Legal
Privacy Policy
Last updated July 11, 2026
This Privacy Policy describes how Treena Labs, Inc. ("Treena", "we", "us") collects, uses, and shares information when you use the treena mobile application and the cloud services that power it (together, the "Service").
1. Overview
The short version:
- You sign in with GitHub. We receive your GitHub profile basics and an access token.
- Your code goes only where you point it: your GitHub account, your own cloud workspace, and the AI provider you choose under your own key or account.
- We do not sell your data, we do not show ads, and the App contains no third-party advertising or analytics SDKs.
- We record limited usage activity so we can understand how the product is used.
- Signing out clears your tokens, keys, and chat history on your device. To delete your server-side data, email hello@treena.app.
2. Information we collect
GitHub account data. Your numeric GitHub user ID, username, and display name. We do not collect your email address from GitHub. We also receive a GitHub access token with the "repo" and "read:user" scopes; the "repo" scope grants read and write access to all of your public and private repositories.
Repositories and code. When you open a repository in a cloud workspace, it is cloned, including private repositories, onto your workspace's storage volume. We keep a record of the repositories you open (URL, branch, timestamps). If auto-save runs, your uncommitted changes are pushed to dated "treena/" branches on the GitHub repository you opened.
AI session data. When you use AI features, the session includes your prompts, chat history, the name and roughly the first 4,000 characters of the file you have open, code search snippets, and the file contents, command output, and diffs the AI tools read and produce. Agent engine session transcripts are stored on your workspace volume. Your chat history is also stored on your device.
Connected AI credentials. If you connect the Claude or Codex engines, we store your Anthropic OAuth token and your OpenAI authentication data, including refresh tokens, on our servers and on your workspace so the engines can run there under your account. API keys you supply for direct model access (OpenRouter, OpenAI, Anthropic) are stored only in your device's keychain and are never sent to Treena's servers.
Usage and activity data. We record sign-in and activity events (your GitHub user ID, username, coarse timestamps, and which part of the Service was used) and a record of your GitHub push events (repository name, branch, whether the repository is public or private, and timestamp), collected using your own GitHub token. This never includes the contents of your code.
Operational logs. Our servers keep structured logs that include your GitHub user ID, workspace machine IDs, and tool-use audit events. Secrets and tokens are redacted from logs.
Update metadata. The App receives over-the-air updates through Expo's update service, which involves standard update-request metadata from your device.
What we do not collect: your email address, payment information, contacts, location, or advertising identifiers.
3. How we use information
- To operate the Service: authenticate you, provision and manage your cloud workspace, clone and push your repositories at your direction, and run the AI engines you connect.
- To back up your work through auto-save branches.
- To keep the Service secure and prevent abuse.
- To understand usage and improve the product.
We do not sell personal information, we do not use it for advertising, and we do not train AI models on your content.
4. Where your data is stored
On your device. Your GitHub token and any API keys you supply live in the operating system keychain. Your chat history and app state live in app storage, which is protected by your device's encryption but is not additionally encrypted by the App. Local projects live in the App's sandboxed file storage.
On your cloud workspace (Fly.io). Each user gets a dedicated virtual machine and persistent volume. The volume holds your cloned repositories, agent session transcripts, and copies of your GitHub credentials (in the machine's configuration and in standard git and GitHub CLI credential files) so git and the AI engines work.
In Treena's databases (AWS, United States). Your connected AI provider credentials, workspace machine records including the workspace access token, and your repository history.
In our analytics store (Supabase). The usage and activity events described above.
In service logs. Fly.io and AWS CloudWatch, with secrets redacted.
5. How we share information
We do not sell personal information. We share data only with the providers below, who process it to run the Service:
- GitHub: authentication; the source of and destination for your repositories.
- Fly.io: hosts your cloud workspace machine and volume.
- Amazon Web Services: databases, logs, and metrics.
- Supabase: stores usage and activity events.
- Expo: delivers over-the-air app updates.
- Stripe: processes subscription payments made on the web rail. Your card details go directly to Stripe and never touch Treena's servers; we store only your subscription plan and status.
- Apple and Google: process in-app subscription purchases made through the App Store or Google Play under your store account. Treena never sees your payment details.
- RevenueCat: manages in-app purchase entitlements. It receives store purchase receipts and your numeric GitHub user ID so your subscription follows your account across devices.
