Privacy Policy

1. Who we are

Thresia LLC ("Thresia," "we," "us") is a marketing-operations consulting firm based in Buffalo, NY, serving cash-pay clinics and regulated DTC health brands. Our site is at thresia.com. We can be reached at lucas@thresia.com.

Mailing address: Thresia LLC, Buffalo, NY (full address provided in any commercial email we send, per CAN-SPAM requirements).

2. What we collect

We collect information in three ways: from you directly, from your interaction with our site, and from third-party services we use to deliver our work.

Information you give us directly

• Name, business name, email address, phone number when you book a discovery call, email us, or reply to a cold email.
• Any information you share about your business operations during a call, in writing, or via our intake forms.
• Payment information when you engage us as a client — processed by Stripe (we never see or store your full card number).

Information collected automatically

• Basic analytics: page views, referrer, approximate geographic location (city-level), device type, browser type — via Vercel Analytics. This data is aggregated and not tied to your identity.
• Essential cookies for site navigation (session state, theme preference).

Information for cold outbound (prospect data)

For our own outbound marketing (cold email and LinkedIn outreach to potential clients), we use publicly-available business contact information from sources including Google Maps, the NPI Registry, business websites, and reputable business-contact-data providers. We only contact business email addresses and only for B2B purposes related to your business. We do not contact consumers and do not collect personal/consumer data for outbound.

3. How we use your information

• Respond to your inquiry and answer your questions.
• Prepare discovery briefs, send proposals, and (if you become a client) deliver the engagement we agreed to.
• Send you operational updates about your engagement (status emails, reports, milestone alerts).
• Send you our cold email outreach — until you opt out, after which we remove you within 10 business days.
• Improve our services using aggregate, anonymized usage data.
• Comply with legal obligations (tax records, CAN-SPAM requirements, response to lawful requests).

What we don't do: we don't sell your data, we don't rent it, we don't trade it, and we don't share it with advertisers, data brokers, or marketing platforms beyond the service providers listed below (and only for the purpose of delivering our work to you).

4. Service providers we use

We use the following third-party services to deliver our work. Each has its own privacy policy that governs the data we share with them.

• Vercel — hosts our website and operates Vercel Analytics. They see aggregate visitor data. Their policy.
• Calendly — handles meeting bookings. When you book a call, Calendly receives your name, email, and meeting time. Their policy.
• Stripe — processes payments when you become a client. Stripe sees your billing details directly; we only receive a charge confirmation. Their policy.
• Smartlead — runs our cold-email outbound. Stores business contact data for outbound campaigns. Their policy.
• GoHighLevel (for clients) — the CRM we deploy as part of the operating-layer install. Stores your business's customer/patient inquiries during the engagement. Subject to a separate Business Associate Agreement when PHI is involved. Their policy.
• Anthropic / OpenAI / Google AI — for agent operations during a client engagement. We do not send your personal information or PHI to these providers; only business-process data necessary for the agent task at hand.

5. Cold email and CAN-SPAM compliance

If you received a cold email from Thresia, here's what governs that:

• Every commercial email we send identifies itself as such, includes our physical mailing address, and includes a clear way to opt out — as required by the CAN-SPAM Act.
• To opt out: reply with "STOP" or "UNSUBSCRIBE" in the subject or body, or email lucas@thresia.com with the subject "UNSUBSCRIBE." We'll remove you within 10 business days.
• We do not buy email lists. All prospect contact information is sourced from publicly-available business directories.
• We do not contact you on behalf of any other company. Every email from us is from Thresia about Thresia's services.
• We never use deceptive subject lines or false header information.

6. Cookies and analytics

We use minimal first-party cookies and analytics. Specifically:

• Essential cookies — needed for the site to function (session state, accessibility preferences).
• Vercel Analytics — privacy-respecting aggregate analytics. No third-party trackers. No persistent cross-site tracking. No advertising cookies.

We do not use Google Analytics, Facebook Pixel, LinkedIn Insight Tag, or any other third-party tracker on this site. If you want to disable analytics, your browser's "Do Not Track" setting is honored.

7. Your data rights

You have the following rights regarding your personal data, regardless of where you live:

• Access: ask us what information we have about you.
• Correction: ask us to correct information that's wrong.
• Deletion: ask us to delete your information (subject to legal retention obligations like tax records).
• Opt-out of marketing: any time, for any reason, no questions asked.
• Portability: ask for a copy of your data in a structured format.

To exercise any of these rights, email lucas@thresia.com with what you want. We'll respond within 30 days.

California residents (CCPA)

If you're a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what categories of personal information we collect and the right to opt out of any "sale" of your data. We do not sell your personal information.

New York residents (SHIELD Act)

If you're a New York resident, the NY SHIELD Act protects you. We maintain reasonable administrative, technical, and physical safeguards to protect your information from unauthorized access. If we ever experience a data breach affecting your information, we will notify you in accordance with New York law.

8. Children

Our services are directed at businesses, not children. We do not knowingly collect personal information from anyone under 13. If we learn we've inadvertently collected information from a child under 13, we'll delete it promptly.

9. How we keep your data safe

We use industry-standard security practices: TLS encryption in transit, encryption at rest on Supabase (where client data is stored), least-privilege access controls, row-level security on operator data, and an audit trail of administrative actions.

That said: no security is perfect. If you believe your data has been compromised through us, email lucas@thresia.com immediately.

10. Where your data lives

Thresia is based in the United States. Our infrastructure is hosted in the United States (Vercel + Supabase, US regions). If you're outside the US and you send us information, you're consenting to it being processed in the US, which may have different privacy protections than your home country.

11. Changes to this policy

We may update this policy as our services and obligations evolve. If we make material changes, we'll update the Effective Date at the top of this page and (if you're a client or active prospect) we'll email you a summary of what changed. The current version of this policy always lives at thresia.com/privacy.

12. Contact

Questions, concerns, requests, complaints, or just want to talk:

lucas@thresia.com

Thresia LLC · Buffalo, NY · United States