ThreadScope.

Data Processing Addendum

Last updated: 14 May 2026

This Data Processing Addendum ("DPA") supplements the ThreadScope Terms of Service and describes the commitments ThreadScope makes when processing the data you submit to the service. ThreadScope is responsible for publicly available Reddit data it fetches to provide the service. For the data you submit (account information, preferences, tags, AI chat content), this DPA describes how we handle it on your behalf.

1. Definitions

  • "Controller" - the entity determining purposes and means of processing.
  • "Customer Data" - all data submitted to the service by the customer.
  • "Data Protection Laws" - all applicable data protection and privacy legislation, including US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, and others) and any other applicable international data protection laws.
  • "Personal Data" - customer data relating to identified or identifiable natural persons.
  • "Processor" - the entity processing personal data on behalf of the controller.
  • "Security Incident" - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • "Sub-processor" - any third party engaged by the Processor to process personal data on behalf of the Controller.

2. Relationship of parties

ThreadScope (Venn Labs LLC) is responsible for publicly available Reddit data it collects and processes to provide the service. For the data you submit to the service (such as your account information, preferences, and AI chat content), ThreadScope processes it to provide and operate the service as described in the Terms of Service. ThreadScope will process your submitted data only as necessary to provide the service or as required by applicable law.

3. Processing of personal data

3.1 Purpose limitation

ThreadScope will process personal data only to:

  • Provide the service as described in the Terms of Service.
  • Comply with your documented instructions.
  • Comply with applicable laws.

3.2 Duration

Processing continues for the duration of your use of the service and for up to 30 days after account termination, as necessary to complete deletion and fulfill legal obligations.

4. Confidentiality

ThreadScope ensures that all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is limited to personnel who require it to perform their duties.

5. Security measures

5.1 Technical measures

  • Encryption at rest (AES-256-GCM for sensitive fields).
  • Encryption in transit (TLS).
  • Password hashing (bcrypt).
  • Signed, HTTP-only session cookies.
  • Rate limiting and bot detection (Arcjet).
  • Error tracking and monitoring (Sentry).

5.2 Organizational measures

  • Access on a need-to-know basis.
  • Confidentiality obligations for all personnel with access to personal data.
  • Security incident response procedures.
  • Regular dependency updates and security patches.

6. Sub-processors

6.1 Authorized sub-processors

You consent to ThreadScope's use of the sub-processors listed on our Sub-Processors page. ThreadScope imposes data protection obligations on each sub-processor no less protective than those in this DPA.

6.2 New sub-processors

  • We will provide at least 30 days' advance notice by email before adding new sub-processors.
  • You have 14 days from the date of notice to object with reasonable grounds.
  • If the objection cannot be resolved, you may terminate your account and we will refund any prepaid fees covering the remainder of the subscription period.

7. Data subject rights

ThreadScope assists you with data subject requests for access, rectification, erasure, portability, restriction, and objection, taking into account the nature of the processing. We will notify you promptly if we receive a data subject request directly and will not respond to it without your instructions, unless legally required to do so. Contact hello@threadscope.io to initiate a request.

8. Security incidents

ThreadScope will notify you without undue delay upon becoming aware of a Security Incident affecting your personal data, and in any event within the timeframes required by applicable law. The notification will include:

  • The nature of the incident, including where possible the categories and approximate number of data subjects and records affected.
  • The likely consequences of the incident.
  • The measures taken or proposed to address the incident, including measures to mitigate its possible adverse effects.
  • The name and contact details of the point of contact for further information.

9. International transfers

Personal data may be transferred to and processed in the United States and other countries where our sub-processors operate. ThreadScope is operated from the United States. By using the service and agreeing to this DPA, you acknowledge and consent to the transfer of personal data to the jurisdictions where our sub-processors are located. For details on sub-processor locations, see our Sub-Processors page.

10. Audit

ThreadScope will make available to you all information reasonably necessary to demonstrate compliance with the obligations in this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audits are subject to the following conditions:

  • You must provide at least 30 days' written notice of any audit request.
  • Audits may be conducted no more than once per 12-month period, unless required by a regulatory authority.
  • Audits must be conducted during normal business hours and must not unreasonably disrupt ThreadScope's operations.
  • You bear the costs of any audit, except where the audit reveals material non-compliance by ThreadScope.

11. Data deletion

Upon termination of your account, ThreadScope will delete all personal data within 30 days, except where retention is required by applicable law (such as transaction records for tax purposes). You can initiate account deletion at any time from the Account settings page. At your request, we will provide written confirmation of deletion.

Annex I: Details of processing

A. List of parties

Customer: The individual or entity who has agreed to the ThreadScope Terms of Service and this DPA.

Service provider: Venn Labs LLC, a Missouri limited liability company operating the ThreadScope service. 1302 Platte Falls Rd Ste D #429, Platte City, MO 64079, United States. Contact: hello@threadscope.io.

B. Description of processing

Categories of data subjects: The customer (account holder) and, indirectly, authors of public Reddit posts and comments fetched by the service.

Categories of personal data: Email addresses, hashed passwords, subreddit preferences, search/tag configurations, AI chat messages, AI request/response logs, AI usage metadata, encrypted API keys, and publicly available Reddit usernames, post content, and comment content.

Sensitive data: None intentionally collected. Public Reddit posts may incidentally contain sensitive information posted by their authors.

Frequency of processing: Continuous, for the duration of the customer's use of the service.

Nature of processing: Collection, storage, retrieval, use (including AI analysis), and deletion.

Purpose of processing: To provide the ThreadScope service as described in the Terms of Service, including Reddit monitoring, AI-assisted analysis, and notification delivery.

Retention period: For the duration of the customer's account, plus up to 30 days after account deletion. AI request/response logs are retained for up to 90 days.

Annex II: Technical and organisational measures

The following measures are implemented to protect personal data:

Encryption

  • All data encrypted in transit using TLS.
  • Sensitive fields (API keys) encrypted at rest using AES-256-GCM.
  • Passwords hashed using bcrypt with an appropriate cost factor.

Access control

  • Signed, HTTP-only session cookies for authentication.
  • Access to production systems limited to a need-to-know basis.
  • No shared credentials for infrastructure access.

Availability and resilience

  • Application hosted on managed infrastructure with automated scaling (Railway).
  • Database backups maintained by the hosting provider.
  • Rate limiting and bot detection (Arcjet) to prevent abuse and ensure availability.

Monitoring

  • Error tracking and performance monitoring (Sentry).
  • Regular dependency updates and security patches.

Data minimisation

  • Only publicly available Reddit data is fetched; no private or restricted subreddit access.
  • Payment card details are never stored; processed exclusively by the merchant of record (Polar).
  • AI request/response logs retained for a maximum of 90 days.

Annex III: List of sub-processors

The current list of authorised sub-processors is maintained on our Sub-Processors page, which includes each sub-processor's name, location, purpose, data types processed, and security measures. Changes to the sub-processor list are communicated by email with at least 30 days' advance notice.

12. Contact

Version history

  • 14 May 2026 -- Initial version.