Privacy

This Privacy Policy describes how Thoughtbase (“we,” “our,” or “us”) collects, uses, and shares your personal information when you use our feedback collection and management platform (the “Services”). By using our Services, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

We collect information that you provide directly to us and information that is automatically collected when you use our Services.

1.1 Information You Provide

Account Information:

  • Name
  • Email address
  • Profile image (optional)
  • Password (stored in encrypted form)

Organization and Workspace Information:

  • Organization name
  • Workspace settings and preferences
  • Team member information

Content You Submit:

  • Feedback and ideas
  • Comments on feedback
  • Changelog entries
  • Roadmap items
  • Any other content you choose to submit through our Services

Payment Information:

  • Billing details (processed through Polar, our payment processor)
  • Subscription information

Communication Information:

  • Support requests
  • Feedback you provide to us

1.2 Information Automatically Collected

Usage Data:

  • Browser type and version
  • Device information
  • Pages visited and time spent on pages
  • Features used
  • Referral sources

Cookies and Tracking Technologies:

  • Session cookies for authentication
  • Preference cookies
  • Analytics cookies (on our marketing website)

Log Data:

  • Server logs
  • Error logs
  • Access logs

1.3 Information from Third Parties

OAuth Providers (if you choose to sign in with):

  • GitHub: Profile information, email address
  • Google: Profile information, email address

Payment Processor (Polar):

  • Subscription status
  • Payment history
  • Billing information

External Authentication (for widget users):

  • User identification from your organization’s SSO system
  • Email address and name (if provided by your organization)

2. How We Use Your Information

We use the information we collect to:

Provide and Maintain Services:

  • Create and manage your account
  • Process transactions and manage subscriptions
  • Deliver the Services you request
  • Enable team collaboration features
  • Send you service-related communications

Improve Our Services:

  • Analyze usage patterns
  • Identify and fix technical issues
  • Develop new features
  • Understand how our Services are used

Communicate With You:

  • Send you administrative messages
  • Respond to your inquiries
  • Send you important updates about our Services
  • Send you marketing communications (with your consent, where required)

Security and Compliance:

  • Protect against fraud and abuse
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect our rights and the rights of our users

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

3.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

  • Polar: Payment processing and subscription management
  • Resend: Email delivery services
  • Neon/PostgreSQL: Database hosting and storage
  • Vercel: Application hosting and analytics (on marketing website)
  • Other service providers: As needed to operate our Services

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

3.2 Public Content

Content you submit to public boards (ideas, comments, changelogs) may be visible to other users and the general public, depending on your organization’s settings.

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to:

  • Comply with legal obligations
  • Protect our rights and property
  • Protect the safety of our users
  • Prevent fraud or abuse

3.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

We may share your information in other ways with your explicit consent.

4. Data Retention

We retain your personal information for as long as necessary to:

  • Provide you with our Services
  • Comply with legal obligations
  • Resolve disputes
  • Enforce our agreements

When you delete your account, we will delete or anonymize your personal information, except where we are required to retain it for legal or legitimate business purposes. Some information may remain in backup systems for a limited period.

Specific Retention Periods:

  • Account information: Retained while your account is active and for a reasonable period after deletion
  • Content (ideas, comments): Retained according to your organization’s settings or until account deletion
  • Payment records: Retained as required by law (typically 7 years for tax purposes)
  • Log data: Retained for up to 90 days

5. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

5.1 Access and Portability

You can access and download your personal information through your account settings or by contacting us.

5.2 Correction

You can update your account information at any time through your account settings.

5.3 Deletion

You can request deletion of your account and personal information by contacting us. Note that some information may be retained as required by law or for legitimate business purposes.

5.4 Objection and Restriction

You can object to certain processing of your information or request that we restrict processing in certain circumstances.

5.5 Opt-Out of Marketing

You can opt out of marketing communications by clicking the unsubscribe link in our emails or by contacting us.

5.6 Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.

5.7 Exercising Your Rights

To exercise any of these rights, please contact us at support@thoughtbase.app. We will respond to your request within 30 days, or as required by applicable law.

