// privacy_policy

last_updated: 30 May 2026  ·  version 2026-05-30

1. Who We Are

This Privacy Policy explains how Threadlinqs Intelligence ("Threadlinqs", "we", "us") — operated by [registered entity name], based in Canada — collects, uses, discloses, and protects personal information through the websites threadlinqs.com and intel.threadlinqs.com and related services (the "Service"). We are the organization accountable for your personal information.

We are committed to handling personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25, and applicable provincial privacy laws, and — for users in those regions — the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act / CPRA. Our Privacy Officer can be reached at contact@threadlinqs.com (subject line: "Privacy").

2. Information We Collect

Account information — when you create an account: your email address, display name, and a securely hashed version of your password. Optionally, a bio and an onboarding questionnaire (role, organisation size, experience, tools, interests) that you may skip.

Authentication & security data — for each session we record a hashed session token, IP address, browser/user-agent, approximate location (country, city) derived from your IP, and device type. We keep an activity log of account actions (e.g. sign-in, page and threat views, library saves) with the same network metadata, used for security, abuse prevention, and to operate the Service.

Service content — saved items (threats, detections, IOCs, references), custom feeds, and any text you submit to AI features (Research Lab prompts, TLQL queries, chat). See §5 on AI processing.

Billing data — if you subscribe, our payment processor (Stripe) handles your card details directly; we never see or store full card numbers. We store a Stripe customer/subscription identifier and your plan status. A Stripe customer record is created when you register so checkout works smoothly.

Communications — your email subscription preferences and a log of transactional/debrief emails we send you (recipient, type, status, time).

Anonymous visit analytics — a server-side log of public-page visits powers our internal metrics: requested path, host, referer domain (host only), country, city, device type, and browser/bot brand. IP addresses are never stored in raw form — they are one-way hashed with a daily-rotated salt before storage, and requests carrying DNT: 1 (Do Not Track) or Sec-GPC: 1 (Global Privacy Control) are skipped entirely.

Cookies & similar technologies — see §6.

3. Why We Use It & Our Legal Basis

We use personal information to: create and secure your account; provide and operate the Service; process subscriptions and payments; send you transactional messages and, with your consent, daily intelligence debriefs; detect, investigate and prevent fraud, abuse and security incidents; measure and improve performance; and comply with law.

Where the GDPR applies, our legal bases are: performance of a contract (creating your account, providing the Service, processing payments); legitimate interests (security, abuse-prevention and integrity logging, and aggregate analytics, balanced against your rights); consent (non-essential cookies, advertising, and marketing/debrief emails); and legal obligation (tax, accounting, lawful requests). Under PIPEDA and Quebec Law 25 we rely on your consent (express where the information is sensitive or where required for cookies/marketing) and the limited statutory exceptions. You may withdraw consent at any time (see §9), subject to legal or contractual limits.

4. Advertising & "Do Not Sell or Share"

We display advertising through Google AdSense only to visitors who are not signed in. Signed-in users do not see ads. Google and its partners may use cookies and similar identifiers to serve and measure ads, which — depending on your settings and region — may involve personalised advertising.

Under California's CCPA/CPRA, the use of advertising cookies to deliver personalised ads can constitute a "sale" or "sharing" of personal information. We do not sell your information for money. To opt out of personalised advertising and analytics cookies, use our Cookie settings or the Do Not Sell or Share My Personal Information control, decline advertising in the cookie banner, and/or adjust Google Ad Settings. In the EU/UK and Quebec, non-essential cookies are off by default until you opt in.

5. AI Processing of Your Inputs

Certain features (Research Lab, TLQL natural-language translation, and chat) send the text you submit to third-party AI providers — currently NVIDIA (NIM), and, where you bring your own key, OpenAI or Anthropic — to generate results. Those providers process your input under their own terms and privacy policies. Do not submit personal, confidential, or sensitive information into AI inputs. AI output may be inaccurate or incomplete and must be independently verified. If you supply your own provider API key ("BYOK"), it is stored only in your browser and sent transiently with your request; we do not retain it server-side.

