Privacy Policy

Effective Date: April 9, 2026

Last Updated: April 9, 2026

Welcome to Threadmind ("Company", "we", "our", "us"). Threadmind is an AI-powered negotiation assistant designed to help professionals analyze negotiations, manage deal risks, and draft strategic responses through our web application and Chrome browser extensions.

We are deeply committed to protecting your privacy and ensuring the security of your most sensitive communication data. This Privacy Policy explains our practices regarding the collection, use, and disclosure of your information. Please also review our Terms of Service, which governs your use of Threadmind.

1. Google User Data Privacy & Limited Use

Threadmind's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Chrome Extension and Gmail Integration

When you install and authorize the Threadmind Chrome Extension, or connect your Google Account via OAuth, we access email content only after explicit user action within your currently open Gmail tab to provide our core AI negotiation functionality. We handle your email data securely and in accordance with this policy.

Why We Access Gmail Data: We access Gmail data solely to provide negotiation analysis, risk detection, and response generation requested by the user. We do not access any emails unless you explicitly choose to analyze them.

Chrome Extension Permissions Usage

We adhere strictly to the principle of least privilege. We only request the permissions necessary to function. Permissions are used only to enable the core functionality described above. Threadmind does not automatically access or monitor Gmail content at any time.

  • storage: Used to securely store your local user preferences and cached session states.

Data Flow

Gmail ➔ Extension ➔ Threadmind Backend ➔ AI Processing ➔ Results ➔ Extension

Email content and attachments are processed only upon user request, used solely to provide the requested functionality, and not stored permanently.

  • Explicit User-Triggered Access: We only read the email text or extract attachments after an explicit user action (e.g., actively clicking "Analyze Thread" or selecting an attachment checkbox). We collect and process only the minimum amount of data necessary to provide the requested functionality.
  • Attachment Processing: We only read and process email attachments when you provide explicit permission by actively selecting them for extraction. We do not read password-protected attachments. Attachments are processed ephemerally and are deleted immediately after analysis. Data encoding methods (such as Base64) are used only for secure transmission and do not change our data retention practices.
  • How We Use Data (Limited Use): Your email data is securely transmitted to our backend infrastructure solely to provide our core features: generating negotiation intelligence, identifying deal risks, creating summaries, and drafting AI responses.
  • No Raw Email Storage: We do not permanently store the raw text bodies of your emails in our database. The raw text is processed temporarily by our AI to generate metadata and analyses. We only store the generated insights and the Gmail Thread ID.
  • No Third-Party Brokers or Ads: We never transfer, sell, or share your email data (or any data derived from it) with third parties for the purposes of serving advertisements or data brokering.
  • Limited Human Access: Humans at Threadmind do not read your raw email data unless you explicitly grant written consent to investigate a bug, it is necessary to resolve a security vulnerability, or we are legally compelled.

We Do NOT:

  • We do not store your raw email content permanently.
  • We do not access or scan data without your explicit action.
  • We do not sell or share Gmail data.
  • We do not use your email data for advertising.

2. Explicit AI Processing Disclosure

  • No Training on User Data: We maintain strict Zero Data Retention (ZDR) agreements with our enterprise LLM providers. Your email data is never used to train, improve, or fine-tune their AI models.
  • Strictly Transient Processing: Data is sent to the AI models strictly to generate instantaneous outputs (summaries, risk flags, drafts). Once the output is generated, the raw source data is immediately discarded from the AI provider's memory.

3. Information We Collect

A. Information You Provide to Us

  • Account Information: Name, email address, password, and subscription/billing information via Dodopayments.
  • Integration Data: Authentication tokens for connected third-party platforms (HubSpot, Slack) to post updates on your behalf.
  • Customer Support: Information provided when you contact us for support or feedback.

B. Information Collected Automatically

  • Usage Data: Automated analytics on how you interact with our Service to improve our product.
  • Technical Data: IP address, browser type, operating system, and Chrome extension installation ID for diagnostic and security purposes.
  • Cookies & Tracking Technologies: We use essential cookies to manage secure sessions and Cloudflare Turnstile for bot protection. We also use tracking pixels (e.g., Meta Pixel, Google Tag) on our website to measure ad performance. These tracking technologies are never bundled within the Chrome Extension, and they never interact with or track your Gmail content.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Process transactions and manage your subscription.
  • Generate AI-driven negotiation strategies and risk assessments.
  • Push status updates to your authorized integrations (e.g., Slack notifications).
  • Detect, investigate, and prevent fraudulent transactions or security incidents.
  • Communicate regarding updates, security alerts, and support messages.

5. How We Secure Your Data

Security is foundational to Threadmind. We employ industry-standard security measures:

Authenticated Encryption

All sensitive integration tokens and session data are stored using AES-256-GCM authenticated encryption.

