Skip to main content

Privacy Policy & Data Practices

Last updated: February 2026

1. Information We Collect

We collect information you provide directly to us, including:

  • Name and contact information
  • Company information
  • Account credentials
  • Payment information (processed securely by Stripe)
  • Communications with us

2. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our services
  • Process transactions and send related information
  • Send technical notices, updates, and support messages
  • Respond to your comments and questions
  • Improve our services and develop new features

3. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. All data is encrypted in transit and at rest.

4. Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Opt out of marketing communications

5. Your Rights Under GDPR

If you are located in the European Union or European Economic Area, you have specific rights under GDPR, including:

  • Right to be informed: Clear information about how we use your data (this policy)
  • Right of access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing: Limit how we use your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Opt out of certain data uses including marketing

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Active account data: Retained while your account is active
  • Inactive accounts: Data deleted after 2 years of inactivity
  • Payment records: Retained for 7 years for tax and legal compliance
  • Analytics data: Anonymized after 26 months

When we no longer need your data, we securely delete or anonymize it in accordance with our data retention policies.

7. International Data Transfers

Thalamus AI is based in the United States. If you access our services from outside the US, your data may be transferred to, stored, and processed in the United States or other countries where our servers or service providers are located. We ensure appropriate safeguards are in place to protect your data during these transfers, including:

  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Adequacy decisions where applicable
  • Data Processing Agreements with all third-party processors

8. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us immediately and we will delete such information.

9. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify active users via email for material changes
  • Display a prominent notice on our website

We encourage you to review this policy periodically to stay informed about how we protect your data.

10. Related Policies

For more information about how we protect your data and use cookies, please review our related policies:

11. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your data, please contact us:

We aim to respond to all privacy-related inquiries within 48 hours. For formal GDPR requests, we will respond within 30 days as required by law.