6. Cookies & Tracking Technologies

We use a single essential session cookie (tl_session: HttpOnly, Secure, SameSite=Lax, 7-day expiry) for authentication — this is required for the Service and is not used for tracking. We also use, subject to your consent where required: analytics cookies (Google Analytics 4 — _ga, _ga_*) and advertising cookies (Google AdSense, unauthenticated visitors only). In the EU/UK and Quebec these non-essential cookies load only after you opt in via our consent banner; you can change or withdraw your choices anytime through Cookie settings. Full details are in our Cookie Policy.

7. Third-Party Service Providers

We share personal information with service providers ("processors") who act on our behalf, only as needed: Stripe (payments), Cloudflare (hosting, CDN, DDoS protection, IP-based geolocation), Resend (transactional & debrief email), Google (Analytics 4 and AdSense), and the AI providers in §5. Each is bound to protect the information and use it only for the services we engage them for. We do not sell your personal information to data brokers. Review each provider's practices via their own privacy policies (e.g. Stripe, Cloudflare, Resend, Google).

8. International Transfers

We are based in Canada and our providers may process and store information in the United States and other countries whose laws may differ from yours. Where we transfer personal information internationally, we rely on appropriate safeguards such as the provider's adequacy status, EU Standard Contractual Clauses / UK IDTA, or the EU-US Data Privacy Framework where applicable, and — for Quebec residents — assess the protection afforded before transfer. [Confirm transfer mechanisms with counsel.]

9. Data Retention

We keep personal information only as long as necessary for the purposes above or as required by law: account data — until you delete your account (or, after a period of inactivity, until we delete it); sessions — 7 days; activity logs — 90 days; anonymous visit analytics — 90 days, then auto-purged; email verification codes — 15 minutes; billing records — for the period required by tax and accounting law. When you delete your account we remove your personal data, except records we must retain for legal, tax, or fraud-prevention purposes.

10. Your Privacy Rights

Subject to your jurisdiction, you have rights to: access the personal information we hold about you; correct inaccuracies; delete / erase your data; port it in a machine-readable format; object to or restrict certain processing; withdraw consent; and (Quebec) request de-indexing and information about automated decisions. You can exercise most rights directly in your account settings (including deleting your account), or by contacting our Privacy Officer at contact@threadlinqs.com. We respond within 30 days. You also have the right to complain to a regulator: the Office of the Privacy Commissioner of Canada, Quebec's Commission d'accès à l'information, the UK ICO or your EU supervisory authority, or the California Attorney General, as applicable.

11. Email Communications & Anti-Spam

We send transactional emails (e.g. verification codes, account and billing notices) as part of the Service. We send daily intelligence debriefs only if you opt in. Every commercial email identifies us, includes a postal mailing address, and provides a one-click unsubscribe that we honour promptly (consistent with Canada's Anti-Spam Legislation (CASL) and the US CAN-SPAM Act). You can unsubscribe anytime from the email footer or your account settings.

12. Children's Privacy

The Service is intended for security professionals and is not directed to children. We do not knowingly collect personal information from anyone under 14 (Quebec) or under 13 (other regions). If you believe a child has provided us information, contact us and we will delete it.

13. Security

We protect personal information with safeguards appropriate to its sensitivity: TLS encryption in transit; passwords stored only as salted PBKDF2 hashes (never in plaintext); HttpOnly/Secure session cookies; rate limiting, concurrent-session caps, and security headers. No method of transmission or storage is perfectly secure, but we work to protect your information and to detect and respond to incidents.

14. Data Breaches

If a breach of security safeguards creates a real risk of significant harm, we will assess it and notify the appropriate regulator (e.g. the Office of the Privacy Commissioner of Canada, Quebec's CAI, or — within 72 hours where the GDPR applies — the relevant authority) and affected individuals as required by law, and we keep records of breaches.

15. Changes to This Policy

We may update this policy from time to time. Material changes will be posted here with a new "last updated" date and version, and where required we will seek renewed consent. Your continued use of the Service after an update constitutes acceptance of the revised policy.

16. Contact & Privacy Officer

For privacy questions, requests, or complaints, contact our Privacy Officer: contact@threadlinqs.com, Threadlinqs Intelligence, [business mailing address — insert a business address or PO box; do not use a home address].