Privacy Policy
Effective April 16, 2026 · Last updated April 16, 2026
The short version: ThreadLight is an SMS-based peer support platform for the neurodivergent community. We collect what you share with us in conversation and use it to help you — never to target you with ads, never to sell to data brokers, and never without your ability to delete it. Our business model is provider referrals, which we describe transparently below. You can request full deletion of your data at any time by texting DELETE.
Who We Are
ThreadLight is operated by ThreadLight AI. Our platform connects autistic adults, caregivers, and families with peer support, curated resources, and vetted service providers, through an AI assistant called Elia that communicates via SMS.
Elia is an artificial intelligence, not a human. It is not a therapist, medical provider, or crisis counselor. When you text ThreadLight, you are communicating with an AI system powered by Anthropic's Claude API.
What We Collect
We collect information through your SMS conversations with Elia. Here is what we store and why:
| Data | Why | How stored |
|---|---|---|
| Phone number | Your identity on the platform — used to send and receive messages | Never stored in plain text. We store a cryptographic hash (for lookup) and an encrypted copy (for outbound messaging). The raw number exists nowhere in our systems. |
| Messages | Powering your conversations with Elia and extracting memories so Elia remembers your context | Encrypted in transit and at rest. Raw message content is retained for 77 days, then permanently redacted. See Data Retention below. |
| Memories | Structured facts extracted from conversations (e.g., "user's son has auditory sensitivities") so Elia doesn't ask the same questions twice | Stored as structured records tied to your account. Retained while your account is active. Deleted on account deletion. |
| Profile information | Your relationship to autism, location (city/state), communication preferences | Stored as structured fields. Used for matching and to tailor Elia's tone. Deleted on account deletion. |
| Connection records | Tracking peer connections you've consented to, including consent status and feedback | Stored as structured records. Anonymized on account deletion. |
| Insurance information | Matching you to providers who accept your insurance (only collected when you request provider help) | Encrypted at rest. Deleted on account deletion. Never shared with other users. |
| Analytics events | Understanding how the platform is used and where it can improve | Tracked via PostHog using an anonymous internal ID — never your phone number. Events include things like "user completed onboarding" or "connection accepted," not the content of your conversations. |
How We Use Your Data
Your data is used for these purposes and no others:
- Conversation: Powering your interactions with Elia, including loading relevant memories so Elia has context.
- Peer matching: Identifying potential peer connections based on shared context. No connection is made without your explicit consent.
- Resource recommendations: Surfacing relevant resources from our curated library based on your situation.
- Provider matching: When you request help finding a provider, matching you to vetted providers based on type, location, insurance, and availability. If you consent to a specific provider connection, that provider receives the minimum information needed to reach you. See How ThreadLight Is Funded below.
- Quality improvement: Using aggregated, anonymized patterns from conversations to identify product gaps and improve the platform. This analysis never includes your name, phone number, or any personally identifiable information.
- Safety: Detecting crisis signals and routing to appropriate crisis resources when needed.
What we never do with your data
- We never sell your data to data brokers, advertising networks, or marketing companies.
- We never use your data to target you with advertising. ThreadLight doesn't run ads, sell ad space, or enrich profiles for ad targeting on any platform.
- We never share your personal information with other users without your explicit consent.
- We never share information with providers without your explicit consent to a specific connection (see below).
- We never use your conversations to train AI models. (Anthropic's Claude API, which powers Elia, does not use API customer data for model training.)
How ThreadLight Is Funded
We want to be straightforward about how the platform pays for itself, because your data is involved.
When you ask Elia to connect you with a service provider (a therapist, SLP, OT, tutor, dentist, etc.) and you consent to the specific introduction, the provider pays ThreadLight a referral fee for that connection. The provider receives only the minimum information needed to reach you — typically your first name and phone number, plus the category of support you asked about — and only for the specific connection you have approved.
This is how the platform is funded. We are disclosing it here so there is no confusion:
- Provider referrals are a transaction between ThreadLight and the provider, made on your explicit consent.
- Your phone number and relevant context are shared with a provider only after you actively request provider help and consent to that specific connection.
- Your phone number and data are not sold to data brokers, lead aggregators, list compilers, or any third party outside the scope of a connection you have asked for.
- Peer connections (community members, not paid providers) never involve payment. Those are free and consent-based.
- Free resources (nonprofits, support groups, publicly funded services) are shown alongside paid providers and do not generate referral fees.
If you do not want your information shared with any provider, do not request provider help, or decline the consent prompt when it appears. You can use ThreadLight for peer connections and free resources without any provider introductions being made.
