Privacy Policy
Last updated: March 23, 2026 · ThoughtWave Technologies, Inc.
1. Overview
ThoughtWave Technologies, Inc. (“ThoughtWave,” “we,” “our,” or “us”) is committed to protecting the privacy of our customers and users. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices you have regarding your information in connection with your use of our infrastructure services, including our website at thoughtwave.com and all associated services (collectively, the “Services”).
ThoughtWave is a B2B infrastructure services company. We operate virtual machines, virtual desktop infrastructure, BGP tunneling, ZFS storage, and the Stratum cloud management platform. Our primary users are technical professionals and businesses, not consumers. We collect only the information necessary to provide and improve the Services.
2. Information We Collect
2.1 Account Information
When you register for an account, we collect:
- Full name or company name;
- Email address;
- Password (stored as a bcrypt hash — we never store plaintext passwords);
- For BGP tunnel and lifetime VPS products requiring identity verification: government-issued ID information processed by Stripe Identity, which is subject to Stripe's separate privacy policy. ThoughtWave does not store raw identity documents.
2.2 Payment Information
Payment card information is processed exclusively by Stripe, Inc. ThoughtWave does not store, process, or transmit raw payment card numbers, CVV codes, or full card details. We receive from Stripe only: a tokenized payment method identifier, last four digits of the card, card brand, and expiration date. Stripe's handling of payment data is governed by Stripe's Privacy Policy.
2.3 Usage and Technical Data
We automatically collect certain technical data when you use the Services:
- IP addresses: Source IP addresses of connections to our platform, recorded in access logs for security and fraud prevention purposes.
- Session metadata: Login timestamps, session identifiers, geographic location inferred from IP address, and browser/client user-agent strings.
- Service usage data: For VDI sessions: start time, end time, duration, and credit consumption. For VM services: provisioning timestamps, start/stop events, and control panel actions. For BGP services: tunnel connection status and prefix advertisement logs.
- API usage data: For Stratum and platform API access: request timestamps, endpoints called, HTTP status codes, and response latencies. We do not log request or response bodies.
2.4 SSH Keys and Security Credentials
If you upload SSH public keys to your account for VM or service access, we store those public keys. We do not request or store private keys.
2.5 Support and Communications
When you contact us for support, we collect the content of your communications (emails, support tickets) and any information you provide in connection with your support request.
2.6 Customer Data on Infrastructure
Data you store on ThoughtWave infrastructure — virtual machine disk images, files within VDI sessions, database contents, and any other data within your provisioned resources — is your data. ThoughtWave does not access, scan, or analyze the contents of your data resources except as described in Section 4.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To provision, configure, operate, and maintain your VMs, VDI sessions, BGP tunnels, storage, and API access; to authenticate you; and to process payments.
- Billing and account management: To calculate charges, issue invoices, process refunds or credits where applicable, and manage subscription renewals.
- Security and fraud prevention: To detect and prevent unauthorized access, abuse, account takeovers, DDoS attacks originating from our infrastructure, and other security threats. IP address and session logs are retained for this purpose.
- Legal compliance: To comply with applicable laws, respond to lawful requests from law enforcement and government authorities, and enforce our Terms of Service and Acceptable Use Policy.
- Technical support: To diagnose problems with your services and respond to your support requests.
- Service communications: To send you transactional emails related to your account (provisioning confirmations, payment receipts, security alerts, scheduled maintenance notices). We do not send marketing emails without your explicit opt-in.
- Service improvement: To analyze aggregate, anonymized usage patterns to improve the performance, reliability, and feature set of our Services. We do not use individually identifiable data for this purpose.
4. When We Access Customer Data
ThoughtWave will access the contents of your data resources only in the following circumstances:
- With your explicit consent: For example, at your request during a technical support engagement.
- Legal obligation: In response to a valid court order, subpoena, warrant, or other lawful legal process. We will notify you of such requests to the extent permitted by law.
- AUP investigation: When we have reasonable, specific grounds to believe your resources are being used in material violation of our Acceptable Use Policy (such as active DDoS attack participation or distribution of malware), and only to the minimum extent necessary to investigate and remediate.
- Emergency: To prevent imminent harm to persons or property, or to address a critical infrastructure security incident.
5. Information Sharing and Third Parties
ThoughtWave does not sell, rent, or trade personal information to third parties.
We share information only with the following categories of third parties, solely for the purposes described:
5.1 Stripe, Inc. (Payment Processing and Identity Verification)
We share name, email, and order information with Stripe to process payments and, where applicable, to conduct identity verification for services that require KYC. Stripe is a PCI DSS Level 1 certified payment processor. Their privacy practices are described at stripe.com/privacy.
