Tassello captures the structure of your app — never its content. This page explains exactly what is and isn't collected, in every mode.
In the default balanced mode (and in strict), the SDK captures no personal data at all, so your App Store privacy label reads "Data Not Collected." Auto-redaction runs before anything leaves the device, and the backend re-scans for PII on arrival as a second line of defense — if it ever matches, the event is dropped and an alert fires.
Wireframes are boxes, types and positions. Never pixels, never text content, never you.
Set once at startup. Auto-redaction runs in all of them, regardless of choice.
.strictAnonymous events only — no wireframes and no text. Still "Data Not Collected."
.balancedWireframe structure captured, all text dropped. The sweet spot — and still "Data Not Collected."
.standardAdds static UI labels like button titles and headers. Declares "User Content" on your label.
All primary storage — Postgres, R2 blobs and Redis — lives in the EU (Frankfurt). Insight generation runs on Anthropic's Claude in the US under Standard Contractual Clauses, and only ever sees anonymized wireframes and event sequences that carry no PII in the default and strict modes.
| Subprocessor | Location | Purpose |
|---|---|---|
| Anthropic | US | Claude API for insight generation — anonymized data only, under SCC |
| DigitalOcean | EU (Frankfurt) | Compute and managed Postgres / Redis storage |
| Cloudflare | EU edges | R2 wireframe blob storage and CDN |
| Postmark | US | Transactional email — address and account metadata only, under SCC / DPA |
Adding a subprocessor requires customer notice per the DPA.
GDPR export and deletion are built into the SDK and dashboard. Insights.exportUserData() returns a user's data on request, and Insights.requestDataDeletion() tombstones it immediately and purges within 30 days. No dark patterns, no waiting on support.