ThroughlineSign in

Privacy Policy

Throughline is a service provided by Derek Ho, trading as Empirica Logic (ABN 44 784 262 084) ("we", "us", "our"). We build a private work tracker that turns your completed work into a performance‑review narrative.

This policy explains what personal information we collect, how we use and protect it, who we share it with, and the choices and rights you have. It's written to be read, not to hide behind. Please also read our Terms of Service.

We handle personal information in line with the Australian Privacy Principles in the Privacy Act 1988 (Cth). (Australian law doesn't yet strictly require a business of our size to comply with that Act — we treat it as the floor anyway.)

Effective date: 5 July 2026 · Last updated: 5 July 2026


How your data is protected — in plain terms

We want to be straight with you about what our privacy protections do and don't do, because a lot of apps are vague here.

If you need a guarantee that not even we can read your content, this product is not yet built for that (true end‑to‑end encryption is incompatible with the server‑side AI drafting that makes the product work). Using your own key or a local model is the closest option today, and we'll always tell you which mode you're in.


Who this policy covers

This policy applies to everyone who uses Throughline — the web app and installable (PWA) app. The service is currently invite‑only.

What personal information we collect

Information you give us

Information collected automatically

We do not currently use third‑party advertising, analytics, or cross‑site tracking. If we add product analytics, we will use a privacy‑friendly, cookieless tool and name it in this policy before it ships.

How we use your information

We use your information only to:

  1. Provide the service — store and display your work, generate the impact drafts and review write‑ups you ask for, and let you sign in.
  2. Support you — respond to your requests. If you report a problem, we may need to look at the relevant records in your account to diagnose it; we access the minimum needed.
  3. Keep the service secure and working — detect and prevent abuse, fraud, and technical faults.
  4. Communicate essentials — account, security, and service messages (e.g. invites, password resets). These are sent transactionally, not for marketing.
  5. Comply with the law — meet legal obligations and respond to lawful requests.

We do not sell your personal information, and we do not use your private work content to train AI models. The service also makes no automated decisions about you with legal or similarly significant effects — the AI only drafts text that you review, edit, and control.

AI features and your content

Throughline can draft impact statements and review write‑ups from your work. There are three ways the AI can be powered, each with a different privacy implication, and the app tells you which one you're using:

In every mode, the resulting draft is saved back into your account (which we can access as described above) so you can edit and use it.

Who we share your information with (sub‑processors)

We don't sell your data or share it for advertising. We rely on a small set of trusted infrastructure providers ("sub‑processors") to run the service. Each processes data only on our instructions:

Sub‑processorWhat it doesData involvedWhere
SupabaseDatabase, authentication, and file storageYour account and all your contentAustralia (Sydney)
VercelApplication hosting and deliveryRequests to the app; standard technical logsUnited States
Resend (via Supabase)Sends transactional email (invites, password resets)Your email address and the messageUnited States
AnthropicAI drafting — only in "Managed AI" modeThe specific content you submit for a draft (only if/when managed AI is enabled)United States

We may also disclose information if required by law, or to protect the rights, safety, or property of you, us, or others. If we ever undergo a business transfer (e.g. restructure, merger, or acquisition), we'll ensure your information remains protected under terms consistent with this policy and notify you of any change of operator.

Where your data is stored, and international transfers

Your content is hosted in Australia (Supabase's Sydney region, ap‑southeast‑2). Some sub‑processors process limited data in other countries — currently the United States, as set out in the table above (application delivery and logs via Vercel; transactional email via Resend; and, only if you use managed AI, the content you submit for a draft via Anthropic). Where data is transferred internationally, we rely on those providers' safeguards and process it consistent with this policy and applicable law.

How we protect your information

If a data breach happens, and it's likely to result in serious harm to you, we'll notify you promptly and tell you what happened, what information was involved, and what we're doing about it — consistent with Australia's Notifiable Data Breaches scheme.

As explained in "How your data is protected — in plain terms", we do not currently offer end‑to‑end encryption, so we are technically able to access stored content. No online service can promise perfect security; we work to protect your information but cannot guarantee it against every possible risk.

How long we keep your information

We keep your content for as long as your account is active. If you delete your account, we delete your content from our live systems; residual copies may persist in encrypted backups for a short period before they roll off (currently up to 7 days). We may retain minimal records where the law requires — for example, if paid plans launch, billing and transaction records may be kept as long as tax law requires.

Your rights and choices

You can:

Depending on where you live, you may have additional rights (for example, under the EU/UK GDPR, the right to object to or restrict certain processing, and the right to lodge a complaint with a supervisory authority). We'll honour the substance of these expectations for all users regardless of strict legal obligation. To exercise any right, contact us below.

Children

Throughline is not directed to children and is not intended for anyone under 16. We don't knowingly collect information from children.

Changes to this policy

We may update this policy as the product evolves. We won't reduce your rights under this policy without telling you first. If we make a material change, we'll update the "Last updated" date and notify you in‑app or by email before it takes effect.

Contact us, questions, and complaints

Questions, requests, or complaints about your privacy: derek@empiricalogic.com.au. We'll acknowledge your message within a few days and aim to respond fully within 30 days.

If you're in Australia and not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. If you're in the EU/UK, you can contact your local data protection authority.