Legal

Privacy Policy

Last updated: March 2026 · Version 1.0 · Applies to thoughtportal.app
Contents
  1. Who we are
  2. What data we collect
  3. How we use your data
  4. Aggregated & anonymised data
  5. How we share your data
  6. Data retention
  7. Your rights (GDPR)
  8. Cookies & tracking
  9. Security
  10. Children
  11. Changes to this policy
  12. Contact & complaints

Plain-language summary: Thought Portal is a personal intelligence platform. You give us your thoughts; we process them to give you self-insights. We protect your raw data. We may use aggregated, non-identifiable behavioural and pattern data for business purposes, including sharing with partners or successors. Your raw text is never sold or shared with third parties without your consent.

1. Who we are

Thought Portal is operated by Thought Portal B.V. (or its legal predecessor/successor entity), hereinafter referred to as "Thought Portal", "we", "us", or "our". We are the data controller for all personal data processed under this policy.

For questions about this policy or your data, contact us at privacy@thoughtportal.app.

2. What data we collect

We collect data that you provide directly and data that is generated automatically through your use of the platform.

2.1 Data you provide

CategoryExamplesLegal basis
Account dataEmail address, password (hashed), display nameContract performance (Art. 6(1)(b) GDPR)
Thought contentText entries submitted via app or Telegram botContract performance; Consent (Art. 6(1)(a))
Billing dataPayment method (tokenised), subscription statusContract performance; Legal obligation
Communication dataSupport messages, feedback submissionsLegitimate interest (Art. 6(1)(f))

2.2 Data generated automatically

CategoryExamplesLegal basis
Scored metadataValence score, agency score, activation score, MPS (Mental Power Score)Contract performance
Semantic vectors1536-dimensional embedding representation of thought contentContract performance
Behavioural patternsSubmission frequency, time-of-day patterns, theme clusters, synapse connectionsLegitimate interest
Technical dataIP address, device type, browser, session data, error logsLegitimate interest

3. How we use your data

We use your data to operate and improve the platform. Specifically:

  • Deliver core features — scoring thoughts, generating your Mind View, detecting semantic synapses, clustering themes, synthesising your Inner Voice.
  • Personalise your experience — trend analysis, MPS tracking, weekly narratives, and AI-generated insights tailored to your patterns.
  • Manage your account — authentication, subscription management, billing, and customer support.
  • Improve the platform — analyse usage patterns, fix bugs, develop new features, train and improve our AI models using aggregated and anonymised data.
  • Communicate with you — transactional emails (account, billing), product updates (where opted in), and security notifications.
  • Comply with legal obligations — fraud prevention, tax obligations, and responding to lawful requests from authorities.

4. Aggregated & anonymised data

We process your data to generate aggregated, statistical, and anonymised derivatives — information that cannot be reasonably used to identify you. These may include:

  • Population-level emotional and cognitive patterns (e.g. average valence across user segments)
  • Thematic cluster frequencies and co-occurrence statistics
  • Anonymised behavioural models and engagement metrics
  • De-identified semantic embeddings and pattern libraries
  • Derived insights and statistical models that do not contain or reflect personal data

Anonymised and aggregated data is not personal data under GDPR. We may use, licence, share, monetise, and otherwise exploit such data for any lawful business purpose — including commercial partnerships, platform development, research, and business transactions — without restriction and without further notice to you. Your raw thought content and personal identifiers are never included in such data.

We maintain strict technical and organisational safeguards to ensure that anonymisation is robust and irreversible before any data is used for these purposes.

5. How we share your data

We do not sell your personal data. We share personal data only in the following circumstances:

5.1 Service providers (data processors)

We use trusted third-party sub-processors to operate the platform. All are bound by data processing agreements ensuring GDPR compliance:

  • Supabase Inc. — database and authentication hosting (EU region)
  • Google LLC (Gemini API) — AI scoring and labelling of thought content
  • OpenAI Inc. — semantic embedding generation
  • ElevenLabs Inc. — voice synthesis for the Inner Voice feature
  • Vercel Inc. — platform hosting and delivery
  • Stripe Inc. — payment processing
  • Telegram Messenger Inc. — optional bot-based thought input
  • n8n GmbH — workflow automation (self-hosted)

5.2 Business transfers

If Thought Portal is involved in a merger, acquisition, investment round, asset sale, or other corporate transaction, your data — including personal data — may be transferred to the relevant third party as part of that transaction. We will notify you via email and/or a prominent notice on the platform prior to your personal data becoming subject to a different privacy policy. You may request deletion of your data before any such transfer takes effect.

5.3 Aggregated & anonymised data

As described in Section 4, we may share aggregated and anonymised data with third parties — including commercial partners, investors, and research collaborators — at our discretion. No personal data is included in such transfers.

5.4 Legal requirements

We may disclose personal data if required by law, court order, or regulatory authority, or if necessary to protect the rights, property, or safety of Thought Portal, its users, or the public.

5.5 With your consent

We may share data in other ways with your explicit prior consent.

6. Data retention

We retain your personal data for as long as your account is active or as necessary to provide services. Specifically:

  • Free plan users: Thought content and associated metadata are retained for 7 rolling days. Account data is retained for the lifetime of the account.
  • Pro plan users: All data retained for the lifetime of the subscription plus 12 months following cancellation.
  • After deletion: Upon account deletion, personal data is purged within 30 days. Anonymised and aggregated derivatives may be retained indefinitely.
  • Legal holds: We may retain certain data longer where required by law (e.g. financial records for 7 years under Dutch tax law).

7. Your rights (GDPR)

If you are in the European Economic Area or United Kingdom, you have the following rights regarding your personal data:

  • Right of access — request a copy of all personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your personal data
  • Right to restriction — request that we restrict processing of your data
  • Right to data portability — receive your data in a machine-readable format (JSON/CSV available via account settings)
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at privacy@thoughtportal.app. We will respond within 30 days. We may ask you to verify your identity before processing your request.

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl if you believe we are not processing your data lawfully.

8. Cookies & tracking

We use strictly necessary cookies to enable core platform functionality (authentication sessions). We do not use third-party advertising cookies or cross-site tracking cookies.

We may use analytics tools to collect anonymised usage data (e.g. page views, feature usage) for the purpose of product improvement. Where required by law, we will obtain your consent before setting non-essential cookies.

9. Security

We apply industry-standard technical and organisational security measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest for all personal data
  • Row-level security policies on all database tables
  • Access controls limited to authorised personnel on a need-to-know basis
  • Regular security reviews and dependency audits

No method of electronic transmission or storage is 100% secure. In the event of a personal data breach, we will notify affected users and relevant supervisory authorities as required under GDPR (within 72 hours where applicable).

10. Children

Thought Portal is not directed at children under 16 years of age. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or by posting a notice on the platform at least 14 days before the changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

The version number and date at the top of this page always reflect the current version.

12. Contact & complaints

For any questions, requests, or concerns about this policy or our data practices, contact our privacy team:

Questions about your data?

We're committed to transparency. Reach out and we'll respond within 2 business days.

privacy@thoughtportal.app →