Privacy Policy

Last updated: 9 February 2026
Effective date: 9 February 2026

Welcome to Theona – AI Assistant ("Theona", "we", "our", "us"). We operate the productivity platform available at https://theona.ai and related mobile and desktop applications (collectively, the "Services"). This Privacy Policy ("Policy") explains how we collect, use, disclose, and safeguard your information when you use the Services.

Important: This Policy is provided for general informational purposes and does not constitute legal advice. Because privacy requirements vary by jurisdiction and industry, you should consult qualified counsel before publishing or relying on this Policy.


1. Scope

This Policy applies to personal data we process when you:

  • Create an account or profile;
  • Connect third‑party data sources to Theona (e.g., email, calendar, cloud storage);
  • Interact with our large‑language‑model (LLM) features (including prompts, chat, and generated outputs);
  • Visit our websites, dashboards, or communications channels; or
  • Communicate with us in any manner.

2. The Information We Collect

| Category | Examples | Source |
|---|---|---|
| Account Data | Name, email, password (hashed), avatar, preferred language | You |
| Connected Content | Emails, calendar events, documents, files, notes, task lists, metadata | You / linked services with your authorization |
| Usage Data | Feature interactions, time stamps, clicks, queries, crash logs | Your device / in‑app events |
| Device & Log Data | IP address, browser type, device identifiers, OS version | Your device |
| Cookies & Similar Tech | Session cookies, preference cookies, analytics beacons | Your browser |

You may choose not to provide certain information, but doing so can limit core functionality.

3. How We Use Your Information

We process your information to:

  1. Provide the Services and fulfill our contract with you;
  2. Power LLM‑based features (e.g., summarising emails, drafting content, retrieving answers) using context from your connected data;
  3. Personalise your experience (e.g., recommended tasks, adaptive UI);
  4. Improve and develop new features, algorithms, and safety systems;
  5. Communicate with you about updates, security alerts, and support requests;
  6. Protect the integrity of the platform, enforce terms, and prevent fraud; and
  7. Comply with legal obligations or respond to lawful requests.

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on:

  • Performance of a contract – to deliver the Services you request;
  • Legitimate interests – to maintain and improve our platform, balanced against your rights and freedoms;
  • Consent – for optional connections, marketing emails, and certain analytics/cookies; and
  • Legal obligation – where required to meet applicable laws.

5. Sharing & Disclosure

We never sell your personal data. We may share limited information with the following categories of third parties:

5.1 Infrastructure & Hosting

  • Supabase (United States) – Database hosting, authentication, and backend infrastructure. All user data, authentication credentials, and application data are stored on Supabase with AES-256 encryption at rest.
  • Railway (United States) – Application hosting and Redis infrastructure for job queues and caching. Processes application runtime data with no direct PII storage.

5.2 Large Language Model Providers

  • OpenAI (United States) – Powers AI features including chat, content generation, and task automation. Your prompts and relevant context are sent to OpenAI's API. Data is not used to train OpenAI's models (we use zero-retention API endpoints).
  • Anthropic (United States) – Provides Claude LLM for advanced reasoning, content generation, and conversational AI. Prompts and context are encrypted in transit. Data is not used for model training.
  • Google AI (Gemini) (United States) – Used for conversation summarization and compression to optimize context window usage. Summary data is stored in our database, not retained by Google.
  • Perplexity (United States) – AI-powered web search for real-time information retrieval. Receives search queries and context. Data is not used for model training.
  • Mem0 (United States) – Long-term memory storage for user preferences and context. Stores user ID and preference summaries. No raw conversation content is transmitted.

5.3 Payment Processing

  • Stripe (United States) – Processes subscription payments, manages billing, and stores payment methods. Stripe receives your email, user ID, and payment information. Subject to Stripe's Privacy Policy.

