Legal
Privacy Policy
Last updated: June 29, 2026
This Privacy Policy explains how BaseThread LLC, the California limited liability company that operates BaseThread ("BaseThread," "we," "us"), collects, uses, and protects your information when you use our website and Service. By using the Service you agree to this Policy.
1. Information we collect
- Account information: your name, email, and profile details when you sign up (including via Google sign-in).
- Your Content: the workspaces, activity and decisions ledger entries, files, and other data you and your team create in the Service.
- Usage and device data: how you interact with the Service, plus technical data such as browser, device, and IP address, collected through analytics and error-monitoring tools.
- Communications: messages you send us, including support requests and feedback.
- AI provider key (optional): if you supply your own AI provider API key, we store it encrypted and use it only to process your content on your behalf. You can remove it at any time.
2. How we use your information
We use your information to provide, secure, maintain, and improve the Service; to operate core features including cross-member harmonization and semantic search; to communicate with you; and to comply with legal obligations.
3. AI processing
To provide features like harmonization and search, your content is processed by Anthropic (and, if you supply your own key, the AI provider whose key you provide), and by Voyage AI for embeddings. Your content is not used to train AI models. It is processed only to provide the Service to you. When you connect an external AI tool such as ChatGPT or Claude Code, that tool's provider also processes your context under their own privacy policy, outside our control.
4. Connected data sources
How your tools' context reaches BaseThread: the AI tools you connect (such as Claude, Cursor, or ChatGPT) read your sources using their own access and write the distilled signal into your BaseThread workspace over MCP. In this flow BaseThread does not connect to those tools itself and does not hold their credentials. If you choose to connect a data source directly to BaseThread, an optional capability, BaseThread reads and distills only the content you authorize, stores the distilled output plus a source pointer rather than a full copy, and lets you disconnect at any time.
5. Domain and company discovery
We use your email domain to suggest your company's existing workspace and to let colleagues on the same domain see that a workspace exists and request access. We do not expose its contents. During the beta, your email domain may also be used for access gating.
6. How we share information
We do not sell your personal information. To run the Service we rely on a small set of trusted subprocessors: Supabase, Vercel, Cloudflare (DNS and CDN), Anthropic, Voyage AI, Paddle, Resend, Sentry, PostHog, Aptabase, and Google (for sign-in and Workspace connections). Each is bound to protect your data and use it only to provide its service to us. This list may change with notice. We may also disclose information when required by law or in connection with a business transfer.
7. Cookies and analytics
We use a small number of cookies and similar technologies, including product analytics and error monitoring, to operate and improve the Service. Our analytics tools are PostHog (product), GA4 and Vercel Web Analytics (website), Aptabase (desktop app), and Sentry (errors). Product analytics may be associated with your account. Where required, we ask for your consent before setting non-essential cookies. You can manage your preferences through our cookie notice or your browser settings.
8. Data retention
We retain your information while your account is active. Inactive solo accounts go through reminders, then a temporary lock, then deletion after notice to the account email. Content you contributed to a shared team workspace stays with that workspace if you leave or are deleted. File revision history is kept to a bounded number of versions, and live-edit presence is ephemeral. Ledger history may be subject to plan limits; data beyond a Free plan's history window is locked, not deleted, and is restored if you upgrade. You can request deletion of your account and associated data at any time (see Your rights); we process deletion requests within a reasonable period, though residual copies may remain in backups for a limited window before they are purged. Because the Service is in beta, please keep your own backups.
9. Security
We protect your data with measures including encryption in transit and at rest, role-based access controls, and row-level security. If you supply an AI provider API key, we store it encrypted. If a data breach affects your personal information, we will notify affected users without undue delay as required by law. No system is perfectly secure, and we cannot guarantee absolute security, particularly during beta.
10. Your rights
Depending on where you live (including under GDPR and CCPA), you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. We do not sell personal information. To exercise any right, contact us.
11. Cookie details
Essential cookies are required for the Service to function (such as keeping you signed in). Analytics and monitoring cookies help us understand usage and fix problems; where required, these are set only with your consent. You can withdraw consent at any time.
12. International transfers
Your data is primarily processed in the United States (Supabase us-west-1 and Vercel sfo1). For users outside the United States, we rely on appropriate safeguards for such transfers where required.
13. Children
The Service is not directed to anyone under 18, and we do not knowingly collect data from children under 13.
14. Changes
We may update this Policy. If we make material changes, we will take reasonable steps to notify you. The "Last updated" date reflects the latest version.
15. Contact
Privacy questions or requests: contact us.
Data Processing Agreement
BaseThread LLC is the data controller. A DPA is available on request, contact us.