Throughline Legal
Privacy Policy
Effective May 26, 2026
1. Who this applies to
Smoke Signals AI, LLC (“Smoke Signals,” “we,” “us,” or “our”) operates Throughline, available at throughline.smokesignals.ai and through customer-configured custom domains. This Privacy Policy explains how we collect, use, and protect personal information when you visit our marketing site, create an account, use the Throughline product, or interact with microapps or content pages our customers publish through Throughline.
When you use Throughline as a customer, you are the controller of the personal information you upload, generate, or transmit through the Service, and we act as your processor. Our Data Processing Addendum is available on request at [email protected].
2. Information we collect
Information you provide. Name, email, password, billing details, organization, role, and any content you create or upload to the Service. Free-text answers you give us during onboarding (your use case, your role, whether you use HubSpot).
Information collected automatically. IP address, browser type, device characteristics, referring URL, pages viewed, time spent, clicks, errors, and similar usage data. We use first- and third-party cookies and similar technologies to remember your session, understand product usage, and measure marketing effectiveness.
Information from integrations. When you connect third-party services (HubSpot, Stripe, R2, etc.), we receive the data those services share with us based on the scopes you authorize. Specifically, when you connect HubSpot we can read contacts, companies, and lists, and write content and form submissions to your HubSpot portal.
Information from end users of customers’ published pages.If you visit a content page or microapp published by a Throughline customer, we collect basic analytics (page views, time on page) on the customer’s behalf. We also process any form submissions you make on those pages and pass them to the customer.
3. How we use information
- Provide, maintain, and improve the Service.
- Personalize onboarding, suggest features, and identify accounts that may be stuck so we can reach out.
- Process payments, prevent fraud, and meet legal obligations.
- Communicate with you about the Service, including account, security, and policy updates. Marketing communications, where permitted, with an opt-out in every message.
- Operate AI features. We send your inputs to large language model providers (currently Anthropic) to produce responses. We do not use your inputs or outputs to train our own models. The model providers’ use of inputs is governed by their own terms; Anthropic’s API explicitly does not train on customer inputs.
- Comply with law, enforce our terms, and protect our and others’ rights, property, and safety.
4. Legal bases (EEA, UK, Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases to process your personal data: performance of a contract (to provide the Service and account features), our legitimate interests (improving the product, securing it, and protecting it from abuse), consent (where we ask for it, e.g., for non-essential cookies), and compliance with legal obligations (tax, fraud, accounting).
5. How we share information
We share personal information only as described here. We do not sell personal information.
- Service providers (sub-processors). Companies that help us run the Service:
- Anthropic — large language model inference
- Voyage AI — embeddings for knowledge-base search
- HubSpot — when you connect your HubSpot portal
- Stripe — billing
- Resend — transactional email
- Railway — application hosting
- Cloudflare — CDN, custom-hostname routing
- AWS / Cloudflare R2 — file storage
- PostgreSQL — primary database (hosted on Railway)
- PostHog — product analytics (anonymized where possible)
- Customers, on their behalf.If you are an end user of a customer’s published page or microapp, we share the data you submit with that customer.
- Compliance & enforcement. When required by law, legal process, or to protect rights, property, or safety.
- Corporate transactions. In connection with a merger, acquisition, financing, reorganization, or sale of assets, we may share information with successors or advisors. We will give notice of any such transfer.
6. International transfers
We are based in the United States. If you are outside the U.S., your information will be transferred to and processed in the U.S. and other countries where our service providers operate. Where required, we rely on the European Commission’s Standard Contractual Clauses and equivalent UK and Swiss mechanisms to legitimize the transfer.
7. Data retention
We retain personal information for as long as we need it to provide the Service, meet our legal obligations, resolve disputes, and enforce our agreements. When you close your account, we will delete or anonymize personal information within 90 days, except where we are required to retain it (for example, for tax, accounting, or security records).
Customer Content is retained while your account is active and for a short window thereafter to allow recovery if you change your mind. Backups are rotated on a fixed schedule and may contain personal information for up to 90 days after deletion from the production database.
8. Your rights
Depending on where you live, you may have the right to:
- access the personal information we hold about you;
- correct inaccurate information;
- delete personal information, subject to legal exceptions;
- port your information in a structured, machine-readable format;
- object to or restrict certain processing, including direct marketing;
- withdraw consent where we rely on it; and
- lodge a complaint with a supervisory authority (in the EEA, your local Data Protection Authority).
To exercise any of these rights, contact us at [email protected]. If you use Throughline as a customer, requests from your end users should be directed to you; we will assist where required.
California residents: we do not sell or share personal information as those terms are defined under the CCPA / CPRA. You have the right to know, delete, correct, and opt out of automated decision-making. We do not knowingly collect personal information from anyone under 16.
9. Security
We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. These include encryption in transit (TLS) and at rest, role-based access controls, audit logging, and least-privilege production access. No system is perfectly secure; we cannot guarantee absolute security.
10. Cookies & tracking
We use cookies and similar technologies that are strictly necessary to run the Service (session cookies, CSRF tokens) and analytics cookies that help us understand how the Service is used. You can control non-essential cookies through your browser settings. We honor the Global Privacy Control (GPC) signal as an opt-out of sale or sharing for users in California and other jurisdictions that recognize it.
11. Children
Throughline is not directed to children under 16 and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here with a new effective date, and for material changes we will provide additional notice (for example, by email or a banner in the Service) before the changes take effect.
13. Contact us
Questions about this policy, our processing, or your rights:
Smoke Signals AI, LLC
32 Clelland Road, Lexington, MA 02421
[email protected]