ThreadScope.

Privacy Policy

Last updated: 14 May 2026

1. Who we are

ThreadScope is operated by Venn Labs LLC, a Missouri limited liability company ("we", "us", "our"). ThreadScope is operated from the United States and is primarily intended for users in the United States. We are responsible for the data we collect and process through the service, including publicly available Reddit data that we fetch to provide our monitoring features.

For privacy inquiries, contact hello@threadscope.io.

2. What we collect

  • Account information - your email address and a hashed password. We never store your password in plain text.
  • Subreddit preferences - the subreddit names and search terms you configure.
  • Reddit public data - posts and comments from public subreddits, fetched via public archive APIs. We do not access private or restricted subreddits.
  • AI chat history - conversations with the AI assistant are stored to provide continuity within your session.
  • AI request and response logs - we log the prompts sent to and responses received from AI models, along with metadata (model, token counts, latency). These logs are used to evaluate response quality, debug issues, and refine how prompts are constructed. We do not use these logs to train, fine-tune, or otherwise modify any AI model. Logs are retained for up to 90 days.
  • AI usage - model selections, token counts, and costs for credit accounting.
  • API keys - if you connect via OpenRouter OAuth, the resulting API key is encrypted at rest with AES-256-GCM before storage.
  • Payment information - if you purchase a paid plan, payment details are processed and stored exclusively by our payment processor (Polar), who acts as the merchant of record. We do not store your payment card details.

3. Why we process your data

We process your personal data for the following reasons:

  • To provide the service - processing your account information, subreddit preferences, and AI chat data is necessary to deliver the functionality you signed up for.
  • Service quality and reliability - we analyse AI request and response logs to evaluate response quality and refine prompt construction; we use rate limiting and abuse detection to protect the service and its users; and we use error tracking to maintain service reliability.
  • Legal and tax obligations - we retain transaction records and usage data as required by tax and accounting laws.
  • With your consent - where you explicitly opt in to optional features such as email notifications. You may withdraw consent at any time.

4. How we use it

  • To provide and operate the service.
  • To send transactional emails (verification, password reset, notification digests).
  • To enforce rate limits and detect abuse.
  • To track AI credit usage and billing.
  • To evaluate AI response quality and refine prompt construction by analysing request and response logs.

We do not sell your data. We do not use your data for advertising. We do not use your data to train, fine-tune, or otherwise modify any AI model.

Our transactional emails (such as notification digests and password resets) comply with the CAN-SPAM Act. Every email includes our physical mailing address and a one-click unsubscribe mechanism. We do not send unsolicited marketing or promotional emails.

5. How we store it

All data is stored in a PostgreSQL database. Sensitive fields (API keys) are encrypted at rest with AES-256-GCM. Passwords are hashed with bcrypt. Sessions use signed, HTTP-only cookies. Data is encrypted in transit with TLS.

6. Data retention

We retain your data for as long as your account is active. When you delete your account, all associated data -- including subreddit preferences, tags, post status, chat history, AI credits, usage logs, AI request and response logs, and encrypted API keys -- is permanently removed within 30 days, except where retention is required by law (such as transaction records for tax purposes). The 90-day retention period for AI request and response logs described in Section 2 applies only to active accounts; account deletion overrides this retention period. AI system logs may temporarily retain references to Reddit content that was included in AI conversation context; these logs are automatically purged within 90 days.

7. Reddit public data and third-party individuals

ThreadScope fetches publicly available Reddit posts and comments, including usernames of their authors. This data is obtained from public archive APIs and was originally posted publicly by the authors on Reddit.

If you are a Reddit user whose post or comment appears in ThreadScope and you would like to request access to, correction of, or deletion of your data, please contact hello@threadscope.io with your Reddit username. We will respond within 30 days.

We periodically check whether Reddit posts and comments stored in our system have been deleted from Reddit. When we detect that content has been removed at its source, we delete it from our systems as well.

8. Third-party services

We use the following third-party services to operate ThreadScope. For a complete list with data types and security details, see our Sub-Processors page.

  • OpenRouter - LLM routing provider used for AI chat. Your messages are sent to OpenRouter, which routes them to the specific model provider you select (such as OpenAI, Anthropic, or Google). See our Sub-Processors page for the full list of downstream providers.
  • Polar - merchant of record and payment processor for subscriptions and credit purchases. Payment details are processed and stored by Polar.
  • Resend - transactional email delivery.
  • Arcjet - rate limiting and bot detection. Arcjet receives request metadata (IP, headers), not message content.
  • Sentry - error tracking. Sentry receives error reports and performance data, not message content.

9. Cookies

We use a single session cookie managed by Auth.js. It is HTTP-only and signed. We do not use analytics cookies, advertising cookies, or third-party tracking.

10. Your rights

Regardless of where you are located, we provide all users with the following rights:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Request a copy of your data in a portable format.
  • Object to or restrict processing of your data.
  • Withdraw consent at any time for consent-based processing.

You can delete your account and all associated data from the Account settings page at any time. For other requests, contact hello@threadscope.io. We will respond within 30 days.

11. US state privacy rights

If you are a resident of California, Virginia, Colorado, Connecticut, or another US state with a comprehensive consumer privacy law, you may have additional rights regarding your personal information:

  • Right to know/access - you may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to delete - you may request deletion of your personal information, subject to certain legal exceptions.
  • Right to correct - you may request correction of inaccurate personal information we hold about you.
  • Right to limit use of sensitive information - you may request that we limit the use of sensitive personal information to what is necessary to provide the service.
  • Right to opt out of automated decision-making - we do not engage in automated decision-making or profiling that produces legal or similarly significant effects.
  • Right to data portability - you may request a copy of your personal information in a portable format.
  • Right to non-discrimination - we will not discriminate against you for exercising any of your privacy rights.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers. The categories of personal information we collect are described in Section 2 above.

We are aware of the Global Privacy Control signal. Because ThreadScope does not sell personal information and does not engage in cross-context behavioral advertising, GPC signals do not trigger additional opt-out obligations for our service.

This section is provided to comply with applicable US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA).

To exercise your rights, contact hello@threadscope.io. We will respond within 30 to 45 days as required by applicable law.

12. International transfers

ThreadScope is operated from the United States. Your data is stored and processed in the United States and may also be processed in other countries where our sub-processors operate. By using the service, you acknowledge that your data will be transferred to and processed in these locations. For details on our sub-processors and their locations, see our Sub-Processors page.

13. Data breach notification

In the event of a security breach involving personal data, we will notify affected users and applicable regulatory authorities in accordance with applicable law. For users in the United States, we will comply with applicable state data breach notification laws, which generally require notification within 30 to 60 days of discovery. Notification will include a description of the incident, the types of information involved, and steps individuals can take to protect themselves.

14. Law enforcement and government requests

We may disclose personal data when required by law, subpoena, court order, or other legal process. When permitted by law, we will notify affected users before disclosing their data in response to a legal request, unless we are legally prohibited from doing so or we believe notification would create a risk of harm.

We evaluate each request to ensure it is legally valid and appropriately scoped. We do not provide law enforcement with direct access to our systems. All responses to legal requests are provided through our legal contact.

15. Children

ThreadScope is not intended for use by anyone under 16. We do not knowingly collect data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

16. Changes

If this policy changes, we will update the date at the top and notify registered users by email at least 30 days before material changes take effect. If you do not agree to the updated policy, you may delete your account before the changes take effect.

17. Contact

Version history

  • 14 May 2026 -- Initial version.