Privacy Policy
This page explains what personal data Thirdwatch collects, why we collect it, who we share it with, and the rights you have over it. It is aligned with the EU GDPR, India's Digital Personal Data Protection Act 2023 (“DPDP”), and the California Consumer Privacy Act (“CCPA”).
Last updated:
1. Who we are
“Thirdwatch” (“we”, “us”) operates the website at thirdwatch.dev, the Thirdwatch MCP server, and the family of public scraper actors listed at apify.com/thirdwatch. We are the data controller for personal data collected through these surfaces, except where the Apify platform itself is the controller (e.g., your Apify account credentials).
2. What we collect
- Account data: email address, sign-in metadata, and session tokens when you create an account or authenticate via OAuth (handled by Clerk).
- Billing data: billing email, country, and payment method last-4 digits when you purchase a paid plan (handled by Dodo Payments). We never see or store full card numbers.
- Usage data: API requests, tool calls, MCP usage events, credit consumption, anonymous device IDs, and aggregate page-view analytics. Stored in our Postgres database on Railway and in PostHog for analytics.
- Tool inputs and outputs: when you run a Thirdwatch actor or call an MCP tool, the inputs you provide and the data returned pass through our infrastructure transiently. Outputs may contain third-party PII scraped from public sources at your direction.
- Diagnostic data: error stack traces, latency, and non-personal context for reliability monitoring (Sentry). Emails, IP addresses, request bodies, and webhook payloads are stripped before the data is sent.
We do not collect: government IDs, biometric data, health data, precise geolocation, browsing history outside our surfaces, or special-category data under GDPR Art. 9.
3. Why we collect it (lawful basis)
- Contract performance — to provide the service you signed up for (account, billing, tool execution).
- Legitimate interest — to keep the service secure, measure aggregate usage, and detect fraud or abuse.
- Consent — for non-essential cookies and marketing analytics (see our Cookie Policy).
- Legal obligation — when required to retain or disclose records (e.g., tax invoicing, lawful requests).
4. Who we share it with
We share personal data only with the sub-processors listed at /legal/subprocessors, each under a signed Data Processing Agreement. We do not sell personal data, and we do not share it with advertising networks.
Outputs of scraper actors and MCP tools are returned to you. We do not use those outputs to train models or to enrich any third-party dataset.
5. International transfers
Our infrastructure spans the United States and the European Union (see sub-processor regions). For transfers from the EU/UK we rely on Standard Contractual Clauses with each sub-processor. For transfers from India we rely on the consent and contractual-necessity bases under the DPDP Act.
6. Retention
- Account & billing records: retained for the life of your account plus 7 years for tax/audit compliance.
- Tool inputs/outputs: retained in your Apify dataset per Apify's default retention (currently 31 days for the free tier, longer for paid). We do not keep a separate copy.
- Logs & diagnostics: 30 days, then aggregated or deleted.
- Analytics events: up to 12 months in PostHog.
7. Your rights
Under GDPR, DPDP, and CCPA you have the right to access, correct, delete, port, or restrict the processing of your personal data, and to object to processing based on legitimate interest. EU/UK residents additionally have the right to lodge a complaint with their supervisory authority. California residents have the right to opt out of any sale of personal data — we do not sell personal data.
To exercise any of these rights, email support@thirdwatch.dev. We respond within 30 days.
8. Security
We host on Railway (US-East) with TLS in transit and AES-256 at rest. Authentication is delegated to Clerk. Secrets are stored as environment variables, never in source. We follow least-privilege access and review access quarterly.
9. Children
Thirdwatch is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, email support@thirdwatch.dev and we will delete it.
10. Changes to this policy
We will revise this policy as the service evolves. Material changes will be announced on the site and, where required, by email. The “Last updated” date at the top of this page reflects the most recent revision.
11. Contact
For privacy questions, data subject requests, or to report a concern, email support@thirdwatch.dev.