Thinkspaces.app

Privacy Policy

Last updated: 26 April 2026

1. Introduction

ThinkSpace (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what data we collect, how we use it, your rights regarding that data, and how we handle it in compliance with applicable law, including the GDPR and CCPA. ThinkSpace is operated as an independent service. Our infrastructure is hosted in the United States.

2. Data We Collect

We collect the minimum data necessary to operate the Service:

  • Account information: Email address, display name, and profile picture (if you sign in with Google)
  • Authentication credentials: Passwords are hashed with bcrypt and never stored in plain text
  • Space content: Text, images, to-do items, links, and other items you create in your spaces. File uploads are stored in our object storage; all other content is stored in our database
  • Collaboration data: Cursor positions and editing activity during real-time collaboration sessions (not persisted after the session ends)
  • Subscription & billing data: Your plan status and Stripe customer ID. Full payment details (card numbers, billing address) are handled entirely by Stripe and never touch our servers
  • Server logs: Standard request logs (IP address, timestamp, endpoint) retained for 14 days for security and debugging purposes

3. How We Use Your Data

  • To provide and operate the Service (storing your spaces, authenticating your sessions)
  • To send transactional emails (email verification, password resets, account notices)
  • To process subscription payments via Stripe
  • To respond to support and feedback requests
  • To detect and prevent fraud, abuse, and security incidents

We do not use your data for advertising, profiling, or marketing purposes. We do not sell or rent your personal data to third parties.

4. Sub-Processors

We use the following third-party services (“sub-processors”) to operate ThinkSpace. Each has been assessed for compliance and publishes its own privacy policy:

  • Railway — Cloud hosting, PostgreSQL database, and object storage (Railway Buckets). Your data is stored on Railway’s US infrastructure. Privacy policy.
  • Cloudflare — DNS, edge network, and DDoS protection. Request traffic passes through Cloudflare’s network. Privacy policy.
  • Stripe — Payment processing and tax collection. Stripe handles all payment card data directly under PCI DSS Level 1 certification. We only store your Stripe customer ID and subscription status. Privacy policy.
  • Resend — Transactional email delivery (account verification, password resets, billing notices). Your email address is shared with Resend solely for delivery. Privacy policy. Email send logs are retained per Resend’s own policy.
  • Google — Two purposes: (1) OAuth login — if you sign in with Google, we receive your name, email address, and profile picture only; we do not access any other Google account data. (2) AI image generation (Pro plan only) — your text prompts are sent to the Google Gemini API for processing (see Section 11). Privacy policy.
  • Sentry — Error monitoring and crash reporting. Enabled conditionally via environment configuration. When active, Sentry may receive stack traces and request metadata (not content data) to help us diagnose bugs. Privacy policy.

5. Cookies & Local Storage

We use cookies and browser storage strictly for functionality:

  • Authentication cookie: A secure, HTTP-only signed session cookie set by NextAuth. Required to keep you logged in. Expires when you sign out or the session times out.
  • Theme preference (localStorage): Your light/dark mode choice is stored in your browser’s local storage. This data never leaves your device.
  • Collaboration identity (sessionStorage): A temporary random ID, display name, and colour used to identify your cursor during real-time editing sessions. Stored in sessionStorage and cleared automatically when you close the tab.

We do not use analytics cookies, tracking pixels, advertising cookies, or any third-party tracking scripts.

6. Data Storage & Security

All data is stored in a PostgreSQL database and object storage hosted on Railway in the United States. Data is encrypted in transit via TLS/HTTPS. Object storage (file uploads) is encrypted at rest. Passwords are hashed using bcrypt. Authentication tokens are signed with a server-side secret.

We do not store payment card details on our servers. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified.

We maintain nightly automated backups of the database with a 30-day rolling retention window. Backups are encrypted at rest.