6. International Data Transfers

Our Services are hosted and operated in the United States. If you are located outside the United States, your information may be transferred to, stored, and processed in the United States. By using our Services, you consent to this transfer.

We take appropriate measures to ensure that your information receives an adequate level of protection in the jurisdictions where we process it.

7. Children’s Privacy

Our Services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete such information.

8. Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of sensitive data at rest
  • Regular security assessments
  • Access controls and authentication
  • Secure password storage

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

9. Third-Party Services

Our Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you use.

Third-Party Services We Use:

  • Polar: Payment processing (Privacy Policy)
  • Resend: Email delivery (Privacy Policy)
  • Vercel: Hosting and analytics (Privacy Policy)
  • GitHub/Google: OAuth authentication (subject to their respective privacy policies)

10. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Authenticate you and maintain your session
  • Remember your preferences
  • Analyze usage of our marketing website
  • Improve our Services

Types of Cookies We Use:

  • Essential Cookies: Required for the Services to function
  • Analytics Cookies: Help us understand how visitors use our marketing website
  • Preference Cookies: Remember your settings and preferences

You can control cookies through your browser settings, but disabling essential cookies may affect the functionality of our Services.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Sending an email to the address associated with your account
  • Displaying a notice within our Services

The “Last Updated” date at the top of this policy indicates when it was last revised. Your continued use of our Services after changes become effective constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

13. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”), provides you with additional rights regarding your personal information.

13.1 Categories of Personal Information We Collect

The following chart details the categories of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it:

Category of Personal Information | Purposes of Use | Categories of Third Parties
Contact information (name, email address) | Provide Services; Communicate with you; Analyze and improve services; Comply with law; Security/fraud prevention | Service providers; Entities for legal purposes
Account credentials (username, password - encrypted) | Provide Services; Security/fraud prevention; Comply with law | Service providers; Entities for legal purposes
Content you submit (feedback, ideas, comments) | Provide Services; Enable collaboration | Service providers; Public (for public boards)
Payment and billing information | Process payments; Manage subscriptions | Polar (payment processor)
Usage data (IP address, device information, interaction data) | Provide Services; Analyze and improve services; Security/fraud prevention | Service providers; Analytics providers (marketing website only)
Professional information (organization name, role) | Provide Services; Communicate with you | Service providers

13.2 Your CCPA Rights

As a California resident, you have the right to:

  • Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose
  • Delete: Request deletion of your personal information (subject to certain exceptions)
  • Opt-Out of Sale/Sharing: We do not sell your personal information as defined by the CCPA, and we have not done so in the past 12 months
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
  • Correction: Request correction of inaccurate personal information

13.3 Exercising Your CCPA Rights

To exercise your CCPA rights, please contact us at support@thoughtbase.app. We will verify your identity before processing your request and respond within 45 days (or as required by law).

13.4 Shine the Light Disclosure

California’s “Shine the Light” law gives California residents the right to request information about how we share certain categories of personal information with third parties for their direct marketing purposes. We currently do not disclose your personal information to third parties for their own direct marketing purposes.

13.5 Sensitive Personal Information

The CCPA allows you to limit the use or disclosure of your “sensitive personal information” (as defined in the CCPA) if it is used for certain purposes. We do not use or disclose sensitive personal information other than for business purposes for which you cannot opt out under the CCPA.

14. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right of Access: You can request a copy of your personal data
  • Right to Rectification: You can request correction of inaccurate data
  • Right to Erasure: You can request deletion of your personal data
  • Right to Restrict Processing: You can request that we limit how we use your data
  • Right to Data Portability: You can request a copy of your data in a machine-readable format
  • Right to Object: You can object to certain processing of your data
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time

To exercise these rights, please contact us at support@thoughtbase.app.

Legal Basis for Processing: We process your personal information based on:

  • Your consent
  • Performance of a contract (providing our Services)
  • Legitimate interests (improving our Services, security, fraud prevention)
  • Legal obligations

15. Effective Date

This Privacy Policy was last updated on January 1, 2024, and is effective as of that date.