Privacy

Privacy at Threadly.

What we collect when you comment, why, and what you can do about it. Threadly is currently run as a personal-blog deployment; this policy describes that one-instance operation, not a future multi-tenant product.

Last updated: July 7, 2026.

What you give us

When you post a comment, we store the nickname you chose (or that the widget auto-generated for you), the comment body in both Markdown and pre-sanitized HTML, the thread the comment landed on, and a UTC timestamp.

Your browser also receives a randomly-generated "author token" stored in localStorage. We use it to recognize the same author across comments and to prevent double-submits; you can wipe it by signing out or clearing site data.

What we collect automatically

Cloudflare's edge network sees your IP and standard request metadata — that is how every public web request works, and we have no control over it. Our general request log records method, path, status, and duration only; it does not contain raw IPs.

The honeypot (a hidden bot-defense field on the comment form) does record the IP of tripped submissions, alongside the thread and site, so the operator can spot spam patterns. Honeypot events go through the same structured-log path as general requests, so they're kept at Cloudflare Workers' standard log retention window before rolling off — and are not otherwise shared with any third party.

How moderation works

Every comment is run through a single language-model call given the comment text. The model returns a verdict (approve / hold / reject) and a one-line reason. Both are stored alongside the comment so the site owner can see why a comment was held.

Where it is stored

Comments, sites, votes, and accounts live in a Postgres database hosted on Neon. The API runs as a Cloudflare Worker. Backups are Neon-managed; we do not separately export them today.

Data retention

Comments, sites, and votes are kept for as long as the site that owns them is active. Deleting a site from the dashboard cascades to every comment under it. Honeypot and request logs roll forward on the platform's standard window (Cloudflare Workers' default log retention); we do not currently export separate backups beyond the database provider's own retention policy.

We do not sell or share your data with anyone. If we add product analytics later, it will be privacy-friendly and disclosed here before any data leaves Threadly.

Your controls

The site owner can delete a site from the dashboard, which cascades to every comment under it. We do not yet expose a self-service "delete my comment" surface — if you need a comment of yours removed, ask the site owner of the blog you commented on. (For v0 the operator is the founder; this limitation is acknowledged and will change once customers arrive.)

Sub-processors

When our Pro plan launches, payments will be processed by Stripe Inc., which will act as a payment-processing sub-processor for any account that upgrades. Stripe handles card data under its own privacy practices, documented at stripe.com/privacy. Until the Pro plan launches, no payment-processing third party receives your data. If a future integration adds another sub-processor, this page will be updated with the same "Last updated" bump.

Updates and contact

Material changes to this policy will appear here with a new "Last updated" date. For privacy questions about this deployment, ask the site owner of the blog you commented on.