Privacy Policy
Effective Date: January 1, 2026
Last Updated: June 10, 2026
This Privacy Policy explains how Thread Inc. ("Thread," "we," "us," or "our") collects, uses, shares, and protects information in connection with MaXi, our AI-powered personal finance assistant, and our related websites, applications, and messaging services (collectively, the "Service").
MaXi connects to your financial accounts and email, analyzes your financial activity, and communicates with you over web chat and Apple iMessage. Because the Service handles sensitive financial information, please read this policy carefully. By using the Service, you agree to the practices described here.
The Service is intended only for individuals located in the United States who are 18 years of age or older.
1. Information We Collect
A. Information you provide to us
Identity and contact information: name, email address, phone number, and time zone.
Onboarding questionnaire responses, which may include: birth year, income range, total debt, investment holdings, emergency-fund status, retirement timeline, your stated financial goals and values, how you describe your relationship with money, and how you heard about us.
Payment-handle identifiers you choose to provide, such as Venmo, Zelle, or Cash App handles, used to generate payment-request links.
Cryptocurrency wallet addresses you choose to add for tracking.
Communications you send us, including chat messages and support requests.
B. Information collected automatically from your connected accounts
When you connect a financial account through Plaid or connect your email through Google, we receive:
Financial account data via Plaid: transaction history (merchant, amount, date, category, location, payment channel), account balances, account types, masked account numbers (last four digits), credit limits, interest rates (APRs), loans and other liabilities, and recurring subscriptions and charges.
Email-derived bill data via your Google account (read-only access): sender, subject, amounts, and due dates for messages our system identifies as bills or financial notices. We request read-only access and do not send email on your behalf.
C. Information generated by the Service
Conversation data: the full content of your conversations with MaXi, including your messages, MaXi's responses, and the internal tool actions MaXi takes to answer you.
AI-generated insights and profiles, including behavioral insights and a long-term preference and financial-behavior profile we maintain to personalize the Service.
D. Information collected through technology
Usage and device information, including IP address, browser/user-agent, and interactions with the Service.
Administrative and audit logs, including IP address and user agent associated with account activity.
Product analytics and session recordings. We use Amplitude for product analytics, which includes session-replay recordings of your interactions with our interfaces.
2. How We Use Information
We use the information above to:
provide, operate, and maintain the Service, including syncing and categorizing transactions, tracking balances, debts, and subscriptions, and detecting fees and notable financial events;
set budgets you create, calculate budget pacing (such as "safe to spend"), and send reminders you ask for;
generate payment-request links (e.g., Venmo/Zelle/Cash App) for bill splits, which you must act on — the Service does not move money;
send you the messages and proactive alerts described in Section 6 below;
personalize the Service and maintain MaXi's long-term memory of your preferences;
process your subscription and payments;
secure the Service, prevent fraud and abuse, and maintain audit logs;
comply with legal obligations and enforce our Terms of Service.
We do not use your financial data or conversation content to serve third-party advertising, and we do not sell your personal information (see Section 8).
3. AI and Automated Processing
MaXi is an automated, AI-powered assistant. When you message MaXi, you are interacting with software, not a human. To provide the Service, your information — including transaction data, your financial profile, and conversation content — is processed by third-party large-language-model providers (currently OpenAI and Anthropic; see Section 4).
MaXi's outputs, insights, categorizations, and any figures it presents (such as estimated savings) are automated estimates that may be incomplete or inaccurate. MaXi does not provide financial, investment, legal, or tax advice, and you should not rely on it as a substitute for a qualified professional. Your use of MaXi's outputs is governed by our Terms of Service.
4. How We Share Information — Service Providers and Sub-processors
We share information with the service providers ("sub-processors") below to operate the Service. Each receives only the information needed for its function and is contractually obligated to protect it.
Plaid Inc. — Financial account connectivity. Receives account credentials (entered into Plaid, not us), account and transaction data.
OpenAI — AI chat, categorization, and insights. Receives transaction data, financial profile, conversation content.
Anthropic — AI onboarding and messaging. Receives name, goals, questionnaire responses, phone number.
Mem0 — Long-term AI memory. Receives user identifier and conversation exchanges.
PropelAuth — Authentication. Receives email, identity, session data.
Stripe — Subscription billing. Receives customer and payment data (card data handled directly by Stripe).
Composio — Bill detection from email. Receives read-only inbox access and relevant email content.
Linq — iMessage delivery. Receives phone number, message content.
