Privacy Policy

This Privacy Policy is provided by Merse Originals, Inc., doing business as Dench ("Dench," "we," "us," or "our"). It applies to Dench-operated websites, sign-in flows, managed cloud services, hosted gateway or API endpoints, billing flows, support interactions, and other services we operate at dench.com or under the Dench brand (collectively, the "Services").

It also covers information we process when you download or use Dench software together with Dench-hosted features, including account sign-in, managed sandboxes, hosted model routing, or billing. Open-source or self-hosted copies that you run entirely on your own infrastructure may involve little or no cloud-side processing by us beyond the website or account services you choose to use.

Account and organization details

We collect information you provide or authorize during account creation and organization setup, such as your name, email address, profile image, organization name, organization slug, membership role, invitation details, onboarding state, and current organization selection.

Sign-in and verification data

We support Google sign-in and email one-time-password sign-in. Depending on the method you use, we may receive basic Google profile information, your email address, verification codes, sign-in timestamps, session identifiers, device identifiers for desktop linking, OAuth state or pending sign-in records, and authentication cookies or tokens.

Our current implementation uses 6-digit email sign-in codes that expire after about 10 minutes and auth or session lifetimes that can last up to about 90 days depending on activity and configuration.

Billing and subscription data

If you purchase a paid plan or use metered AI features, payment processing is handled by Stripe. We do not store full card numbers on our servers, but we do store subscription and billing metadata such as Stripe customer IDs, subscription IDs, plan or tier, subscription status, quantities, billing period dates, credit grants, usage totals, and spend-limit settings.

Usage, analytics, and device data

We collect product analytics and operational data about how the Services are used, including page views, page leave events, clicks, navigation flows, referrers, device or browser characteristics, organization context, and service performance. Our current implementation uses PostHog for browser and server-side analytics.

Our implementation also enables session replay and person profiles in some parts of the Services. Depending on page and configuration, replay or autocapture tools may collect on-screen activity and some information entered into the app, and not every input is guaranteed to be automatically masked.

AI requests, outputs, and usage metadata

When you use hosted AI or gateway features, we may process prompts, uploaded context, tool results, model responses, model or provider selection, request IDs, token counts, latency, estimated cost, billed amounts, error details, workspace or organization identifiers, and related operational metadata.

Where AI gateway analytics are enabled, we may send full or partial AI inputs, conversation state, and outputs to our analytics systems to operate, debug, and improve the service.

Cloud infrastructure and stored content

If you use Dench Cloud or a managed sandbox, we may process cloud-side infrastructure data such as sandbox subdomains, compute instance identifiers, network routing identifiers, storage volume identifiers, IP addresses, S3 archive paths, provisioning state, stop or delete schedules, and backup or snapshot metadata. We may also store organization logos or similar uploaded assets.

Communications and support

We collect information from emails, support requests, onboarding reminders, budget alerts, invitations, and other communications you send to us or that we send to you.

• To create and secure accounts, organizations, sessions, and managed access.
• To operate hosted APIs, cloud sandboxes, AI routing, billing, credits, and subscription lifecycle workflows.
• To send sign-in codes, transactional emails, receipts, support replies, reminders, and service notices.
• To measure usage, prevent abuse, investigate incidents, enforce limits, and improve reliability and product quality.
• To personalize the service for your organization, including organization settings, roles, and current workspace context.
• To comply with legal obligations and protect the rights, safety, and security of Dench, our users, and third parties.

Where applicable, we rely on contract necessity, legitimate interests, consent, and legal compliance as bases for processing.

We do not sell your personal information in the ordinary meaning of that term. We share information only as needed to run the Services, comply with law, or complete a business transaction.

• Convex for application backend, authentication, and stored application data.
• Amazon Web Services (AWS) for compute, networking, secrets, backups, archives, and model routing through AWS Bedrock where applicable.
• Stripe for subscriptions, billing, metered usage, customer portal, and payment operations.
• Resend for transactional emails, including sign-in codes and operational notices.
• Google when you choose Google sign-in.
• PostHog for analytics, event capture, and session replay.
• AI model providers, including OpenAI and providers made available through AWS Bedrock or our configured gateway, when you use hosted AI features.
• Professional advisors, acquirers, or regulators when needed for legal, security, or corporate transaction purposes.

Your use of third-party services is also subject to those providers' own terms and privacy practices.

We use cookies and browser storage to keep you signed in, remember state, measure product usage, and improve the Services. Our current implementation includes:

• Authentication cookies or tokens used to maintain your session.
• PostHog cookies and local storage for analytics and replay.
• Session storage used for some onboarding and setup flows.
• Local storage used for certain UI preferences, such as recent sandbox paths or setup state.

You can control cookies and local storage through your browser or device settings, but some parts of the Services may not function correctly if you block them.

We keep information for as long as needed to provide the Services, maintain security and billing records, resolve disputes, and meet legal obligations.

Account, organization, auth, and billing records may be retained while your account is active and for a reasonable period afterward. Analytics and operational logs may be retained for debugging, abuse prevention, financial reconciliation, and product improvement.

For managed cloud sandboxes, our current operational lifecycle may include stopping a canceled sandbox, retaining the stopped environment for roughly 7 days, and retaining final recovery snapshots for up to roughly 90 days before final deletion. We may change these retention windows as the service evolves or where law, security, or disaster recovery requires it.

If you rely on a managed cloud sandbox, you are responsible for exporting or backing up any data you need before cancellation or termination. If you run the local or open-source version, retention on your own device or infrastructure is largely controlled by you.

We use administrative, technical, and organizational safeguards designed to protect the Services. Examples from our current stack include encrypted storage of certain organization gateway secrets, access-controlled infrastructure, and cloud secret management for sensitive configuration.

No system is perfectly secure, and we cannot guarantee absolute security. You are responsible for protecting your devices, credentials, recovery email accounts, and API keys.

• You can update basic account or organization information inside the product where those controls exist.
• You can request access, correction, or deletion of your personal information by emailing us.
• You can choose whether to use local or self-hosted DenchClaw or Dench-hosted cloud features.
• You can manage many browser-side storage settings through your browser, and you can stop using the Services at any time.

Depending on where you live, you may have additional privacy rights under applicable law. We will handle requests in accordance with applicable law and our need to verify identity, preserve security, and comply with legal obligations.

We and our service providers may process information in countries other than where you live. Those countries may have different data protection rules than your home jurisdiction.

The Services are not directed to children under 13, and you may not use the Services if you are not old enough to consent under applicable law.

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and may provide additional notice through the Services or by email.

If you have privacy questions, data requests, or want to discuss enterprise privacy terms, contact Merse Originals, Inc. at support@dench.com.