Privacy Policy
Effective date: March 4, 2026 · Last updated: June 13, 2026
Thought Free ("we", "us", or "our") is operated by WholenessMedia. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our application at thoughtfree.io.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws of the European Union and the Republic of Lithuania.
1. Data Controller
The data controller responsible for your personal data is:
WholenessMedia
Email: support@thoughtfree.io
2. Data We Collect
2.1 Account Data
You can sign in with Google, with a magic link, or with an email address and password. When you sign in with Google, we receive your email address and display name from Google — we do not receive or store your Google password. For email/password sign-in, your password is stored only as a salted hash by our authentication provider (Supabase) and is never visible to us.
2.2 Thoughts & Content
The core of Thought Free is your captured thoughts — text notes, voice recordings, images, and links. This content is stored in our database (Supabase) and synchronized across your devices. A full copy is also stored locally on your device in IndexedDB for offline access.
2.3 Diary Entries (Health & Special-Category Data)
If you use the diary feature, we store your mood ratings, energy levels, focus areas (which may include sleep, nutrition, movement, and finances), and reflections. Because this can reveal information about your health and wellbeing, we treat diary entries as special-category data under GDPR Article 9 and process them only on the basis of your explicit consent (Art. 9(2)(a)), which you give by choosing to use the diary. Diary entries are synced to our database and stored locally on your device.
Your diary is never sent to AI providers. Unlike your captured thoughts, diary entries are deliberately excluded from all AI processing — including weekly insights, automated pipelines, and semantic search. They are never transmitted to OpenRouter, OpenAI, or any other third-party AI service. You can withdraw consent at any time by deleting your diary entries or your account.
2.4 AI Processing
When you use AI-powered features (auto-classification, research, summaries, pipelines), your thought content is sent to third-party AI providers for processing:
- OpenRouter (routing to Claude by Anthropic) — for classification, research, and summaries
- OpenAI — for generating text embeddings used in semantic search
These providers process your data according to their respective privacy policies and data processing agreements. We instruct our AI providers not to retain or train on your content: every request is sent with a provider data-collection policy of "deny," which restricts routing to providers that do not store or train on the input. We never use your data to train AI models. As noted in section 2.3, your diary entries are never sent to AI providers — only captured thoughts are processed when you use an AI feature.
2.5 Voice Transcription
If you use voice capture, your audio stream is sent to Deepgram for real-time transcription. We do not store the raw audio — only the resulting text transcript is saved as a thought.
2.6 Billing Data
If you subscribe to a paid plan, payment processing is handled by RevenueCat (revenuecat.com) via Stripe (web) or Google Play (Android). RevenueCat handles subscription management and payment routing. We do not store your credit card number, expiration date, or CVV.
2.7 Kindle Delivery
If you use the Send-to-Kindle feature, we generate an EPUB file from your thoughts and send it via email through Resend to your Kindle email address. Your Kindle email address is stored only for delivery purposes.
2.8 Cover Image Generation
For EPUB cover images, we may send the title and category of your export to Replicate for AI image generation. No personal content from your thoughts is included in cover generation prompts.
2.9 Audit Trail
For security and compliance, we log certain data mutations along with your IP address and user agent. These logs are used solely for security investigations and are not shared with third parties.
2.10 Local Storage & Analytics
We store data locally on your device using IndexedDB (full thought database for offline access) and localStorage (drafts, preferences, theme settings).
We use Google Analytics 4 for aggregate usage statistics (page visits and feature usage). Google Analytics operates in Consent Mode with analytics storage denied by default — meaning no analytics cookies are set and no persistent identifiers are stored. In this mode, Google Analytics processes data without personal identifiers and provides only aggregate statistics. Legal basis: legitimate interest (Art. 6(1)(f)).
We do not use tracking cookies or advertising cookies.
2.11 API Usage Monitoring
We log metadata about your use of AI-powered features (token counts, response times, model used) for cost management and service quality. This data is associated with your user ID and retained for 180 days. No thought content is stored in these logs — only aggregate metadata. Legal basis: legitimate interest (Art. 6(1)(f)).
2.12 Error Tracking
We use Sentry for error tracking. When an error occurs, Sentry collects technical data (error message, stack trace, browser type). All user content is masked — your thoughts and diary entries are never sent to Sentry. Legal basis: legitimate interest (Art. 6(1)(f)).
2.13 Push Notifications
If you enable notifications (such as reminders or your weekly summary), we store a device notification token to deliver them. On the web this uses the browser's standard Web Push service; in the Android app, delivery is handled by Firebase Cloud Messaging (Google). Only the notification token and the message content needed for delivery are processed — you can turn notifications off at any time in Settings. Legal basis: consent (Art. 6(1)(a)).
