Throughline

Privacy policy

Throughline LLC, a Washington limited liability company

Effective: May 25, 2026 · Version 1.1

At a Glance

This summary is for convenience only; the full policy below controls.

  • We do not sell your personal information.
  • We do not run third-party advertising or cross-app behavioral tracking — there are no ad SDKs in the app.
  • We do not collect GPS or precise location. The app has no location SDK.
  • Crash and error diagnostics use Sentry (not advertising): we may receive error reports and, on a small fraction of sessions, masked session replay to fix bugs. We do not send student names or assignment content to Sentry by design.
  • Student profiles are created and managed by an adult administrator (18+); we collect the minimum information needed to provide the service.
  • Your data is encrypted in transit and at rest, and isolated per household via row-level security.

1. Introduction

Welcome to Throughline. This Privacy Policy explains how Throughline LLC, a Washington limited liability company ("Throughline," "we," "our," or "us") collects, uses, discloses, and safeguards information when you use the Throughline mobile application (the "App"), our website at jointhroughline.com (the "Website"), and any related emails or services we provide (collectively, the "Service"). Throughline is a homeschool planning and learning-tracking application designed for families.

By creating an account or using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Who We Are and How to Reach Us

The data controller for personal information collected through the Service is Throughline LLC, a Washington limited liability company.

  • Email: support@jointhroughline.com
  • Website: jointhroughline.com

3. Information We Collect

3.1 Information You Provide

When you create an account and use the Service, you provide us with:

  • Administrator account information: email address and password (handled by Supabase Auth — we never see your password in plaintext), full name, time zone, optional profile photo (avatar), and your email-notification preferences.
  • Optional admin PIN: a numeric PIN used to lock the administrator profile against access by other household members. The PIN is stored as a one-way hash; we cannot recover it for you.
  • Student profile data: each student profile may include first name, last name, optional avatar, grade level, school year, and tracking mode (Simple, Balanced, or Detailed). We do not collect a student's date of birth or precise age.
  • Compliance location data (manual, not GPS): if you choose to record where a student is being homeschooled for compliance reporting, you may enter U.S. state, school district (optional), applicable date range, and notes. This is text you type — we do not access your device's location services.
  • Homeschool content: the assignments, lessons, learning sessions, attendance days, grades, goals, curriculum, subjects, schedules, timers, log entries, narrative comments, portfolio items, and other planning or tracking content you create.
  • Files and media you upload: documents, images, and links you add to your resource library, attachments on activities, and similar files.
  • Communications with us: support and feedback messages, replies, and any information you choose to include.

3.2 Information We Collect Automatically

When you use the Service, we automatically collect:

  • Device information: device type, operating system, and the version of the App you are running.
  • Push notification token: an Expo push token associated with your installation, used only to deliver notifications you have enabled.
  • IP address and approximate region: your IP address is processed by our hosting provider (Supabase) when your device communicates with our servers, primarily for security, abuse prevention, and routing. Only an approximate region (such as country) can be inferred from an IP address. We do not use IP-based geolocation for advertising or profiling.
  • Service-reliability telemetry: we record the most recent App version, native build, and last-seen timestamp on a per-account basis to help diagnose issues across versions.
  • Crash and error diagnostics (Sentry): if the App encounters an unexpected error, we may send diagnostic data to our crash-reporting provider, Sentry, Inc. This typically includes the error type, stack trace, device type, operating system, App version, and an internal account identifier (your Supabase user id). We configure the App not to send your email address, student names, or homeschool content in these reports. Sentry may also receive your IP address as part of standard web-style request metadata; we have disabled Sentry's "send default PII" setting. On a sample of sessions (and on sessions where an error occurs), Sentry may capture masked session replay (screen recording with text and images masked) solely to help us reproduce bugs — not for advertising.
  • Email-delivery metadata: when we send you email, our email provider (Resend) records delivery, bounce, and similar status events.

3.3 Subscription and In-App Purchase Data

If we offer Throughline Premium or other in-app purchases through the Apple App Store or Google Play and you choose to subscribe, our subscription provider RevenueCat associates your subscription with an internal "app user ID" that is set to your Throughline account identifier. We receive entitlement status, product identifiers, and purchase/renewal events. We do not receive or store your payment-card information; payments are handled by Apple or Google.

