Privacy by architecture

No PII leaves the device. By design, not by promise.

Tassello captures the structure of your app — never its content. This page explains exactly what is and isn't collected, in every mode.

"Data Not Collected" — by default

In the default balanced mode (and in strict), the SDK captures no personal data at all, so your App Store privacy label reads "Data Not Collected." Auto-redaction runs before anything leaves the device, and the backend re-scans for PII on arrival as a second line of defense — if it ever matches, the event is dropped and an alert fires.

What we capture — and what we never do

Wireframes are boxes, types and positions. Never pixels, never text content, never you.

Captured

clean
  • Screen structure — wireframe boxes, element types and positions
  • Anonymous interactions — taps, scrolls and custom events
  • Network breadcrumbs — method and host only, after redaction
  • Anonymous device id — a random UUID stored in the Keychain
  • Crash reports — symbols and stack frames, in every mode

Never captured

never
  • User text or dynamic content shown on screen
  • Text input or TextField / SecureField content
  • Images, pixels or screenshots of any kind
  • Email, phone, credit card or IBAN — auto-redacted on device
  • IDFA, IDFV or precise location
  • Network request or response bodies

Three modes, one knob

Set once at startup. Auto-redaction runs in all of them, regardless of choice.

.strict

Maximum privacy

Anonymous events only — no wireframes and no text. Still "Data Not Collected."

.balanced

Default

Wireframe structure captured, all text dropped. The sweet spot — and still "Data Not Collected."

.standard

Maximum insight

Adds static UI labels like button titles and headers. Declares "User Content" on your label.

EU-only storage, transparent subprocessors

All primary storage — Postgres, R2 blobs and Redis — lives in the EU (Frankfurt). Insight generation runs on Anthropic's Claude in the US under Standard Contractual Clauses, and only ever sees anonymized wireframes and event sequences that carry no PII in the default and strict modes.

Subprocessors

SubprocessorLocationPurpose
AnthropicUSClaude API for insight generation — anonymized data only, under SCC
DigitalOceanEU (Frankfurt)Compute and managed Postgres / Redis storage
CloudflareEU edgesR2 wireframe blob storage and CDN
PostmarkUSTransactional email — address and account metadata only, under SCC / DPA

Adding a subprocessor requires customer notice per the DPA.

Your data, your call

GDPR export and deletion are built into the SDK and dashboard. Insights.exportUserData() returns a user's data on request, and Insights.requestDataDeletion() tombstones it immediately and purges within 30 days. No dark patterns, no waiting on support.