Privacy Policy

Effective: April 27, 2026 · Last updated: April 27, 2026

Thread ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our writing and worldbuilding platform at thread.app (the "Service"), including our web application, AI-powered features, and related services.

This policy applies to all users of the Service, regardless of location. For California residents, additional disclosures are provided in the California Privacy Rights section. For EU/EEA residents, this policy complies with the General Data Protection Regulation (GDPR).

1. Information We Collect

Information you provide directly:

  • Account information: Email address, password (stored as a hash by our authentication provider, Supabase), and display name when you create an account.
  • Content you create: Documents, notes, metadata, and worldbuilding content you write or upload. This is stored locally in your browser via IndexedDB and, if you subscribe to a paid plan, synced to our servers via Supabase.
  • Payment information: When you subscribe, our payment processor Polar (polar.sh) collects billing information. We do not store your credit card details — Polar handles all payment data.
  • Communications: If you contact us via email, we collect the content of your message.

Information collected automatically:

  • Usage data: Pages visited, features used, time spent, click patterns, and interaction data within the Service.
  • Device information: Browser type, operating system, screen resolution, and device identifiers.
  • Log data: IP address, access times, referring URLs, and server request logs.
  • Cookies and tracking: See our Cookie Policy for details.

Information from third parties:

  • Google OAuth: If you sign in with Google, we receive your email address and basic profile information (name) from your Google account.

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Create and manage your account and authenticate you
  • Store, sync, and display your documents and content
  • Process AI-powered features (suggestions, rewrites, spell check, connection analysis, search) by sending relevant text to our AI provider OpenRouter
  • Process payments and manage subscriptions via Polar
  • Communicate with you about your account, updates, and support requests
  • Monitor and analyze usage to improve the Service
  • Detect, prevent, and address technical issues, fraud, or security threats
  • Comply with legal obligations

3. AI Processing of Your Content

Thread offers AI-powered features including suggestions, rewrites, spell check, connection analysis, and semantic search. When you use these features:

  • Your content is sent to OpenRouter (openrouter.ai), our AI service provider, to process your request and generate a response.
  • OpenRouter may temporarily retain your input to process the request but does not use your content to train AI models.
  • You own your content. Using AI features does not transfer ownership to us or to OpenRouter.
  • AI output is not guaranteed and should be reviewed before use. See our AI Features Disclosure for full details.

You can choose not to use AI features. The Free tier does not include any AI calls. On paid tiers, AI call limits apply and are clearly displayed.

For more details, please refer to our dedicated AI Features Disclosure.

4. Third-Party Sharing

We share your data with the following service providers, each of whom processes data only under instructions and contractual safeguards:

Provider | Purpose | Data Shared | Location
Supabase | Authentication, database, real-time sync, storage | Email, password hash, account data, synced content | USA
OpenRouter | AI processing (suggestions, rewrites, analysis) | Text content you send to AI features | USA
Polar (polar.sh) | Payment processing and subscription management | Email, billing information (we do not see card details) | Sweden
Vercel | Application hosting and delivery | IP address, request logs | USA
Google | OAuth authentication (if you choose Google sign-in) | Email, basic profile info | USA

We do not sell your personal data to third parties. We do not share your content with anyone except as described above to provide the Service.

5. Data Retention and Storage

Free tier: Your content is stored locally in your browser using IndexedDB. We do not have access to this locally stored content unless you explicitly sync it.

Paid tiers: Cloud-synced content is stored in Supabase and retained for as long as your account is active. If you delete your account, we will delete your synced content within 30 days.

AI processing: Content sent to OpenRouter for AI features is processed in real-time and not permanently stored by OpenRouter.

Account data: Email, authentication data, and usage information are retained for as long as your account exists. Upon account deletion, personal data is removed within 30 days except where retention is required by law.

Backups: We maintain encrypted backups for up to 30 days. Deleted data will be purged from backups within this period.

6. International Data Transfers

Thread is operated from Germany (European Union). However, some of our processors (Supabase, OpenRouter, Vercel, Google) are based in or process data in the United States. When your data is transferred outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We rely on EU-approved Standard Contractual Clauses with our processors to ensure adequate protection for data transfers outside the EEA.
  • Processor agreements: We have data processing agreements in place with all third-party processors as required by GDPR Art. 28.
  • Google and Supabase provide data processing addendums incorporating SCCs.

By using the Service, you acknowledge that your data may be transferred to and processed in countries outside your residence that may have different data protection laws.

7. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) for all data
  • Encryption at rest for cloud-stored data via Supabase
  • Local-first architecture: your content stays in your browser by default
  • Authentication tokens and password hashing managed by Supabase Auth
  • Access controls limiting data access to authorized personnel only

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Your Rights (GDPR — EU/EEA Residents)

If you are a resident of the European Economic Area, you have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR): You can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16 GDPR): You can request correction of inaccurate personal data.
  • Right to erasure (Art. 17 GDPR): You can request deletion of your personal data ("right to be forgotten"). We will delete your data within 30 days, except where retention is required by law.
  • Right to data portability (Art. 20 GDPR): You can request your data in a structured, commonly used, machine-readable format (e.g., JSON or Markdown).
  • Right to restriction (Art. 18 GDPR): You can request that we restrict processing of your data in certain circumstances.
  • Right to object (Art. 21 GDPR): You can object to processing of your data based on legitimate interests.
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at contact@use-thread.com. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority in your EU member state.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

  • Right to know: You can request details about the personal information we have collected, used, disclosed, and sold in the past 12 months.
  • Right to delete: You can request deletion of your personal information, subject to certain exceptions.
  • Right to correct: You can request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell or share your personal information for advertising purposes. You have the right to opt out regardless.
  • Right to limit use of sensitive personal information: You can request that we limit our use of your sensitive personal information.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of personal information collected in the last 12 months:

Category | Examples | Collected | Sold | Shared for Advertising
Identifiers | Email, user ID | Yes | No | No
Customer records | Name, account data | Yes | No | No
Commercial information | Subscription tier, purchase history | Yes | No | No
Internet activity | Pages visited, features used | Yes | No | No
Sensory data | IP address, device info | Yes | No | No
Content you create | Documents, notes, metadata | Yes | No | No

To exercise your California privacy rights, contact us at contact@use-thread.com. We will respond within 45 days.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies. Essential cookies are used for authentication and security. Analytics and preference cookies require your consent. For full details, see our Cookie Policy.

You can manage your cookie preferences at any time via the cookie banner or your browser settings.

11. Children’s Privacy

Thread is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, you may not create an account or use the Service.

If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected such information, please contact us at contact@use-thread.com.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33
  • Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, per GDPR Art. 34
  • Provide information about the nature of the breach, the data affected, and the measures taken

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Provide notice via email or a prominent banner on the Service for material changes
  • For California residents, provide 30 days' notice before changes take effect

Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

For the purposes of GDPR, the data controller is the person or entity listed in our Impressum.