Privacy Policy

Effective Date: March 26, 2026

This Privacy Policy describes how Marketplace Central ("ThoughtBox," "we," "us," or "our") collects, uses, and protects your information when you use the web application at thoughts.thoughtbox.ai and related services (collectively, the "Service").

1. Information We Collect

Information You Provide

Account Information: Name and email address from your authentication provider (Amazon Cognito).
Preferences: Display name, default AI provider, default email/contacts provider, and other settings you configure.
Content You Create: Conversations with the AI assistant, files you upload or create, and notes the AI saves on your behalf.

Information from Connected Third-Party Accounts

When you connect a third-party account (Google, Microsoft, Dropbox, Box), we access only the data and services you explicitly authorize:

Google: File metadata and content from Google Drive (read-only), contacts and organizational directory (read-only), and the ability to send email via Gmail on your behalf.
Microsoft: File metadata and content from OneDrive (read-only), contacts (read-only), and the ability to send email via Outlook on your behalf.
Dropbox: File metadata and content (read-only).
Box: File metadata and content.

We access this data only to provide the features you use. We do not use your third-party data for advertising, profiling, or any purpose unrelated to the Service.

Information Collected Automatically

Usage Data: Actions you take within the Service (conversations started, files accessed, features used), stored in activity logs associated with your account.
Server Logs: Standard web server request logs including IP address, browser type, and request timestamps, retained for operational and security purposes.

2. How We Use Your Information

We use your information solely to:

Provide, operate, and improve the Service.
Execute actions you request (browsing files, sending emails, searching contacts, analyzing documents).
Maintain your preferences and conversation history.
Authenticate your identity and secure your account.
Communicate with you about the Service (security notices, service updates).

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

3. AI Processing

When you interact with the AI assistant, your messages and relevant context (connected files, contacts) are sent to AI model providers (Amazon Bedrock, or a provider you select such as OpenAI, Anthropic, or Google AI) to generate responses. We do not use your conversations or data to train AI models. Your interactions are processed in real time and not retained by the AI provider beyond the duration of the request.

4. Data Storage and Security

Conversations and user data are stored in an encrypted Amazon Aurora database.
Files you create are stored in Amazon S3 with server-side encryption.
OAuth tokens for connected third-party accounts are encrypted at rest using AWS Secrets Manager or application-level encryption before storage.
Data in transit is encrypted via TLS (HTTPS) for all connections.
Access to infrastructure is restricted to authorized personnel and secured with IAM policies, VPC isolation, and audit logging.

5. Third-Party Services

The Service integrates with third-party providers to deliver its features:

Provider	Purpose	Data Shared
Amazon Web Services (Cognito)	Authentication	Email, name
Amazon Bedrock	AI processing	Conversation content
Google APIs	Drive, Gmail, Contacts	As authorized by you
Microsoft Graph	OneDrive, Outlook, Contacts	As authorized by you
Dropbox API	File storage	As authorized by you
Box API	File storage	As authorized by you

Each provider is governed by their own privacy policy. We encourage you to review them.

6. Data Retention

Account data and conversation history are retained for as long as your account is active.
Connected account tokens are retained until you disconnect the account or delete your account.
Server logs are retained for up to 90 days.
Upon account deletion, your data is permanently removed from our systems within 30 days, except where retention is required by law.

7. Your Rights

You may at any time:

Disconnect any third-party account from the Connections page, immediately revoking our access.
Delete individual conversations from the chat interface.
Request deletion of your account and all associated data by contacting us at support@thoughtbox.ai.
Access your data by exporting conversations and files through the Service.

If you are located in the European Economic Area (EEA), you may also exercise rights under the GDPR including the right to access, rectification, portability, and erasure by contacting us.

8. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy or our data practices, contact us at support@thoughtbox.ai.

1. Information We Collect​

Information You Provide​

Information from Connected Third-Party Accounts​

Information Collected Automatically​

2. How We Use Your Information​

3. AI Processing​

4. Data Storage and Security​

5. Third-Party Services​

6. Data Retention​

7. Your Rights​

8. Children's Privacy​

9. Changes to This Policy​

10. Contact​