Privacy & Data Handling

How we protect your confidential legal information

Our Privacy Commitment

At Thea, we understand that you're working with highly confidential legal information. Privacy and security are not optional features—they're fundamental to how we built this product.

Data Storage & Location

EU-Based Infrastructure

All data is processed and stored exclusively within the European Union:

  • Primary hosting: European data centers
  • Document processing: EU-based servers only
  • AI processing: Azure OpenAI endpoints in EU regions
  • Backups: Encrypted backups within the EU

Your documents never leave European jurisdiction.

Encryption

Your data is protected with multiple layers of encryption:

  • In transit: TLS 1.3 encryption for all data transmission
  • At rest: AES-256 encryption for stored documents and databases
  • Backups: Encrypted backup storage with separate encryption keys

What We Collect

Account Information

To operate the service, we collect:

  • Email address (for account identification and recovery)
  • Display name (optional, for timeline version history)
  • Password (hashed and salted, never stored in plain text)
  • Account creation date

See "Why does Thea require an email address?" for details.

Usage Data

We collect minimal usage data for service operation:

  • Login activity (for security monitoring)
  • Feature usage (to understand what's working well)
  • Error logs (to identify and fix bugs)
  • Performance metrics (to optimize speed)

This data is aggregated and anonymized. We do not track individual user behavior for marketing purposes.

Your Documents

When you upload documents:

  • Files are encrypted immediately upon upload
  • Text is extracted in isolated, secure environments
  • Vector embeddings are created for AI search
  • Original files are stored encrypted in EU data centers

Important: Your documents are never used to train AI models. Your data remains yours.

Data Retention

Documents

  • Active projects: Retained until you delete them
  • Deleted items: Permanently removed within 30 days
  • Account deletion: All documents removed immediately

Timelines & Events

  • Stored indefinitely until you delete them
  • Deleted timelines removed within 30 days
  • Account deletion removes all timeline data immediately

Processing Data

  • Temporary processing files deleted within 24 hours
  • Vector embeddings deleted when documents are deleted
  • Cache data expires automatically

How We Use Your Data

We use your data solely to:

  1. Provide the service - Process documents, generate timelines, store your work
  2. Improve functionality - Identify bugs, optimize performance, develop features
  3. Communicate with you - Send password resets, respond to support requests, occasional product updates
  4. Ensure security - Monitor for suspicious activity, prevent abuse

We never:

  • Sell your data to third parties
  • Use your documents to train AI models
  • Share your information for marketing purposes
  • Access your documents without explicit permission

AI & Machine Learning

Azure OpenAI

Thea uses Azure OpenAI services for text analysis and timeline generation:

  • Data processing: Documents are processed in real-time, not stored by OpenAI
  • Model training: Your data is NOT used to train or improve AI models
  • EU endpoints: We use Azure OpenAI deployments hosted in EU regions
  • Microsoft commitment: Azure OpenAI has contractual data protection guarantees

Vector Embeddings

For AI-powered suggestions and search:

  • Text embeddings are created from your documents
  • Stored securely in a vector database (Supabase)
  • Used only for your account's features
  • Deleted when you delete documents

GDPR Compliance

Thea is fully GDPR compliant:

Your Rights

You have the right to:

  • Access your data (export timelines, download documents)
  • Rectify incorrect data (edit account info, timeline details)
  • Erase your data (delete account, remove documents)
  • Restrict processing (contact support for limitations)
  • Data portability (export your timelines and data)
  • Object to processing (opt out of optional features)

Our Role

  • Data Processor: We process data on your behalf to provide the service
  • Your Control: You remain the data controller for your uploaded documents
  • DPA Available: Data Processing Agreement available for enterprise clients

Data Protection Officer

For GDPR-related questions or to exercise your rights:

Email: privacy@patroonlabs.com

Security Measures

Technical Safeguards

  • End-to-end encryption for data transmission
  • Encrypted database storage
  • Secure authentication (Supabase Auth)
  • Regular security audits
  • Automated security monitoring
  • Isolated processing environments

Organizational Measures

  • Staff confidentiality agreements
  • Principle of least privilege (minimal access)
  • Regular security training
  • Incident response procedures
  • Vendor security assessments

Access Control

  • Only you can access your projects and timelines
  • Support staff cannot view your documents without explicit permission
  • Multi-factor authentication (coming soon)
  • Session management and automatic logout

Third-Party Services

Thea uses carefully selected third-party services, all GDPR compliant:

Supabase (Database & Auth)

  • Purpose: Database, authentication, file storage
  • Location: EU servers
  • Data: Account info, timelines, documents
  • Compliance: GDPR compliant, SOC 2 certified

Azure OpenAI (AI Processing)

  • Purpose: Text analysis, timeline generation
  • Location: EU endpoints
  • Data: Document text (temporary processing only)
  • Compliance: GDPR compliant, no data retention

All vendors:

  • Are contractually bound to protect your data
  • Process data only in the EU or with adequate safeguards
  • Have undergone security assessments
  • Maintain GDPR compliance certifications

Data Breaches

In the unlikely event of a data breach:

  1. Immediate response - Contain and assess the breach
  2. Notification - Inform affected users within 72 hours
  3. Authority reporting - Report to supervisory authorities as required
  4. Remediation - Take steps to prevent future incidents
  5. Transparency - Provide clear information about what happened

We maintain incident response procedures and conduct regular security drills.

Your Responsibilities

To maintain security:

  • Use a strong, unique password
  • Don't share your login credentials
  • Sign out on shared computers
  • Report suspicious activity immediately
  • Keep your contact email secure (for password resets)

Account Deletion

When you delete your account:

  1. Immediate: Access revoked, account marked for deletion
  2. Within 24 hours: All documents removed from active systems
  3. Within 30 days: Complete removal from backups and archives
  4. Permanent: Data is unrecoverable after deletion

See "Delete Account" for instructions.

Privacy Policy Updates

We may update this privacy policy as:

  • Features are added or changed
  • Legal requirements evolve
  • Security practices improve

Notification: You'll be notified of significant changes via email and in-app notice.

Review: Previous versions available upon request.

Questions About Privacy

For privacy-related questions or concerns:

Transparency

We believe in transparency about data handling. If you have questions about how your data is processed, stored, or used, please reach out. We're happy to provide additional details.
