Legal

Privacy Policy

Last updated: February 2026

1. Introduction

Thoriad (“we,” “us,” or “our”) operates a governed AI notebook platform that enables enterprise teams to write, execute, and collaborate on code with built-in security, data loss prevention (DLP), and compliance controls. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Thoriad platform, website, and related services (collectively, the “Service”).

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you register for an account, we collect your name, email address, organisation name, and role. If you authenticate via single sign-on (SSO) through SAML or OIDC, we receive identity attributes from your identity provider as configured by your organisation.

2.2 Notebook Content

The Service processes and stores notebook content you create, including code cells, markdown cells, execution outputs, and associated metadata such as timestamps and collaborator identifiers. This content is stored on Cloudflare’s infrastructure using D1 (structured data) and R2 (object storage).

2.3 Execution Data

When you execute code within a Thoriad sandbox, we process the code, runtime environment details, execution duration, resource consumption, and outputs. Sandboxes are air-gapped Linux containers with no network egress by default.

2.4 Usage and Telemetry Data

We automatically collect information about how you interact with the Service, including pages visited, features used, session duration, browser type, operating system, IP address, and referring URLs. We use this data to improve performance and user experience.

2.5 Billing Information

Payment processing is handled by Stripe. We do not store full credit card numbers on our systems. We retain billing-related metadata such as plan type, billing cycle, and invoice history.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Execute code in sandboxed environments and return results to you
  • Enforce DLP policies, RBAC permissions, and organisational security controls
  • Generate and maintain immutable, hash-chained audit logs for compliance
  • Process payments and manage subscriptions
  • Send transactional communications (account verification, security alerts, service updates)
  • Analyse usage patterns to improve performance, reliability, and features
  • Comply with legal obligations and respond to lawful requests

We do not use your notebook content to train machine learning models. AI features (such as code generation via Claude) are processed through Cloudflare AI Gateway and are not retained beyond the duration of your request unless you explicitly save them to a notebook.

4. Data Sharing and Disclosure

We do not sell your personal data. We may share information with third parties only in the following circumstances:

4.1 Infrastructure Providers

Thoriad is built on Cloudflare’s developer platform, including Workers, D1, R2, KV, and Containers. Your data is processed and stored on Cloudflare’s global network. Refer to Cloudflare’s privacy policy for details on their data handling.

4.2 Payment Processor

Stripe processes payment transactions on our behalf. Stripe’s collection and use of your payment information is governed by their privacy policy.

4.3 Organisation Administrators

If you use the Service through an enterprise account, your organisation’s administrators may access audit logs, usage reports, and account information in accordance with their role permissions.

4.4 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Data Retention

We retain your account information for as long as your account is active. Notebook content is retained until you delete it or your account is terminated. Audit logs are retained according to your plan’s retention period (30 days for Starter, 1 year for Team, unlimited for Enterprise). After account termination, we delete your data within 90 days, except where retention is required by law or for legitimate dispute resolution.

6. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS 1.3) and at rest
  • Three-tier DLP scanning (regex, semantic AI, and third-party integration) on all data boundaries
  • Role-based access control with 23 granular permissions across five roles
  • SHA-256 hash-chained, tamper-evident audit logging across 32 event types
  • Air-gapped sandbox execution with no default network egress
  • OAuth 2.1 with PKCE for authentication; SCIM v2 for automated provisioning

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. International Data Transfers

Your data is processed on Cloudflare’s global edge network, which spans 300+ locations worldwide. We support region hints to prefer specific geographies for data residency. For transfers from the European Economic Area (EEA), we rely on Cloudflare’s Standard Contractual Clauses and supplementary measures. Enterprise customers may request a Data Processing Agreement (DPA) with additional transfer safeguards.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Request your data in a structured, machine-readable format.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@thoriad.com. We will respond within 30 days.

9. Cookies and Tracking

We use essential cookies to maintain your session and authentication state. We do not use third-party advertising trackers. Analytics cookies, if used, are first-party and can be disabled in your account settings.

10. Children's Privacy

The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will provide notice through the Service or via email. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Thoriad
Email: privacy@thoriad.com