ThreadMemory

Privacy Policy

Last updated: March 6, 2026

1. Identity of Data Controller

ThreadMemory is operated by Aleksandr Soshnikov, Individual Entrepreneur registered in Georgia.

  • Personal Number: 304786667
  • Registered address: 1 Ilia and Nino Nakashidze St., Apt. 3, Tbilisi 0108, Georgia
  • Contact email: [email protected]
  • Website: threadmemory.com

No Data Protection Officer (DPO) has been appointed. For any privacy inquiries, please contact [email protected].

2. Data We Collect

Account Data

When you create an account, we collect the following information directly from you or from your OAuth provider (Google, Slack):

  • Name, email address, and profile picture
  • OAuth provider identifiers (Google account ID, Slack user ID)
  • Hashed passwords (only if you sign up with email and password; we never store plain-text passwords)

Workspace Data

When you set up your workspace within ThreadMemory, we store:

  • Workspace name and member roles (owner, admin, member)
  • Subscription plan and billing status
  • Routing policy configuration (your rules for how messages are classified and routed)

Chat Message Data

When you connect a chat platform (such as Slack, Discord, or Telegram), ThreadMemory receives message data from the channels you choose to monitor:

  • Message text from monitored channels
  • Author display names and channel names
  • Thread context and timestamps
  • Attachment flags (whether a message has attachments, but not the attachment content itself)

We never access your direct messages or private channels unless you explicitly add them to monitoring.

AI-Derived Data

Our AI pipeline generates the following data from your chat messages:

  • Message classifications (signal or noise, topic type such as decision, bug report, task, knowledge, or question)
  • Vector embeddings (mathematical representations used for similarity matching)
  • Cluster summaries and type classifications
  • Generated artifacts (titles, summaries, and formatted content delivered to your destination tools)
  • Importance and maturity scores

Connector Credentials

To connect your chat platforms and productivity tools, we store authentication credentials:

  • OAuth tokens for Slack, Notion, GitHub, Jira, and Confluence
  • Bot tokens for Discord and Telegram

All connector credentials are encrypted at rest using AES-256-GCM encryption. We never store them in plain text.

Usage and Analytics Data

We collect product analytics to improve our service:

  • Page views and feature usage events (via PostHog)
  • Session recordings with all text inputs automatically masked
  • Custom events such as login, signup, source connections, and destination connections

Billing Data

Paddle acts as our Merchant of Record and handles all payment processing. We receive from Paddle:

  • Payment card brand, last four digits, and expiry date
  • Transaction history and subscription status

Full card details are handled entirely by Paddle and never touch our servers.

3. How We Collect Data

We collect data through the following methods:

  • Directly from you when you register an account, configure workspace settings, or set up routing rules.
  • From OAuth providers (Google, Slack) when you sign in using their authentication services.
  • From connected chat platforms (Slack, Discord, Telegram) via webhook events and API calls when messages are posted in your monitored channels.
  • Automatically via analytics (PostHog) as you interact with our web application.
  • From Paddle via billing webhooks when you subscribe, update, or cancel your plan.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following grounds:

| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Core service (AI classification, routing, summarization) | Performance of contract | Art. 6(1)(b) |
| Account authentication | Performance of contract | Art. 6(1)(b) |
| Billing and payment processing | Performance of contract | Art. 6(1)(b) |
| Product analytics (feature usage, page views) | Consent | Art. 6(1)(a) |
| Session recordings (inputs masked) | Consent | Art. 6(1)(a) |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Marketing emails | Consent | Art. 6(1)(a) |
| Service notification emails | Performance of contract | Art. 6(1)(b) |

Is providing your data mandatory?

Under GDPR Art. 13(2)(e), we inform you of the following regarding whether providing personal data is a statutory or contractual requirement:

  • Account data (name, email): Required as a contractual necessity to create and manage your account. You cannot use ThreadMemory without providing this information.
  • Chat message data: Required for the core service. ThreadMemory cannot classify, route, or summarize messages without access to the message content you choose to monitor.
  • Billing data: Required for paid subscriptions. Payment processing is handled by Paddle and is necessary to maintain your subscription.
  • Marketing consent: Entirely voluntary. You can use the full service without opting in to marketing emails.
  • Analytics data: Collected only with your consent. Analytics cookies are blocked until you give consent through our cookie consent banner. You can withdraw consent at any time by clicking “Cookie Settings” in the website footer.

5. Purpose of Processing

We process your personal data for the following purposes:

  • Provide the core service: Classify, route, and summarize important discussions from your team's chat platforms and deliver them to your connected productivity tools (Notion, Jira, GitHub Issues, Confluence).
  • Authenticate users and manage accounts: Verify your identity, manage sessions, and maintain workspace membership.
  • Process payments and manage subscriptions: Handle plan upgrades, downgrades, cancellations, and billing through our Merchant of Record, Paddle.
  • Send service notifications: Deliver transactional emails such as welcome messages, connection alerts, weekly digests, and billing updates.
  • Improve the product: Analyze usage patterns and feature adoption through PostHog analytics. We do not use your chat messages or AI-generated content to train AI models.
  • Maintain security and prevent abuse: Monitor for unauthorized access, verify webhook signatures, and enforce rate limits.
  • Comply with legal obligations: Retain records as required by applicable tax, accounting, and data protection laws.

6. AI Processing Disclosure

ThreadMemory uses artificial intelligence to process your chat messages. This section explains exactly what happens when your messages are processed by AI.

How AI processes your messages

  • Messages from your monitored channels are sent to the OpenAI API for classification, embedding generation, and content generation.
  • The AI determines: whether a message is important (signal vs. noise), its topic type (decision, bug report, task, knowledge, or question), the maturity of a discussion (whether enough context has been gathered), and which destination tool should receive the summarized content.
  • Vector embeddings (mathematical representations) are generated and stored in our database to enable similarity matching and topic clustering.

Data protection in AI processing

  • OpenAI does not train on your data: Under OpenAI's API data usage policy, data submitted through the API is not used to train or improve OpenAI's models.
  • Limited retention by OpenAI: OpenAI retains API inputs and outputs for a maximum of 30 days for abuse monitoring purposes, then deletes them.
  • Automatic PII scrubbing: Personally identifiable information such as email addresses, phone numbers, and API keys is automatically scrubbed from AI output before it is stored or delivered.
  • Content classification, not profiling: The AI processes message content to classify and route information. It does not make automated decisions about individuals, assess personal characteristics, or build user profiles.

Transparency

You may contact us at [email protected] to request an explanation of how our AI processing logic works, including the criteria used for classification and routing.

7. Data Sharing & Third-Party Recipients

We share your data with the following third-party service providers (sub-processors) as necessary to operate ThreadMemory:

| Recipient | Data Shared | Purpose |
|---|---|---|
| OpenAI | Message text, author names, channel names | AI classification, embedding generation, content generation |
| Google (OAuth) | User profile data | Authentication |
| Neon | All database content (encrypted at rest) | PostgreSQL database hosting |
| Vercel | Request and response data, webhooks | Application hosting and edge delivery |
| Paddle | Customer email, billing events | Merchant of Record — handles payments, taxes, invoicing, and refunds |
| PostHog (EU) | User ID, email, page views, session replays | Product analytics |
| Resend | Recipient email address, email content | Transactional email delivery |
| Notion, GitHub, Jira, Confluence | AI-generated artifacts (titles, summaries, formatted content) | Delivering classified content to your connected tools |
| Slack, Discord, Telegram | API requests with bot tokens | Reading messages from your monitored channels |

We do not sell your personal data to any third party. We do not share data with advertising networks or data brokers.

A full, up-to-date list of sub-processors is maintained at threadmemory.com/legal/subprocessors.

8. International Data Transfers

ThreadMemory is operated from Georgia, which is not a member of the European Union or European Economic Area. Georgia has an EU Association Agreement but does not currently hold an EU adequacy decision for personal data protection.

