Thoughtstream ("we," "us," or "our") is operated by Centricle LLC. This Privacy Policy explains how we collect, use, and protect your personal information when you use thoughtstream.us (the "Service").
1. Information We Collect
Account Information
When you create an account, we collect your email address, display name, and password. Authentication is handled by Supabase.
Thought Data
When you use the Service, we store the thoughts you capture, including: thought content (text), source tags (web or API/Siri), and timestamps.
API Keys
If you use the Siri integration, we store a SHA-256 hash of your API key. The plaintext key is shown once at generation and is never stored on our servers.
Automatically Collected Information
We collect anonymized usage data through Google Analytics, including pages visited, time spent, device type, browser, and general geographic region. This data is not linked to your account.
2. How We Use Your Information
- Provide and maintain the Service (account management, thought capture and retrieval)
- Authenticate API requests from Siri Shortcuts and other integrations
- Understand how the Service is used so we can improve it (analytics)
- Protect against abuse and maintain security
3. Third-Party Services
We use the following third-party services to operate Thoughtstream:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database & authentication | Account info, thought data, API key hashes |
| Google Analytics | Usage analytics | Anonymized browsing data |
| Netlify | Hosting & serverless functions | HTTP request data |
Each service operates under its own privacy policy. We encourage you to review them.
4. Cookies & Local Storage
We use minimal browser storage:
| Item | Type | Purpose | Required |
|---|---|---|---|
| Supabase auth token | localStorage | Keeps you signed in | Essential |
| Google Analytics cookies | Cookies | Usage analytics | Non-essential |
We do not use advertising or retargeting cookies.
5. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will remove your personal data within 90 days. Anonymized analytics data may be retained indefinitely.
6. Data Security
We use reasonable measures to protect your information, including encryption in transit (HTTPS), secure authentication, row-level security on our database, and one-way hashing of API keys. No method of transmission over the Internet is 100% secure, so we cannot guarantee absolute security.
7. Children’s Privacy
Thoughtstream is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.
8. Your Rights
You have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your account and associated data
- Export your thought data
To exercise any of these rights, contact us.
9. US State Privacy Rights
If you are a resident of California, Virginia, Colorado, Connecticut, or another US state with consumer privacy laws, you may have additional rights including:
- Right to know what personal information we collect and how it is used
- Right to delete your personal information
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us.
10. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours via email (for account holders) or through a notice on the Service. We will also notify relevant authorities as required by applicable law.
11. International Users
Centricle LLC is based in the United States. If you access the Service from outside the US, your data is transferred to and processed in the United States.
Our legal bases for processing personal data under the GDPR include:
- Consent — analytics and non-essential cookies
- Contract performance — providing account and idea capture features
- Legitimate interests — security, abuse prevention, and service improvement
International users have the following rights:
- Access to your personal data
- Rectification of inaccurate data
- Erasure of your data
- Data portability
- Restriction of processing
- Objection to processing
To exercise these rights, contact us.
12. Do-Not-Track Signals
We do not currently respond to Do-Not-Track browser signals.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will provide notice through the Service.
14. Contact
If you have questions about this Privacy Policy, please contact us.