Privacy Policy

This policy applies to personal information we collect from visitors of our website, users of our product, and clients of our APIs and SDKs. When we act as a data processor on behalf of a business customer (for example, processing data from your end users), the customer is the data controller — see our DPA for that relationship.

Information you give us

• Account information when you sign up for our product: name, work email, company, role.
• Contact information when you reach out to us: name, email, company, message content.
• Payment information when you subscribe to a paid plan (processed by our payment provider — we do not store full card numbers).
• Communications with our team: emails, support tickets, sales conversations.

Information collected automatically

• Technical data when you visit our website: IP address, browser type, operating system, pages visited, time on page, referring URL.
• Usage data when you use our product: features used, requests made, errors encountered, performance metrics. Used to operate the service and improve it.
• Functional cookies needed for authentication and language preference. We do not currently use analytics, advertising or session-replay tracking.

Information from third parties

If you sign in with a third-party identity provider (Google, GitHub, Microsoft), we receive basic profile information (name, email, avatar) from that provider — only what is needed to create or recognize your account.

• Provide and operate the service: authentication, agent execution, billing, support.
• Improve the service: identify bugs, measure performance, plan capacity.
• Communicate with you: service notifications, product updates, support replies.
• Comply with law: respond to lawful requests, enforce our Terms, prevent abuse.

We do not sell personal information. We do not use customer conversations or agent outputs to train general-purpose AI models. Customer data stays scoped to the customer tenant.

If you are in the European Economic Area or the United Kingdom, we process your information under one of these legal bases:

• Performance of a contract: to provide the service you signed up for.
• Legitimate interest: to improve the service, secure it against abuse, and contact you about your account.
• Consent: for optional things like marketing emails — you can withdraw consent at any time.
• Legal obligation: to comply with tax, accounting and law-enforcement requirements.

We share personal information only with the categories of recipients below, and only as much as needed for the stated purpose.

• Subprocessors: the third parties that help us run the service (hosting, AI inference, email delivery, observability). Our current list is published at /subprocessors/.
• Professional advisors: lawyers, auditors and accountants under confidentiality obligations.
• Authorities: when required by law, court order or to protect rights and safety.
• Successors: if Thaliq is involved in a merger, acquisition or sale of assets, your information may be transferred — we will notify you and honor this policy unless you accept a new one.

• Account data: kept while your account is active and for up to 30 days after deletion (so you can restore by mistake).
• Conversation and agent data: retained per the plan you are on (7 / 30 / 90 days or as configured on Enterprise).
• Billing records: kept for the period required by tax law (typically 5–10 years).
• Audit logs: kept per the plan, then deleted automatically by TTL.
• Contact form submissions: kept as long as needed to follow up, then archived in our CRM (HubSpot) per their retention.

Depending on where you live, you have the right to:

• Access the personal information we hold about you.
• Correct information that is wrong or out of date.
• Delete your information, subject to legal exceptions.
• Port your information to another service in a structured format.
• Object to certain processing, or restrict it.
• Withdraw consent for optional processing.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email hola@thaliq.com. We respond within 30 days. We may need to verify your identity before acting on a request.

Our primary infrastructure is in AWS us-east-1, with eu-west-1 available on Enterprise plans. When we transfer personal data out of the European Economic Area, the United Kingdom or other jurisdictions with transfer restrictions, we rely on Standard Contractual Clauses or equivalent safeguards.

We use functional cookies needed for the site to work — authentication, language preference, security tokens. These do not require consent under GDPR because they are strictly necessary.

We do not currently use analytics, advertising or session-replay cookies. If that changes, we will add a cookie banner and update this policy.

Thaliq is a product for businesses and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes, we will notify customers by email at least 30 days before the change takes effect.

Questions or requests related to this policy: hola@thaliq.com. We answer in plain language first; lawyers second.