Legal

Privacy Policy

Effective · April 15, 2026Updated · April 15, 2026Jurisdiction · United States

Privacy Policy

Effective: April 16, 2026 Last updated: April 16, 2026

⚠️ Draft — requires legal review before public launch. This policy is a starting-point draft assembled from industry norms and the data flows Thread actually performs. Have a privacy attorney review and adapt to your jurisdiction, the CCPA, the GDPR, and any sector- specific laws that apply to your users, before publishing.

1. Who we are

Thread is a desktop task-management application published by Conjuring.ai LLC ("we", "us", "our"), a limited liability company. If you contact us about privacy, you can reach us at privacy@conjuring.ai. For security vulnerabilities, use security@conjuring.ai or the instructions at conjuring.ai/.well-known/security.txt.

This policy describes what information we collect when you use Thread (the desktop app), conjuring.ai (the website), and any related services (together, the Services).

2. Plain-English summary

  • Your tasks stay on your computer. Thread stores tasks, notes, subtasks, and settings in your Mac's local storage. We never upload your task content to our servers.
  • We do collect your email and payment information so we can keep your license active and email you about updates and billing.
  • AI features are opt-in. If you enable them, we send the specific prompts you choose (and the tasks they reference) to your chosen AI provider. You can bring your own API key or use our hosted proxy.
  • We don't sell your data. Full stop.
  • You can delete your account and all server-side data at any time by emailing privacy@conjuring.ai.

3. What we collect and why

Information you give us

Data Why we need it
Email address Account sign-in, license verification, receipts
Name (optional) Personalizing billing receipts and support replies
Payment information Processed by Stripe — we never see your card number
Support correspondence Answering your questions and diagnosing issues

Information we collect automatically

Data Source
App version and OS version Sent with update checks and crash reports
Anonymous crash reports Sentry (you can opt out in Settings)
Subscription status Stripe webhooks
Last license-check timestamp Needed to enforce the 7-day offline grace period

We do not collect your task content, notes, calendar events, emails, or anything else you put into Thread — that data lives on your device.

Information our AI features send to third parties (only if you enable them)

If you turn on AI features (Phase 2+), any prompt you run plus the task context it references is sent to the AI provider you selected:

  • Anthropic (Claude) — if you bring an Anthropic key or use our hosted Claude option
  • OpenAI — if you bring an OpenAI key
  • OpenRouter — if you use our hosted fallback

We never send your data to an AI provider unless you explicitly trigger an AI action. You can turn AI features off at any time in Settings.

4. How we use the information

We use the information we collect to:

  1. Provide the Services — keep your license valid, deliver updates
  2. Process payments — through our processor, Stripe
  3. Communicate with you — transactional emails (receipts, trial warnings, release announcements). You can opt out of release announcements but not billing emails
  4. Improve Thread — aggregated, anonymous usage patterns from crash reports and update-check pings
  5. Protect the Services — detecting abuse, license fraud, and security incidents
  6. Comply with legal obligations — responding to lawful requests, enforcing our Terms

We don't use your information for advertising, tracking across other websites, or training AI models.

5. Sharing with service providers

We use a small set of vendors to operate Thread. Each one receives only the data they need to do their job, under a written data-processing agreement:

Vendor Purpose Data shared
Cloudflare Website hosting, update-manifest CDN IP address, request logs
Supabase Auth + license database Email, license metadata
Stripe Payment processing Email, card (tokenized)
Resend Transactional email delivery Email, name, send metadata
Sentry Crash reporting (opt-out) Stack traces, app version
Apple macOS notarization + App Store Connect Build metadata only
Anthropic / OpenAI / OpenRouter AI inference (opt-in only) Prompts you submit

We do not sell, rent, or trade your personal information.

6. Cookies and local storage

The conjuring.ai website uses only strictly-necessary cookies for authentication. We don't use advertising cookies or cross-site tracking pixels.

The Thread desktop app uses local storage (on your computer, not our server) to persist your tasks, settings, and a cached license token. A separate encrypted keychain entry holds your sign-in token via keytar.

7. Data retention

  • Account and license records: kept until you delete your account, plus 7 years if we're legally required to retain for tax/accounting.
  • Payment records: retained by Stripe per their schedule.
  • Crash reports: 90 days, then deleted.
  • Support correspondence: 2 years, then deleted.
  • Your task data: only on your device. Delete the app and the data goes with it.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you
  • Correct information that's inaccurate
  • Delete your personal information ("right to be forgotten")
  • Export your information in a portable format
  • Object to or restrict certain processing
  • Withdraw consent you previously gave
  • Lodge a complaint with your local data-protection authority

To exercise any of these rights, email privacy@conjuring.ai. We'll respond within 30 days. We'll never charge you for exercising a right granted by law.

California residents

California law gives you additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of "sale" or "sharing." We do not sell or share your personal information as those terms are defined. To submit a request, email privacy@conjuring.ai.

EU/UK/Swiss residents

Our lawful basis for processing under the GDPR/UK GDPR is:

  • Contract — to deliver the app you bought
  • Legitimate interests — to secure the service and prevent fraud
  • Consent — for optional AI features and release-announcement emails
  • Legal obligation — for tax and fraud-prevention retention

You have the right to withdraw consent at any time. Data is processed in the United States; we rely on Standard Contractual Clauses for transfers out of the EEA/UK.

9. Children

Thread is not directed to children under 16. We don't knowingly collect personal information from children. If you believe a child has given us personal information, email privacy@conjuring.ai and we'll delete it.

10. Security

We use industry-standard safeguards: TLS everywhere, encrypted databases at rest, short-lived auth tokens, OS-keychain storage on device, and the CSP/sandbox hardening described in our security documentation. No system is perfectly secure, but we take this seriously. Report vulnerabilities to security@conjuring.ai.

11. International data transfers

Our servers are in the United States. If you're in the EEA, UK, or Switzerland, your information will be transferred to and processed in the US under Standard Contractual Clauses.

12. Changes to this policy

We may update this policy to reflect changes in the Services or the law. When we make material changes, we'll notify you by email and show an in-app banner before the new policy takes effect. The "Last updated" date at the top always reflects the current version.

13. Contact

Questions about this policy or your data:

Conjuring.ai LLC privacy@conjuring.ai Security reports: security@conjuring.ai Web: conjuring.ai/legal/privacy