Legal

Privacy Policy

Last updated: May 2026

Short version: we collect only what we need to run the service, we never sell your data, and you can delete everything at any time — from Settings or by replying "purge thread" in any email thread. The full details are below.

1. Who we are

ThreadPM operates threadpm.com and the ThreadPM service — an AI-assisted project manager that works through email. References to "we," "our," or "us" mean ThreadPM. Questions? privacy@threadpm.com

2. Data we collect

Account data

When you sign up (via Clerk), we receive your name and email address. We store your Stripe customer ID when you subscribe. We never see your password — Clerk handles authentication.

Email thread content

When you CC your agent address into an email thread, Postmark forwards the message to us. We store:

  • Sender and recipient email addresses and names
  • Subject line
  • Plain-text body (quoted reply history is stripped)
  • Attachment metadata (file name, type, size — not the file contents)
  • Message headers (Message-ID, References, In-Reply-To) for thread matching

Email bodies are sent to the Anthropic Claude API to extract structured project data (title, action items, deadlines, status). Anthropic processes the request and returns the result — they do not retain your data after the API call. See anthropic.com/privacy.

Usage data

Monthly counts of emails processed and active projects, used only to enforce plan limits and show you your usage dashboard. We do not use third-party analytics that track individuals across sessions.

Payment data

Stripe processes all payments. We store only your Stripe customer ID and subscription status — never raw card numbers, CVVs, or bank details.

3. How we use your data

  • Service delivery — processing inbound emails, creating and updating project records, sending automated PM replies into threads.
  • AI analysis — extracting project metadata from email content via the Anthropic API.
  • Billing — enforcing plan limits, processing payments via Stripe.
  • Transactional email — sending welcome emails, usage alerts, and upgrade notices to the account owner. No marketing emails unless you opt in.
  • Support — if you contact us, we use your information only to respond.

We do not use your data to train AI models, build advertising profiles, or benchmark against other customers.

4. Data sharing

We share data only with the vendors required to run the service:

Vendor    | Purpose                          | Data shared
Anthropic | AI email analysis                | Email body text (per-request, not retained)
Postmark  | Email delivery & inbound routing | Email content and headers
Stripe    | Payment processing               | Name, email, billing details
Clerk     | Authentication                   | Name, email, session tokens
Railway   | Cloud infrastructure             | All stored data (hosted, not processed)

We do not sell, rent, or share your data with advertisers, data brokers, or any third party for marketing or commercial purposes — ever.

5. Email thread participants

When you CC your agent address into a thread, other participants' email addresses and message content are processed by ThreadPM. By using the service you confirm that you have a legitimate business purpose for routing those threads through ThreadPM. We store participant metadata (email, name) only to maintain project context. We never contact, market to, or store profiles on non-account-holder participants.

6. Data retention

  • Active project and email thread data: retained while your account is active
  • Completed and dormant projects: retained until you delete them
  • Account data: deleted within 30 days of account closure request
  • Billing records: retained for 7 years per financial regulations
  • Webhook delivery logs and notifications: auto-purged after 90 days

7. Your data controls

You have direct, self-serve control over your data — no need to email us first:

  • Download everything — visit Settings → Data & Privacy → "Download my data" for a full JSON export of all stored projects, emails, action items, and usage history.
  • Purge a project — delete all data for a specific thread from Settings, or reply "purge thread" in any email thread.
  • Purge all account data — Settings → Data & Privacy → "Purge all account data." Permanently deletes every project, email, and action item. Your login is preserved so you can start fresh.
  • Close your account — email privacy@threadpm.com. We will delete your account and all associated data within 30 days.

8. GDPR rights (EEA & UK users)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten") — request deletion of your personal data. Most of this is available self-serve (see Section 7).
  • Portability — receive your data in a machine-readable format (use the JSON download in Settings).
  • Restriction — ask us to limit processing while a dispute is resolved.
  • Objection — object to processing based on legitimate interests.

Our legal basis for processing email content is performance of a contract (providing the ThreadPM service you signed up for). To exercise any right, email privacy@threadpm.com. We respond within 30 days. If you believe we have not adequately addressed a concern, you may lodge a complaint with your local supervisory authority (e.g., the ICO in the UK).

9. CCPA rights (California residents)

Under the California Consumer Privacy Act (CCPA) you have the right to:

  • Know what personal information we collect, use, and share.
  • Delete personal information we hold (self-serve in Settings, or email us).
  • Opt out of sale — we do not sell personal information, so no opt-out is needed.
  • Non-discrimination — we will not treat you differently for exercising your privacy rights.

To submit a verifiable consumer request, email privacy@threadpm.com.

10. Security

We use industry-standard security practices including:

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest (Railway managed)
  • Hashed and salted API keys (bcrypt)
  • Parameterized SQL queries to prevent injection attacks
  • Webhook signature verification for all inbound requests
  • Stripe-hosted payment forms — we never touch raw card data

No system is perfectly secure. If you discover a security issue, please report it to privacy@threadpm.com.

11. Cookies

We use only essential session cookies required for authentication (set by Clerk). No advertising or tracking cookies. See our Cookie Policy for details.

12. International data transfers

ThreadPM is hosted in the United States (Railway, US region). If you are located outside the US, your data is transferred to and processed in the US. We rely on Standard Contractual Clauses and equivalent transfer mechanisms where required by applicable law.

13. Children

ThreadPM is not directed at anyone under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us and we will delete it promptly.

14. Changes to this policy

We may update this policy. Material changes will be communicated by email to account holders and by updating the date at the top of this page. Continued use after the effective date constitutes acceptance.

15. Contact

Privacy questions, data requests, or security reports: privacy@threadpm.com