Privacy Policy

Effective date: 8 May 2026 · Last updated: 8 May 2026

This Privacy Policy explains how Tredsy ("Tredsy", "we", "our") collects, uses, and protects information when you use the Tredsy iOS application and the related services at tredsy.com (the "Service"). We've tried to write it in plain English. If anything is unclear, email us at support@tredsy.com.

1. Who is the data controller

The data controller is the individual entrepreneur (Ukrainian: ФОП) Yaroslav Kira, registered in Ukraine and operating from Lviv, Shevchenka St. 372. You can reach the controller at support@tredsy.com for any privacy-related question or to exercise your rights under the GDPR.

2. What data we process

We only process the minimum needed to run the Service:

• Threads profile data — your numeric Threads user id and username. Received from Meta during the OAuth sign-in flow so we know which account a post belongs to.
• Threads access token — issued by Meta after you authorise Tredsy. Stored encrypted at rest using AES-256-GCM with a per-row initialisation vector. Used only to publish on your behalf.
• Post content you create — text, scheduled time, first-comment text, status (draft / scheduled / published / failed), and timestamps.
• Media you upload — images and videos attached to a post. Stored on Cloudflare R2 in the EU until the post or your account is deleted.
• Server logs — IP address, User-Agent, request path, and error stack traces. Used for debugging, abuse prevention, and security. Retained for up to 7 days, then rotated by our hosting provider.

We do not ask for or collect: your email password, bank details, contacts list, photo library beyond the items you explicitly attach to a post, location, microphone, or any health data.

3. Why we process it (legal basis)

• Performance of contract (GDPR Art. 6(1)(b)) — when you sign in with Threads, you ask us to schedule and publish posts on your behalf. Processing the data above is necessary to deliver that.
• Legitimate interest (GDPR Art. 6(1)(f)) — for server logs and abuse prevention, balanced against your reasonable expectations of a hosted service.

4. Where data lives

• Application database — managed PostgreSQL on Render, hosted in Frankfurt, Germany (EU).
• Media storage — Cloudflare R2, EU region.
• DNS and TLS termination — Cloudflare (operates a global network; the backend origin remains in Frankfurt).

Data does not leave the EU/EEA in the ordinary course of operating the Service. The Threads API itself is operated by Meta Platforms; when you publish a post, the content is sent to Meta's infrastructure, which may operate globally. That's a direct consequence of using Threads, not of using Tredsy.

5. Who else sees the data

We use a small number of processors who handle data on our behalf under contractual obligations consistent with the GDPR:

• Meta Platforms, Inc. — receives post text and media when you publish. Subject to Meta's own privacy policy and the Threads platform terms.
• Render Services, Inc. — hosts the application server and database.
• Cloudflare, Inc. — provides DNS, TLS, and R2 object storage.

We do not sell your data, and we do not share it with advertisers, data brokers, or analytics networks beyond what is described here.

6. How long we keep it

• Account and Threads connection — until you delete your account or disconnect the Threads account from Tredsy.
• Posts and uploaded media — until the post is deleted from Tredsy or your account is deleted.
• Server logs — up to 7 days, after which they are rotated and overwritten by the hosting provider.
• Database backups — encrypted backups are retained by our hosting provider for up to 30 days for disaster recovery, then deleted.

7. Security

• All traffic in transit uses TLS 1.2 or higher.
• Threads access tokens are encrypted at rest with AES-256-GCM.
• Authentication uses short-lived JSON Web Tokens scoped to your user.
• Access to the production environment is limited to the data controller and is protected by hardware-backed multi-factor authentication.

No system is perfectly secure. If we ever discover a personal data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Art. 33–34.

8. Your rights

Under the GDPR (and equivalent local laws), you have the right to:

• Access the personal data we hold about you (Art. 15) and receive a copy in a portable format (Art. 20).
• Ask us to correct inaccurate data (Art. 16) or delete it (Art. 17 — "right to be forgotten").
• Restrict or object to certain processing (Art. 18, 21).
• Withdraw consent at any time (where consent is the legal basis), by disconnecting Threads from within the app or by emailing us.
• Lodge a complaint with a data protection authority. In Ukraine, the Ukrainian Parliament Commissioner for Human Rights. In the EU, the authority of your country of residence.

To exercise any of these rights, email support@tredsy.com from the address associated with your account. We will respond within 30 days.

9. Deleting your data

The fastest way to delete everything is from inside the app: open Settings → Delete account. This removes your user record, all posts, all uploaded media (including from R2), and revokes your Threads session on our side. For a step-by-step walkthrough see our Data deletion instructions.

10. Children

Tredsy is not directed at children under 13 (or under 16 in jurisdictions where that is the minimum age for online consent). We do not knowingly collect personal data from children. If you believe a child has registered, please contact us and we will delete the account.

11. Analytics, push notifications, and crash reports

Tredsy does not currently use third-party analytics, advertising SDKs, or push notifications. If we add any of these in the future (for example, anonymous crash reporting via Sentry, or push notifications for scheduled-post failures), we will update this policy and notify users in-app at least 30 days before the change takes effect.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be highlighted at the top of this page and announced in the app 30 days before they take effect. The "Last updated" date above always reflects the current version.

13. Contact

For any privacy-related question, including GDPR rights requests: support@tredsy.com.