Privacy Policy
Last updated: May 20, 2026
This Privacy Policy explains what personal data we collect when you use Thruwise, why we collect it, who we share it with, how long we keep it, and what rights you have. It is intended to satisfy the information requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the CPRA.
1. Who we are
2. Personal data we collect
We collect and process the categories of personal data described below.
Data you provide when creating an account
- email address;
- display name (provided by you, or imported from your Google account when you sign in with Google);
- avatar image (uploaded by you or imported from your Google account).
Profile data you optionally add
- handle, bio, website, social profile URLs (X, Indie Hackers, LinkedIn).
Content you create on the service
- problems you post (requests);
- Experience Notes you write under other people's requests;
- private messages you send (one-shot contact forms, including the reason, questions, and the contact details you choose to share);
- signal clicks (I need this, I've been through this, I know someone) and content flags.
Technical and usage data
- authentication and session information (handled by Supabase, including session cookies);
- event records for rate limiting and abuse prevention (action type, timestamp, your user id) — see our Terms section on acceptable use;
- aggregated traffic measurement via Vercel Analytics. Vercel Analytics is privacy-friendly: it does not set cookies or build cross-site fingerprints, and we do not receive raw IP addresses.
- transactional email metadata (delivery status of magic-link and private-message notification emails) from our email provider Resend.
3. How we use your data and legal bases
We process personal data only when we have a legal basis to do so. For users in the EEA and UK, the bases under GDPR Art. 6(1) are as follows.
To provide the service (Art. 6(1)(b))
To create and manage your account, render the wall, store and display your content, route private messages, and send the transactional emails the service depends on.
Legitimate interest in a usable, safe service (Art. 6(1)(f))
To moderate content, enforce rate limits, prevent abuse, run community flagging and admin review, measure traffic in aggregate, debug, and improve the product. We have weighed our interests against yours and concluded these uses are necessary and proportionate.
To comply with legal obligations (Art. 6(1)(c))
To retain records required by tax, accounting, or law-enforcement obligations, and to respond to lawful requests from competent authorities.
Consent (Art. 6(1)(a))
We rely on consent only where it is required and we have asked for it explicitly. You may withdraw consent at any time; this does not affect the lawfulness of processing carried out before the withdrawal.
4. Who we share data with
We do not sell your personal data and we do not share it with advertising networks. We share data only with the service providers (sub-processors) we need to operate Thruwise:
- Supabase, Inc. — authentication, database, and file storage. Database hosted in the European Union.
- Vercel, Inc. — frontend hosting and privacy-friendly traffic analytics (United States).
- Resend, Inc. — transactional email delivery (United States).
- Google LLC — only when you choose to sign in with Google. We receive your name, email, and avatar from Google; we do not access any other Google account data.
We may also disclose data when required by law, in response to valid legal process, or to protect the rights, safety, or property of users or the public.
5. International transfers
6. How long we keep data
- Account and profile data: for as long as your account is active.
- Content you post: until you remove it or your account is deleted; some hidden or removed content may be retained for a limited period for moderation review and dispute handling.
- Private messages: until you or the other participant request deletion, or for up to 24 months after the conversation ends.
- Event logs for rate limiting and security: up to 90 days.
- After account deletion: we delete or anonymise personal data within 30 days, except where longer retention is required by law (for example, tax records).
7. Your rights under GDPR (EEA / UK)
If you are located in the EEA, the UK, or Switzerland, you have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you;
- Rectification — ask us to correct inaccurate or incomplete data;
- Erasure — ask us to delete your personal data;
- Restriction — ask us to restrict processing in defined circumstances;
- Portability — receive your data in a structured, machine-readable format;
- Objection — object to processing based on our legitimate interests;
- Withdraw consent — where processing is based on consent;
- Complain to a supervisory authority — for example the Polish Personal Data Protection Office (UODO) or the supervisory authority in your country of residence.
To exercise these rights, email hello@thruwise.com. We will respond within one month and may ask you to verify your identity.
8. Your rights under CCPA / CPRA (California)
If you are a California resident, you have the following rights in respect of personal information we collect:
- Right to know what categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties we share with;
- Right to delete personal information we have collected, subject to permitted exceptions;
- Right to correct inaccurate personal information;
- Right to opt out of sale or sharing of personal information — Thruwise does not sell or "share" personal information for cross-context behavioural advertising;
- Right to limit use of sensitive personal information — we do not use sensitive categories beyond what is necessary to provide the service;
- Right to non-discrimination — we will not deny service, charge different prices, or otherwise penalise you for exercising any of these rights.
To exercise these rights, email hello@thruwise.com. We may request information necessary to verify your identity before acting. Authorised agents may make requests on your behalf subject to written authorisation.