Privacy
Thesma is a business-to-developer API. This notice covers how we handle developer account data — the information you give us when you sign up and the usage logs we keep to run the service. We do not handle your end users' personal data.
1. Who we are
Thesma is a product of Quorum Holdings Ltd, a company registered in England & Wales (company number 17052431). In this notice, "we", "us", and "our" refer to Quorum Holdings Ltd as the data controller for your developer account.
2. What personal data we collect
We collect the minimum we need to run your API account:
- Developer account: Email, hashed password (stored by Supabase), and optional display name.
- API keys: Hashed (SHA-256), tied to your account. Plaintext keys are shown once at creation and never stored.
- Usage logs: Which API endpoint was called, when, by which key, and the response status — used for rate limiting and billing.
- Billing data: Handled by Stripe. Thesma does not store card numbers or full billing-address data.
- Support emails: Whatever you send us.
We do not collect end-user personal data from our customers' applications. Thesma is business-to-developer; your users are not in our system. API responses we return contain facts from US federal public-domain sources, not personal data belonging to your customers.
We also keep basic technical information (IP address, user agent, and timestamps) tied to each API request so that we can investigate abuse and enforce rate limits. It is stored alongside the usage log entries above and is deleted on the same 30-day schedule.
3. Why we collect it and legal basis
We process your account email, hashed password, and API keys on the basis of contract performance — we cannot run your developer account without them. We process usage logs on the basis of legitimate interest in fraud prevention, rate limiting, and abuse mitigation. Where we are required to retain records for tax, accounting, or fraud-response reasons, the legal basis is compliance with law.
4. Sub-processors
We use a small number of third parties to run the service. Each processes data on our behalf under its own data processing terms.
| Name | Purpose | Location |
|---|---|---|
| Supabase | Authentication and primary Postgres database | US / EU regions |
| Stripe | Billing and payment processing | US |
| Railway | Application hosting and log aggregation (API, portal, screener, marketing site, MCP server, Dagster) | US |
| AWS S3 | Cached SEC filing archive (public EDGAR documents only — contains no customer data) | us-east-1 |
| Resend | Transactional email (signup confirmations, password resets, billing notifications) | US |
| Proton Mail | Inbound email (hello@, security@, privacy@ on thesma.dev). We receive and process the contents of messages sent to those addresses. | Switzerland |
We do not use Cloudflare, PostHog, Sentry, Datadog, Logfire, Honeycomb, or Vercel. Application logs come from Railway's built-in aggregation only.
SEC EDGAR, the US Census Bureau, and BLS are upstream public-data sources, not sub-processors — we fetch from them; we never send customer data to them.
Several of our sub-processors are based in the United States. When we transfer personal data from the UK or the EEA to a US-based processor, we rely on the processor's standard contractual clauses and any applicable UK and EU adequacy mechanisms. Proton Mail (inbound email) is based in Switzerland, which the UK and EU both recognise as providing adequate data protection. We will update this notice if our sub-processor list changes in a way that affects your data.
5. How long we keep data
- Account data: retained until you request deletion. We delete within 30 days of a verified request.
- API access logs: 30 days, via Railway log aggregation.
- Stripe billing data: retained by Stripe per Stripe's own retention policy.
6. Your rights
Under UK GDPR and EU GDPR, you have the following rights over your personal data:
- Right to access: Export via the portal, or email privacy@thesma.dev.
- Right to deletion: Email privacy@thesma.dev. We delete within 30 days.
- Right to rectification: Update via the portal, or email privacy@thesma.dev.
- Right to data portability: Export via the portal, or email privacy@thesma.dev.
- Right to object: Email privacy@thesma.dev.
- Right to complain: If you believe we have mishandled your personal data, you may lodge a complaint with the UK Information Commissioner's Office (ICO) or the data protection authority in your EU member state.
7. Cookies
The marketing site at thesma.dev sets no cookies. The developer portal at portal.thesma.dev/dashboard uses session cookies, set by Supabase, to keep you logged in after authentication; these are strictly necessary for the service. No tracking, analytics, or advertising cookies are set by any Thesma property.
8. Changes to this policy
We will notify affected developers by email when we make material changes to this policy. Minor clarifications may be published without a direct notification; the "last updated" date at the bottom of this page always reflects the latest revision.
9. Contact
For privacy questions, data subject requests, or to exercise any of the rights above, email privacy@thesma.dev. We respond to data subject requests within one month of receipt, as UK GDPR and EU GDPR require, and to other privacy questions as promptly as we can.
Last updated: 2026-04-18