Privacy Policy
Last updated · June 2026
ThreadScanner is built privacy-first. The desktop application analyzes email on your own machine; the contents of the messages you analyze are not transmitted to ThreadScanner. This Privacy Policy explains the limited personal data that ThreadScanner LLC (“ThreadScanner,” “we,” “us”) processes in connection with this website, account purchases, and software licensing, and the choices you have.
1. The short version
- Email content stays on your device. The app does not send the emails, attachments, or raw MIME you analyze to our servers.
- We collect only what we need to run the website, process a purchase, deliver and verify a license, and provide support.
- We don’t sell your data and we don’t run advertising or third-party tracking on this site.
- Cloud AI is opt-in and bring-your-own-key. When you enable a cloud AI provider in the app, requests go directly from your machine to the provider you chose, under their terms.
2. Who we are
The data controller is ThreadScanner LLC (doing business as ThreadScanner). For privacy questions, data-subject requests, or to reach our security team, contact admin@threadscanner.ai or, for security matters, security@threadscanner.ai.
3. Information we process
3.1 Website & “Request access” form
When you submit the waitlist / request-access form, we collect the email address and any optional details you provide (company, team size, use case). This is delivered to our inbox so we can contact you about access. The site itself does not use cookies, analytics, or third-party tracking pixels. Standard request metadata (IP address, user agent, approximate country, referrer) is processed transiently to deliver the message and guard against abuse.
3.2 Purchases & billing
Payments are processed by Stripe. When you buy a subscription, you provide your payment details directly to Stripe; we do not receive or store your full card number. We receive limited billing data from Stripe — such as your email, subscription tier, seat quantity, billing status, and Stripe customer / subscription identifiers — to create and maintain your license.
3.3 Licensing & seat registration
To issue and validate a license we maintain a license registry that stores: a license identifier, tier, seat count, organization name (if provided), the purchaser’s email, status, and the associated Stripe identifiers. The desktop app may perform a periodic license verification (sending the license key and a hashed machine fingerprint) and a soft seat registration that records a per-device identifier and an optional device name so we can show how many seats a license is using. Seat enforcement is “soft”: we report usage but do not block the app.
3.4 Software updates
When the app checks for updates it contacts our update endpoint and sends its current version. As with any internet request, the connecting IP address is visible to our CDN provider. Update artifacts are cryptographically signed and verified by the app before installation.
3.5 Email content analyzed in the app
Email messages, attachments, and raw MIME that you analyze are processed locally and stored only on your device (subject to the retention you configure in the app). They are not transmitted to ThreadScanner. If you explicitly enable a cloud AI advisor, a redacted summary — not the full message body, unless you turn on full-content mode — is sent from your machine directly to the AI provider you configured, using your own API key.
4. How we use this information
- To respond to access requests and provide the service.
- To process payments, issue licenses, and prevent license abuse.
- To deliver software updates and license/receipt emails.
- To provide support and to secure and improve the service.
- To comply with legal obligations.
We rely on the legal bases of performance of a contract (providing the product you purchased), legitimate interests (security, abuse prevention, product operation), consent (the waitlist form, optional cloud AI), and compliance with legal obligations, as applicable.
5. Sub-processors
We use a small number of trusted service providers to operate the service. We do not authorize them to use your data for their own purposes.
- Cloudflare, Inc. — website & Functions hosting, license registry storage (D1), and the update CDN (processes connection metadata, license data, and version).
- Stripe, Inc. — payment processing and subscription billing (processes your payment and billing details).
- Resend (Plus Five Five, Inc.) — transactional email delivery for waitlist, license, and support messages (processes recipient email and message contents).
- Apple, Inc. — macOS notarization of the signed build (processes build artifact hashes, transiently). Note: Developer ID signing and notarization are being finalized ahead of general availability.
- Optional cloud AI providers you enable yourself (e.g. Google, OpenAI, Anthropic, Mistral) — only when you turn them on, using your own API key, sending a redacted prompt directly from your machine under that provider’s terms.
Enterprise customers can request a current sub-processor list and a Data Processing Agreement (DPA). We will give advance notice before adding a new sub-processor that processes customer personal data.
6. Data sharing
We do not sell your personal data and we do not share it for cross-context behavioral advertising. We share data only with the sub-processors above, where required by law, or in connection with a merger or acquisition (with notice).
7. Retention
We keep waitlist submissions until they are no longer needed for the beta program or you ask us to delete them. License and billing records are retained for the life of the license and as required for tax, accounting, and legal purposes. On-device data (scan history, raw MIME, secrets) is retained on your machine according to the retention settings you choose in the app, and you can delete it at any time.
8. Security
We use industry-standard safeguards including TLS in transit, a signature-verified auto-update channel, and storage of secrets in OS-native vaults (macOS Keychain / Windows DPAPI) on your device. Developer ID code-signing and Apple notarization of application builds are being finalized ahead of general availability. No method of transmission or storage is perfectly secure, but we work to protect your information and to notify affected customers of any material incident without undue delay.
9. International transfers
Our providers may process data in the United States and other countries. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses. Enterprise customers may request EU-region processing for certain sub-processors.
10. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing. To exercise any of these, email admin@threadscanner.ai. We will respond within the time required by applicable law. You also have the right to lodge a complaint with your local data protection authority.
11. Children
ThreadScanner is a business tool and is not directed to children. We do not knowingly collect personal data from anyone under 16.
12. Changes to this policy
We may update this policy from time to time. We will revise the “Last updated” date above and, for material changes, provide additional notice where appropriate.
13. Contact
ThreadScanner LLC
Privacy & support: admin@threadscanner.ai
Security: security@threadscanner.ai