Effective date: January 1, 2026 · Last updated: June 11, 2026
🔒 Plain-English summary: Inthread only processes messages you explicitly send to an AI model. Your iMessage history never leaves your device. We collect your email address if you join the waitlist. That's it.
Section 1
Information We Collect
Inthread ("we," "us," or "our") operates the Inthread iOS and Apple Watch application (the "App"). We collect information only as necessary to provide the service.
Email address — collected when you join our waitlist or create an account. Used only to send access notifications and product updates.
Subscription and purchase data — processed by Apple via In-App Purchase. We receive only anonymized transaction records (e.g., subscription status). We never see your payment card details.
API keys (optional) — if you use Bring Your Own Key (BYOK), your API keys are stored on your device (in the app's protected storage on iOS and watchOS, or your browser's extension storage in Chrome) and are used only to call the AI provider you choose. By default they are not sent to our servers. If you turn on optional cross-device key sync, your keys are encrypted on your device with a passphrase only you know (AES-256-GCM) before they are uploaded — we store only ciphertext we cannot decrypt.
Crash reports and diagnostics — anonymized crash logs may be collected via Apple's crash reporting tools to help us fix bugs. These contain no message content.
Section 2
How We Use Your Information
To deliver and maintain the App and its features.
To send you onboarding instructions and product updates (email).
To process your subscription via Apple's In-App Purchase system.
To diagnose and fix technical issues using anonymized crash data.
To comply with legal obligations.
We do not sell your personal information. We do not use your data for advertising profiling. We do not share your data with third parties except as described in Section 4 (AI Providers) and as required by law.
Section 3
Information We Do Not Collect
This section is important. The following data never leaves your device and is never transmitted to Inthread's servers:
iMessage history or contacts — Inthread operates as a keyboard extension. It does not access, read, or store your message history.
Message content (beyond what you explicitly send to AI) — Only the specific text you choose to send to an AI model is transmitted. Inthread does not passively read your conversations.
Location data — we do not request or use location information.
Microphone recordings — voice/dictation input is processed locally by iOS and Apple Watch on-device. Raw audio is not transmitted to our servers.
Health or biometric data — we collect none.
Photos, camera, or media library — we do not access these.
Section 4
Third-Party AI Providers
When you use Inthread to send a prompt to an AI model, that prompt is transmitted to the relevant third-party AI provider. Each provider has its own privacy policy and data practices:
If you use your own API key (BYOK), your prompts are sent directly from your device to the provider using your key — they do not pass through Inthread's infrastructure. If you use Inthread's hosted access (subscription), prompts are routed through our secure API proxy, which does not log message content.
Section 5
Data Retention
Email address — retained until you request deletion or unsubscribe.
Subscription records — retained for as long as required by applicable law (typically 7 years for financial records).
Crash logs — anonymized logs retained for up to 90 days.
API keys — stored on your device and deleted when you remove the App or extension, or clear your keys in settings. If you enabled encrypted sync, the encrypted copy is removed when you delete the key or turn off sync.
You may request deletion of your personal data at any time by emailing us at the address in Section 10.
Section 6
Children's Privacy
Inthread is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately and we will delete it.
Users must be at least 13 years old to use the App. Users between 13 and 17 should use the App only with parental consent.
Section 7
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Access — request a copy of the personal data we hold about you.
Correction — request correction of inaccurate data.
Deletion — request deletion of your personal data ("right to be forgotten").
Portability — receive your data in a machine-readable format.
Objection — object to processing of your data for marketing purposes.
Withdrawal of consent — where processing is based on consent, you may withdraw it at any time.
California residents have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to opt out of the sale of personal information. We do not sell personal information.
EU/EEA residents have rights under the General Data Protection Regulation (GDPR). Our legal basis for processing is legitimate interest (providing the service) and performance of a contract (subscription).
To exercise any of these rights, contact us at privacy@inthread.app.
Section 8
Security
We implement industry-standard security measures to protect your information:
All data in transit is encrypted using TLS 1.2 or higher.
API keys are stored on your device (encrypted at rest by the operating system on iOS and watchOS) and are sent only to the AI provider you choose. Optional cross-device sync encrypts keys on your device with AES-256-GCM, using a key derived from a passphrase only you know, before upload — so our servers store ciphertext they cannot read.
Our infrastructure uses industry-standard access controls, logging, and monitoring.
We conduct regular security reviews of our codebase and dependencies.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
Section 9
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, where required by law, by sending you an email notification.
Your continued use of the App after any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.
Section 10
Contact Us
Get in touch
For privacy inquiries, data deletion requests, or any questions about this policy: