Privacy Policy
Effective June 12, 2026 · Last updated June 12, 2026
The short version: ThreadLight is an SMS-based peer support platform and provider directory for the neurodivergent community. We collect what you share with us in conversation and use it to help you, never to sell to data brokers, and never without your ability to delete it. ThreadLight is funded by provider listing subscriptions and optional, clearly-labeled sponsored placements — we don't sell your data, build ad-targeting profiles, or take referral fees. You can request full deletion of your data at any time by texting DELETE.
Who We Are
ThreadLight is operated by ThreadLight AI. Our platform connects autistic adults, caregivers, and families with peer support, curated resources, and vetted service providers, through an AI assistant called Elia that communicates via SMS.
Elia is an artificial intelligence, not a human. It is not a therapist, medical provider, or crisis counselor. When you text ThreadLight, you are communicating with an AI system powered by Anthropic's Claude API.
What We Collect
We collect information through your SMS conversations with Elia. Here is what we store and why:
| Data | Why | How stored |
|---|---|---|
| Phone number | Your identity on the platform, used to send and receive messages | Never stored in plain text. We store a cryptographic hash (for lookup) and an encrypted copy (for outbound messaging). The raw number exists nowhere in our systems. |
| Messages | Powering your conversations with Elia and extracting memories so Elia remembers your context | Encrypted in transit and at rest. Raw message content is retained for 77 days, then permanently redacted. See Data Retention below. |
| Memories | Structured facts extracted from conversations (e.g., "user's son has auditory sensitivities") so Elia doesn't ask the same questions twice | Stored as structured records tied to your account. Retained while your account is active. Deleted on account deletion. |
| Profile information | Your relationship to autism, location (city/state), communication preferences | Stored as structured fields. Used for matching and to tailor Elia's tone. Deleted on account deletion. |
| Connection records | Tracking peer connections you've consented to, including consent status and feedback | Stored as structured records. Anonymized on account deletion. |
| Analytics events | Understanding how the platform is used and where it can improve | Tracked via PostHog using an anonymous internal ID, never your phone number. Events include things like "user completed onboarding" or "connection accepted," not the content of your conversations. |
We do not maintain a separate store of insurance details. If you mention something like an insurance carrier while searching for a provider, it is simply part of your conversation with Elia and is handled like any other message (retained 77 days, then redacted).
How We Use Your Data
Your data is used for these purposes and no others:
- Conversation: Powering your interactions with Elia, including loading relevant memories so Elia has context.
- Peer matching: Identifying potential peer connections based on shared context. No connection is made without your explicit consent.
- Resource recommendations: Surfacing relevant resources from our curated library based on your situation.
- Finding providers: When you ask for help, surfacing relevant listings from our directory of vetted providers based on what you're looking for (type, location, and any criteria you mention). We share nothing with a provider unless you choose to contact them. See How ThreadLight Is Funded below.
- Quality improvement: Using aggregated, anonymized patterns from conversations to identify product gaps and improve the platform. This analysis never includes your name, phone number, or any personally identifiable information.
- Safety: Detecting crisis signals and routing to appropriate crisis resources when needed.
What we never do with your data
- We never sell your data to data brokers, advertising networks, or marketing companies.
- We never share your personal information with other users without your explicit consent.
- We never share your information with a provider unless you choose to contact that provider (see below).
- We never use your conversations to train AI models. (Neither Anthropic's Claude API nor OpenAI's API — which we use for Elia's responses and for matching vectors — uses customer API data for model training.)
How ThreadLight Is Funded
We want to be straightforward about how the platform pays for itself, because your data is involved.
ThreadLight is a directory funded two ways: providers pay a flat monthly subscription ($25/month per live listing) to be listed, and may optionally bid for a sponsored placement — at most one of every three results, clearly labeled as sponsored and charged only when a subscriber clicks. We are disclosing this here so there is no confusion:
- We do not charge per-referral fees, and we do not sell your phone number or information to providers, data brokers, lead aggregators, or any third party.
- Sponsored placements never use your personal data to target you. Eligibility is based on our affirming-care standard and how well a provider matches what you searched for — not on profiling you — and sponsored results are always clearly labeled.
- We share your information with a provider only when you choose to contact them. For a phone listing, that means your phone number is shared with that provider's contact line when you take the step of reaching out. For a website listing, you are sent to the provider's own site and we share nothing.
- Peer connections (community members, not paid providers) never involve payment. Those are free and consent-based.
- Free resources (nonprofits, support groups, publicly funded services) are shown alongside paid listings and pay nothing.
If you do not want your information shared with any provider, simply don't contact one. You can use ThreadLight for peer connections, free resources, and browsing provider listings without any of your information being shared.
