Privacy policy
Last updated: 2026-05-08
Summary
Thoma is a self-hosted Product Lifecycle Management application. Customer organizations install Thoma on their own infrastructure and own all data they enter into it. The vendor (us) does not see, store, or have access to that customer data.
This page covers what the marketing site at thoma.software and the demo sandbox collect. For deeper detail on what a self-hosted Thoma installation collects from end users, see the Data Privacy Statement (available on request to customers under NDA).
What this site collects
Marketing site (this site)
- Trial signup form at /trial/ — we collect the email address and company name you enter, plus a Cloudflare Turnstile token for spam prevention. The email is used only to deliver your trial license key and (once) confirm receipt. We do not add it to a marketing list.
- Server logs — Cloudflare Pages records standard request logs (IP, user-agent, requested URL, timestamp) for operational and security purposes. Retention follows Cloudflare's defaults.
- No tracking cookies, analytics, or advertising pixels. We do not run third-party analytics on this site.
Demo sandbox
- Visiting /demo/ provisions a disposable Thoma tenant. You can use the application without supplying any personal data. The tenant and any data you enter into it are purged automatically after 6 hours of inactivity.
- If you choose to add data to the sandbox, that data is stored on the demo server only for the lifetime of the sandbox and is not retained after pruning.
Self-hosted Thoma installations
When a customer installs Thoma on their own server, customer data lives entirely on customer infrastructure. The vendor receives only an aggregated license heartbeat (license-key fingerprint, application version, active-seat count) every 24 hours. The heartbeat does not contain user identities, document content, or audit-log content.
How we use the data we collect
- Delivering trial license keys (one-time)
- Operational security (rate-limiting, abuse detection)
- Aggregated license-usage metrics across the customer base
We do not sell, rent, or share data we collect with third parties for marketing purposes.
Data retention
- Trial signup records: retained until the trial license expires plus 90 days for support inquiries.
- Demo sandbox data: pruned automatically after 6 hours of inactivity.
- Server logs (Cloudflare Pages): per Cloudflare's default retention policy.
- License heartbeat data: retained while the license is active, then purged.
Your rights
Depending on your jurisdiction (GDPR, CCPA, PIPEDA, etc.), you may have the right to access, correct, delete, or port your personal data. To exercise any of these rights for data the marketing site or trial-signup flow holds, contact [email protected].
If you are an end user of a Thoma installation operated by an employer or other organization, that organization is the data controller; please direct rights requests to your organization's privacy officer.
Third-party services
- Cloudflare Pages hosts this site. Cloudflare also provides Turnstile (the bot-prevention widget on the trial form). Cloudflare's privacy practices are documented at cloudflare.com/privacypolicy.
- An SMTP delivery provider (e.g., Resend) is used to send transactional email such as trial license keys.
Changes to this policy
Material changes will be reflected by updating the "Last updated" date at the top of this page. We will not weaken protections retroactively.
Contact
Privacy inquiries: [email protected]
General contact: [email protected]