Privacy Policy

Last updated: April 16, 2026

1. Introduction

This Privacy Policy describes how Thalian, LLC ("Thalian," "we," "us," or "our") collects, uses, and protects information when you use the Thalian platform ("Service"). We are committed to protecting your privacy and handling your data transparently.

2. Information We Collect

Account Information

• Email address
• Name (if provided)
• Google account information (if using Google OAuth sign-in)
• Workspace name and configuration

Customer Data (from connected integrations)

When you connect third-party platforms, Thalian syncs data including:

• Identities: User accounts, roles, MFA status, group memberships, last login dates
• Applications: SaaS apps, SSO configuration, OAuth grants, license assignments
• Devices: Managed endpoints, compliance status, encryption state, OS versions
• Entitlements: Access relationships between identities and applications
• Audit events: Platform-specific logs (sign-in events, admin actions) where available

Integration Credentials

• API tokens, OAuth tokens, and other authentication credentials you provide to connect platforms
• These are encrypted with AES-256-GCM before storage. Plaintext is never saved to the database

HR Data (if HR integration connected)

When you connect an HR system (Rippling, BambooHR), Thalian syncs employment status, start and termination dates, department, job title, and manager relationships. This data is used solely to enable offboarding gap detection and identity lifecycle analysis across connected platforms.

Usage Data

• Pages visited within the app
• Analysis runs triggered
• AI conversation history (within your workspace)
• Remediation actions taken

Technical Data

• Browser type and version
• IP address (for session management and optional IP allowlisting)
• Error reports via Sentry (10% trace sampling)

3. How We Use Your Information

Purpose	Data Used
Provide the Service	Customer Data, Account Information
Generate findings and analysis	Customer Data (processed by AI engine)
AI conversations	Workspace context, conversation history
Account management	Account Information, Usage Data
Security and fraud prevention	Technical Data, IP addresses
Error monitoring	Technical Data (via Sentry)
Billing	Account Information (via Stripe)

4. AI Data Processing

How AI Analysis Works

• The AI engine processes your workspace data to generate findings, insights, and recommendations
• When you use the AI chat feature, relevant workspace context (identities, applications, findings, etc.) is included in prompts sent to AI providers

Third-Party AI Providers

We use Anthropic (Claude API) as our AI provider for analysis and chat.

AI Data Commitments

• Your data is not used to train AI models by our providers (per their API terms)
• AI prompts contain workspace-scoped data only. No cross-tenant data is included
• Anthropic processes prompts in real time for AI inference and may retain inputs for up to 30 days for trust & safety review purposes; this data is not used for model training
• AI conversation history is stored within your workspace and subject to your plan's data retention period
• We do not share AI outputs with other customers

For a detailed breakdown of what data enters AI prompts, what is excluded, human oversight controls, and accuracy limitations, see our AI Transparency page.

5. Data Storage and Security

Where Data Is Stored

• Database: Supabase (PostgreSQL), hosted in the United States (AWS us-east-1)
• Application: Cloudflare Pages and Workers (global edge network; customer data at rest remains US-only)

Security Measures

• AES-256-GCM encryption for integration credentials at rest
• TLS 1.2 or higher for all data in transit
• Row Level Security (RLS) on all database tables
• Workspace-scoped queries at both application and database layers
• SHA-256 hashed, immutable audit logs
• Configurable session timeouts and MFA enforcement

Full details in our Security & Trust page.

6. Data Retention

Data Type	Free Plan	Pro Plan	Enterprise
Customer Data	7 days	1 year	Unlimited
AI conversation history	7 days	1 year	Unlimited
Audit logs	365 days minimum	365 days minimum	365 days minimum
Account information	Duration of account	Duration of account	Duration of account

Data exceeding the retention window is automatically deleted. Audit logs are exempt from automated deletion. Minimum 365-day retention regardless of plan. Upon account deletion, audit logs are anonymized (PII removed) and retained for an additional 12 months for legal and compliance purposes, then permanently deleted. Upon account termination, all other data is retained for 30 days and then permanently deleted.

7. Data Sharing

We do not sell your data. We share data only in these circumstances:

Recipient	Purpose	Data Shared
Anthropic	AI inference (Claude API)	Workspace context in AI prompts
Stripe	Payment processing	Billing information
Loops	Transactional and lifecycle email	Account email, display name, workspace plan
Sentry	Error monitoring	Technical error data (PII scrubbed; no Customer Data)
Supabase	Database hosting	All Customer Data (encrypted at rest)
Cloudflare	Application hosting and CDN	Request routing metadata
Plain.com	Support chat widget	Name, email, support conversation content

The complete sub-processor registry is available at thalian.ai/security. We may also disclose data if required by law, court order, or to protect our legal rights.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of your data (available via workspace export)
• Correction: Update your account information at any time
• Deletion: Request deletion of your account and data
• Portability: Export your workspace data as JSON
• Objection: Object to processing of your data for specific purposes

To exercise these rights, submit a data request or email privacy@thalian.ai.

California Residents (CCPA)

• We do not sell personal information
• We do not share personal information for cross-context behavioral advertising
• You have the right to know, delete, and opt-out

European Residents (GDPR)

• Our legal basis for processing is contract performance (providing the Service) and legitimate interest (security, fraud prevention)
• For data processing on behalf of your organization, see our Data Processing Agreement
• You have the right to lodge a complaint with your local data protection authority

9. Cookies

The Thalian platform uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or analytics cookies. We respect your browser's Do Not Track settings.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to workspace administrators. The "Last updated" date at the top indicates the most recent revision.

12. Contact

For privacy questions or data requests, contact us at:

Thalian, LLC
privacy@thalian.ai
thalian.ai

← Back to home