Data Retention
We retain different types of data for different periods, based on what's necessary for the platform to function. All retained data is stored in our primary database, a managed Render Postgres database, where it is encrypted at rest.
| Data type | Retention period |
|---|---|
| Raw message content | 77 days. After 77 days, the text of your messages is permanently redacted. Message metadata (timestamp, type) is preserved without content. |
| Structured memories | Retained while your account is active. Deleted immediately upon account deletion. |
| Profile data | Retained while your account is active. Deleted immediately upon account deletion. |
| Connection records and feedback | Retained while your account is active. Anonymized (your identity removed) upon account deletion. |
| Anonymized analytical data | Up to 333 days. This data has all identifying information removed and cannot be linked back to you. |
| Aggregated product intelligence | Retained indefinitely. This is fully aggregated data (e.g., "12 users asked about autism-friendly dentists in April 2026") that contains no personal information. |
Data Deletion
You can request full deletion of your personal data at any time by texting DELETE to the ThreadLight number. Upon confirmation:
- Your profile, memories, messages, and sensory profiles are permanently deleted.
- Your phone number hash is retained only to prevent re-registration conflicts. It cannot be used to contact you or identify you.
- Active peer connections involving your account are ended.
- Connection feedback you provided is anonymized (your identity removed, aggregate ratings preserved).
- Deletion is atomic: either everything is deleted or nothing is. There is no partial state.
Deletion is permanent and irreversible. If you text the ThreadLight number after deleting your data, you will be treated as a new user.
Third-Party Services
ThreadLight uses the following third-party services to operate. Each processes some of your data as described:
| Service | Purpose | What they receive |
|---|---|---|
| Twilio | SMS messaging infrastructure | Your phone number and message content (required to send/receive SMS). Twilio retains message records per their retention policy. Upon account deletion, we request deletion of your Twilio message history. |
| Anthropic (Claude API) | AI conversation processing | Your message content and relevant memories are sent to Anthropic's Claude API to generate Elia's responses. Anthropic retains API inputs/outputs for up to 30 days for trust and safety purposes. Anthropic does not use API customer data for model training. |
| OpenAI | Vector embeddings for matching and search | Text derived from your conversations and profile (such as extracted memories) is sent to OpenAI's embeddings API to produce the vector representations used for matching and search. OpenAI does not use API data to train its models and retains it only briefly (generally up to 30 days) for abuse monitoring. |
| Stripe | Provider subscription billing | Used only for providers who pay for a listing, not for members. Stripe processes the provider's payment card, billing email, and billing address. Member message content is never sent to Stripe. |
| Render Postgres | Primary database hosting | All structured user data (profiles, memories, messages, connection records) is stored in a managed Render Postgres database. Data is encrypted at rest and accessible only via authenticated database connections from the ThreadLight application. |
| PostHog | Product analytics | Anonymous usage events identified by an internal ID, never your phone number or message content. Events track platform usage patterns, not conversation content. |
| Render | Application hosting | The ThreadLight application (API and web services) runs on Render's infrastructure. Traffic is encrypted via TLS in transit. |
| Listed providers | Service delivery (only when you choose to contact one) | When you choose to contact a phone-based listing, the provider's contact line receives your phone number so they can respond. For website listings, you are sent to the provider's own site and we share nothing. See How ThreadLight Is Funded above. |
Anthropic uses Amazon Web Services (AWS) as a subprocessor for their API infrastructure.
How We Protect Your Data
- Phone numbers are never stored in plain text. We use HMAC-SHA256 hashing for lookups and AES-256-GCM encryption for outbound messaging.
- All data is encrypted in transit (TLS) and at rest.
- Analytics events are keyed to anonymous internal IDs, never phone numbers or personal identifiers.
- Anonymized data is stored in separate tables with no technical path back to your user record.
Your Rights Under California Law (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know: You can request a summary of what personal information we have collected about you. Contact us at the address below.
- Right to delete: You can request deletion of your personal data by texting DELETE or contacting us directly.
- Right to opt out of sale: ThreadLight does not sell your personal information. We share your information with a provider only when you choose to contact them; if you don't want anything shared, simply don't contact a provider.
- Right to non-discrimination: We will never treat you differently for exercising your privacy rights. Your experience on the platform is the same regardless of any privacy choices you make.
SMS and TCPA Compliance
ThreadLight communicates via SMS. By texting our number and confirming your age, you consent to receive SMS messages from us. You can opt out at any time. Full messaging terms are in our Terms of Service.
- Text STOP to stop all messages. We will not reply (as required by law) and will not send you any further messages.
- Text START to resume messages at any time.
- Standard message and data rates from your carrier may apply.
Children
ThreadLight is for users 18 years of age and older. We verify age at the point of first contact. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a minor, we will delete it immediately.
Parents and caregivers who are 18 or older may use the platform on behalf of their children. They are the user, not the child.
AI Disclosure
Elia is an artificial intelligence assistant. It is not a human. When you text ThreadLight, you are communicating with an AI system. Elia identifies itself as an AI at the beginning of each session.
Elia is not a therapist, doctor, counselor, or crisis line. It does not provide medical diagnoses, treatment plans, or clinical advice. When Elia detects signs of crisis, it surfaces contact information for human crisis services. It does not attempt to provide crisis intervention itself.
Changes to This Policy
We may update this privacy policy as our practices or legal requirements evolve. When we make material changes, we will notify active users via SMS and update the effective date at the top of this page. Your continued use of the platform after notification constitutes acceptance of the updated policy.
Contact Us
If you have questions about this privacy policy, your data, or your rights, contact us at:
ThreadLight AI
Email: hello@threadlight.ai
Philadelphia, PA