Thinkn, Inc. ("Thinkn," "we," "us," or "our") operates the Thinkn Studio application and the Belief SDK (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy.
Beta Notice: The Service is currently in private beta. During the beta period, infrastructure, data schemas, and retention practices may change as we develop the platform. While we make reasonable efforts to preserve your data, we cannot guarantee long-term data availability or retention during this phase. Please review our Terms of Use for full details on beta conditions.
1. Information We Collect
Account Information
When you create an account, we collect your email address. If you sign in through a third-party provider (Google or GitHub), we also receive your name and profile picture URL from that provider.
Content You Create
The Service stores content you create, including documents, canvases, whiteboards, chat messages, and belief states. Belief states include claims, evidence, goals, knowledge gaps, confidence scores, and reasoning traces.
Usage Data
We record information about how you use the Service, including which AI models are invoked, token counts, computational costs, and which features you use. This data is associated with your account for billing and service operation purposes.
Device and Technical Data
For security-sensitive actions (such as login attempts, permission changes, and content sharing), we log your IP address, browser user agent, and the type of event in an audit log.
Cookies
We use a single authentication session cookie, managed by our authentication provider (Supabase). This cookie is HttpOnly and Secure (in production), uses SameSite=Lax, and expires after 7 days. We do not use advertising or tracking cookies.
Client-Side Storage
We use browser localStorage to temporarily back up unsaved document edits on your device. This data remains on your device and is cleared when the document is saved. We may also use IndexedDB to cache content locally for faster navigation, if you enable this feature.
Feedback
If you voluntarily submit feedback through the Service, we collect the feedback text, the page URL where you submitted it, and your browser user agent.
Uploaded Files
When you upload files to a workspace, we store the file contents along with metadata such as filename, file type, and file size. Uploaded documents may be processed to extract text and generate vector embeddings for search functionality.
2. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service — authenticate your account, store your content, and deliver features you use.
- Process content with AI — analyze your messages and content to extract beliefs, generate responses, and run agent workflows. See Section 3 for details.
- Maintain security — detect and prevent fraud, unauthorized access, and abuse through audit logging, rate limiting, and access controls.
- Improve the Service — monitor performance and reliability using anonymized metrics (via Vercel Speed Insights). We do not use third-party behavioral analytics, heatmaps, or session recording tools.
- Communicate with you — send account-related emails such as login links, invitation notifications, and policy updates.
3. AI and Machine Learning Processing
The core functionality of the Service involves processing your content with AI models. We believe in transparency about how this works.
Third-Party AI Providers
Your messages, conversation history, and contextual content are sent to third-party AI providers for processing. We currently use:
- Anthropic (Claude models) — for chat, belief extraction, and agent execution. See Anthropic's Privacy Policy.
- OpenAI — for alternative model selection and specific analytical tasks. See OpenAI's Privacy Policy.
We use these providers' API services. Thinkn does not use your content to train AI models. Each provider's own data practices, including whether they use API data for model training, are governed by their respective policies linked above.
Belief Extraction
When you interact with the Service, your content is automatically analyzed to extract structured beliefs — claims, evidence, confidence levels, goals, and knowledge gaps. This processing happens via the AI providers listed above.
Agent Execution
AI agents run inside isolated sandbox environments (Vercel microVMs). Each sandbox is ephemeral and process-isolated. Agent workspace state may be checkpointed for resumability, with snapshots stored in encrypted cloud storage.
Speech-to-Text
If you use voice input, audio is streamed directly from your browser to ElevenLabs for transcription. The audio stream does not pass through Thinkn servers. Thinkn's server only issues a short-lived authentication token to enable the connection. See ElevenLabs' Privacy Policy.
Web Research
When the Service performs research on your behalf, search queries may be sent to Exa, a third-party search provider, to retrieve relevant web content.
4. Information Sharing and Third Parties
We do not sell your personal information. We share information only in the following circumstances:
Service Providers
We use the following categories of service providers to operate the Service:
- AI processing — Anthropic, OpenAI (content processing as described in Section 3)
- Authentication and database — Supabase (account authentication, primary data storage, file storage)
- Infrastructure and hosting — Vercel (application hosting, agent sandbox execution, performance monitoring)
- Graph analytics — Neo4j (belief graph storage for reasoning queries; no personally identifiable information is stored in this system)
- Web research — Exa (search queries for research features)
- Speech services — ElevenLabs (voice-to-text transcription, as described in Section 3)
Third-Party Integrations
If you connect a third-party account (such as GitHub), we exchange authentication tokens with that provider to enable the integration. OAuth tokens are encrypted at rest and are never stored in plaintext. You can revoke integrations at any time from your account settings.
User-Initiated Sharing
When you create a share link for a document, canvas, session, or whiteboard, that content becomes accessible to anyone with the link. Share links expire after 7 days by default (maximum 30 days) and can be revoked at any time.
Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Thinkn, our users, or the public.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Your content (documents, canvases, beliefs, messages) | Until you delete it or close your account |
| Audit logs (security events) | 2 years (configurable by organization, minimum 1 year) |
| Tool execution logs | 90 days |
| Deleted content | 30-day grace period, then permanently removed |
| Authentication cookies | 7 days |
| Rate limiting counters | Ephemeral (1–24 hours, in-memory only) |
6. Data Security
We implement technical and organizational measures to protect your data, including:
- Row-Level Security enforced at the database level, ensuring users can only access data they are authorized to see.
- Encryption of integration tokens, OAuth credentials, and sensitive secrets. Tokens and API keys are stored as cryptographic hashes (SHA-256), not in plaintext.
- CSRF protection via origin validation, content-type enforcement, and custom request headers on all state-changing operations.
- Restrictive browser policies — we disable access to your camera, microphone, and geolocation via the Permissions-Policy header. We also opt out of interest-based advertising cohorts (FLoC/Topics).
- Secure cookies — authentication cookies are HttpOnly, Secure, and SameSite=Lax.
- Isolated execution — AI agents run in ephemeral, sandboxed microVMs with process and filesystem isolation.
No method of transmission or storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
7. Your Rights Under the GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data.
- Restriction — request that we restrict processing of your data.
- Portability — request your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@thinkn.ai. We will respond within 30 days.
Our legal bases for processing are: performance of a contract (providing the Service), legitimate interests (security, fraud prevention, service improvement), and consent (where applicable).
8. Your Rights Under the CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete — request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale — we do not sell personal information, so this right does not apply.
- Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@thinkn.ai.
9. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us at privacy@thinkn.ai and we will promptly delete it.
10. International Data Transfers
Your information is processed and stored in the United States through our infrastructure providers. If you are accessing the Service from outside the United States, your data will be transferred to, stored in, and processed in the United States.
For transfers from the EEA or UK, we rely on standard contractual clauses or other approved transfer mechanisms to ensure your data is protected in accordance with applicable data protection laws.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice within the Service prior to the change taking effect. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.
12. Contact
If you have questions about this Privacy Policy or your data, contact us at:
- Email: privacy@thinkn.ai
- Entity: Thinkn, Inc.