Your data may be processed in the following locations:

  • United States: OpenAI (AI processing), Vercel (application hosting), Resend (email delivery)
  • European Union: PostHog (analytics, EU-hosted)
  • Neon's infrastructure: PostgreSQL database hosting (location depends on your selected region)

Transfer safeguards

  • EU-to-Georgia transfers: Where personal data of EEA residents is transferred to Georgia, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.
  • EU-to-US transfers: Where applicable, transfers are protected by the EU-US Data Privacy Framework (DPF). For sub-processors not covered by the DPF, we rely on Standard Contractual Clauses.

You may contact us at [email protected] to request information about the specific transfer mechanisms applied to your data.

9. Data Retention

We retain different types of data for different periods based on necessity and legal requirements:

| Data Type | Retention Period | Purge Method |
|---|---|---|
| Noise messages (raw text) | 24 hours | Text replaced with [purged]; embedding cleared |
| Signal and ambiguous messages (raw text) | 48 hours | Text replaced with [purged]; embedding cleared |
| AI-generated artifacts | Lifetime of workspace | Deleted when workspace is deleted |
| Archived topic clusters | 90 days | Permanently deleted |
| Processing logs | 30 days | Permanently deleted |
| Audit logs | 365 days | Permanently deleted |
| Account data | Lifetime of account + 30 days | Deleted 30 days after account closure |
| Analytics data | Per PostHog retention policy | Managed by PostHog |
| Billing data | As required by law (typically 7 years) | Managed by Paddle |

OpenAI sub-processor retention: OpenAI retains API processing logs for up to 30 days for abuse monitoring, even after ThreadMemory has purged the original message text from our systems. After 30 days, OpenAI deletes these logs.

10. Your Rights

Rights available to all users

Regardless of your location, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete personal data
  • Delete your account and associated personal data
  • Export your data in a machine-readable format (JSON)
  • Object to processing of your data

Additional rights under GDPR (EU/EEA residents)

If you are located in the EEA, you also have the right to:

  • Restrict processing of your personal data in certain circumstances
  • Data portability — receive your personal data in a structured, commonly used, machine-readable format
  • Withdraw consent at any time for processing based on consent (such as marketing emails), without affecting the lawfulness of processing prior to withdrawal
  • Lodge a complaint with your local data protection supervisory authority

Rights under Georgian data protection law

The supervisory authority in Georgia is the Personal Data Protection Service (PDPS), which can be contacted at pdps.ge.

Rights under CCPA/CPRA (California residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Delete personal information we have collected from you
  • Opt-out of sale of personal information — however, ThreadMemory does not sell personal information
  • Non-discrimination — we will not discriminate against you for exercising your privacy rights
  • Limit use of sensitive personal information to what is necessary to provide the service

Rights under CASL (Canadian users)

For Canadian users, we comply with Canada's Anti-Spam Legislation (CASL):

  • Express consent is required before sending commercial electronic messages, including our purpose, identity, contact information, and an unsubscribe mechanism
  • Express consent does not expire; implied consent (such as from a business relationship) expires after two years
  • Transactional and service-related emails are exempt from CASL consent requirements

How to exercise your rights

To exercise any of the rights described above, email us at [email protected]. We will respond within:

  • 30 days for GDPR requests
  • 45 days for CCPA/CPRA requests (extendable by an additional 45 days with notice)

We may ask you to verify your identity before processing your request to protect your privacy.

11. Cookies & Tracking

ThreadMemory uses a limited set of cookies and tracking technologies:

| Cookie / Technology | Type | Purpose |
|---|---|---|
| Auth session cookie | Essential | Maintains your authenticated session. Required for the service to function. |
| PostHog analytics | Analytics | Product analytics and session replay (all text inputs are automatically masked). Only loaded after you give consent. |
| Paddle checkout | Essential | Payment processing during checkout. Set by Paddle when you start a payment flow. |
| Locale preference | Functional | Remembers your selected language setting. |
| tm_cc | Strictly Necessary | Stores your cookie consent preferences. Retained for 365 days. |

What we do not use

  • No third-party advertising cookies
  • No cross-site tracking pixels
  • No data broker integrations

Cookie consent

Analytics cookies (PostHog) are blocked by default for all users and only loaded after you give consent through our cookie consent banner. You can change your preferences at any time by clicking “Cookie Settings” in the website footer. Strictly necessary cookies (authentication, payment processing, cookie consent preferences) do not require consent as they are essential for the service to function.