Data Retention
We retain different types of data for different periods, based on what's necessary for the platform to function. All retained data is stored in our primary database on Prisma Postgres (db.prisma.io), where it is encrypted at rest.
| Data type | Retention period |
|---|---|
| Raw message content | 77 days. After 77 days, the text of your messages is permanently redacted. Message metadata (timestamp, type) is preserved without content. |
| Structured memories | Retained while your account is active. Deleted immediately upon account deletion. |
| Profile and insurance data | Retained while your account is active. Deleted immediately upon account deletion. |
| Connection records and feedback | Retained while your account is active. Anonymized (your identity removed) upon account deletion. |
| Anonymized analytical data | Up to 333 days. This data has all identifying information removed and cannot be linked back to you. |
| Aggregated product intelligence | Retained indefinitely. This is fully aggregated data (e.g., "12 users asked about autism-friendly dentists in April 2026") that contains no personal information. |
Data Deletion
You can request full deletion of your personal data at any time by texting DELETE to the ThreadLight number. Upon confirmation:
- Your profile, memories, messages, insurance data, and sensory profiles are permanently deleted.
- Your phone number hash is retained only to prevent re-registration conflicts — it cannot be used to contact you or identify you.
- Active peer connections involving your account are ended.
- Connection feedback you provided is anonymized (your identity removed, aggregate ratings preserved).
- Deletion is atomic — either everything is deleted or nothing is. There is no partial state.
Deletion is permanent and irreversible. If you text the ThreadLight number after deleting your data, you will be treated as a new user.
Third-Party Services
ThreadLight uses the following third-party services to operate. Each processes some of your data as described:
| Service | Purpose | What they receive |
|---|---|---|
| Twilio | SMS messaging infrastructure | Your phone number and message content (required to send/receive SMS). Twilio retains message records per their retention policy. Upon account deletion, we request deletion of your Twilio message history. |
| Anthropic (Claude API) | AI conversation processing | Your message content and relevant memories are sent to Anthropic's Claude API to generate Elia's responses. Anthropic retains API inputs/outputs for up to 30 days for trust and safety purposes. Anthropic does not use API customer data for model training. |
| Prisma Postgres | Primary database hosting | All structured user data — profiles, memories, messages, connection records, insurance data — is stored on Prisma Postgres (db.prisma.io). Data is encrypted at rest and accessible only via authenticated database connections from the ThreadLight application. |
| PostHog | Product analytics | Anonymous usage events identified by an internal ID — never your phone number or message content. Events track platform usage patterns, not conversation content. |
| Render | Application hosting | The ThreadLight application (API and web services) runs on Render's infrastructure. Traffic is encrypted via TLS in transit. |
| Vetted providers | Service delivery (only when you consent to a connection) | When you consent to a specific provider connection, the provider receives only the minimum information needed to reach you: typically first name, phone number, and the category of support requested. See How ThreadLight Is Funded above. |
Anthropic uses Amazon Web Services (AWS) as a subprocessor for their API infrastructure.
How We Protect Your Data
- Phone numbers are never stored in plain text. We use HMAC-SHA256 hashing for lookups and AES-256-GCM encryption for outbound messaging.
- Insurance data is encrypted at rest using the same standard as phone numbers.
- All data is encrypted in transit (TLS) and at rest.
- Analytics events are keyed to anonymous internal IDs, never phone numbers or personal identifiers.
- Anonymized data is stored in separate tables with no technical path back to your user record.
Your Rights Under California Law (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know: You can request a summary of what personal information we have collected about you. Contact us at the address below.
- Right to delete: You can request deletion of your personal data by texting DELETE or contacting us directly.
- Right to opt out of sale: ThreadLight does not sell your personal information to data brokers or third parties outside the scope of a provider connection you've explicitly consented to. If you do not want any of your information shared with a provider, you can simply decline the consent prompt when it appears, or avoid requesting provider help.
- Right to non-discrimination: We will never treat you differently for exercising your privacy rights. Your experience on the platform is the same regardless of any privacy choices you make.
SMS and TCPA Compliance
ThreadLight communicates via SMS. By texting our number and confirming your age, you consent to receive SMS messages from us. You can opt out at any time:
- Text STOP to stop all messages. We will not reply (as required by law) and will not send you any further messages.
- Text START to resume messages at any time.
- Standard message and data rates from your carrier may apply.
Children
ThreadLight is for users 18 years of age and older. We verify age at the point of first contact. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a minor, we will delete it immediately.
Parents and caregivers who are 18 or older may use the platform on behalf of their children — they are the user, not the child.
AI Disclosure
Elia is an artificial intelligence assistant. It is not a human. When you text ThreadLight, you are communicating with an AI system. Elia identifies itself as an AI at the beginning of each session.
Elia is not a therapist, doctor, counselor, or crisis line. It does not provide medical diagnoses, treatment plans, or clinical advice. When Elia detects signs of crisis, it surfaces contact information for human crisis services — it does not attempt to provide crisis intervention itself.
Changes to This Policy
We may update this privacy policy as our practices or legal requirements evolve. When we make material changes, we will notify active users via SMS and update the effective date at the top of this page. Your continued use of the platform after notification constitutes acceptance of the updated policy.
Contact Us
If you have questions about this privacy policy, your data, or your rights, contact us at:
ThreadLight AI
Email: privacy@threadlight.org
Philadelphia, PA