ThorStack

Legal

Privacy Policy
The short version: your data is yours.

Effective April 27, 2026

We treat privacy as table stakes, not a feature. This page explains what we collect, why, who we share it with, and what you can do about it.

1. Scope

This Privacy Policy describes how Metasession Ltd. (“ThorStack”, “we”, “our”) handles personal data across two surfaces:

  • The marketing website at thorstack.com — where you may browse, chat with our AI assistant, fill out a form, or book a meeting.
  • The ThorStack platform — the dedicated, per-tenant deployment we operate for each customer.

For platform usage, the customer organization is the data controller of personal data they ingest; ThorStack acts as data processor under our DPA. For the marketing website, ThorStack is the controller.

2. What we collect

On the marketing website, we collect:

  • Information you provide via forms (name, work email, company, team size, free-text notes).
  • Conversations you have with the website AI assistant (message content and timestamps).
  • Standard request metadata — IP address, user-agent, referrer, and pages visited — for security and analytics.

Inside a ThorStack deployment, the customer determines what data flows in. This may include emails, calendars, contacts, deals, orders, invoices, and content drafted by AI agents. ThorStack does not access this data except as required to operate the deployment or as authorized by the customer.

3. How we use it

  • To respond to inquiries and route prospective customers to a sales engineer.
  • To provision, operate, monitor, and maintain deployments.
  • To investigate security incidents and detect abuse or unauthorized use.
  • To meet our contractual, legal, and regulatory obligations.
  • To improve the platform — using aggregated, non-identifying telemetry only. We never train shared AI models on customer data.

4. The website AI assistant

The ThorStack assistant on this site uses OpenAI (model: gpt-4o-mini) to answer questions about the platform. When you chat with the assistant:

  • Your messages are sent to OpenAI's API together with our product context. OpenAI processes the request under their API data usage policy: API inputs and outputs are not used to train OpenAI's models and are retained for up to 30 days for abuse monitoring.
  • We log assistant conversations on our servers for up to 90 days for quality monitoring. If you submit your contact details via the assistant, those details are stored for sales follow-up until you ask us to delete them.
  • The assistant cannot read or write to any ThorStack customer tenant.

5. Who we share with

We share personal data only with the sub-processors required to run our service. Current sub-processors include:

  • Cloud infrastructure — AWS, GCP, or the customer's own cloud (Sovereign tier).
  • OpenAI — for the website AI assistant only.
  • Anthropic, OpenAI, Google Vertex — inside customer deployments, when the customer chooses one as their LLM provider, or under their own API keys.
  • Cal.com — for meeting scheduling on the marketing site.
  • Resend — for transactional and marketing email.

A current sub-processor list is maintained at /dpa and is updated when new processors are added or removed.

6. International transfers

ThorStack operates infrastructure in multiple regions across North America, Europe, APAC, and Africa. Customers can pin their data to a specific region during onboarding. For transfers from the EU/UK to the US, we rely on Standard Contractual Clauses (SCCs) and supplementary measures.

7. Retention

  • Marketing website forms and chat transcripts: up to 90 days, longer if you become a customer or explicitly opt in.
  • Customer deployment data: retained according to the customer's configured retention policy. Default is indefinite while the contract is active; deleted within 30 days of contract termination.
  • Audit logs: 1 year on Studio, unlimited on Operator and Sovereign.
  • Backups: 30-day rolling retention by default.

8. Your rights

Depending on your jurisdiction (GDPR, NDPA, CCPA, and others), you may have the right to access, correct, delete, restrict, or port your personal data, and to withdraw consent or object to processing.

If your personal data lives inside a customer's ThorStack deployment, please direct your request to that customer first — they are the controller. We will support customers in fulfilling such requests.

For data we hold about you directly (marketing website), email privacy@thorstack.com and we'll respond within 30 days.

9. Security

ThorStack is SOC 2 Type II certified. We encrypt data in transit (TLS 1.2+) and at rest (AES-256). Per-tenant deployments use isolated databases and storage prefixes. Sovereign customers can bring their own KMS for encryption at rest. See /soc2 for our control summary and how to request the full audit report.

10. Cookies

The marketing website uses minimal first-party cookies to remember your preferences and to measure aggregate traffic. We do not set advertising cookies. You can disable cookies in your browser without losing site functionality.

11. Changes to this policy

We'll post material changes on this page and, where required, notify customers via the email on file at least 30 days before they take effect.
