Privacy Policy for Thalora

Last Updated: February 10, 2026

1. Introduction

Welcome to Thalora ("we," "our," or "us"). Thalora is an AI-powered personal timeline and decision analysis tool designed to help you visualize your life's journey. We are committed to protecting your privacy and ensuring you have control over your data.

This Privacy Policy explains how we collect, use, and protect your information when you use our application (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.

Disclaimer: This document is effective as of the Last Updated date and may be updated from time to time.

2. Our Philosophy: "Deep Ocean" Privacy

Thalora is built with a "Local-First / Cloud-Hybrid" architecture. This means:

  • Your Journal is Yours: Your timeline nodes, goals, and chat history are stored locally in your browser's memory (sessionStorage) by default. We do not automatically sync this data to our servers.
  • Cloud for Services: We only transmit data to the cloud when necessary for specific features (e.g., Authentication, Payments, or AI Analysis) and only as described below.

3. Information We Collect

A. Information You Provide to Us

  • Account Information: When you sign up, we collect your email address and authentication credentials via Supabase (our backend provider).
  • Payment Information: If you subscribe to a paid plan, our payment processor, Stripe, collects your payment details. We do not store your full credit card information.
  • Feedback & Support: If you contact us via our support forms, we collect your email and the content of your message (processed via Resend).

B. Information We Collect Automatically

  • Usage Data: We track AI token usage (input/output tokens) linked to your account to enforce subscription limits.
  • Device Information: Standard server logs (IP address, browser type) may be processed by our hosting provider (Vercel) for security and performance monitoring.

C. Data Processed Locally (Not Collected by Us)

  • Journal Content: Your timeline events, decisions, goals, and chat logs reside in your browser's sessionStorage. This data is ephemeral and is lost if you close the tab without exporting it.
  • Voice Data:
    • Speech-to-Text: Uses your browser's native SpeechRecognition API. Validity and data handling depend on your browser vendor (e.g., Google for Chrome, Apple for Safari).
    • Text-to-Speech: Processed locally using WebGPU/WASM (Kokoro/Piper). No audio is sent to our servers.

4. How We Use Information

We use the collected information for the following purposes:

  • To Provide the Service: Authenticating you and managing your subscription.
  • To Facilitate AI Analysis: When you use AI features (e.g., "Chat with Life Coach"), specific journal context is sent to our AI providers (see Section 5).
  • To Prevent Fraud: We assume a legitimate interest in retaining email hashes in a trial_history table indefinitely to prevent abuse of our free trial system. This data is retained even if you delete your main account.
  • To Communicate: Sending transactional emails (receipts, password resets).

5. Sharing Your Data (AI & Third Parties)

We do not sell your personal data. We share data only with the following service providers to operate the Service:

| Service Provider | Purpose | Data Shared | Privacy Policy | | :--- | :--- | :--- | :--- | | Supabase | Backend/Auth | Email, User ID, Usage Metadata | Link | | Stripe | Payments | Payment Info, Email, Customer ID | Link | | OpenRouter / Google Gemini | AI Analysis | User Prompts, Journal Context, Soul Map | OpenRouter / Google | | Resend | Transactional Email | Email Address, Support Messages | Link | | Vercel | Hosting/Edge Functions | IP Address, Request Logs | Link |

Important regarding AI:

  • Zero-Retention (API): We access AI models via paid/commercial APIs that generally do not use your data for training their models.
  • Model Selection: For our OpenRouter integration, we specifically prioritize models that either explicitly state they do not train on user data or do not specify (relying on OpenRouter's privacy indicators). We avoid models that explicitly state they train on API data.
  • Context Window: To provide personalized advice, we send relevant parts of your journal (Nodes, Goals, Soul Map) to the AI model for each request. This data is ephemeral to the AI session.

6. Data Retention and Deletion

  • Account Data: Retained as long as your account is active.
  • Trial History: We retain a record of emails that have used a Free Trial indefinitely to prevent abuse.
  • Account Deletion: You can delete your account from the Settings menu. This action:
    1. Cancels your Stripe subscription.
    2. Deletes your User and Profile from Supabase.
    3. Does NOT delete your payment history held by Stripe (required for tax/legal reasons).
    4. Does NOT delete your email from the trial_history table (fraud prevention). This is strictly to prevent the creation of multiple free trial accounts by the same individual.

7. Your Rights and Responsibilities

  • Data Export: You are responsible for regularly exporting your journal data (via Settings > Data Control). We cannot recover data lost due to browser clearing, crashing, or closed tabs.
  • GDPR/CCPA Rights: Depending on your location, you may have rights to access, correct, or delete your personal data held by us (Account/Billing info). Contact support to exercise these rights.

8. Children's Privacy

Our Service is not directed to children under 13 (or other age as required by local law). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at: elvisbirbalas@gmail.com