2.14 Infrastructure & Rate Limiting
To keep the service reliable and prevent abuse, we may use Upstash Redis as a short-lived cache for rate-limiting counters. This stores only your user ID and request metadata transiently — never your thought or diary content. Legal basis: legitimate interest (Art. 6(1)(f)).
3. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6):
- Contract performance (Art. 6(1)(b)) — Processing necessary to provide the Thought Free service you signed up for: storing thoughts, syncing data, AI classification.
- Legitimate interest (Art. 6(1)(f)) — Security logging, audit trails, API usage monitoring, and error tracking to protect your account, manage costs, and maintain service quality.
- Consent (Art. 6(1)(a)) — Optional features like voice transcription, AI research, Kindle delivery, cover image generation, and push notifications are initiated by your explicit action.
- Explicit consent for special-category data (Art. 9(2)(a)) — Diary entries that may reveal health or wellbeing information are processed only on the basis of the explicit consent you give by choosing to use the diary feature. They are never sent to AI providers.
4. Third-Party Data Processors
We use the following third-party services to operate Thought Free:
| Service | Purpose | Data Region |
|---|---|---|
| Supabase | Database, authentication, file storage | US / EU (configurable) |
| Vercel | Application hosting | Global edge network |
| OpenRouter / Anthropic | AI classification, research, summaries | US |
| OpenAI | Text embeddings for semantic search | US |
| Deepgram | Voice transcription | US |
| RevenueCat | Subscription management & payment processing | US |
| Resend | Email delivery (Kindle) | US |
| Replicate | AI cover image generation | US |
| Google Analytics | Aggregate usage analytics (cookieless mode) | US (SCCs) |
| Firebase Cloud Messaging (Google) | Push notification delivery (Android) | US (SCCs) |
| Upstash | Rate-limiting cache (transient metadata) | EU / US (configurable) |
| Sentry | Error tracking | US / EU (SCCs) |
Where data is transferred outside the EU/EEA, these providers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as permitted under GDPR Chapter V.
5. Data Retention
- Thoughts and diary entries — Retained until you delete them or delete your account. Soft-deleted items (trash) are permanently purged after 30 days.
- Audit logs — Retained for 90 days, then automatically pruned.
- Classification logs — Retained for 30 days, then automatically pruned.
- API usage logs — Retained for 180 days, then automatically pruned.
- Account data — Retained until you delete your account (Settings → Danger Zone → Delete account, or by request), after which it is permanently erased from our servers.
- Local data — Stored on your device until you clear your browser data or uninstall the app.
6. Your Rights Under GDPR
As an EU resident, you have the following rights regarding your personal data:
- Right of Access (Art. 15) — You can request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16) — You can correct inaccurate personal data directly in the app (edit thoughts, update profile) or by contacting us.
- Right to Erasure (Art. 17) — You can delete individual thoughts and diary entries from the app at any time. To erase your entire account, open Settings → Danger Zone → Delete account: this permanently removes all of your data from our servers — thoughts, diary entries, attachments, embeddings, and preferences — along with your account itself. The action is immediate and irreversible. You can also contact us at support@thoughtfree.io if you prefer. Note that a paid subscription must be cancelled separately in the App Store or Play Store, as store billing is managed by Apple/Google.
- Right to Data Portability (Art. 20) — You can export your data at any time using the built-in export feature (JSON, Markdown, or Obsidian vault format).
- Right to Restrict Processing (Art. 18) — You can request that we limit how we process your data by contacting us.
- Right to Object (Art. 21) — You can object to processing based on legitimate interest by contacting us.
- Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent (e.g., optional AI features), you can withdraw consent at any time by simply not using those features.
To exercise any of these rights, contact us at support@thoughtfree.io. We will respond within 30 days as required by GDPR.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted via TLS/HTTPS
- All data at rest is encrypted (AES-256) by our infrastructure providers
- Database access is protected by Row-Level Security (RLS) — each user can only access their own data
- API keys are stored as SHA-256 hashes, never in plaintext
- Server-side operations use service role keys with minimal required permissions
- Audit logging tracks all sensitive data mutations
8. Children's Privacy
Thought Free is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will promptly delete it.
9. Cookies
We do not use tracking cookies or advertising cookies. Google Analytics operates in Consent Mode with analytics storage denied, meaning no analytics cookies are set. No cookie consent banner is required as we do not set any cookies (GDPR Recital 30, ePrivacy Directive Art. 5(3)).
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via an in-app notification or email. The "Last updated" date at the top of this page reflects the most recent revision.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For the Republic of Lithuania, this is:
State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)
Website: vdai.lrv.lt
Email: ada@ada.lt
12. Contact Us
If you have any questions about this Privacy Policy or your personal data, contact us at: