Privacy Policy
This Privacy Policy explains what personal data Thinkr collects, how we use and share it, the AI providers that process your content, and the rights you have under Indonesian and international data protection law.
Last updated: 3 June 2026
1. Who we are and the scope of this policy
Thinkr is an AI workspace for product managers and product teams. Thinkr lets you generate product requirements documents (PRDs) and specs, receive AI critique of your specs, build a research notebook ("notebook" / "brain") from sources you upload, generate proposals and prototypes, and connect third-party integrations. Thinkr is a web application available through our marketing site at https://usethinkr.com and through the application, which runs on a separate application domain.
The Thinkr service is operated by Thinkr, based in the Republic of Indonesia ("Thinkr", "we", "us", or "our"). For the purposes of Indonesian Law No. 27 of 2022 on Personal Data Protection (Undang-Undang No. 27 Tahun 2022 tentang Pelindungan Data Pribadi, "UU PDP") and, where applicable, the EU/UK General Data Protection Regulation ("GDPR"), Thinkr is the data controller (under UU PDP, the Pengendali Data Pribadi) for the personal data described in this policy, except where we act as a processor on your behalf for content you put into the service (see Section 4).
This Privacy Policy applies to personal data we process when you:
- visit or interact with our marketing site;
- create an account and use the Thinkr application;
- purchase or manage a paid subscription; or
- contact us for support or to exercise your rights.
This policy does not cover third-party websites, products, or services that we link to or that you connect through integrations. Those are governed by their own privacy policies. Please read this policy together with our Terms of Service and Refund Policy, which together govern your use of Thinkr.
If you do not agree with this policy, please do not use Thinkr.
2. The personal data we collect
We collect the following categories of personal data. The specific data we hold about you depends on how you use Thinkr.
2.1 Account information
When you create an account we collect your name, email address, password (stored in hashed form), and, where applicable, your organisation or team name, your role, and the primary product-management tool you use (which helps us tailor onboarding and integrations). If you sign in through a third-party identity provider (for example, a single sign-on or Google login), we receive basic profile information from that provider as permitted by your settings there.
2.2 Billing information
When you purchase a paid subscription (Pro, Plus, or Max), payment is processed by Lemon Squeezy, which acts as the Merchant of Record for the transaction. Lemon Squeezy collects and processes your payment details — such as your card number, billing name, billing address, and tax/VAT identifiers. Thinkr does not collect or store your full payment card number. We receive from Lemon Squeezy only limited transaction data needed to provision and manage your subscription, such as your subscription tier, order and subscription identifiers, billing status, renewal dates, the last four digits and brand of your card, and your country for tax purposes. See Section 6 for more on Lemon Squeezy's role.
2.3 User-uploaded sources and content
When you use the notebook/brain, you upload sources and documents (for example, PDFs, text, research notes, links, and other files). We store these sources so that the notebook can reference them and so that you can return to them. You decide what to upload; please do not upload personal data of others, confidential information, or special-category data unless you have a lawful basis to do so.
2.4 Prompts and generated outputs
When you use AI features (PRD generation, critique, proposal generation, prototype generation, and similar), we process the prompts and instructions you provide, the sources and context you select, and the outputs the AI generates. These prompts and outputs are stored in your workspace so that your work persists and so you can edit, export, and revisit it.
2.5 Usage and analytics data
We collect information about how the service is used — for example, features accessed, actions taken, pages viewed, session timing, and aggregate engagement. On our marketing site we use Google Analytics 4 (GA4) to understand traffic and improve the site (see Section 9 on cookies and tracking).
2.6 Device and log data
Our servers and infrastructure automatically record technical data when you use Thinkr, including your IP address, browser type and version, device and operating system information, language settings, referring URLs, timestamps, and diagnostic or error logs. We use this data for security, troubleshooting, and to keep the service reliable.
2.7 Communications
If you contact us (for example, by email or through a support channel), we keep a record of that correspondence and any information you provide so we can respond and improve our support.
3. How we use your personal data
We use personal data for the following purposes:
- To provide the service — to create and maintain your account, store your sources and content, generate AI outputs from your prompts, and deliver the features of your subscription tier.
- To process payments and manage subscriptions — to provision your plan, recognise renewals and cancellations, and handle refund requests, working with Lemon Squeezy as Merchant of Record.
- To operate, secure, and improve Thinkr — to monitor performance, prevent fraud and abuse, debug, develop new features, and understand how the service is used in aggregate.
- To communicate with you — to send service and transactional messages (for example, billing notices, security alerts, and important changes), respond to your enquiries, and, where you have not opted out and where permitted, send product updates.
- To comply with law — to meet our legal, tax, accounting, and regulatory obligations, and to respond to lawful requests from authorities.
- To establish, exercise, or defend legal claims — where necessary to protect our rights, your safety, or the rights of others.
We do not sell your personal data. We do not use your private workspace content to advertise to you.
4. Legal bases for processing
We only process personal data where we have a lawful basis to do so. The bases below apply under the GDPR (for users in the EU, EEA, and UK) and under UU PDP (for processing subject to Indonesian law). UU PDP recognises broadly comparable bases, including consent, performance of a contract, compliance with legal obligations, protection of vital interests, performance of a task in the public interest or duty of the controller, and legitimate interests.
- Providing the service and your account — GDPR: performance of a contract (Art. 6(1)(b)). UU PDP: fulfilment of a contract / obligation.
- Processing payments and subscriptions — GDPR: performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax/accounting. UU PDP: contractual obligation; legal obligation.
- Sending AI prompts and content to LLM providers to generate outputs — GDPR: performance of a contract (Art. 6(1)(b)) — this is how the feature works. UU PDP: fulfilment of a contract you requested.
- Securing, maintaining, and improving the service; analytics — GDPR: legitimate interests (Art. 6(1)(f)). UU PDP: legitimate interests, balanced against your rights.
- Marketing communications and non-essential cookies — GDPR: consent (Art. 6(1)(a)) where required. UU PDP: consent.
- Complying with law and defending legal claims — GDPR: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)). UU PDP: legal obligation; legitimate interests.
Where we rely on consent (for example, certain analytics or marketing), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms, and you may object as described in Section 11.
In relation to your private workspace content (your uploaded sources, prompts, and generated outputs), we process this data on your behalf and on your instructions to operate the features you use. As between you and Thinkr, you are responsible for ensuring you have the right to upload and process the content you put into the service.
5. AI processing and sub-processors
Thinkr's core features depend on large-language-model (LLM) technology provided by third parties. To generate an output — such as a PRD, a critique, a proposal, or a prototype — we send the relevant prompts, instructions, and the content or sources you have selected to third-party LLM providers, currently Google (via the Google Gemini API), acting as our sub-processors. The provider processes that content and returns a generated result, which we store in your workspace.
What this means for your content
- Your selected content leaves Thinkr's systems and is processed by the LLM provider for the sole purpose of producing the output you requested.
- We choose providers that offer business or API terms designed to protect customer data. Under the API/business terms we rely on, your content is not used to train the providers' models. Providers may retain inputs and outputs for a limited period for abuse monitoring and to operate their service, after which they are deleted in accordance with the providers' terms. Their handling of your data is governed by their own agreements and privacy policies.
- Because LLM technology is probabilistic, AI output can be inaccurate, incomplete, or unsuitable, and is provided "as is". You are responsible for reviewing and verifying any output before relying on it. See our Terms of Service for the full disclaimer.
Please be mindful of what you submit
Because prompts and selected sources are sent to third-party providers, you should avoid submitting sensitive personal data, regulated data, secrets, or confidential information that you are not permitted to disclose to a sub-processor.
6. Sharing your personal data and our sub-processors
We share personal data only as described below. We do not sell your data.
Categories of recipients
- LLM providers (AI sub-processors) — currently Google (the Google Gemini API) — to generate the AI outputs you request (see Section 5).
- Lemon Squeezy (payments and Merchant of Record) — to process purchases, billing, invoicing, renewals, refunds, and the collection and remittance of sales tax, VAT, and GST. When you buy a paid plan, your contract for the payment is with Lemon Squeezy as the seller/reseller of record, while the Thinkr software service is provided to you by Thinkr. Lemon Squeezy collects your payment details directly; Thinkr does not store your full card data.
- Cloud hosting and infrastructure providers — to host the application, store your data, and run the service securely and reliably.
- Analytics providers — Google Analytics 4 on our marketing site to measure and improve traffic (see Section 9).
- Professional advisers and authorities — lawyers, accountants, auditors, and regulators or law-enforcement bodies, where required to comply with law or to protect our rights.
- In a business transfer — if Thinkr is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction, subject to this policy or a successor policy with equivalent protections.
All service providers that process personal data on our behalf do so under contracts that require them to safeguard the data and to use it only for the purposes we specify. An up-to-date list of our key sub-processors is available on request from privacy@usethinkr.com.
7. International data transfers
Thinkr is operated from the Republic of Indonesia, and our sub-processors (including LLM providers, payment, hosting, and analytics providers) may process personal data in countries other than your own, including outside Indonesia and outside the EU/EEA/UK. This means your personal data may be transferred to, and processed in, jurisdictions whose data-protection laws differ from those where you live.