3.4 Information We Do Not Collect

We want to be specific about what we do not collect:

  • Precise or GPS location. The App does not include any location SDK and never asks for location permission.
  • Microphone audio, contacts, calendar, health, or biometric data.
  • Mobile advertising identifiers (IDFA / Advertising ID).
  • Behavioral advertising, cross-app tracking, or attribution SDKs. We do not embed advertising, fingerprinting, or marketing-analytics SDKs.
  • Payment-card numbers, bank-account details, or full billing addresses. Apple and Google handle in-app purchase billing.

4. How We Use Your Information

We use the information we collect to:

  • Create and manage your administrator account and household profiles.
  • Enable profile switching among household members, similar to a household streaming service.
  • Provide, maintain, secure, and improve the Service, including planning, daily logging, gradebook, attendance, reports, and resource-library features.
  • Deliver transactional emails — for example, welcome messages, password-change confirmations, support replies, account-deletion confirmations, data-export notices, assignment reminders or summaries you have opted into, and policy or billing updates.
  • Send local and push notifications you have enabled (push notifications may require Throughline Premium).
  • Process subscriptions and entitlements through RevenueCat, Apple, and Google.
  • Respond to your support and feedback requests.
  • Detect, prevent, and address fraud, abuse, security incidents, or violations of our Terms.
  • Diagnose and fix crashes, errors, and reliability problems using Sentry crash reports (and optional masked session replay where enabled).
  • Comply with our legal obligations, including responses to lawful requests and tax or recordkeeping requirements.

5. Legal Bases for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR / UK GDPR:

  • Performance of a contract (Art. 6(1)(b)): processing necessary to provide the Service to you under our Terms — for example, hosting your homeschool data, authenticating you, and delivering core features.
  • Legitimate interests (Art. 6(1)(f)): operating, securing, and improving the Service, preventing fraud and abuse, and basic service-reliability telemetry. We balance these interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)): for optional features such as push notifications and any future marketing communications. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): where we must process information to comply with applicable law.

6. How We Share Your Information

We do not sell your personal information.

We do not "share" your personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA). We share information only as described below.

6.1 Service Providers (Subprocessors)

We rely on a small set of vetted vendors to operate the Service. They process personal information only on our instructions and are bound by written data-protection terms.

  • Supabase Inc. (United States) — managed Postgres database, authentication, file storage, and serverless functions. Supabase is GDPR-compliant and SOC 2 Type II certified. Privacy: https://supabase.com/privacy.
  • Resend Inc. (United States) — transactional email delivery (welcome, password change, support replies, assignment summaries, policy updates, and similar). Privacy: https://resend.com/legal/privacy-policy.
  • RevenueCat, Inc. (United States) — subscription management and entitlement tracking, including receipt validation with Apple and Google. Privacy: https://www.revenuecat.com/privacy.
  • Expo / 650 Industries, Inc. (United States) — push-notification relay to Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM). Privacy: https://expo.dev/privacy.
  • Sentry, Inc. (United States) — crash and error reporting for the App, optional masked session replay for debugging, and (on our build servers only) upload of source maps using a separate auth token that is never included in the App. The App contains a public Sentry data source name (DSN) so it can send crash events; that is not a secret. Privacy: https://sentry.io/privacy/.
  • Apple Inc. and Google LLC — distribution of the App through the App Store and Google Play and processing of in-app purchases. Their privacy practices apply to information they collect from you directly.

6.2 Legal, Safety, and Compliance

We may disclose information when we believe in good faith that disclosure is necessary to: comply with a law, regulation, subpoena, court order, or other lawful request from a government authority; enforce our Terms; protect the rights, property, or safety of Throughline, our users, or others; or detect or prevent fraud, security incidents, or technical issues.

6.3 Business Transfers

If Throughline is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, your information may be transferred to the successor or acquirer. We will provide notice (for example, in the App or by email) before any such transfer.

6.4 With Your Direction

If you choose to export, share, or print your data using the Service's built-in export and share features (such as PDF reports or CSV exports), the recipient and any service you select for sharing receive the data you choose to send.

7. International Data Transfers

Throughline is operated from the United States, and your information is stored and processed in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we and our subprocessors rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) as a transfer mechanism. You may request a summary of these safeguards by writing to support@jointhroughline.com.

8. Children's Privacy

Throughline is a family-oriented service. The administrator account is intended for adults aged 18 or older. Student profiles created by an administrator may belong to children of any age, and the data within those profiles is provided and managed by the administrator on behalf of their household.

