Privacy Policy

1. Who We Are

ThreadStack is operated by Bianca van Heerden, an individual based in South Africa. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use threadstack.tech and the ThreadStack Chrome extension.

2. Information We Collect

Information you provide directly:

• Account registration: email address, social media handle, password (hashed and stored securely via Supabase Auth — we cannot read your password)
• Payment information: handled entirely by PayPal. We receive only your PayPal email address and subscription status. We never see or store card details or bank information.
• Affiliate applications: name, email, social media handle, promotional method, PayPal email for payouts
• Support communications: emails sent to info@threadstack.tech

Social media data — Chrome extension (Threads):

• Your Threads follower and following lists are read directly from the Threads website as it loads in your browser
• This data is stored entirely within the Chrome extension's local storage on your device
• This data is never transmitted to our servers — it never leaves your computer

Social media data — website (Instagram upload):

• Instagram follower/following data from files you upload is processed entirely in your browser session (sessionStorage)
• Uploaded file contents are not transmitted to or stored on our servers

Automatically collected:

• Basic server logs (IP address, browser type, pages visited) collected by Netlify and Supabase for security purposes
• Affiliate referral codes when you visit via an affiliate link

3. How We Use Your Information

• To provide and maintain the ThreadStack service
• To process subscription payments through PayPal
• To send transactional emails: welcome, password reset, subscription confirmation, cancellation notices
• To respond to support enquiries
• To track affiliate referrals and pay commissions
• To detect and prevent fraud and abuse
• To comply with applicable legal obligations

4. What We Do NOT Do

• We never sell, rent, share, or trade your personal data to any third party for commercial purposes
• We never ask for your Threads or Instagram password — at any point, for any reason
• We never access your social media accounts on your behalf
• We never store your raw social media export files on our servers
• We never display third-party advertising
• We never use your follower data for any purpose other than showing it to you

5. Third-Party Services

• PayPal: Processes all subscription payments. We receive only your PayPal email and subscription status.
• Supabase: Securely stores your account information (email, handle, plan status, affiliate data). Supabase is SOC2 compliant and stores data in secure, encrypted databases. Your password is hashed — it cannot be read by us or by Supabase.
• Resend: Transactional email delivery. We share your email address solely to deliver emails you requested (welcome, password reset, subscription confirmation).
• Netlify: Hosts our website and serverless backend functions. Netlify may log your IP address for security purposes.
• Cloudflare: Manages our domain DNS and security. Cloudflare processes requests to threadstack.tech and may log IP addresses for security.
• Google Chrome Web Store: Distributes the ThreadStack Chrome extension. Google's Privacy Policy applies to the installation process.

6. Data Storage and Security

Chrome extension data: All Threads follower data is stored exclusively in Chrome's local extension storage (chrome.storage.local) on your device. It is not synced to any server and is removed when you uninstall the extension.

Website session data: Instagram results are stored in sessionStorage (cleared when you close the browser tab). Nothing is sent to our servers.

Account data: Stored securely in Supabase with row-level security. Your password is hashed using bcrypt. Only you can access your data.

API keys: All API keys (Resend, PayPal) are stored exclusively in Netlify server-side environment variables. They are never exposed in browser-accessible files.

7. Data Retention

We retain your email address and subscription status for as long as you have an active account. If you request account deletion, we will remove your personal data from our records within 30 days. Extension data can be cleared at any time via Chrome's extension settings.

8. Your Rights

You have the right to: access the personal data we hold about you; request correction of inaccurate data; request deletion of your personal data; withdraw consent for marketing communications; receive your data in a portable format; lodge a complaint with the relevant data protection authority. To exercise these rights, email info@threadstack.tech. We will respond within 30 days.

9. Cookies and Storage

ThreadStack uses sessionStorage and localStorage in your browser for session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You can clear stored data at any time through your browser settings.

10. Children's Privacy

ThreadStack is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it promptly.

11. International Data Transfers

ThreadStack is operated from South Africa. Our hosting (Netlify) and database (Supabase) may process data in the United States and European Union. By using our Service, you acknowledge that your information may be processed in these jurisdictions.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent version.

13. Contact

Bianca van Heerden
Email: info@threadstack.tech
Location: South Africa