Transit Security

All data transmitted is encrypted using strict TLS 1.2+ protocols and enforced by HTTP Strict Transport Security (HSTS).

Strict Access Controls

Our infrastructure rests on isolated virtualized environments with robust CORS policies, server-side session validation, and strict rate limiting to prevent unauthorized access and brute-force attacks.

6. Sharing Your Information

We only share your data with categorized sub-processors strictly required to operate the Service:

  • Cloud Infrastructure: Supabase (Database and Auth) and Vercel (Hosting/Compute).
  • AI Infrastructure: We utilize enterprise LLM providers to process data. We maintain strict Zero Data Retention (ZDR) agreements ensuring your data is never used to train their models and is discarded immediately.
  • Payment Processing: Dodopayments handles all billing explicitly; we do not store raw credit card information.
  • Analytics & Observability: We utilize Posthog, Google Analytics (for usage tracking), Sentry (for crash reporting), and Langfuse (for AI tracing) to monitor and improve our Service. These sub-processors only collect aggregated or pseudonymized usage data and exceptions, not your raw email contents.
  • Marketing & Advertising: We run paid advertising campaigns (e.g., Google Ads, Facebook Ads, TikTok Ads, Native Ads). We share limited website visitor data (such as page views or signup events) with these ad networks to measure campaign performance and deliver personalized ads. Strict Firewall: These ad networks NEVER receive access to your Gmail data, AI analyses, or extension usage.
  • Your Authorized Integrations: Data pushed to Slack or HubSpot only occurs based on your explicit authorization.

7. Data Retention and Deletion

We retain account profile information as long as your account is active.

  • Analyses: AI-generated analyses and chat histories are stored so you can review them. You can delete individual thread analyses via the dashboard.
  • Cache: Intermediate data is stored in transient caches (e.g., Redis) that are explicitly invalidated upon task completion or manual deletion.

If you request account deletion, we will purge all your personally identifiable information, stored analyses, and integration tokens from our active databases within 30 days.

8. GDPR & European Privacy Rights

If you are a resident of the European Economic Area (EEA) or the United Kingdom (UK), Threadmind acts as the Data Controller. Our legal bases for processing your data include: (a) Performance of a Contract (to provide the Service); (b) Legitimate Interests (to improve and secure the Service); and (c) Explicit Consent (for optional integrations or marketing).

Your GDPR Rights

  • Right of Access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): You may request corrections to inaccurate or incomplete data.
  • Right to Erasure / Right to be Forgotten (Art. 17): You may request the deletion of your personal data when it is no longer necessary for the purposes collected.
  • Right to Object (Art. 21): You may object to the processing of your data based on legitimate interests.
  • Right to Data Portability (Art. 20): You may request your data in a structured, commonly used format.
  • Right to Withdraw Consent: You may revoke OAuth access (e.g., Google or Slack) directly from your account settings at any time.

To exercise these rights, email privacy@trythreadmind.com. You also maintain the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe our processing violates applicable law.

9. CCPA & California Privacy Rights

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents are afforded specific rights regarding their personal information.

Notice at Collection

Threadmind DOES NOT Sell or Share your personal information (including email data) for targeted advertising or to data brokers. We utilize data strictly under the "Service Provider" exemption.

  • Right to Know: You may request the specific pieces and categories of personal information we have collected, the sources, and the business purposes.
  • Right to Delete: You may request the deletion of personal information we collected from you.
  • Right to Limit: You may direct us to limit the use of your sensitive personal information (such as explicit email contents) strictly to providing the requested service.
  • Right of Non-Discrimination: We will not deny services, charge different prices, or provide a different level of quality for exercising your CCPA rights.

10. International Data Transfers

Threadmind operates globally. If you reside in the EEA, UK, or Switzerland, your data may be transferred to and processed in the United States or other jurisdictions where our cloud infrastructure (Vercel, Supabase) is located. We safeguard these transfers according to Chapter V of the GDPR by relying on the European Commission's approved Standard Contractual Clauses (SCCs) and implementing strict supplementary measures, such as transit encryption and logical isolation, to ensure your data receives an adequate level of protection globally.

Children's Privacy

Our Service is designed for professionals and is not intended for individuals under 13 (or 16 in certain jurisdictions). We do not knowingly collect personal data from children.

Data Breach Notification

In the highly unlikely event of a data breach compromising your personal data, Threadmind will promptly notify affected users and relevant supervisory authorities in accordance with applicable laws (such as the GDPR 72-hour notification rule).

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect legal adjustments or product changes. If we make material changes affecting how we process your sensitive Google data or alter our compliance frameworks, we will notify you via email or a prominent notice on our Service prior to the changes taking effect.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, your rights under the GDPR/CCPA, or our security practices, please contact our Data Protection Officer at: privacy@trythreadmind.com