ThreadPilot Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, and authentication credentials when you sign up via Google, Microsoft, or other OAuth providers.
• Connected Accounts: Email accounts (Gmail, Outlook), calendar data, contact lists, and other third-party integrations you authorize.
• User Content: Emails, messages, calendar events, contacts, notes, and other data you upload or create within ThreadPilot.
• AI Interactions: Questions, commands, and conversations with the AI assistant.

1.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent, and interaction patterns.
• Device Information: Browser type, operating system, IP address, device identifiers.
• Log Data: API calls, error logs, performance metrics.
• Cookies & Tracking: Session cookies, authentication tokens, and analytics data.

1.3 Information from Third Parties

• OAuth Providers: Profile information from Google, Microsoft when you authenticate.
• Email & Calendar Services: Message content, metadata, contact information via authorized API access.
• AI Service Providers: Processing data sent to OpenAI, Google Gemini for AI features.

2. How We Use Your Information

We use collected information to:

• Provide the Service: Process emails, manage calendars, sync contacts, and deliver AI-powered features.
• Personalization: Customize your experience, remember preferences, and improve AI responses.
• AI Training & Improvement: Analyze usage patterns and conversation history to improve AI models and features.
• Communication: Send service updates, security alerts, and feature announcements.
• Security & Fraud Prevention: Detect suspicious activity, prevent abuse, and protect user data.
• Analytics: Understand how users interact with ThreadPilot to improve performance and features.
• Legal Compliance: Comply with applicable laws, regulations, and legal processes.

3. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

• AI Service Providers: Your queries and content are sent to OpenAI GPT-4.5, Google Gemini, and other AI APIs to generate responses. These providers have their own privacy policies.
• Infrastructure Providers: Cloud hosting (Railway), database services (Turso libSQL, Redis), and storage providers (Google Cloud Storage, R2, S3).
• Email & Calendar Services: We access Gmail, Outlook, and other integrated services on your behalf using OAuth authorization.
• Analytics Services: Anonymous usage statistics may be shared with analytics platforms.
• Legal Requirements: When required by law, court order, or government request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets.
• With Your Consent: When you explicitly authorize sharing with third parties.

4. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data in transit uses TLS/SSL encryption. Sensitive credentials are encrypted at rest.
• OAuth Authentication: We use secure OAuth 2.0 flows and never store your email passwords.
• Access Controls: Strict internal access policies and role-based permissions.
• Regular Audits: Security reviews, vulnerability scanning, and penetration testing.
• Data Isolation: User data is logically separated and isolated in our database systems.

However, no system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5. Data Retention

• User Content: Retained for as long as your account is active or as needed to provide services.
• AI Conversation History: Stored to improve AI responses and provide context. You can delete conversations at any time.
• Vector Memory: Embedded facts stored in Redis for up to 90 days or until manually cleared.
• Logs & Analytics: Typically retained for 30-90 days for debugging and security purposes.
• Account Deletion: When you delete your account, we remove your personal data within 30 days, except where retention is required by law.

6. Your Privacy Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data.
• Correction: Update or correct inaccurate information.
• Deletion: Request deletion of your data (right to be forgotten).
• Portability: Export your data in a machine-readable format.
• Opt-Out: Unsubscribe from marketing emails or disable certain data processing.
• Revoke Consent: Disconnect integrated accounts at any time.

To exercise these rights, contact us at privacy@threadpilot.app.

7. Cookies & Tracking Technologies

ThreadPilot uses cookies and similar technologies:

• Essential Cookies: Required for authentication, session management, and core functionality.
• Analytics Cookies: Help us understand usage patterns and improve the Service.
• Preference Cookies: Remember your settings and customization choices.

You can control cookies through your browser settings, but disabling certain cookies may limit functionality.

8. Third-Party Services & Links

ThreadPilot integrates with third-party services, each with their own privacy policies:

• OpenAI: OpenAI Privacy Policy
• Google: Google Privacy Policy
• Microsoft: Microsoft Privacy Statement

We are not responsible for the privacy practices of third-party services. We recommend reviewing their policies before connecting accounts.

9. Children's Privacy

ThreadPilot is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we discover that a child has provided personal data, we will delete it immediately. If you believe a child has provided information, contact us at privacy@threadpilot.app.

10. International Data Transfers

ThreadPilot is operated from the United States. If you access the Service from outside the U.S., your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

By using ThreadPilot, you consent to the transfer of your information to countries that may have different data protection laws than your jurisdiction.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected
• Right to know whether personal information is sold or disclosed
• Right to opt-out of the sale of personal information (we do not sell data)
• Right to deletion
• Right to non-discrimination for exercising your rights

To exercise these rights, contact privacy@threadpilot.app.

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

• Right to access your personal data
• Right to rectification
• Right to erasure (right to be forgotten)
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent

Our legal basis for processing includes consent, contract performance, legal obligations, and legitimate interests. To exercise GDPR rights, contact privacy@threadpilot.app.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through an in-app notice. The "Last updated" date at the top reflects the most recent version. Continued use of ThreadPilot after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: