Legal

Privacy Policy

Last updated: 24 March 2026

Who we are

Thinklio is operated by Novansa OÜ, a company registered in Estonia. We act as data controller for personal data collected about our customers and users, and as data processor for data that customers process through the platform.

Contact: privacy@novansa.com

1. Two roles, one policy

Thinklio operates in two distinct data roles, and it is important to understand the difference.

As data controller — we collect and use data about you as a customer or user of the Thinklio platform (account data, billing data, usage telemetry). This section of our policy explains how we handle that data.

As data processor — when you configure Thinklio agents to process data from your own users or systems, you are the data controller and we process that data on your behalf. Your obligations as a data controller are set out in our Data Processing Agreement.

This Privacy Policy primarily addresses our role as data controller. If you need a copy of our Data Processing Agreement, contact us at privacy@novansa.com.

2. Legal basis for processing (GDPR)

Novansa OÜ is subject to the General Data Protection Regulation (GDPR). We process customer and user data on the following legal bases:

  • Account creation and platform access: Performance of contract (Article 6(1)(b))
  • Credit and subscription billing: Performance of contract (Article 6(1)(b))
  • Platform usage analytics and improvement: Legitimate interests (Article 6(1)(f))
  • Service communications and notifications: Performance of contract (Article 6(1)(b))
  • Security monitoring and fraud prevention: Legitimate interests (Article 6(1)(f))
  • Legal and tax compliance: Legal obligation (Article 6(1)(c))
  • Marketing (opted-in): Consent (Article 6(1)(a))

3. What data we collect about you

Account data

First name, last name, email address, hashed password, organisation name (if applicable), and account preferences. You may optionally add a profile picture or avatar (which does not need to be a photograph of you).

Billing data

Subscription plan, credit balance, payment history, and billing contact details. Payment card data is handled by Paddle and not stored by us.

Platform usage data

Logs of platform interactions, agent execution records, API usage volumes, feature usage patterns, and error logs. This data is used to operate, improve, and secure the platform.

Technical data

IP address, browser or client type, device information, and session identifiers.

Location and locale data

Country (inferred or provided by you), time zone, and language or locale preferences. This data is used to deliver a localised experience and is not used to track your precise location.

Configuration data

Agent configurations, workflow definitions, knowledge base content, and integration settings that you create and manage within Thinklio. This is your content; we store it to deliver the service.

Support data

Any information you provide when contacting our support team.

4. How we use your data

We use your data to:

  • create and manage your account
  • deliver platform features and agent execution
  • manage credits, billing, and subscriptions via Paddle
  • monitor and maintain platform security and performance
  • respond to support requests
  • send service notifications and platform alerts
  • improve the platform through usage analysis
  • meet legal and tax obligations

We do not use your configuration data or agent execution content to train AI models.

5. Third-party services

  • Supabase: Database and authentication — Account data, configuration data
  • Paddle: Payment processing — Billing and payment data
  • OneSignal: Push notifications — Device identifiers, notification preferences
  • Analytics provider (e.g. PostHog or Mixpanel): Platform usage analytics — Pseudonymised usage data
  • AI providers (e.g. Anthropic, OpenAI): Agent execution — Prompts and content submitted to agent tasks

Note on AI providers: When your agents execute tasks, content from those tasks is sent to the relevant AI provider's API. This is governed by the provider's own data processing terms. We recommend reviewing the privacy terms of any AI provider integrated with your Thinklio configuration.

We have Data Processing Agreements in place with our processors where required by GDPR.

6. Data transfers outside the EEA

Some of our service providers are based outside the EEA. We ensure appropriate safeguards are in place for all international transfers, including Standard Contractual Clauses (SCCs) where applicable.

7. How long we keep your data

  • Account data: Until account closure, plus 30 days
  • Configuration and agent data: Until deletion or account closure, plus 30 days
  • Execution logs: 90 days (configurable on Business plans)
  • Billing and payment records: 7 years (legal/tax compliance)
  • Usage analytics: 24 months (aggregated/pseudonymised)
  • Backup copies: Up to 90 days after primary deletion

8. Your rights

Under GDPR, you have the right to:

  • Access: Request a copy of the data we hold about you.
  • Correction: Correct inaccurate data we hold about you.
  • Deletion: Request deletion of your data.
  • Portability: Receive your data in a machine-readable format.
  • Restriction: Limit how we process your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is consent-based, withdraw at any time.

Contact privacy@novansa.com. We will respond within 30 days.

You may also complain to the Estonian Data Protection Inspectorate (aki.ee) or your local data protection authority.

9. Security

We implement extensive technical and organisational security measures, including:

  • TLS encryption in transit and encryption at rest
  • hardened server infrastructure with access controls
  • security monitoring and alerting
  • regular security reviews and patching

To report a security issue: security@novansa.com

10. EU AI Act

The European Union's AI Act imposes obligations on providers and deployers of AI systems. As Thinklio is a platform that enables AI agent deployment, we are monitoring AI Act implementation and will update our practices and documentation as requirements are clarified and take effect.

If you deploy Thinklio agents in contexts that may fall under AI Act requirements (including high-risk AI use cases), you are responsible for ensuring your deployment complies with applicable obligations.

11. Cookies and tracking

Thinklio uses cookies and similar technologies for session management, security, and platform analytics. Cookie preferences can be managed through your browser or platform settings.

12. Children's data

Thinklio is for users 18 and over and is a business platform. We do not knowingly collect data from minors.

13. Changes to this policy

We will notify you of material changes by email or in-platform notification before they take effect.

14. Contact us

Novansa OÜ

Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia

Email: privacy@novansa.com