ThreadDesk

Privacy Policy

Last updated: February 23, 2026

1. Introduction

We respect your privacy. This Policy describes what data ThreadDesk (the “Service”) processes, for what purposes and on what basis, and what rights you have. The Service is primarily intended for Self‑Hosted deployment within a company’s closed network and works with your local Mattermost installation via the official API.

2. Scope and roles

  • Self‑Hosted: the data controller is typically your organization. ThreadDesk operates as software deployed and administered by your organization. Data remains within your environment.
  • Cloud version: provided for evaluation/trial only and not intended for production use. Security and compliance requirements (e.g., GDPR) may not be fully met in the cloud.

3. Sources and categories of data

The Service interacts with Mattermost on behalf of the signed‑in user (OAuth is recommended; personal tokens are supported but are not rotated and are less secure).

Categories of data processed during operation:

  • Identifiers and metadata from Mattermost: IDs of teams/channels/users/messages, thread statuses, read markers, reactions, links;
  • Message content (only as needed for UI display) — fetched from your Mattermost via the official API;
  • Client technical data: browser/client type and version, local UI settings;
  • Application event logs (no message text).

4. Purposes of processing

  • Building a unified queue of threads/DMs (“Inbox Zero”), navigation, replies, and resolve actions;
  • Displaying the current state of Mattermost conversations in a single workspace;
  • Enabling authentication, sessions, and access control;
  • Diagnostics and reliability (technical events only; message text is not stored in logs).

5. Local storage and retention

  • No separate external database is required — an embedded store is used as a cache;
  • The cache retains recent activity for 7–14 days (exact period set by the admin);
  • When the Service is removed/reinstalled, the local cache is cleared; on first run the user re‑authorizes and continues working;
  • Long‑term storage of conversation history is performed by your Mattermost under its policies.

6. Data disclosure and transfers

  • By default, the Service does not send data to the public internet and works only with your local Mattermost; outbound traffic can be blocked at the network level;
  • Exceptions are possible only for external integrations explicitly connected by your admins (e.g., other corporate messengers/services). Such integrations are configured separately and governed by their own policies;
  • In the cloud version, external infrastructure providers may be used; however, the cloud is intended for evaluation only.

7. International transfers

For Self‑Hosted deployments, the Service does not itself perform international data transfers. Any transfers depend on your network architecture and Mattermost policies.

8. Security

  • Uses the official Mattermost API under the user’s authorization, similar to a regular web/desktop client;
  • OAuth is recommended; using personal tokens is possible but reduces security due to the lack of rotation;
  • App logs can be limited by level; message text is not written to logs — only technical events;
  • For Self‑Hosted, perimeter protection and network rules are defined by your organization (including blocking outbound traffic for the Service).

9. Cookies and local storage

The Service may use technical cookies/local storage to maintain sessions and user interface preferences. Marketing/advertising cookies are not used.

10. Data subject rights

Rights of access, rectification, and deletion are primarily exercised within your Mattermost system and corporate processes. Since ThreadDesk does not perform long‑term storage of content, deletion requests are realized through cache policy (7–14 days) and removal of the local deployment where necessary.

11. Children

The Service is not intended for use by children. If you believe a child has provided personal data via Mattermost/ThreadDesk, contact your organization’s administrators.

12. Changes to this Policy

We may update this Policy. The current version is published with the distribution/on the website. The last updated date is shown above.

Contact for privacy and security questions: [email protected]