Where we transfer personal data internationally, we take steps required by applicable law to ensure an adequate level of protection. For transfers subject to UU PDP, we transfer personal data outside Indonesia in line with the conditions of UU PDP — for example, where the receiving jurisdiction has an adequate level of protection, where appropriate safeguards are in place, or with your consent. For transfers subject to the GDPR, we rely on a lawful transfer mechanism such as an adequacy decision or the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Agreement or Addendum where relevant), together with supplementary measures where needed.
You may request more information about the safeguards we use by contacting us at privacy@usethinkr.com.
8. Data retention
We keep personal data only for as long as we need it for the purposes set out in this policy, and then delete or anonymise it.
- Account and workspace content (your sources, prompts, and generated outputs) is retained while your account is active. You can delete individual sources, content, and outputs at any time within the app. When you delete your account, we delete or anonymise your workspace content within a reasonable period, subject to routine backups that are overwritten on a rolling basis.
- Billing records (such as invoices and transaction records) are retained for as long as required to meet our tax, accounting, and legal obligations. Lemon Squeezy retains payment records under its own policies as Merchant of Record.
- Usage, analytics, and log data is retained for a limited period for security, troubleshooting, and product-improvement purposes, and is then deleted or aggregated.
- Support communications are retained for as long as needed to resolve your request and for a reasonable period afterwards.
We may retain certain data for longer where required by law or where necessary to establish, exercise, or defend legal claims.
9. Cookies and tracking
We and our providers use cookies and similar technologies to operate the service, remember your preferences, keep you signed in, and understand how the marketing site is used.
- Essential cookies are necessary to provide the service — for example, to authenticate you and keep your session secure. These cannot be turned off without breaking core functionality.
- Analytics cookies — on our marketing site we use Google Analytics 4 (GA4) to collect aggregated and pseudonymised statistics about visits, such as pages viewed, traffic sources, approximate location derived from IP address, and device type. Where required by law, we obtain consent before setting non-essential analytics cookies.
You can control cookies through your browser settings and, where offered, through a cookie or consent banner. Disabling some cookies may affect how the service works. To opt out of Google Analytics across sites, you can install the Google Analytics opt-out browser add-on. We do not respond to browser "Do Not Track" signals in a standardised way at this time.
10. Security
We take reasonable and appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. These measures include encryption of data in transit, access controls and authentication, hosting with reputable cloud-infrastructure providers, hashing of passwords, logging and monitoring, and limiting access to personal data to those who need it.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for the activity that occurs under your account. If we become aware of a personal-data breach that affects your rights, we will notify you and the relevant supervisory authority where and as required by UU PDP, the GDPR, and other applicable law. Please report any suspected security issue to privacy@usethinkr.com.
11. Your rights and how to exercise them
Subject to applicable law, you have rights over your personal data. Under UU PDP and the GDPR these include the right to:
- access the personal data we hold about you and obtain information about how it is processed;
- correct or update inaccurate or incomplete personal data;
- delete your personal data (the right to erasure / to be forgotten), subject to legal retention requirements;
- port your personal data — to receive it in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller;
- restrict or object to certain processing, including processing based on our legitimate interests and processing for direct marketing;
- withdraw consent at any time where we rely on consent, without affecting processing carried out before withdrawal;
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, where such a right applies; and
- lodge a complaint with a supervisory authority.
You can exercise many of these rights directly in the app — for example, by editing your profile, deleting sources and content, or deleting your account. To make any other request, contact us at privacy@usethinkr.com. We will respond within the timeframes required by applicable law. We may need to verify your identity before acting on a request, and in some cases we may be unable to fully comply (for example, where the law requires us to retain data). There is normally no charge to exercise your rights.
If you are in the EU/EEA or UK, you have the right to complain to your local data-protection authority. If you are in Indonesia, you may contact the relevant authority responsible for personal-data protection under UU PDP. We would, however, appreciate the chance to address your concerns first.
12. Children's privacy
Thinkr is a workplace product intended for business use by adults. It is not directed to children, and we do not knowingly collect personal data from children below the age of majority in their jurisdiction (and, in any event, not below the minimum age required to consent to data processing under applicable law, such as 16 under the GDPR unless a lower national age applies). If you believe a child has provided us with personal data, please contact us at privacy@usethinkr.com and we will take steps to delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the service. When we make material changes, we will update the "Effective date" below and, where appropriate, notify you by email or through the service before the changes take effect. We encourage you to review this policy periodically. Your continued use of Thinkr after an update takes effect constitutes acceptance of the revised policy, to the extent permitted by law.
14. Contact us
If you have questions about this Privacy Policy or how we handle your personal data, or if you wish to exercise your rights, please contact us:
- Data protection / privacy requests: privacy@usethinkr.com
- General and support enquiries: support@usethinkr.com
- Operator: Thinkr (Republic of Indonesia)
Effective date: 3 June 2026