Website: https://thoughttree.io
Last updated: September 26, 2025
This Privacy Policy explains how ThoughtTree, Inc. (“ThoughtTree,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal information when you visit thoughttree.io (the “Site”) and when you use our software-as-a-service platform and related services (together, the “Services”).
By using the Site or Services, you agree to this Policy. If you do not agree, please do not use the Site or Services.
1) Who we are & scope
Controller: ThoughtTree, Inc., a Delaware corporation.
Applies to: Site visitors, beta testers, trial users, customers, and authorized users of customer accounts.
Not covered: Third-party sites or services you connect to the Services (e.g., Stripe, QuickBooks, Google Sheets, CRMs). Those parties’ privacy policies govern their handling of your data.
Contact (privacy): dawson@thoughttree.io
Mailing address: ThoughtTree, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713 US, USA
2) What we collect
We collect personal information in three main ways: (A) you provide it, (B) it’s collected automatically, or (C) we receive it from third parties you connect.
A. Information you provide
• Account & profile: name, email, password (hashed), role, organization.
• Business & billing: company name, tax info, billing contact, limited payment metadata. Card data is processed by Stripe—we do not store full card numbers.
• Content you upload or connect (“Customer Content”): files, spreadsheets/CSV, exports (e.g., Stripe, QuickBooks), and any data ingested to generate reports.
• Communications: support requests, survey responses, feedback, and beta interviews.
B. Information collected automatically
• Usage & telemetry: device/browser info, IP address, timestamps, pages viewed, product events, performance logs, crash reports.
• Cookies & similar tech: used for sign-in, preferences, analytics, and (if enabled) marketing attribution. See Cookies (Section 9).
C. Information from third parties (you connect)
• Integrations you authorize: e.g., Stripe, QuickBooks, Google Sheets/Drive, CRM or marketing tools. We receive only the scopes you grant (such as transactions, invoices, spreadsheets). You can disconnect integrations at any time within the product.
3) How we use information
• Provide & operate the Services: authenticate users, ingest and transform Customer Content, generate reports, and maintain your workspaces.
• Improve & secure: monitor performance, debug issues, prevent fraud/abuse, develop new features, and conduct analytics (aggregated/de-identified where possible).
• Communicate: send service, security, and transactional emails; with your consent or as permitted by law, send product and marketing updates.
• Compliance: meet legal, regulatory, tax, and audit obligations; enforce Terms of Use; handle disputes.
• AI functionality: We use your Customer Content to generate outputs for you and your workspace. Unless you explicitly opt in, we do not use Customer Content to train foundation models shared across customers. We may use de-identified and aggregated usage data to improve system performance and quality.
4) Legal bases (EEA/UK only)
Where GDPR/UK GDPR applies, our legal bases include contract (to provide the Services), legitimate interests (product improvement, security, fraud prevention), consent (marketing/cookies), and legal obligation.
5) How we share information
We do not sell personal information. We may share as follows:
• Service providers / subprocessors: hosting, storage, analytics, email, error tracking, support tools, and payments (e.g., Stripe). These providers process data under contract and only on our instructions. We maintain a current subprocessor list:
Stripe
AWS
MongoDB
Neo4j
Redis
• Business transfers: in a merger, financing, acquisition, or sale, data may transfer as part of the transaction.
• Legal, safety, and rights: to comply with law, lawful requests, or to protect you, us, and others.
• With your direction: when you connect integrations or share reports/links, we disclose according to your settings.
6) Data retention & deletion
• Account information: retained for the life of the account and a reasonable period thereafter (e.g., up to 24 months) for records, audits, and dispute resolution.
• Customer Content: retained until you delete it, your admin deletes it, or the account terminates.
• Logs/telemetry: typically kept 12–18 months; backups 30–90 days.
You can export/delete data from within the product where available or by contacting us at privacy@thoughttree.io. We may retain limited data as required by law or for legitimate business purposes.
7) Security
We use reasonable administrative, technical, and physical safeguards, including encryption in transit and at rest, access controls (least-privilege), audit logging, and vulnerability management. No system is 100% secure; please use strong passwords and protect your credentials. We will notify you of breaches as required by law and applicable contracts.
8) Your rights & choices
A. Global
• Access, update, delete: manage your profile; request access or deletion via dawson@thoughttree.io.