5.2 Cloudflare, Inc. (CDN, DDoS Mitigation, and DNS)
ThoughtWave uses Cloudflare as its CDN, DDoS mitigation provider, and DNS manager. Traffic to thoughtwave.com passes through Cloudflare's network. Cloudflare has access to connection metadata including source IP addresses and HTTP request headers. Cloudflare's privacy practices are described at cloudflare.com/privacypolicy.
5.3 Data Center and Colocation Providers
ThoughtWave's physical infrastructure is housed in colocation facilities. These facilities have physical access to the hardware on which your data is stored but have no logical access to your data or account information. Colocation providers are contractually obligated to maintain physical security standards.
5.4 Law Enforcement and Legal Process
We may disclose information to law enforcement agencies, courts, or government authorities when required by valid legal process (court order, subpoena, search warrant) or when we have a good-faith belief that disclosure is necessary to prevent imminent harm or protect the rights, property, or safety of ThoughtWave, our customers, or the public. Where legally permitted, we will notify affected customers of such disclosures.
5.5 Business Transfers
In the event of a merger, acquisition, asset sale, or restructuring, customer information may be transferred to the acquiring entity as part of that transaction. We will notify affected customers and, where required by law, provide choices regarding the handling of their information.
6. Data Retention
We retain personal information for as long as necessary to provide the Services and fulfill the purposes described in this Policy:
- Active account data (name, email, payment history, service records): Retained for the duration of your active account and for 90 days following account closure or cancellation, after which it is deleted from our primary systems.
- Access and security logs (IP addresses, login timestamps, session metadata): Retained for 90 days for security incident investigation purposes.
- Billing records: Retained for 7 years as required by applicable financial and tax regulations.
- Support tickets and communications: Retained for 2 years after resolution.
- Customer infrastructure data (VM disk images, VDI session data, BGP configuration): Deleted within 30 days of account closure or service termination.
Certain data may be retained longer if required by valid legal hold, court order, or ongoing legal proceedings.
7. Security
ThoughtWave implements industry-standard technical and organizational security measures to protect personal information against unauthorized access, disclosure, alteration, or destruction:
- All data in transit is encrypted using TLS 1.2 or higher. Non-TLS connections are rejected or redirected.
- Passwords are hashed using bcrypt with a work factor appropriate for current hardware capabilities.
- Sensitive credentials (MFA secrets, OAuth tokens, API keys) are encrypted at rest using AES-256-GCM before storage in our database.
- Customer infrastructure data is stored on ZFS-based storage with encryption at rest.
- Multi-factor authentication (TOTP) is available and strongly recommended for all accounts. Administrative access to ThoughtWave systems requires MFA.
- Access to production systems is restricted to authorized personnel on a need-to-know basis and takes place over SSH with key-based authentication.
No security system is impenetrable. In the event of a data breach that affects your personal information, ThoughtWave will notify affected customers in accordance with applicable law and will take reasonable steps to contain and remediate the incident.
8. Cookies and Tracking
ThoughtWave uses session cookies and browser localStorage solely to manage authenticated sessions and maintain application state. We do not use third-party advertising cookies, cross-site tracking pixels, behavioral analytics platforms, or social media tracking scripts on our platform.
Session cookies are deleted when you log out or when the session expires (sessions expire after 7 days of inactivity). You may disable cookies in your browser, but doing so will prevent you from logging in to the Services.
9. Your Rights and Choices
Subject to applicable law, you have the following rights with respect to your personal information:
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may update your account information (name, email, password) through your account settings at any time. For information you cannot update yourself, contact us.
- Deletion: You may request deletion of your account and associated personal information by closing your account or contacting us. We will delete your data in accordance with our retention schedule described in Section 6, except where retention is required by law.
- Portability: You may request a machine-readable export of your account data (orders, service records) by contacting us.
- Objection: You may opt out of receiving non-transactional communications from us by contacting us. You cannot opt out of transactional communications (billing notices, security alerts) while your account is active.
To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within 30 days.
10. International Transfers
ThoughtWave's primary infrastructure is located in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the Services, you acknowledge and consent to this transfer. ThoughtWave implements appropriate safeguards for international transfers where required by applicable law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting an updated version at thoughtwave.com/legal/privacy and, where appropriate, by email. The date at the top of this page indicates when the Policy was last revised. Your continued use of the Services after the effective date of an update constitutes your acceptance of the revised Policy.
12. Contact
For privacy-related inquiries, data requests, or concerns, contact: [email protected]
ThoughtWave Technologies, Inc.
Michigan, United States