Privacy Policy
Effective date: March 4, 2026 · Last updated: March 12, 2026
Thought Free ("we", "us", or "our") is operated by WholenessMedia. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our application at thoughtfree.io.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws of the European Union and the Republic of Lithuania.
1. Data Controller
The data controller responsible for your personal data is:
WholenessMedia
Email: support@thoughtfree.io
2. Data We Collect
2.1 Account Data
When you sign in with Google OAuth, we receive your email address and display name from Google. We do not receive or store your Google password.
2.2 Thoughts & Content
The core of Thought Free is your captured thoughts — text notes, voice recordings, images, and links. This content is stored in our database (Supabase) and synchronized across your devices. A full copy is also stored locally on your device in IndexedDB for offline access.
2.3 Diary Entries
If you use the diary feature, we store your mood ratings, energy levels, focus areas, and reflections. These are synced to our database.
2.4 AI Processing
When you use AI-powered features (auto-classification, research, summaries, pipelines), your thought content is sent to third-party AI providers for processing:
- OpenRouter (routing to Claude by Anthropic) — for classification, research, and summaries
- OpenAI — for generating text embeddings used in semantic search
These providers process your data according to their respective privacy policies and data processing agreements. We do not use your data to train AI models.
2.5 Voice Transcription
If you use voice capture, your audio stream is sent to Deepgram for real-time transcription. We do not store the raw audio — only the resulting text transcript is saved as a thought.
2.6 Billing Data
If you subscribe to a paid plan, payment processing is handled by RevenueCat (revenuecat.com) via Stripe (web) or Google Play (Android). RevenueCat handles subscription management and payment routing. We do not store your credit card number, expiration date, or CVV.
2.7 Kindle Delivery
If you use the Send-to-Kindle feature, we generate an EPUB file from your thoughts and send it via email through Resend to your Kindle email address. Your Kindle email address is stored only for delivery purposes.
2.8 Cover Image Generation
For EPUB cover images, we may send the title and category of your export to Replicate for AI image generation. No personal content from your thoughts is included in cover generation prompts.
2.9 Audit Trail
For security and compliance, we log certain data mutations along with your IP address and user agent. These logs are used solely for security investigations and are not shared with third parties.
2.10 Local Storage & Analytics
We store data locally on your device using IndexedDB (full thought database for offline access) and localStorage (drafts, preferences, theme settings).
We use Google Analytics 4 for aggregate usage statistics (page visits and feature usage). Google Analytics operates in Consent Mode with analytics storage denied by default — meaning no analytics cookies are set and no persistent identifiers are stored. In this mode, Google Analytics processes data without personal identifiers and provides only aggregate statistics. Legal basis: legitimate interest (Art. 6(1)(f)).
We do not use tracking cookies or advertising cookies.
2.11 API Usage Monitoring
We log metadata about your use of AI-powered features (token counts, response times, model used) for cost management and service quality. This data is associated with your user ID and retained for 180 days. No thought content is stored in these logs — only aggregate metadata. Legal basis: legitimate interest (Art. 6(1)(f)).
2.12 Error Tracking
We use Sentry for error tracking. When an error occurs, Sentry collects technical data (error message, stack trace, browser type). All user content is masked — your thoughts and diary entries are never sent to Sentry. Legal basis: legitimate interest (Art. 6(1)(f)).
3. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6):
- Contract performance (Art. 6(1)(b)) — Processing necessary to provide the Thought Free service you signed up for: storing thoughts, syncing data, AI classification.
- Legitimate interest (Art. 6(1)(f)) — Security logging, audit trails, API usage monitoring, and error tracking to protect your account, manage costs, and maintain service quality.
- Consent (Art. 6(1)(a)) — Optional features like voice transcription, AI research, Kindle delivery, and cover image generation are initiated by your explicit action.
4. Third-Party Data Processors
We use the following third-party services to operate Thought Free:
| Service | Purpose | Data Region |
|---|---|---|
| Supabase | Database, authentication, file storage | US / EU (configurable) |
| Vercel | Application hosting | Global edge network |
| OpenRouter / Anthropic | AI classification, research, summaries | US |
| OpenAI | Text embeddings for semantic search | US |
| Deepgram | Voice transcription | US |
| RevenueCat | Subscription management & payment processing | US |
| Resend | Email delivery (Kindle) | US |
| Replicate | AI cover image generation | US |
| Google Analytics | Aggregate usage analytics (cookieless mode) | US (SCCs) |
| Sentry | Error tracking | US / EU (SCCs) |
Where data is transferred outside the EU/EEA, these providers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as permitted under GDPR Chapter V.
5. Data Retention
- Thoughts and diary entries — Retained until you delete them or delete your account. Soft-deleted items (trash) are permanently purged after 30 days.
- Audit logs — Retained for 90 days, then automatically pruned.
- Classification logs — Retained for 30 days, then automatically pruned.
- API usage logs — Retained for 180 days, then automatically pruned.
- Account data — Retained until you request account deletion.
- Local data — Stored on your device until you clear your browser data or uninstall the app.
6. Your Rights Under GDPR
As an EU resident, you have the following rights regarding your personal data:
- Right of Access (Art. 15) — You can request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16) — You can correct inaccurate personal data directly in the app (edit thoughts, update profile) or by contacting us.
- Right to Erasure (Art. 17) — You can delete individual thoughts and diary entries from the app. To delete your entire account and all associated data, contact us at support@thoughtfree.io.
- Right to Data Portability (Art. 20) — You can export your data at any time using the built-in export feature (JSON, Markdown, or Obsidian vault format).
- Right to Restrict Processing (Art. 18) — You can request that we limit how we process your data by contacting us.
- Right to Object (Art. 21) — You can object to processing based on legitimate interest by contacting us.
- Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent (e.g., optional AI features), you can withdraw consent at any time by simply not using those features.
To exercise any of these rights, contact us at support@thoughtfree.io. We will respond within 30 days as required by GDPR.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted via TLS/HTTPS
- Database access is protected by Row-Level Security (RLS) — each user can only access their own data
- API keys are stored as SHA-256 hashes, never in plaintext
- Server-side operations use service role keys with minimal required permissions
- Audit logging tracks all sensitive data mutations
8. Children's Privacy
Thought Free is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will promptly delete it.
9. Cookies
We do not use tracking cookies or advertising cookies. Google Analytics operates in Consent Mode with analytics storage denied, meaning no analytics cookies are set. No cookie consent banner is required as we do not set any cookies (GDPR Recital 30, ePrivacy Directive Art. 5(3)).
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via an in-app notification or email. The "Last updated" date at the top of this page reflects the most recent revision.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For the Republic of Lithuania, this is:
State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)
Website: vdai.lrv.lt
Email: ada@ada.lt
12. Contact Us
If you have any questions about this Privacy Policy or your personal data, contact us at: