Tulip

Tulip Privacy Policy

Last updated: March 2026

This Privacy Policy explains how Tulip ("we", "us", "our") collects, uses, stores, and protects your information when you use the Tulip platform. By using Tulip, you agree to the practices described here.

For questions, contact us at support@tulip.md.

1. Information We Collect

Account information

When you sign in with Google, we receive your email address, display name, and profile photo from your Google account. We store this to identify you and personalise your experience.

Usage data

We collect information about how you use Tulip — including pages visited, features used, wizard steps completed, and agent configuration choices. This is used to improve the product and identify drop-off points in onboarding.

Billing information

We store your credit balance and a ledger of transactions within our system. We do not store payment card details directly — payments are processed by a third-party payment provider.

Agent runtime data

Your agent runs on a dedicated cloud server provisioned in your name. The contents of that server — including conversation history, files, configuration, and any data processed by your agent — are stored on that server. Tulip does not routinely access the content of your runtime. See Section 4 for more details.

Communications

If you contact us by email, we retain that correspondence to respond to your enquiry.

2. How We Use Your Information

  • To provide the service: create and manage your account, provision and deprovision agents, process credits.
  • To improve the product: analyse usage patterns and funnel data to improve onboarding, identify bugs, and prioritise features.
  • To communicate with you: send service notifications, security alerts, and respond to support requests.
  • To detect and prevent abuse: monitor for violations of our Terms of Service.

    • We do not sell your personal data to third parties.

    3. Data Retention

    DataRetention ------ Account dataRetained while your account is active. Deleted within 30 days of account deletion. Billing ledgerRetained for 7 years for financial compliance. Agent runtime dataPermanently deleted immediately when you deprovision an agent. No backups are kept. Usage analyticsRetained in aggregated form indefinitely; personally-identifiable data deleted after 24 months.

    4. Your Agent Runtime

    Your agent's server is provisioned exclusively for you. Tulip does not read your agent's conversation history, files, or secrets as part of normal operations. We may access runtime infrastructure only:

  • In response to a security incident or abuse report.
  • As required by law or a valid legal order.
  • With your explicit permission for support purposes.

    • All access tokens are encrypted at rest using AES-256-GCM. When you deprovision an agent, the server and all its data are permanently and irrecoverably deleted.

    5. Third-Party Services

    Tulip uses the following third-party services which may process your data:

    ServicePurposePrivacy Policy --------- Google (Firebase)Authentication, database, analyticspolicies.google.com DigitalOcean / HetznerCloud server hostingSee their respective privacy policies CloudflareSecure tunnels and DNScloudflare.com/privacypolicy

    We choose providers that adhere to industry-standard security and privacy practices.

    6. Cookies and Tracking

    Tulip uses Firebase Authentication session cookies to keep you signed in. We use Firebase Analytics to collect anonymised usage statistics. We do not use third-party advertising cookies or cross-site tracking.

    7. Your Rights

    Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated personal data.
  • Export your data in a portable format.
  • Object to certain types of processing.

    • To exercise any of these rights, email support@tulip.md. We will respond within 30 days.

    8. Data Security

    We implement industry-standard security measures including encryption at rest, TLS in transit, and access controls. However, no system is completely secure. You are responsible for the security of your own runtime environment and any secrets stored within it. See our Terms of Service for the full security disclaimer.

    9. Children

    Tulip is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us at support@tulip.md.

    10. Changes to This Policy

    We may update this policy from time to time. We will notify you of significant changes by email or via an in-app notice. Continued use of Tulip after changes are posted constitutes acceptance.

    11. Contact

    Email: support@tulip.md Website: tulip.md

    Questions? support@tulip.md