AI providers (Anthropic, OpenAI, OpenRouter) receive your data only when you connect your own account or supply your own key, as described in Section 6. MCP servers you configure are third parties acting at your direction; their own policies apply.
We may also disclose information if required by law, or as part of a merger, acquisition, or sale of assets, in which case this policy continues to apply to your data.
6. AI provider data flows
When you use AI features, your source code, prompts, file contents, command output, and diffs are sent to the model provider you selected, under your own API key or your own provider account.
- Direct model chat sends data from your device straight to the provider. Treena does not proxy this traffic and never receives your API keys.
- The Claude and Codex engines run on your cloud workspace under the accounts you connected. They can read your entire cloned repository and may send any part of it to the provider during a session.
- MCP servers you enable receive tool calls generated by the model, which can include code, plus any credentials you put in their configuration.
The provider's own privacy policy and data-use terms, including any training or retention choices you have made with them, govern what happens to data they receive.
7. GitHub access and activity
The GitHub token you grant has broad scope: read and write access to all of your repositories. GitHub does not offer a narrower OAuth scope for this kind of access. Treena only acts on repositories you open, and you can audit or revoke the grant at any time in your GitHub settings under authorized OAuth apps.
To make the Service work, your GitHub token is sent to Treena's API with your requests, stored in your workspace machine's configuration, and written to standard git and GitHub CLI credential files on your workspace.
We record your GitHub push events (repository name, branch, public or private flag, timestamp, never code contents) using your token, to understand product usage.
Auto-save creates dated "treena/" branches on the repositories you open. A cleanup tool is available in settings, and the client-side auto-save can be turned off in settings. Moving your workspace to a new region still saves uncommitted changes to a branch first, so they survive the move.
8. Data retention
- Workspace volume (repositories, transcripts, on-disk credentials): persists across sessions and after sign-out, until you request deletion or the workspace is torn down. Agent session transcripts on the volume are pruned after 45 days.
- Server-side records (repository history, connected AI credentials, machine records): retained until you request deletion.
- Usage and activity events: retained until you request deletion.
- On-device data (chat history, tokens, keys): until you sign out or uninstall the App.
- Logs: kept for a limited period by our logging providers.
9. Security
- Your GitHub token and the API keys you supply are stored in the operating system keychain. Your workspace access token is kept in app storage on your device.
- Connections to Treena's services, GitHub, and AI providers use TLS.
- Tokens and secrets are redacted from server logs.
- Each user's workspace is an isolated machine and volume with its own access token.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. On-device chat history relies on your device's own encryption.
10. Your choices and deletion
- Sign out clears your tokens, keys, and chat history on your device. It does not delete local projects stored on your device, your cloud workspace, server-side records, or auto-save branches.
- Revoke GitHub access at any time in your GitHub settings under authorized OAuth apps. This disables the Service's access going forward but does not delete data already stored.
- Disconnect AI engines in settings to remove their stored credentials from our servers.
- Auto-save: turn the client-side auto-save off in settings, and delete "treena/" branches with the storage cleanup screen. A workspace region move still saves your uncommitted work to a branch first.
- Delete your data: email hello@treena.app from a way we can verify, or use any in-app deletion feature we provide, to request deletion of your cloud workspace, volume, and server-side records. We fulfill deletion requests within 30 days.
11. Children
The Service is not directed to children under 13, and we do not knowingly collect their information. If you believe a child has used the Service, contact us and we will delete the data.
12. International data transfers
Treena Labs, Inc. is a United States company. Data is processed and stored in the United States and in the cloud region that hosts your workspace, which may be closer to your location. If you use the Service from outside the United States, you understand your data will be transferred to and processed in these locations.
13. Your privacy rights
Wherever you live, you can ask us to access, correct, or delete your personal information, or to tell you what we hold about you, by emailing hello@treena.app. We honor these requests regardless of whether a specific law requires it, and we will not discriminate against you for making one.
If you are in the United States, this covers the rights granted by state privacy laws such as the CCPA. We do not sell personal information or share it for cross-context advertising.
If you are in the EEA, UK, or Switzerland: we process your data to perform our contract with you (operating the Service), for our legitimate interests (security and product improvement), and with your consent where applicable. You also have rights to portability, restriction, and objection, and the right to lodge a complaint with your supervisory authority.
14. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top reflects the current version. For material changes we will provide notice in the App.
15. Contact
Treena Labs, Inc. (Delaware, USA) hello@treena.app