Privacy Policy

This policy covers the hosted tela instance at tela.cagdas.io and its built-in MCP server at tela.cagdas.io/api/mcp. tela is a markdown-native team wiki that AI agents can read and write through the Model Context Protocol.

What we collect

Account data

Email address, username, and a hashed (never plaintext) password. Used to authenticate you and to send account email (verification, password reset).

Content you create

Spaces, pages (markdown bodies), comments, backlinks, and feedback you submit. This is the wiki content itself — stored so you and your team can read and edit it.

MCP / agent activity

When you connect an AI host (e.g. Claude or ChatGPT) via OAuth, that host calls tela's tools on your behalf to read, search, create, update, move, or delete the content your account can access. Tool calls run with your account's permissions.

Operational data

Standard request metadata (IP address, timestamps, user agent) used for rate-limiting, security, and debugging.

How we use it

• To operate the wiki — store, render, search, and sync your content.
• To authenticate you and authorize agent tool calls via OAuth.
• To power semantic search — page text is sent to a self-hosted embedding model to build search vectors (see below).
• To send transactional email (verification, password reset).
• To protect the service — rate-limiting, abuse prevention, and debugging.

We do not sell your data, serve ads, or use your content to train third-party models.

Who we share it with

tela relies on a small set of processors to run:

WorkOS (authentication)

The OAuth 2.1 authorization flow for MCP connections is handled by WorkOS AuthKit. Your email and authentication events pass through WorkOS to issue access tokens.

The AI host you connect

When you connect Claude, ChatGPT, or another MCP client, the content returned by tool calls is sent to that host so the agent can use it. Their handling of that content is governed by their own privacy policies.

Email provider

Transactional email (verification, password reset) is delivered through an SMTP email provider.

Embedding model (self-hosted)

Semantic search embeds page text with a self-hosted model on operator-controlled infrastructure. Content is not sent to a third-party embedding API.

We may also disclose data where required by law, or to protect the rights, safety, and security of the service and its users.

Retention

• Account and content data is retained while your account is active.
• Deleting a page or space removes it from the live service; deleting your account removes your account data.
• Authentication tokens and share links can be revoked at any time and expire on rotation of the server's secrets.
• Operational logs are kept only as long as needed for security and debugging.

Your choices

• Access & edit — your content is yours; read, edit, export, or delete it in the app at any time.
• Disconnect agents — revoke an MCP connection from the connected host, or rotate your access token, to cut off agent access.
• Delete your account — contact us to delete your account and associated data.
• Self-host — run your own instance to keep all data on infrastructure you control.

Security

Traffic is served over HTTPS. Passwords are hashed, authentication tokens and share secrets are stored hashed (the raw value lives only in the link), and the MCP endpoint authenticates every request. No system is perfectly secure, but we take reasonable measures to protect your data.

Contact & security

Questions about this policy or your data? Email [email protected]. To report a security vulnerability, email [email protected] privately rather than opening a public issue — we investigate reports in good faith. The source for tela is public at github.com/zcag/tela.

Changes

We may update this policy as the service evolves. Material changes will be reflected by the "last updated" date above.