Privacy policy

Your deal data is yours.

How Thread by Heft IQ collects, uses, and protects information. Last updated June 11, 2026.

The short version

We store the data your organisation puts into Thread — prospects, deals, team-member activity, debriefs, tenant offerings, ICP notes, imported CRM records, documents, and generated sales collateral — on infrastructure we run for you. We do not sell it, we do not use it for advertising, we do not train shared AI models on it, and we do not mix it with other tenants’ data. The learning Thread surfaces is scoped to your own organisation.

Who controls the data

In most customer workspaces, your company is the controller of the prospect, customer, employee, and CRM data you choose to put into Thread. Heft IQ acts as a processor/service provider for that workspace and uses the data only to provide, secure, and improve Thread for your organisation.

If you are a prospect, partner, or team member of a Thread customer, that customer may control the business records about you in their workspace. We will route privacy requests about that data to the customer’s admin when required.

Data we collect

  • Account info — name, email, organisation, signup intent. Captured when you create an account.
  • Workspace content — deals, debriefs, prospects, partner records, buyer maps, practice runs, documents, calls/notes you upload, contacts you add, and tenant-specific offerings/ICP context. This is the data you actively put into Thread or generate inside Thread.
  • CRM and import data — records you import from HubSpot or spreadsheets, including company/contact fields, deal metadata, owner fields, lifecycle stages, and import audit outcomes.
  • Public research signals — for accounts you tell us to research, we fetch publicly available information (websites, LinkedIn profiles, news). We cache these results in your tenant.
  • Usage telemetry — basic logs of which features are used, import/run outcomes, notification events, error reports, and performance metrics. Used to keep the product reliable and understandable for admins.
  • Billing — if you subscribe, payment is processed by a PCI-focused billing provider. We never see or store full card numbers.

How we use it

Strictly to operate Thread for your team: render your dashboard, run your AI-assisted research and generation against your tenant context, import or reconcile CRM records, send notifications you opt into, and provide learning within your org. Your debriefs, practice runs, and deal outcomes improve your organisation’s memory — not a shared cross-customer model.

We do not sell personal data. We do not share it with advertisers. We do not feed it into third-party AI training pipelines.

AI and generated content

Thread uses AI to help with account research, deal briefs, one-pagers, outbound drafts, buyer-map suggestions, practice coaching, and similar workflows. Prompts are built from the data available inside your tenant and, where relevant, public research collected for the account you asked Thread to work on.

We do not allow a provider to train general-purpose models on your tenant data. Generated output remains part of your workspace and should be reviewed by your team before external use, especially when it contains facts, recommendations, or regulated claims.

Integrations and CRM imports

If an admin connects HubSpot, Thread stores the OAuth tokens needed to perform the import/sync actions the admin requests. Imported records keep a HubSpot reference so future runs can detect duplicates, skip unchanged records, and maintain an audit trail of what was created, updated, skipped, or flagged for review.

Thread is designed so teams can prospect and manage active pipeline in Thread while keeping HubSpot clean. We only send data back to connected systems when the workspace is configured to do so or when an authorised user initiates that action.

Subprocessors and service providers

Thread uses carefully selected service providers to operate the product, including infrastructure, authentication, billing, customer-authorised CRM connectivity, AI processing, notifications, public-web research, background processing, and reliability monitoring.

We avoid publishing a full implementation map on the public website. Customers and security reviewers can review maintained subprocessor details, policies, and available artifacts through the Heft IQ Trust Center or by contacting privacy@heftiq.com.

Tenant isolation

Tenant-owned records are isolated at the data layer. Every tenant-owned record carries a tenant identifier, and application reads/writes are scoped to the requesting tenant. Cohort insights, research facts, decision traces, practice-run scorecards, HubSpot import rows, and generated collateral all stay inside that tenant boundary.

Retention

Active workspaces are retained for as long as your account is active. If you cancel, you can export your data (deals, debriefs, prospects, contacts, offering context, documents, and import history) as CSV/JSON for 30 days, after which we permanently delete it from active systems. Operational logs and analytics events are retained for up to 90 days unless we need to preserve them for security, fraud prevention, or legal reasons.

Your rights

You can request a copy of your data, ask us to delete it, or correct it — email privacy@heftiq.com from the address on your account and we’ll respond within 30 days. If you’re a partner of one of our customers, your data is controlled by that customer; we’ll route your request to their admin.

Cookies

We use first-party cookies for authentication and to remember your session. We do not use third-party advertising cookies.

Changes

We’ll update this page when our practices change. Material changes get an in-app notice or email notice before they take effect when required.

Contact

Privacy questions: privacy@heftiq.com
General: hello@heftiq.com

Privacy · Thread