ThesisOSBack to Home

Privacy Policy

Last updated: March 14, 2026

1. Introduction

ThesisOS (“Company,” “we,” “us”) operates ThesisOS.ai (the “Platform”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Platform. By using ThesisOS, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, and password when you create an account
  • Business Configuration Inputs: Business type, budget, timeline, description, and all responses to onboarding questions
  • Payment Information: Processed securely by Stripe, Inc. We do not store full credit card numbers, CVVs, or bank account details on our servers
  • Communications: Any messages, feedback, or support requests you send us

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent, click patterns, and navigation paths
  • Device Information: Browser type, operating system, device identifiers, screen resolution
  • Network Information: IP address, approximate geolocation (city/region level), ISP
  • Cookies & Tracking: Session cookies for authentication, analytics cookies (see Section 7)

2.3 Information Generated by AI Processing

When you use the Platform, your inputs are processed by AI language models to generate business plans, strategies, projections, and deliverables. The AI processes your business type, budget, timeline, feature preferences, target audience, monetization choices, and description to produce outputs. Your inputs may be used to improve the quality and accuracy of AI-generated outputs across the Platform, but will be aggregated and anonymized before use in model training.

3. How We Use Your Information

We use collected information for the following purposes:

  • Service Delivery: To generate business plans, process payments, and provide core Platform functionality
  • Account Management: To authenticate your identity, manage subscriptions, and communicate account-related information
  • Platform Improvement: To analyze usage patterns, diagnose technical issues, and improve features
  • AI Model Improvement: Anonymized and aggregated inputs may be used to improve AI output quality
  • Communication: To send service updates, security alerts, and (with your consent) marketing communications
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Fraud Prevention: To detect, prevent, and address abuse, fraud, and security threats

4. How We Share Your Information

We do not sell your personal information. We may share data with:

  • Service Providers: Stripe (payments), Supabase (database/auth), Vercel (hosting), OpenAI/Anthropic (AI processing) — all bound by data processing agreements
  • Legal Requirements: When required by law, subpoena, court order, or government request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you explicitly authorize a specific disclosure

5. Data Retention

We retain your account data and generated business plans for as long as your account is active. After account deletion, we retain anonymized usage analytics for up to 24 months for Platform improvement. Payment records are retained as required by financial regulations (typically 7 years). You may request deletion of your personal data at any time (see Section 8).

6. Data Security

We implement industry-standard security measures including: TLS encryption in transit, AES-256 encryption at rest, secure authentication via Supabase Auth, PCI-DSS compliant payment processing via Stripe, regular security audits, and access controls based on the principle of least privilege. However, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

7. Cookies & Tracking Technologies

We use the following types of cookies:

  • Essential Cookies: Required for authentication and core functionality. Cannot be disabled.
  • Analytics Cookies: Help us understand usage patterns and improve the Platform. Can be opted out.
  • Preference Cookies: Store your UI preferences (theme, layout settings).

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Platform.

8. Your Rights

8.1 GDPR Rights (EU/EEA Residents)

Under the General Data Protection Regulation, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data (“right to be forgotten”)
  • Restriction: Request limitation of processing
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Where processing is based on consent, withdraw at any time

Legal Basis for Processing: We process your data based on: (a) contract performance (service delivery), (b) legitimate interests (Platform improvement, security), and (c) consent (marketing communications).

8.2 CCPA Rights (California Residents)

Under the California Consumer Privacy Act, you have the right to:

  • Know: What personal information we collect, use, and disclose
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the “sale” of personal information (we do not sell personal information)
  • Non-Discrimination: Not be discriminated against for exercising your rights

Categories of Information Collected: Identifiers (name, email, IP), commercial information (purchase history), internet activity (usage data), and inferences (AI-generated business profiles).

8.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@thesisOS.ai. We will respond within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.

9. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. For EU/EEA residents, we ensure adequate safeguards for international transfers through Standard Contractual Clauses (SCCs) and data processing agreements with all sub-processors.

10. Children’s Privacy

ThesisOS is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or Platform notification at least 30 days before they take effect. Your continued use after changes constitutes acceptance.

12. Contact Us

For privacy-related inquiries, data requests, or complaints:

If you are an EU/EEA resident and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.