Privacy Policy

• Account information: name, email address, password (hashed)
• Workspace data: projects, thoughts, knowledge graph entries you create
• Usage data: API request counts, run metadata, timestamps
• Billing data: managed via Stripe; we do not store raw card numbers
• Log data: IP addresses, browser type, pages visited (standard server logs)

• To provide and improve the Service
• To process billing and send receipts
• To send transactional emails (password reset, key alerts)
• To detect and prevent abuse
• To comply with legal obligations

We do not sell your data to third parties.

Workspace data is stored in Supabase (Postgres) hosted on Google Cloud. Thought and run data is retained according to your plan tier. Free plan: 30 days. Pro: 1 year. Enterprise: configurable.

We use TLS for data in transit and encryption at rest via GCP default storage encryption. API keys are stored as bcrypt hashes — only you can see the plaintext key at creation time.

We use the following sub-processors:

• Supabase — database and authentication
• Google Cloud Platform — compute and storage
• Stripe — payment processing

We use session cookies for authentication and minimal analytics cookies to measure page traffic. We do not use cross-site tracking cookies.

You may request access to, correction of, or deletion of your personal data at any time by emailing privacy@thoughtbox.dev. Account deletion removes all personally identifiable information within 30 days.

The Service is not directed at children under 13. We do not knowingly collect data from children under 13.

We may update this Privacy Policy periodically. Material changes will be communicated via email at least 14 days before taking effect.

Privacy questions: privacy@thoughtbox.dev