5.4 Analytics & Monitoring

  • Google Analytics (GA4) (United States) – Website traffic analysis on our marketing website (theona.ai). Collects anonymized page views, visitor behavior, and traffic sources. Sets a cookie (_ga_RTKD7H1FMD) that persists for 2 years. No personally identifiable information is sent. Subject to Google's Privacy Policy.
  • PostHog (United States) – Product analytics in the application (app.theona.ai). We send user ID, email (for legitimate interest in product improvement), and usage events. Session recordings are partially masked; chat content can be excluded via opt-out settings.
  • Sentry (United States) – Error monitoring and performance tracking. We send sanitized error logs with all personally identifiable information (PII) redacted. No request bodies, authentication headers, or user content are transmitted.

5.5 Integration Framework

  • Composio (United States) – Manages third-party integrations and OAuth connections. Receives user ID and tool execution arguments (no raw user content). Enables connections to Google Workspace, Slack, Linear, Notion, and other productivity tools.
  • Nango (United States) – OAuth management for additional third-party integrations. Receives user ID, OAuth tokens, and integration metadata.

5.6 Data Extraction

  • Firecrawl (United States) – Web scraping and content extraction. Receives URLs and returns extracted web page content as requested by the user.
  • Apify (European Union, Czech Republic) – LinkedIn data extraction and web automation. Processes public profile data and search results as requested by the user.

5.7 Email

  • Resend (United States) – Transactional email delivery for notifications and account alerts. Receives email address and email content.

5.8 Meeting Recording

  • Recall AI (United States) – Meeting recording and transcription. Processes meeting audio, transcripts, and participant metadata when authorized by the user.

5.9 User-Authorized Integrations

When you connect third-party services, data flows between Theona and those services subject to their respective privacy policies. Theona supports 60+ integrations across the following categories:

  • Communication: Slack, Microsoft Teams, Discord, Telegram, WhatsApp Business
  • Project Management: Linear, Asana, Jira, Notion, Trello, Monday, Todoist
  • CRM: HubSpot, Salesforce, Pipedrive, Apollo, Attio
  • Google Workspace: Gmail, Calendar, Drive, Docs, Sheets
  • Microsoft 365: Outlook, OneDrive, Teams
  • Development: GitHub, Bitbucket
  • Design: Figma, Webflow
  • HR: BambooHR, Lever, Recruitee, Talantix
  • Support: HelpScout, Zendesk, Intercom
  • Social & Content: LinkedIn, YouTube, Reddit
  • Storage: Dropbox, Google Drive, OneDrive
  • Other: Shopify, Looker, Confluence, YouTrack

For a complete and up-to-date list, visit theona.ai/integration. Each integration accesses only the data you explicitly authorize.

5.10 Other Disclosures

  • Corporate Events – Merger, acquisition, or asset sale, subject to continuing protections
  • Legal & Safety – When required by law or to protect rights, property, or safety of users or the public

Complete list of sub-processors: A current list of all data sub-processors, including their locations and data processing agreements, is available at theona.ai/sub-processors.

6. International Transfers

We are headquartered in the United States and use service providers located in the United States and European Union. When we transfer personal data outside the EEA/UK, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other lawful mechanisms. A copy of the relevant transfer mechanism is available on request.

7. Data Retention

We keep personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by law:

  • Account data – retained until your account is deleted, then held for up to 30 days for deletion processing before permanent removal;
  • Connected content – retained while the integration is active; upon disconnection we make reasonable efforts to delete cached copies within 24-48 hours;
  • LLM prompts & outputs – stored in active conversations for functionality and debugging; inactive conversations may be automatically archived or deleted based on our data retention policies;
  • Analytics logs – aggregated and anonymized after 13 months; raw logs retained as needed for security and compliance.

8. Security

We implement industry‑standard administrative, technical, and organisational measures, including:

  • End‑to‑end TLS encryption in transit;
  • AES‑256 encryption at rest;
  • Role‑based access controls and audit logs; and
  • Regular penetration testing and code reviews.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold;
  • Rectify inaccurate or incomplete data;
  • Erase data ("right to be forgotten");
  • Restrict or object to processing;
  • Data Portability;
  • Withdraw consent at any time;
  • Lodge a complaint with your supervisory authority (in the EU, you can contact your local data‑protection authority).

