Privacy Policy
Last updated: November 2025
At THIG ("we," "our," or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and share your information when you use our AI-powered PRD generation platform ("the Service").
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). If you sign in with Google OAuth, we receive your name, email, and profile image from Google. We also store your organization membership, role, and preferences.
1.2 Usage Data
We collect information about how you use the Service, including pages visited, features used, AI model selections, token usage, request timestamps, and response times. This data helps us improve the Service and monitor for abuse.
1.3 AI Conversation Data
When you interact with our AI features, we store your conversation history, questions and answers, generated PRDs, stakeholder views, and other AI-generated content. This data is associated with your projects and organization.
1.4 Payment Information
Payment processing is handled by Dodo Payments, our Merchant of Record. We do not store your credit card details directly. We store your Dodo Payments customer ID and subscription information to manage your account and billing status.
2. How We Use Your Information
- Provide the Service: Power AI conversations, generate PRDs, manage projects, and deliver features you request
- Improve AI Quality: Analyze usage patterns and conversation quality to improve our AI prompts, templates, and recommendations. We do not use your content to train third-party AI models.
- Billing and Accounts: Process subscriptions, enforce usage limits based on your plan tier, and send billing-related communications
- Security and Abuse Prevention: Detect unauthorized access, enforce rate limits, monitor for suspicious activity, and maintain account lockout protections
- Communications: Send transactional emails such as account verification, password resets, usage alerts (at 80% and 100% of limits), and important service updates
3. Data Storage and Security
Your data is stored in Supabase-hosted PostgreSQL databases. We implement multiple layers of security to protect your information:
- Encryption: Sensitive data such as the API keys you supply for Bring Your Own Key (BYOK) functionality is encrypted with AES-256-GCM, using a fresh, unique initialization vector (nonce) for every encryption operation
- Multi-Tenant Isolation: All data is scoped by organization with row-level security policies ensuring strict tenant isolation
- Password Security: Passwords are hashed using bcrypt and never stored in plaintext. Account lockout applies after 5 failed login attempts
- Access Control: Role-based access control at both organization and platform levels restricts data access to authorized users only
- Infrastructure: Our infrastructure is hosted in India. Supabase provides managed database hosting with automated backups and disaster recovery
4. Data Sharing
We do not sell your personal data. We share data only with the following third-party services as necessary to operate the platform:
- OpenAI and Anthropic: Your conversation inputs and context are sent to these AI providers to generate responses, PRDs, and other AI-powered content. These providers process data according to their own privacy policies and data processing agreements.
- Dodo Payments: Your billing information, email address, and subscription details are shared with Dodo Payments to process payments and manage subscriptions. Dodo Payments acts as the Merchant of Record.
- Resend: Your email address is shared with Resend to deliver transactional emails such as account verification, password resets, and usage alerts.
We may also disclose data when required by law, to protect our rights, or in connection with a merger or acquisition.
5. Your Rights
You have the following rights regarding your data:
- Access: You can access your data at any time through the Service dashboard and admin panels. You can view your projects, PRDs, conversation history, and usage statistics.
- Deletion: You can request deletion of your account and all associated data by contacting us at [email protected]. We will process deletion requests within 30 days.
- Export: You can export your PRDs in Markdown and DOCX formats. Organization administrators can export project data through the admin backup feature.
- Correction: You can update your account information, profile details, and organization settings at any time through the Service.
6. Cookies
We use session cookies to maintain your authentication state and ensure secure access across the platform. These cookies are essential for the Service to function and carry the session tokens managed by NextAuth. We also set a cookie on our parent domain so that your authenticated session is shared across our subdomains. We do not currently use third-party tracking cookies, advertising cookies, or analytics cookies.
7. Data Retention
- Active Accounts: Your account data, projects, and conversation history are retained for as long as your account remains active.
- Deleted Accounts: When you request account deletion, your personal data and associated content will be permanently deleted within 30 days. Some anonymized usage data may be retained for analytics purposes.
- Usage Logs: AI usage logs (token counts, costs, model selections) are retained for billing reconciliation and service improvement. These logs are anonymized after 12 months.
- Backups: Database backups managed by our hosting provider may retain data for up to 30 days after deletion from the primary database.
8. Children's Privacy
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at [email protected].
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we may also send an email notification to active account holders. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
- Privacy inquiries: [email protected]
- Legal inquiries: [email protected]
- Website: thig.ai