Do Not Track (DNT) signals

ThreadMemory does not currently respond to Do Not Track browser signals. You can control tracking by using our cookie consent banner or by contacting us at [email protected] to opt out of analytics tracking.

12. Children's Privacy

ThreadMemory is a business-to-business service designed for team use in professional settings. It is not intended for use by children.

  • We do not knowingly collect personal data from children under 16 years of age (as required by GDPR) or under 13 years of age (as required by COPPA in the United States).
  • If we discover that we have inadvertently collected personal data from a child, we will promptly delete that data and terminate the associated account.
  • If you believe a child has provided us with personal data, please contact us at [email protected].

13. Security Measures

We implement technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption at rest: All connector credentials and sensitive message fields are encrypted using AES-256-GCM
  • Per-tenant key derivation: Each workspace has its own derived encryption key using HKDF(SHA-256) with envelope encryption
  • Encryption in transit: All communications use HTTPS/TLS
  • Database isolation: PostgreSQL Row Level Security enforces tenant data isolation at the database level
  • Webhook verification: HMAC-SHA256 signature verification for all incoming webhooks
  • Automatic PII scrubbing: Personally identifiable information is automatically removed from AI-generated output
  • Password security: User passwords are hashed using bcrypt (never stored in plain text)
  • Audit logging: Security-relevant events are logged and retained for 365 days

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

  • We will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
  • Notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
  • We will notify the relevant supervisory authority where required by law.
  • Notifications will be sent via email to the address associated with your account, and where appropriate, posted on our website.

15. Automated Decision-Making

ThreadMemory uses AI to automatically classify, cluster, and route message content. We want to be transparent about the scope and limitations of this automated processing:

  • Content-focused, not people-focused: Our AI classifies message content (determining importance, topic type, maturity, and routing destination). It does not make automated decisions about individuals.
  • No legal or significant effects: The automated processing does not produce legal effects concerning you or similarly significantly affect you as defined under GDPR Art. 22.
  • Human control: Workspace owners have full control over routing policies and can adjust, override, or disable any routing rule at any time.
  • Explanation available: You may contact us at [email protected] to request an explanation of the logic behind our automated classification and routing.

16. Changes to This Privacy Policy

  • Material changes: If we make material changes to this privacy policy (such as changes to the types of data collected, new data sharing arrangements, or changes to your rights), we will notify you via email at least 30 days before the changes take effect.
  • Minor changes: Non-material updates (such as clarifications, formatting, or corrections) become effective when posted on this page.
  • Continued use of ThreadMemory after the effective date of any change constitutes your acceptance of the updated privacy policy.
  • Previous versions of this privacy policy are available upon request by emailing [email protected].

17. Contact

For any questions, concerns, or requests related to this privacy policy or your personal data, please contact us:

  • Email: [email protected]
  • Entity: Aleksandr Soshnikov, Individual Entrepreneur
  • Address: 1 Ilia and Nino Nakashidze St., Apt. 3, Tbilisi 0108, Georgia

EU Representative (GDPR Art. 27)

As a Georgian entity offering services to individuals in the European Economic Area, we are required to appoint an EU representative under GDPR Art. 27. Our EU representative is:

To be appointed before launch. This section will be updated with the representative's name, address, and contact details once appointed.

UK Representative (UK GDPR)

Under UK data protection law, we are required to appoint a UK representative. Our UK representative is:

To be appointed before launch. This section will be updated with the representative's name, address, and contact details once appointed.

© 2026 ThreadMemory AI Inc. All rights reserved.