Privacy Policy

Last updated: March 2026

1. Introduction

Thing ("we", "our", or "the Service") is an organizational design platform operated by Vm78 Inc. and available at thingcorp.co. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using Thing, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

We collect the following categories of information:

Account Information: When you create an account, we collect your name, email address, organization name, and a hashed version of your password. We never store passwords in plaintext.
Organizational Data: Data you upload or create within the Service, including employee names, job titles, departments, organizational structure and reporting relationships, employment dates (start date, end date), and custom attributes defined by your organization.
Usage Data: We automatically collect information about how you interact with the Service, including pages visited, features used, browser type, IP address, and device information.
Billing Information: Payment processing is handled by Stripe. We do not store credit card numbers. We retain your Stripe customer ID and subscription status.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service, including org chart visualization and organizational design tools
  • Generate analytics and reporting on organizational structure, headcount, and workforce composition
  • Power AI-based analysis features such as organizational health assessments, span-of-control analysis, and structural recommendations
  • Process transactions and manage your subscription
  • Send transactional emails (password resets, welcome emails, notifications)
  • Monitor and analyze usage patterns to improve user experience
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations

4. Data Storage and Security

We implement industry-standard security measures to protect your data, including:

  • Encryption at rest for all stored data
  • Encryption in transit via TLS/HTTPS for all data transmission
  • Infrastructure hosted on Amazon Web Services (AWS)
  • Password hashing using bcrypt
  • Role-based access control with tenant isolation
  • Rate limiting and CSRF protection
  • Regular security monitoring via Sentry
  • Daily encrypted database backups

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your account and organizational data for as long as your account is active or as needed to provide you with the Service. Data retention periods are configurable by your organization's administrator where applicable.

Audit logs are retained for 90 days for compliance and security purposes. Database backups are retained for 30 days and then automatically deleted. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.

6. Third-Party Services

We use the following third-party services that may process your data:

  • Amazon Web Services — Cloud hosting, database, and infrastructure.
  • AI Providers — AI-powered analysis features use third-party AI providers as configured by your organization. Data sent to AI providers is used solely for generating analysis results and is not retained by the AI provider beyond the scope of the request.
  • Sentry — Error tracking and performance monitoring. See Sentry's Privacy Policy.
  • Stripe — Payment processing and subscription management. See Stripe's Privacy Policy.
  • Resend — Transactional email delivery. See Resend's Privacy Policy.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Request correction of inaccurate data
  • Deletion — Request deletion of your personal data
  • Data Portability — Export your data in machine-readable formats (CSV, JSON) via the Service's built-in export functionality
  • Objection — Object to processing of your personal data
  • Restriction — Request restriction of processing

To exercise any of these rights, contact us at privacy@thingcorp.co. We will respond within 30 days.

8. Cookies

We use essential session cookies required for authentication and session management only. We do not use advertising, analytics, or tracking cookies. Session cookies are automatically deleted when you close your browser or when your session expires.

9. GDPR Compliance

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data in accordance with the General Data Protection Regulation (GDPR).

Legal Basis for Processing: We process personal data on the following legal bases:
  • Contract — Processing necessary for the performance of our contract with you to provide the Service
  • Legitimate Interest — Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your rights
  • Consent — Where you have given explicit consent for specific processing activities
  • Legal Obligation — Processing necessary to comply with applicable laws
Data Processor Role: When processing organizational data on behalf of your employer or organization, we act as a Data Processor under GDPR. Your organization acts as the Data Controller and is responsible for ensuring a lawful basis for processing employee data within the Service.
Data Processing Agreement: A Data Processing Agreement (DPA) is available on request and can be reviewed at our DPA page. Organizations subject to GDPR should review and execute the DPA.
International Data Transfers: Our servers are located in the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission for such transfers.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Vm78 Inc.
Email: privacy@thingcorp.co