Privacy Policy

1. What Thremark collects

• Marks (saved facts) — stored on your device and synced to our server using an anonymous device ID (not your Apple ID or personal account). Server-side storage powers AI memory features like semantic search, contradiction detection, and cross-fact connections. No personally identifiable information is tied to your marks on the server. You can delete all server data at any time from Settings.
• Chat messages — stored on your device and synced to our server (by anonymous device ID) to enable multi-device access and chat history. Messages are forwarded to AI providers (OpenAI, Google Gemini) to generate responses. Server-stored messages are automatically purged after 90 days.
• Anonymous session — a device-generated UUID to manage your API session. No name, email, or Apple ID is sent to our server. All server-side data is linked only to this anonymous device ID.
• Apple ID (optional) — if you choose Sign in with Apple, your name and email are stored only on your device for display purposes. Your Apple ID is used for subscription management through Apple but is not stored on our server.
• Files — AI-generated files (documents, summaries, plans) are stored on your device and synced to our server (by anonymous device ID) to enable features like cross-device access and server-side search. You can delete all server data at any time from Settings.
• Notifications & Reminders — if you ask Thremark to remind you about something, push notifications may be scheduled on our server and delivered via Apple Push Notification service (APNs). Your device token (anonymous) and reminder details are stored on the server until delivered, then automatically deleted. No personal information is tied to notifications.
• Thinking models — when you select a thinking model (o4-mini, o3), your message is sent to OpenAI reasoning API. The model generates internal reasoning tokens that are not stored. Only the final response is returned to you.
• Photos & Camera — if you attach images to a chat, they are compressed on-device and sent to the AI provider for analysis. Images are not stored on our servers.
• Microphone & Voice AI — if you use voice input or Voice AI conversations, audio is streamed to Google Gemini Live API or OpenAI Realtime API for real-time processing, or to OpenAI Whisper for speech-to-text transcription. Audio is not stored on our servers after processing is complete. Voice conversations can auto-extract marks (facts) and create files, just like text chats.

2. How data is stored

• On your device — marks, chats, messages, and files are stored locally using SwiftData (Apple's on-device database). This data never leaves your device unless you use features that require server sync.
• On our server — marks, chats, messages, and files are synced to our server (Cloudflare D1 database) using your anonymous device ID. This enables AI memory features, cross-device access, and intelligent search. No personally identifiable information is stored — only the anonymous device UUID generated on first launch.
• Semantic search index — marks are embedded as numerical vectors (Cloudflare Vectorize) for semantic search. Each user's vectors are isolated by device ID namespace.
• Retention — messages on our server are automatically purged after 90 days. Marks and files remain until you delete them. Deleting data in Settings removes it from both your device and our server.

3. Third-party services

• OpenAI API — processes chat messages to generate responses, including reasoning models (o3, o4-mini). Subject to OpenAI Privacy Policy.
• Google Gemini API — alternative AI provider. Subject to Google Privacy Policy.
• Tavily Search API — when you use Web Search, your query is sent to Tavily to retrieve real-time results. Subject to Tavily Privacy Policy.
• Google Gemini Live API — default provider for Voice AI conversations. Audio is streamed to Google for real-time processing. Subject to Google Privacy Policy.
• OpenAI Realtime API — alternative Voice AI provider (available for Plus and Pro). Audio is streamed to OpenAI for real-time processing. Subject to OpenAI Privacy Policy.
• Cloudflare — our server infrastructure. Data is stored in Cloudflare D1 (database) and Cloudflare Vectorize (semantic search). Subject to Cloudflare Privacy Policy.
• GitHub (optional) — if you connect GitHub Sync (Plus/Pro), your marks and files are pushed to a private GitHub repository you own. Your GitHub OAuth token is stored on our server. You can disconnect at any time from Settings. Subject to GitHub Privacy Statement.
• Sentry — crash reporting and performance monitoring for the iOS app. No personal data, message content, or marks are included. Subject to Sentry Privacy Policy.

4. Data we do NOT collect

• We do not sell, share, or monetize your personal data.
• We do not track your location.
• We do not use advertising SDKs or trackers.
• We do not collect your name, email, or Apple ID on our server.
• We do not use cross-app tracking (IDFA is not used).

5. Your rights

• Delete all data — available in Settings at any time. Permanently removes all marks, chats, messages, and files from your device AND from our server (D1 database and Vectorize index). This action is irreversible.
• Delete account — if you signed in with Apple, you can delete your account from Settings. This signs you out, removes all local data, deletes all server-side data linked to your device ID, and resets the app to its initial state.
• Export — you can export your marks via the share sheet.
• No account required — Thremark works without signing in. Sign in with Apple is optional.
• GDPR & CCPA — if you are in the EU or California, you have the right to access, correct, or delete your data. Contact us at the email below.

6. Analytics

Thremark uses privacy-friendly analytics to improve the product:

• Website: Plausible Analytics (plausible.io) — cookie-free, no personal data collected, compliant with GDPR/CCPA. Tracks page views and referral sources only. PostHog (posthog.com) — anonymous product analytics for website improvement. No personal data or cross-site tracking.
• iOS app: PostHog (posthog.com) — anonymous usage metrics (screen views, feature usage, session length). No personal information, message content, or marks are included. No cross-app tracking (IDFA is not used). No ATT prompt required. Sentry — crash reports only. No user content included.

All analytics data is aggregated and anonymous. You cannot be personally identified through analytics.

7. Children

Thremark is not intended for children under 13. We do not knowingly collect data from children.

8. Changes

We may update this policy as features ship. Material changes will be noted here with an updated date.