Resend — Transactional email. Receives email address and message content.
Amplitude — Analytics and session replay. Receives usage behavior, identity, session recordings.
Supabase — Database hosting. Stores all user data.
Vercel — Application hosting and scheduled jobs. Receives infrastructure-level data.
Cloudflare Workers — Scheduled reminders. Receives reminder data.
We may also share information: (a) to comply with law, legal process, or a government request; (b) to protect the rights, safety, and property of Thread, our users, or others; (c) in connection with a merger, acquisition, financing, or sale of assets, in which case we will notify you; and (d) with your direction or consent.
5. Third-Party Platforms and Their Terms
Your use of certain features is also subject to third parties' own terms and privacy practices:
Plaid. We use Plaid to connect your financial accounts. Information you provide through Plaid is governed by Plaid's End User Privacy Policy (https://plaid.com/legal/#end-user-privacy-policy). You can review and manage your Plaid connections at Plaid's Privacy Portal.
Google (Gmail). MaXi's use and transfer of information received from Google APIs to any other application will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including its Limited Use requirements. We request only read-only Gmail access, use it solely to detect and surface your bills and financial notices, do not transfer or use it for advertising, and do not allow humans to read it except as permitted under that policy (e.g., with your consent, for security, or as required by law).
Stripe. Payments are processed by Stripe under its own terms and privacy policy.
6. Messaging and Proactive Communications
The Service communicates with you over Apple iMessage, including:
Responses to messages and questions you send MaXi; and
Proactive, automated alerts that MaXi sends when it detects something it thinks you should know (for example, a possible bill split, a subscription price change, an unusual charge, or a spending spike).
Proactive messaging requires your explicit opt-in consent, which we obtain and document at signup. You can stop messages at any time by replying STOP, and get help by replying HELP. Data rates may apply. Full details, including frequency and consent terms, are in our Messaging Terms. We may also send you transactional emails (such as receipts and security notices) and, with your consent, promotional emails you can opt out of at any time.
7. How We Protect Information
We use technical and organizational measures designed to protect your information, including:
encrypting sensitive access credentials at rest — specifically your Plaid access tokens and Google OAuth tokens — using AES-256 encryption;
transmitting data over encrypted (TLS) connections, and encrypting chat messages in transit between your device and our servers;
hashing certain account identifiers;
isolating each user's data on a per-account basis; and
maintaining administrative audit logs.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
8. Your Privacy Rights and Choices
Choices available to all users
Disconnect a financial account, disconnect your email, or cancel your subscription at any time, independently of one another.
Mute or adjust proactive notifications, including per-biller muting and frequency controls.
Stop messages and emails. Reply STOP to stop iMessages, and use the unsubscribe link in any promotional email to opt out of marketing emails. Transactional messages necessary to operate the Service (such as billing and security notices) may continue while your account is active.
Delete your account. Deleting your account triggers deletion of your associated data, removal of your Plaid connections, cancellation of your Stripe subscription, and deletion of your stored AI memories, subject to Section 9.
Rights for California and other state residents
Depending on your state of residence (e.g., California, Virginia, Colorado, Connecticut), you may have the right to: know or access the personal information we hold about you; request correction; request deletion; obtain a portable copy of your information; and opt out of the "sale" or "sharing" of personal information and certain profiling. We do not sell your personal information or share it for cross-context behavioral advertising.
Some of your financial and questionnaire data may be considered sensitive personal information. We use it only to provide the Service and do not use or disclose it for purposes requiring a right to limit under applicable law.
To exercise any right, contact us at privacy@usethread.io. We will verify your request and respond within the time required by law. You may also designate an authorized agent. We will not discriminate against you for exercising your rights. [COUNSEL: confirm whether a data-export mechanism exists; if not, one must be built to satisfy access/portability requests. See Section 9.]
9. Data Retention
We retain your information for as long as your account is active. After you delete your account, we delete or de-identify your personal information within [30] days, and purge it from routine backups within [90] days, except where we must retain certain records to comply with legal, tax, accounting, or fraud-prevention obligations (for example, payment and transaction records may be retained for up to [7] years). We retain conversation logs for [the life of your account / a defined period — to be set].
10. Children's Privacy
The Service is not directed to and may not be used by anyone under 18. We do not knowingly collect personal information from minors. If we learn we have done so, we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service or by email and update the "Last Updated" date above.
12. Contact Us
Thread Inc.
1111B S Governors Ave # 6141
Dover, DE 19904
Email: privacy@usethread.io
