Privacy Policy

Last updated: April 2026

1. What we collect

  • Account information: name, email address, password (hashed)
  • Workspace data: projects, thoughts, knowledge graph entries you create
  • Usage data: API request counts, run metadata, timestamps
  • Billing data: managed via Stripe; we do not store raw card numbers
  • Log data: IP addresses, browser type, pages visited (standard server logs)

2. How we use your data

  • To provide and improve the Service
  • To process billing and send receipts
  • To send transactional emails (password reset, key alerts)
  • To detect and prevent abuse
  • To comply with legal obligations

We do not sell your data to third parties.

3. Data storage and retention

Workspace data — sessions, thoughts, knowledge graph entries, and run telemetry — is stored in Supabase (Postgres). The MCP server that processes your requests runs on Google Cloud Run. Data is retained for the life of your active subscription. If you cancel or delete your account, personal data and workspace contents are purged within 30 days. See Supabase's privacy notice for details on their underlying infrastructure.

4. Data security

We use TLS for data in transit and encryption at rest via the default storage encryption provided by Supabase and Google Cloud. API keys are stored as bcrypt hashes — only you can see the plaintext key at creation time.

5. Third-party services

We use the following sub-processors:

  • Supabase — database and authentication
  • Google Cloud Platform — compute (Cloud Run) and observability
  • Vercel — web app hosting
  • Stripe — payment processing

6. Cookies

We use session cookies for authentication and minimal analytics cookies to measure page traffic. We do not use cross-site tracking cookies.

7. Your rights

You may request access to, correction of, or deletion of your personal data at any time by emailing thoughtboxsupport@kastalienresearch.ai. Account deletion removes all personally identifiable information within 30 days.

8. Children

The Service is not directed at children under 13. We do not knowingly collect data from children under 13.

9. Changes to this policy

We may update this Privacy Policy periodically. Material changes will be communicated via email at least 14 days before taking effect.

10. Contact

Privacy questions: thoughtboxsupport@kastalienresearch.ai