentials — the email address or developer details associated with your key request.
  • API keys — server keys we issue to you are stored in hashed form; we cannot view your full key after initial issuance.
  • Communications — the content of emails, support requests, or messages you send to us.

2.3 Information from third-party platforms

If you support Tenrai through Patreon or a similar platform, we may receive your platform username, email address, and membership or payment status solely to provision or revoke associated benefits (e.g., server keys or higher rate limits). We do not receive or store your payment card details.

3. How we use your information

We process information only for the purposes described below. We do not use your data for advertising, profiling, behavioral targeting, or sale to third parties.

  • Operating the Services — routing requests, serving responses, managing rate limits, caching, and ensuring system availability.
  • Security and abuse prevention — detecting and blocking malicious traffic, enforcing acceptable-use policies, investigating incidents, and protecting the infrastructure.
  • Credential management — provisioning, authenticating, and managing your API credentials and Server Keys.
  • Service improvement — analyzing aggregated, non-identifying usage patterns to improve performance, reliability, and capacity planning.
  • Communications — responding to inquiries, sending essential service notifications (e.g., security alerts, Terms updates), and, where you have opted in, occasional project updates.
  • Legal compliance — fulfilling obligations under applicable law, responding to lawful requests, and establishing, exercising, or defending legal claims.

4. Legal bases for processing (EEA/UK users)

If you are located in the European Economic Area, Switzerland, or the United Kingdom, we rely on the following legal bases under the GDPR:

  • Legitimate interests (Art. 6(1)(f)) — operating, securing, and improving the Services, including processing server logs for security and abuse prevention. We have assessed that these interests are not overridden by your fundamental rights and freedoms.
  • Performance of a contract (Art. 6(1)(b)) — processing necessary to provide the Services to you under our Terms of Service.
  • Legal obligation (Art. 6(1)(c)) — processing required to comply with applicable law.
  • Consent (Art. 6(1)(a)) — where you have given explicit consent, for example to receive optional communications. You may withdraw consent at any time.

5. Cookies and local storage

We use only strictly necessary cookies and local storage parameters. We do not use advertising, marketing, analytics, or behavioral-tracking cookies. The only storage technologies we use are:

  • Theme Preferences: We use browser local storage (via next-themes) to persist your light, dark, or system appearance preference across visits.
  • Security: We utilize state tokens in local storage or cookies where necessary to protect our systems against Cross-Site Request Forgery (CSRF) attacks.

Most web browsers allow you to block or delete cookies and local storage through their settings. Please note that if you disable these functional storage parameters, certain features of our site (such as theme toggle preferences) may not function correctly.

6. Sharing and disclosure

We do not sell, rent, or trade your personal data. We may share information only in the following limited circumstances:

  • Infrastructure and service providers — we use trusted third-party providers to host, deliver, and protect the Services. These include Cloudflare (CDN, DDoS protection, DNS), cloud hosting providers, and database services. These providers process data on our behalf under contractual obligations that require them to protect your information and use it only as instructed.
  • Legal requirements — we may disclose information if required by law, regulation, court order, subpoena, or governmental request, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, investigate fraud, or respond to a law-enforcement request.
  • Business transfers — if the Services are transferred to another operator as part of a reorganization, merger, or acquisition, your information may be transferred as part of that transaction, subject to the same privacy commitments.
  • With your consent — in any other circumstance, we will share your information only with your explicit consent.

7. International data transfers

The Services are operated from Sweden. If you access the Services from outside Sweden, your data may be transferred to and processed in Sweden or in the countries where our infrastructure providers operate. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or reliance on an adequacy decision.

8. Data retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy:

  • Server and access logs — retained for up to 90 days, then automatically purged.
  • API credential data — retained for the duration your Server Key remains active. If your key is deactivated or deleted, we will delete or anonymize the associated data within 30 days, except where retention is required by law or necessary to resolve disputes.
  • Communications — retained for as long as necessary to resolve the matter and for a reasonable period afterward for record-keeping.
  • Aggregated and anonymized data — may be retained indefinitely because it cannot be used to identify you.

9. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data, subject to legal retention obligations.
  • Restriction — request that we limit the processing of your data in certain circumstances.
  • Data portability — receive your data in a structured, commonly used, machine-readable format.
  • Objection — object to processing based on legitimate interests, including for direct marketing purposes.
  • Withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint — file a complaint with your local supervisory authority. In Sweden, this is Integritetsskyddsmyndigheten (IMY).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or within the period required by applicable law). We may request verification of your identity before fulfilling a request.

10. Security

We implement appropriate technical and organizational measures to protect your data, including encrypted connections (TLS/HTTPS), hashed credentials, access controls, automated threat detection, infrastructure-level DDoS protection, and regular security reviews. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your credentials confidential and notifying us promptly if you believe they have been compromised.

11. Children's privacy

The Services are not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe that a child under 13 has provided us with personal data, please contact us at [email protected] and we will promptly delete the information.

12. Third-party links and services

The Services may contain links to third-party websites, platforms, or services (such as Discord, Patreon, or MyAnimeList). We are not responsible for the privacy practices, content, or security of those third parties. We encourage you to review their respective privacy policies before providing them with any personal data.

13. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, the Services, or applicable law. The updated policy will be posted on this page with a revised "Last updated" date. If a change materially affects how we handle your personal data, we will provide reasonable advance notice through the Services when practicable. Your continued use of the Services after an updated policy takes effect constitutes acceptance of the updated policy. Mandatory consumer and data-subject rights are unaffected.

14. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at [email protected]. Please include enough information for us to understand and respond to your request.