7. Data Retention

  • Active accounts: Your account and space data are retained for as long as your account is active.
  • Cancelled subscriptions: Your account and content remain accessible on the free plan. If you request account deletion, the schedule below applies.
  • Account deletion (soft delete): When you initiate deletion, your account enters a 7-day grace period. You can cancel deletion within that window. After 7 days, a daily automated process permanently deletes all database rows, all bucket objects, and your Stripe customer record.
  • Stripe records: Stripe retains financial transaction records independently for up to 7 years to meet tax and legal obligations, regardless of account deletion.
  • Backups: Nightly database backups are retained for 30 days on a rolling basis, then permanently deleted.
  • Server logs: Standard request logs are retained for 14 days, then purged.
  • Email send logs (Resend): Retained per Resend’s own policy.
  • Email verification and password reset tokens: Expire automatically (24 hours and 1 hour respectively) and are deleted on account hard-delete.
  • Real-time collaboration data: Cursor positions and presence are never persisted and are discarded when the session ends.

8. International Data Transfers

ThinkSpace stores and processes data in the United States. If you access the Service from the European Economic Area (EEA) or the United Kingdom, your personal data is transferred to and processed in a country that may not provide the same level of data protection as your home jurisdiction.

We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for these transfers to each of our US-based sub-processors (Railway, Cloudflare, Stripe, Resend, Google, and Sentry), all of which publish SCCs as part of their compliance programmes. To request a copy of the relevant SCCs, contact us at communications@thinkspaces.app.

9. Your Rights (GDPR & General)

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you. Most of your data is visible within the app.
  • Rectification: Update your name and email address in your account settings.
  • Erasure: Request permanent deletion of your account and data (subject to the retention schedule in Section 7).
  • Portability: Export your spaces from within the app.
  • Restriction: Ask us to restrict processing of your data while a dispute is resolved.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint: If you are in the EEA or UK, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK or your national DPA in the EU).

Legal bases for processing (GDPR Art. 6):

  • Contract performance (Art. 6(1)(b)): Operating your account, storing your content, processing payments.
  • Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, error logging, and maintaining service reliability.
  • Consent (Art. 6(1)(a)): Sending optional product update communications (you can opt out at any time).

To exercise any of these rights, contact us at communications@thinkspaces.app or via our FAQ & Support page. We will respond within 30 days.

10. California Residents (CCPA / CPRA)

If you are a California resident, this section applies to you in addition to the rest of this policy.

Categories of personal information we collect:

  • Identifiers: Email address, display name, Google profile picture (if OAuth sign-in)
  • Commercial information: Subscription plan, Stripe customer ID, billing history
  • Internet or network activity: Server request logs (IP address, timestamps, pages visited), session data
  • Inferences: None — we do not build profiles or inferences about you
  • Sensitive personal information: Account credentials (password hash); we do not collect social security numbers, precise geolocation, health data, or other sensitive categories

We do not sell or share your personal information for cross-context behavioural advertising. We have not done so in the preceding 12 months.

Your CCPA rights:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Delete: Request deletion of your personal information, subject to certain exceptions
  • Correct: Request correction of inaccurate personal information
  • Opt out of sale/sharing: We do not sell or share personal information, so no opt-out is required
  • Limit use of sensitive personal information: You may request that we limit use of sensitive personal information to what is necessary to provide the Service
  • Non-discrimination: We will not discriminate against you for exercising any of these rights

To submit a CCPA request, contact us at communications@thinkspaces.app or via our FAQ & Support page. We will respond within 45 days.

11. AI Image Generation (Pro Plan)

Pro subscribers may use the AI image-generation feature, which sends text prompts to the Google Gemini API. When you use this feature:

  • Your prompt text is transmitted to Google for processing
  • Prompts are not retained on our servers after the API response is returned
  • Google processes your prompt in accordance with their Gemini API terms and privacy policy
  • Generated images are stored in your account storage and subject to the same retention rules as other content

Do not include personal data or confidential information in AI prompts.

12. Data Breach Notification

In the event of a confirmed personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you by email within 72 hours of our becoming aware of the breach, in line with our obligations under GDPR Articles 33 and 34. The notification will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures we are taking to address it.

13. Children’s Privacy

ThinkSpace is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

14. Updates to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the new policy takes effect, giving you time to review the changes. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

15. Contact & Data Protection Requests

For privacy questions, data subject access requests, or DPA-related enquiries, you can reach us: