This Privacy Policy explains how Qanata Labs processes personal data in connection with your use of ThinkHere, why we are entitled to do so, and what rights you have.
ThinkHere runs the AI model entirely in your browser using WebGPU. Your prompts and the AI's responses are never transmitted over the network to Qanata Labs or any third party. They are stored only in your browser's local storage, on your device, under your control.
This is not a policy promise layered over a server-side system — it is the technical reality of how ThinkHere is built. We have no ability to access your conversations regardless of which tier you use.
The two data worlds are completely separate:
The data controller for personal data processed in connection with ThinkHere is Qanata Labs, the company that develops and operates ThinkHere. You can contact us at [email protected].
Lawful bases under UK GDPRWe process personal data only where we have a lawful basis to do so. The table below sets out each processing activity and the basis we rely on:
| Processing activity | Lawful basis |
|---|---|
| Creating and managing your account (name, email, password hash) | Performance of a contract — necessary to provide the account-based service you have requested |
| Sending service notices and security alerts | Performance of a contract / Legitimate interests — keeping you informed about the service you use |
| Logging server access data during model downloads (IP address, browser user agent, timestamp, file requested) | Legitimate interests — security monitoring, CDN optimisation, and abuse prevention; this data is not linked to conversation content |
| Collecting de-identified operational telemetry (browser type, OS, model load success/failure) | Legitimate interests — improving ThinkHere's reliability and compatibility; telemetry is de-identified before storage |
| Collecting crash and error reports (technical details, no conversation content) | Legitimate interests — diagnosing and fixing faults in the service |
| Retaining records for legal or regulatory compliance | Legal obligation — where applicable law requires us to retain data |
We do not subject you to automated decision-making or profiling that produces legal or similarly significant effects.
If you create a free account, we collect your name and email address, your password (stored as a secure one-way hash — we never store or can recover your plaintext password), and your preferences and settings. Your account does not store or sync your conversations; it manages feature access and preferences only.
3.2 — Model weight download logsWhen you load a model for the first time, the model weights are downloaded from our servers via a standard HTTPS request. We may log standard server access data — IP address, browser user agent, timestamp, and file requested — for security monitoring and CDN optimisation. This data is not linked to your conversations or your account unless required for a specific security investigation. These logs are retained for up to 90 days.
3.3 — De-identified operational telemetryWe may collect limited operational telemetry to help us improve ThinkHere — such as which browser and OS you are using, whether a model loaded successfully, and general feature interaction signals. "De-identified" means we remove or minimise direct identifiers before storage; however, some operational data (such as an IP address present in a CDN log) may still constitute personal data under UK GDPR, and we treat it as such. We never include conversation content in telemetry. Telemetry data is retained for up to 90 days.
3.4 — Crash and error reportsIf ThinkHere encounters a technical error, we may collect a crash report containing details about the error and the browser/device environment. These reports do not include conversation content, prompts, or AI responses.
ThinkHere does not use advertising cookies, third-party trackers, or any analytics tool that sends conversation content off-device.
We use account information and operational data only for the purposes set out in the lawful basis table in Section 2:
We do not use any data to train AI models. We do not use any data for advertising. We do not sell personal data.
ThinkHere uses cookies strictly for session management and authentication (to keep you signed in). We do not use tracking, advertising, or analytics cookies.
ThinkHere also makes extensive use of browser-local storage mechanisms — specifically the browser's Local Storage API and Cache Storage API — to store your conversation history and cached model weights respectively. These are not cookies: they are browser-native storage areas that exist only on your device and are not accessible to us. You can clear them at any time through your browser settings or the controls in ThinkHere's interface.
We do not sell personal data. We share limited account and operational data only with the following categories of subprocessor, each engaged under a data processing agreement that restricts them to processing data only on our instructions:
We will maintain an up-to-date list of current subprocessors at thinkhere.ai/subprocessors. We will notify users of material subprocessor changes in advance where those changes affect how account data is processed.
We may also disclose data to law enforcement or regulatory authorities where required by applicable law, or to a successor entity in the event of a merger or acquisition — in which case we will notify you in advance.
Qanata Labs is based in the United Kingdom. Account data and operational logs are processed in the UK and, where subprocessors are used, potentially in the European Economic Area or other countries.
Where we transfer personal data outside the UK or EEA, we ensure an appropriate safeguard is in place — such as the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses (SCCs), or a transfer to a country that the UK has recognised as providing adequate protection.
Because your conversation data never leaves your device, it is not subject to any international transfer by us.
Account data (name, email, preferences) is retained for as long as your account is active. You may delete your account at any time via account settings. We will delete your account data within 30 days of a deletion request, subject to the exceptions below.
Server access logs from model downloads are retained for up to 90 days for security and CDN purposes, then deleted.
We may retain certain data beyond the 30-day period where we are required to do so by law or regulation — for example, financial and billing records once a paid tier is live, fraud-prevention logs, or records subject to a legal hold. We will only retain the minimum data necessary for each such purpose.
Your conversation history and cached model weights are stored in your browser only. We cannot access or delete them remotely. You control this data entirely through your browser settings.
Under UK GDPR, you have the following rights in relation to personal data we hold about you:
To exercise any of these rights, contact us at [email protected]. We will respond within one month. If you are based in the UK, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
ThinkHere is not directed at children under 13. We do not knowingly collect personal data from users under 13. If we become aware that a user under 13 has created an account, we will close the account and delete their data promptly.
Users aged 13 and under 18 may use ThinkHere with the consent of a parent or legal guardian, as set out in our Terms of Use. If a parent or guardian believes their child under 13 has provided personal data, please contact us at [email protected] and we will delete it without delay.
Account data and operational logs are protected with industry-standard encryption in transit (TLS) and at rest. Access to personal data is restricted to authorised personnel on a need-to-know basis. We conduct regular security assessments and address vulnerabilities promptly.
Because your conversation data never leaves your browser, it is not exposed to server-side security risks. Model weight downloads are served over HTTPS. If you discover a security vulnerability in ThinkHere, please report it responsibly to [email protected].
ThinkHere is open source under the MIT licence. Our privacy practices are reflected in the public codebase. Anyone can inspect the source code to verify how data flows within the application and confirm that conversations are processed locally.
We may update this Privacy Policy from time to time. We will notify you of material changes via the ThinkHere interface or by email before they take effect. The current version is always available at thinkhere.ai/privacy. Continued use after the effective date of an updated policy constitutes acceptance.
Privacy questions, data rights requests, or concerns:
To report a security vulnerability:
By using ThinkHere you agree to our Terms of Use, Privacy Policy and Usage Policies · A Qanata Labs product