Privacy policy
We try to be the kind of vendor we'd want to use ourselves. Short version: we collect only what we need to operate, we never sell your data, and you can export or delete it any time. The long version is below.
1. Who we are
usetheo ("we", "us") operates the website usetheo.dev and the products TheoCode, TheoCreate (`create-theo`), TheoKit, TheoCloud, TheoUI (`@usetheo/ui`), and TheoKit-SDK ("the service").
Our contact for any privacy matter is hello@usetheo.dev. For security incidents, use security@usetheo.dev.
2. What we collect
We collect only what we need to operate the service. We do not sell, rent, or trade your data.
Account data (when you sign up for TheoCloud or any account-gated product):
- Email address
- Name (if provided)
- Organization name (if applicable)
- Authentication tokens (hashed)
- OAuth provider IDs (e.g., GitHub) when you sign in with a third party
Deployment metadata (TheoCloud only):
- Git commit SHAs, branch names, commit messages
- Build logs (retained 30 days)
- Deployment configuration (`theo.yaml` and related)
- Runtime metrics (request counts, error rates, latency percentiles)
- Audit log entries (who deployed what, when)
Anonymous usage telemetry (opt-in, CLI and Desktop apps):
- CLI subcommand invoked (no arguments)
- Anonymized device ID
- Product version and OS family
- Crash reports (stack traces, no source-code content)
Communications:
- Emails you send us (subject, body, attachments)
- Discord messages in our public servers (subject to Discord's ToS)
- Contact form submissions
We do not collect: browsing history outside our own properties, advertising identifiers, biometric data, precise location, or content from your private repositories beyond what is required to build and deploy.
3. How we use it
We use the data we collect to:
- Provide and operate the service (deploys, builds, runtime, auth)
- Communicate operational issues (incidents, security advisories, breaking changes)
- Improve the product (aggregated metrics, debugging, customer support)
- Enforce our Terms (detecting abuse, fraud, or violations)
- Comply with legal obligations when required
We do not use your data for advertising, profiling unrelated to service operation, or training third-party AI models. The agents you run with TheoCode use the LLM provider you configure (Anthropic, OpenAI, Google, etc.) — we are not in that data path.
4. Legal bases (GDPR / UK GDPR)
For users in the EEA, UK, and Switzerland, we process personal data under these bases:
- Contract: we need the data to provide the service you signed up for
- Legitimate interests: improving the product, security, fraud prevention
- Consent: opt-in telemetry, marketing communications (where applicable)
- Legal obligation: tax records, lawful requests from authorities
5. Third parties (subprocessors)
We rely on a small set of subprocessors to run the service. Summary by category:
- Infrastructure: Cloudflare (CDN/DNS/edge), GitHub (source), Sigstore (image signing), plus a major US/EU hyperscaler and a container registry that are currently under NDA pending SOC 2 (named under MSA NDA on request)
- Email (Postmark) — transactional email
- Error tracking (Sentry) — exception monitoring
- Payments (Stripe) — subscription billing
- Identity (Auth0 / Clerk — final selection pre-GA, named on /sub-processors once locked)
- Analytics (Plausible, self-hosted EU) — privacy-preserving aggregate site traffic
The full public list with region and DPA status is published at /sub-processors and updated with 30-day advance notice on any change. Subscribe to /changelog for the history.
6. Cookies and similar technologies
On usetheo.dev we use:
- Strictly necessary cookies (session, CSRF, theme preference)
- No advertising cookies
- No cross-site tracking
The TheoCloud dashboard uses session cookies (httpOnly, Secure, SameSite=Lax) for authentication only. The CLI uses local config files in `~/.theo/` for tokens; no cookies are involved.
7. Data retention
We keep data for these periods:
- Account data: while your account is active, plus 90 days after closure
- Build logs: 30 days
- Audit logs: 1 year (or longer if required by law)
- Backups: 30 days rolling
- Anonymized telemetry: indefinite (aggregated, no PII)
Enterprise customers may negotiate custom retention periods under MSA.
8. International transfers
We may transfer personal data outside your country to provide the service. For EEA/UK personal data, transfers to the United States rely on Standard Contractual Clauses (SCCs) signed with each subprocessor.
If you require data residency in a specific region (EU-only, US-only), this is available under enterprise contracts. Contact us.
9. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to erasure" / "right to be forgotten")
- Restrict or object to processing
- Receive a portable copy of your data
- Withdraw consent (for any processing based on consent)
- Lodge a complaint with a supervisory authority
To exercise any of these rights, email hello@usetheo.dev. We respond to verifiable requests within 30 days. We do not charge for these requests unless they are repetitive or excessive.
10. Security
See our Security page for the technical controls in place. We do not currently hold SOC 2, ISO 27001, or HIPAA certifications — pursuit of these is on the roadmap when enterprise customers require it.
Report security issues to security@usetheo.dev. We acknowledge within 48 hours and triage within 5 business days.
11. Children
The service is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, contact hello@usetheo.dev and we will delete it.
12. Changes to this policy
We may update this policy as the service evolves or as legal requirements change. Material changes will be communicated by email (account holders) or a banner on usetheo.dev. The "Last updated" date above always reflects the current version.
13. Contact
Privacy questions: hello@usetheo.dev
Security incidents: security@usetheo.dev
Mail (for legally required notices): provided on request.