Usamos cookies essenciais para login e armazenamento local para suas preferências. Para métricas de uso, usamos o Google Analytics 4 — você pode recusar sem perder nada do produto. Saber mais

ThreadMineThreadMine
Back
This is a courtesy translation. The Portuguese version prevails in case of any discrepancy.

Legal document

Privacy Policy

How FELIPE MASCHIO TECHNOLOGY LTDA handles your data when operating ThreadMine.

This policy describes how FELIPE MASCHIO TECHNOLOGY LTDA (the operator of the ThreadMine service, hereinafter "we") collects, stores, uses and shares personal data when you use the threadmine.dev website or the ThreadMine product. This policy is aligned with the Brazilian General Data Protection Law (Law 13.709/2018 — LGPD).

We are committed to collecting only what is strictly necessary, being transparent about how it is used, and letting you exercise your rights at any time.

1. What data we collect

We collect only the data needed to authenticate you, operate your analyses and bill subscriptions. Specifically:

  • Sign-up: name, email, password (stored as a bcrypt hash, never in clear text), optional avatar URL.
  • Optional onboarding: job role, usage goal, JVM stacks, team size. You may skip any field.
  • Advanced authentication: MFA secret (encrypted at rest), OAuth provider identifier (e.g. Google) when integrated.
  • Submitted content: JVM thread dump files that you send for analysis. This content may include class names, stack traces and technical data from your application.
  • Usage metadata: date and time of uploads, source IP address, detected dump format, hostname extracted during parsing.
  • Analysis results: health score, detected problems, generated summaries (including AI-generated summaries, when enabled).
  • Workspaces and teams: assigned role (Admin, Maintainer, Analyst, Viewer), invitations sent and accepted.
  • Audit log: records of changes to sensitive entities (e.g. role change, API key revocation).

2. How we store it

All data in transit is protected by TLS 1.2 or higher. Passwords are stored as bcrypt hashes. MFA secrets are encrypted at rest using a key managed separately from the database credentials. Raw dumps may be stored temporarily in S3-compatible storage while the analysis is being processed.

The ThreadMine environment is multi-tenant with logical segregation by workspace: no user accesses another workspace's data without an explicit invitation. The backend rejects any read that does not include a workspace filter.

3. How long we keep it

Retention depends on the type of data and the plan you subscribe to:

  • Submitted raw dumps: deleted after processing by default. During the beta, history is available for up to 7 days on all plans; you may delete it at any time. Extended retention per plan is on the roadmap.
  • Analysis results (health score, detected problems): kept while your account is active, subject to your plan's limits.
  • Access logs: 30 days. The audit log of changes is retained for compliance purposes.
  • Sign-up data: for as long as your account exists. After account deletion, we remove it within 30 days, except for records we are required to keep due to a legal or accounting obligation (e.g. invoices).

4. Who we share it with

We do not sell your data. We do not share it with third parties for marketing purposes. We use a small set of subprocessors that are strictly necessary to operate the product:

SubprocessorPurposeData
Hetzner (or similar)Hosting and storageAll data at rest
Resend (or similar)Sending transactional emailsEmail, name
Anthropic / GoogleAI analysis (when enabled by the admin)Dump content + metadata

We do not use your dumps to train AI models, and the AI providers (Anthropic and Google) have a default policy of not using API inputs for training (see also our AI Policy).

5. Your rights as a data subject

The LGPD (Art. 18) grants you the rights below. You may exercise any of them free of charge, at any time:

  • Access: download a copy of all your data through the self-service export (ZIP) at /app/perfil/dados.
  • Correction: correct your name, email and other fields through your profile at /perfil.
  • Deletion: delete your account and associated data self-service at /app/perfil/dados.
  • Portability: the export includes an open JSON format to move to another provider.
  • Objection and withdrawal of consent: turn off notifications at /app/perfil/dados or request objection to any optional processing by contacting the DPO.
  • Information about sharing: the list of subprocessors above is complete.

6. Cookies

We use essential cookies for authentication (session via an httpOnly cookie) and interface preferences (theme, language). We also use Google Analytics 4 (GA4) to understand how the product is used and to measure our campaigns — it may set third-party cookies and collect usage data in aggregate form (pages visited, traffic source, device type). We do not use your personal data for third-party advertising beyond measuring our own campaigns. Google Analytics is opt-in: on your first visit you choose between Accept or Decline in the cookie banner. Until you accept — or if you decline — no analytics cookie is written (Google Consent Mode v2 in denied state). Essential cookies do not depend on this choice, as they are required for login to work.

7. Security

We apply technical and organizational controls to protect your data: TLS in transit, password hashing, tenant segregation, the principle of least privilege, an audit log for sensitive changes, and regular backups. Despite these controls, no system is completely immune; in the event of an incident affecting personal data, we will notify you and the ANPD within the timeframes required by the LGPD.

8. International transfer

Some subprocessors may process data outside Brazil (e.g. LLM providers in the US). In such cases, we require contractual safeguards compatible with the LGPD for adequate processing.

9. How to contact us

FELIPE MASCHIO TECHNOLOGY LTDA's Data Protection Officer (DPO): dpo@threadmine.dev

You may also file a complaint directly with the Brazilian National Data Protection Authority (ANPD) at gov.br/anpd.

10. Changes to this policy

If we materially change this policy, we will notify you by email at least 15 days before it takes effect. The version in force will always be available at this URL.

Last updated: May 20, 2026