• Marketing opt-out: use unsubscribe links or contact us.
• Integration control: connect/disconnect third-party integrations at any time.
B. U.S. state privacy rights (e.g., CA, CO, CT, VA, UT)
Depending on your state, you may have the right to know/access, delete, correct, port, and opt-out of certain processing (e.g., targeted advertising or “sale/share” of personal information). Submit requests to privacy@thoughttree.io. We will verify your request and respond within the required timeframe. Global Privacy Control (GPC) signals are honored where legally required.
C. EEA/UK
You may have rights to access, correct, delete, restrict, or object to processing, and to data portability. You may also complain to your local supervisory authority. Where we rely on consent, you may withdraw it at any time.
9) Cookies & tracking
We use:
• Strictly necessary cookies for login and core functionality.
• Analytics cookies to understand product usage and improve performance.
• (Optional) Marketing/attribution cookies if we run campaigns.
Controls: You can manage cookies in your browser and, where required (e.g., EEA/UK), via our Cookie Banner & Preferences tool. For U.S. state laws, if we “sell” or “share” personal information for cross-context behavioral advertising, you can opt out via the “Do Not Sell or Share My Personal Information” link and GPC signals.
10) Children’s privacy
The Services are not directed to children under 13 (or under 16 where applicable). We do not knowingly collect personal information from children. If you believe a child has provided data, contact us and we will take appropriate steps to delete it.
11) International transfers
If we transfer personal information outside your region, we rely on lawful mechanisms (e.g., Standard Contractual Clauses and, if applicable, the UK IDTA/Addendum). You may request a copy of relevant safeguards at privacy@thoughttree.io.
12) AI, output ownership & human review
• Model use: Customer prompts and outputs are processed to deliver features. By default, Customer Content is not used to train foundation models shared across customers unless you opt in.
• Human review: We may review limited samples (e.g., for abuse, debugging, or support) under strict access controls and confidentiality.
• Outputs: Subject to our Terms of Use and applicable law, you are responsible for reviewing AI-generated outputs for accuracy and suitability before relying on them.
13) Third-party services & links
When you connect a third-party service (e.g., Stripe, QuickBooks, Google Sheets/Drive, CRM), their terms and privacy policies apply to their handling of your data. We request only the permissions needed and provide ways to disconnect.
14) California “Notice at Collection” (summary)
We collect the following categories of personal information for the purposes described in Sections 3 and 5:
Category (examples) Sources Business/Commercial purposes Retention (typical)
Identifiers (name, email, IP) You; automatic; integrations you connect Provide Services; security; communications; marketing (with consent/legitimate basis) Life of account + up to 24 months
Commercial info (billing metadata, subscription status) You; Strip3Billing, fraud prevention, support As required by tax/finance laws
Internet/telemetry (logs, device, usage) Automatic Security, analytics, improvement 12–18 months (logs); 30–90 days (backups)
Customer Content (files, spreadsheets, connected data) You; integrations Core AI/reporting functionality Until deletion/account closure
Inferences (product preferences) Derived from use Personalize and improve Services While relevant; then de-identified/aggregated
Sensitive data: We do not intentionally collect sensitive data unless you choose to upload it. Do not upload sensitive data unless necessary and permitted by law/contract.
Selling/Sharing: We do not sell personal information as commonly defined. If we engage in activities considered “sharing” for cross-context behavioral advertising, you can opt out via our Do Not Sell/Share link and GPC signals.
Financial incentives: None at this time.
15) Data Processing Addendum (DPA)
For business customers, our DPA (including SCCs/UK addenda and U.S. state requirements) is available upon request or via our customer agreement workflow. We also publish a subprocessor list and provide change notifications.
16) Changes to this Policy
We may update this Policy from time to time. Material changes will be notified via email and/or in-app notice. Continued use of the Services after the effective date constitutes acceptance.
17) How to contact us
Email: dawson@thoughttree.io
Mail: ThoughtTree, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713 US, USA
Quick implementation checklist (internal)
• Add Cookie Banner/Preferences and Do Not Sell/Share link (U.S. states) and GPC support.
• Publish Subprocessor List and offer DPA.
• Add in-product data export/delete and integration disconnect controls.
• Confirm your default: no model training on Customer Content unless explicit opt-in (and provide the toggle).
• Insert your real mailing address above.
