Privacy Policy

This Privacy Policy explains how Superphonic LLC (“Superphonic,” “we,” “us”) collects, uses, shares, and protects information when you use Thankverse (the “Service”). It is written for a global audience and reflects our obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), among other laws.

1. Who we are

Superphonic LLC is a Washington limited liability company headquartered in Bellevue, Washington, USA. For any privacy question or request, contact us at info@thankverse.org. Superphonic is the data controller for personal data processed through the Service.

2. What Thankverse is

Thankverse is a service for writing, sending, and keeping thank-you messages (“thanks”). You can send a thanks to someone by email, receive thanks others have sent to you, and (subject to product settings) view a public wall of thanks shared across the community.

3. Information we collect

Information you provide

• Account information: the email address you sign in with and a display name you choose. Display names are sanitized (control characters removed, whitespace collapsed, length capped) before being stored.
• Thanks you send: the recipient’s email address and the message content you compose.
• Thanks addressed to you: messages other people send to your email address are associated with your account when you sign in with that address.
• Reactions and replies you leave on thanks.

Google Contacts (optional, client-side only)

When writing a thanks, you may click “Load Google contacts” to populate a typeahead on the recipient field. If you do, your browser — not our servers — requests read-only access to your Google contacts (both your saved contacts and the auto-saved contacts Google keeps from your Gmail correspondents) and calls Google’s People API directly. The resulting list is cached in your browser’s sessionStorage (cleared when you close the tab) so the dropdown survives navigating between pages. We never receive your contacts, never store them on our servers, and never see anyone in the list other than the single recipient you choose to send a thanks to. You can revoke our access at any time at myaccount.google.com/permissions, and you can clear the in-browser cache immediately using the “clear” link shown next to the recipient field.

Information collected automatically

• Operational logs: IP address, user agent, and basic request metadata collected by our hosting and database providers to operate and secure the Service.
• Error data: when our error reporting is configured, technical error information (stack traces, request context with sensitive fields scrubbed) is sent to Sentry. Message bodies and recipient email addresses are scrubbed before any error event leaves our infrastructure.

4. How we use your information

• To deliver thanks via email (through our email provider, Resend).
• To render the public wall of thanks. Sender and recipient personally identifying information is never exposed on the public wall.
• To operate authentication, including magic-link sign-in.
• To enforce rate limits and prevent abuse.
• To send abuse reports to our internal review inbox.
• To debug, secure, and improve the Service.

5. The email body invariant

Outbound email we send to users contains only a short teaser of a thanks, never the full message. The full content of a thanks is rendered only on the Service itself, behind a signed link. This is a deliberate privacy property of the product: the full message body does not sit in your email provider’s servers.

6. Third-party processors

We use a small number of sub-processors to operate the Service. Each acts only on our instructions and is bound by appropriate contractual safeguards.

• Supabase — authentication and database hosting (United States).
• Resend — transactional email delivery.
• Sentry — error reporting (only when configured for the environment).

We do not sell your personal information, and we do not share it with advertisers or data brokers.

7. Cookies and similar technologies

Thankverse uses only essential cookies required for authentication and session management. We do not use advertising cookies, and we do not track you across other websites.

8. Public content

Content shown on the public wall is intentionally public. Please do not include private, sensitive, or confidential information in a thanks you write — recipients and others may see it.

9. Data retention and account deletion

We retain your account and the data associated with it until you ask us to delete it. We do not auto-delete inactive accounts.

When you delete your account, we erase your name, email address, and authentication record. Thanks you have already sent remain visible to their recipients and on the public wall, but are pseudonymized so that they are no longer linked to you (they appear as authored by a “former member”). We retain that delivered content because the recipients of those thanks have a legitimate interest in keeping the messages they were sent — the same way a paper thank-you card remains with its recipient even if the sender is no longer reachable. This processing is grounded in our and the recipient’s legitimate interests under Article 6(1)(f) of the GDPR and falls within the exception in Article 17(1)(c). Per-message redaction is not currently offered; deleting your account is the available path.

10. Your rights

Depending on where you live, you may have the following rights with respect to your personal data:

• EU / UK (GDPR / UK GDPR): the right to access, rectify, erase (subject to the pseudonymization carveout described above), restrict processing, port your data, object to processing, and withdraw consent at any time. You also have the right to lodge a complaint with your local data protection supervisory authority.
• California (CCPA): the right to know what personal information we collect, to delete it, to correct it, and to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information.

To exercise any of these rights, email info@thankverse.org. We will respond within the time required by applicable law.

11. International data transfers

The Service is operated from the United States, and personal data is processed there. When personal data is transferred from the EU, UK, or other regions to the United States, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) with our sub-processors.

12. Children

Thankverse is intended for users aged 13 and older. If you are in the European Economic Area or the United Kingdom, you must be at least 16 to use the Service. We do not knowingly collect personal information from children below those ages. If you believe a child has provided us with personal information, contact info@thankverse.org and we will delete it.

13. Security

We protect personal data using transport encryption, row-level security on user data, signed time-limited tokens for sensitive links, database-level safeguards that prevent unauthorized modification of immutable fields, and an internal abuse review process. No system is perfectly secure, but we work to keep your information safe.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will let active account holders know by email and post a notice on the Service before the changes take effect.

15. Contact us

Questions, comments, or requests? Reach us at info@thankverse.org.