Legal
Privacy Policy
Effective date: February 20, 2026
1. Data We Collect
Account data (collected at signup)
- Email address
- Tenant name (company or project name)
- Payment information (stored by Stripe — Thane stores only a Stripe customer ID)
Usage data (collected during platform use)
- Dashboard access logs (page views, actions taken)
- API call logs (action, timestamp, success/failure — request bodies are not logged)
- Deployment history (commit SHA, build status, deploy status)
- Infrastructure metrics (CPU, memory, request count — aggregated, not individual request data)
Data we do not collect
- Application code (stored in your GitHub, built ephemerally)
- Application data (stored in your RDS instance in your own AWS account)
- End-user data (passes through your application — Thane has no access or visibility)
- Environment variable values (stored in your Secrets Manager, encrypted — Thane does not log or exfiltrate values)
2. Data Storage and Location
| Data Type | Storage Location | Encryption |
|---|---|---|
| Account data | DynamoDB (us-east-1) | AWS-managed KMS |
| Payment data | Stripe | Stripe encryption |
| Usage/audit logs | CloudWatch Logs (us-east-1) | AWS-managed KMS |
| Application data | Your AWS account | Per-account KMS |
| Build artifacts | ECR (your AWS account) | AWS-managed KMS |
All data is stored in us-east-1. Customer application data is in your own AWS account — Thane's control plane stores references (IDs, status) but not the data itself.
3. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Active subscription + 30-day grace + 90-day compliance hold |
| Deployment/app/build logs | Per plan (7–90 days, rolling deletion) |
| Billing records | 7 years (legal requirement) |
| Support tickets | 3 years after resolution |
| Infrastructure metrics | 15 months (CloudWatch default) |
4. Data Deletion
On account closure
After a 30-day grace period, your AWS account is recycled (all tenant-specific resources wiped) or closed. Account data in DynamoDB is marked for deletion and purged after the 90-day compliance retention period. Billing records are retained for 7 years per legal requirements. Aggregated, anonymized usage statistics may be retained indefinitely.
On graduation
Thane's management access is removed. You retain all data in your AWS account. Thane retains account metadata and billing records per the retention schedule above but has no access to your application data.
5. Your Rights
- Access — Request an export of all account data Thane holds (provided within 30 days).
- Correction — Update account information via the dashboard or support.
- Deletion — Close your account and data is deleted per the retention schedule. You can request accelerated deletion of non-legally-required data.
- Portability — Account data exported as JSON. Application data is already in your own AWS account.
Requests should be directed to privacy@usethane.com.
6. Third-Party Data Sharing
Thane shares customer data only with:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Stripe | Email, name, payment info | Payment processing |
| AWS | Account metadata | AWS account management |
| Email provider | Email address | Transactional emails |
Thane does not sell customer data. Thane does not share customer data with advertisers.
7. Cookies
Thane's dashboard uses cookies for:
- Session token — Authentication (essential, 24 hours)
- CSRF token — Security (essential, session duration)
- Preferences — Dashboard settings (functional, 1 year)
Thane does not use advertising cookies, third-party tracking cookies, or cross-site tracking.
8. Changes to This Policy
Thane may update this Privacy Policy with 30 days' notice via email. Material changes require your explicit acceptance at next dashboard login. Non-material changes take effect automatically after the notice period.
If you have questions about this policy, contact us at privacy@usethane.com.