Submit requests by emailing [email protected] or via the in‑app privacy dashboard. We may need to verify your identity before responding.

10. Children’s Privacy

Theona is not directed to children under 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided data, please contact us and we will delete it.

11. Cookies & Tracking Technologies

We use cookies and similar technologies to provide, secure, and improve the Services. Below is a summary of the cookies we use:

11.1 Essential Cookies

Required for the Services to function. Cannot be disabled.

  • sidebar_state (Theona) – Remembers sidebar open/closed state in application (7 days)

Note: Authentication (Supabase) uses Local Storage, not cookies. See section 11.3.

11.2 Analytics & Performance Cookies

Help us understand how users interact with the Services. You can opt out via browser settings or Privacy Settings.

  • _ga_RTKD7H1FMD (Google Analytics GA4) – Website traffic analysis on theona.ai (2 years)
  • ph_phc_..._posthog (PostHog) – Product analytics in app.theona.ai (1 year)
  • sentry-* (Sentry) – Error monitoring and performance tracking, sanitized (Session)

11.3 Local Storage (Not Cookies)

Authentication tokens and user preferences are stored in browser Local Storage, not cookies:

  • Supabase authentication tokens – JWT access and refresh tokens for login sessions
  • User session data – Current user ID and session metadata
  • Theme settings – Dark mode, light mode preference
  • Language & locale – Preferred language and region
  • UI preferences – Layout settings, notification preferences

Local Storage is stored on your device only and never transmitted to our servers automatically.

11.4 Managing Cookies

You can control cookies through:

  • In-app settings – Privacy Settings page allows you to opt out of analytics
  • Browser settings – Most browsers allow you to block or delete cookies
  • Cookie consent banner – Manage preferences when you first visit

Note: Disabling essential cookies may prevent you from using core features of the Services. For complete details, see our Cookie Policy.

12. Your California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information.

12.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers – Name, email address, user ID, IP address
  • Commercial information – Subscription plans, payment history, usage records
  • Internet activity – Browsing history, feature interactions, search queries
  • Professional information – Connected work accounts, calendar events, emails, documents
  • Inferences – Preferences, usage patterns derived from your activity

12.2 Sale of Personal Information

We do not sell your personal information. We have not sold personal information in the past 12 months and do not intend to do so in the future.

12.3 Your CCPA Rights

California residents have the right to:

  • Know – Request disclosure of the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it
  • Delete – Request deletion of your personal information (subject to certain exceptions)
  • Opt-out – Opt out of the sale of personal information (though we do not sell your data)
  • Non-discrimination – Exercise your rights without receiving discriminatory treatment

12.4 Exercising Your Rights

To exercise your CCPA rights, contact us at [email protected] or through the Privacy Settings page in your account. We will verify your identity before processing your request and respond within 45 days as required by CCPA.

12.5 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. The agent must provide proof of authorization, and we may require you to verify your identity directly.

13. Changes to This Policy

We may update this Policy to reflect changes to our practices, technology, or legal requirements. Where practicable, we will notify you of material changes at least 30 days in advance via email or prominent in‑app notice. Changes required for legal compliance, security, or service continuity may be implemented with shorter notice. The "Last updated" date at the top indicates when the latest changes were made.

14. Contact Us

If you have questions, concerns, or would like to exercise your privacy rights, please contact us:

Theona, Inc.
Remote‑first company registered in Delaware, USA
Privacy inquiries: [email protected]
General support: [email protected]

We aim to respond to privacy-related requests within 30 days (45 days for CCPA requests as required by law). Complex requests may require additional time, and we will notify you if an extension is needed.


Thank you for trusting Theona with your data. We are committed to protecting your privacy while helping you work smarter.