By creating a student profile for a child, the administrator represents that they are the child's parent or legal guardian (or have equivalent authority) and consents to our collection and use of that child's personal information as described in this Privacy Policy. We collect only the information needed to provide the Service.

No advertising or cross-app behavioral tracking is applied to any profile, including student profiles. Technical crash diagnostics (Section 3.2) are not used to profile children for marketing. We do not sell or share any child's personal information.

Administrators may review, correct, export, or delete any student profile and its data at any time from within the App. To delete an entire administrator account and associated household data, use More → My Profile → Edit Profile → Permissions → Delete account in the App (email verification code) or https://jointhroughline.com/delete on the Website (same flow). You may also contact support@jointhroughline.com for assistance. If you believe we have collected personal information from a child without appropriate parental or guardian consent, please contact us at support@jointhroughline.com and we will promptly delete it.

Throughline is not a "school official" under the U.S. Family Educational Rights and Privacy Act (FERPA). Throughline is not directed to children under 13 as direct users; the Service is provided to and contracted with adult household administrators.

9. Data Retention

When you confirm account deletion in the App or on the Website, you verify control of your account email using a one-time code (or sign-in link from the same email). After verification, we permanently delete your administrator account, student profiles, and associated Service content promptly. Some information may persist in encrypted backups for a short period as described below, and we may retain certain records where required for legal, tax, fraud-prevention, audit, or accounting purposes (for example, billing records held by Apple, Google, or RevenueCat).

Specific retention windows include:

  • Email-delivery logs (Resend): up to 12 months.
  • Crash and error events (Sentry): retained according to our Sentry project settings (commonly up to 90 days for error events; see Sentry documentation for current defaults).
  • Support and feedback messages: up to 24 months from last contact.
  • Backups and disaster-recovery copies: cycled out within 35 days of deletion.
  • Records required by law (such as tax records): for the period required by applicable law.

10. Your Rights and Choices

10.1 Rights Available to All Users

Subject to applicable law, you may request the following with respect to your personal information:

  • Access — a copy of the personal information we hold about you.
  • Correction — that we correct information that is inaccurate or incomplete.
  • Deletion — that we delete your account and associated data.
  • Portability — that we provide your data in a portable, machine-readable format.
  • Restriction or objection — that we limit certain processing of your information.

To exercise these rights, you may use More → My Profile → Edit Profile → Permissions → Delete account in the App or https://jointhroughline.com/delete on the Website for account deletion requests, email support@jointhroughline.com from the email address associated with your account, or use the in-App Feedback section for other requests. We may need to verify your identity before fulfilling your request, typically by confirming control of the account email.

10.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the right to: know what personal information we collect, use, disclose, and (if applicable) sell or share; request deletion of your personal information; correct inaccurate personal information; limit the use and disclosure of sensitive personal information; and opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising. We will not discriminate against you for exercising any of these rights.

California residents may also request, once per year, a list of third parties to whom we have disclosed personal information for those parties' direct marketing purposes ("Shine the Light"). Requests may be sent to support@jointhroughline.com.

10.3 Other U.S. State Residents

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another U.S. state with a comprehensive privacy law, you generally have rights of access, correction, deletion, portability, and to opt out of certain processing. We will respond to verifiable requests within the period required by your state's law (generally 45 days, with one extension where permitted).

10.4 EEA, UK, and Swiss Residents

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 5 above, plus the right to lodge a complaint with your local data protection authority. The data controller is Throughline LLC, a Washington limited liability company.

10.5 Other Choices

  • Push notifications: enable or disable in your device's system settings, or in the App's notification settings.
  • Marketing emails: every marketing email contains a one-click unsubscribe link, and you can manage email preferences in your account settings. Transactional emails (such as password resets, security notices, billing receipts, and support replies) are required to operate the Service and cannot be disabled while you have an account.
  • Global Privacy Control / Do Not Track: where the Website honors a recognized browser opt-out signal such as Global Privacy Control, we treat it as an opt-out of any "sale" or "sharing" of personal information.

11. Security

We implement administrative, technical, and physical safeguards designed to protect your information, including:

  • Encryption in transit using TLS 1.2 or later for all client-server communication.
  • Encryption at rest for our managed database and file storage.
  • Row-level security policies that isolate each household's data so that one administrator account cannot access another's.
  • Least-privilege access controls and tightly scoped service-role keys for backend operations.
  • Optional administrator PIN to lock profile switching on shared devices.
  • Regular review of dependencies, configurations, and access policies.

No method of transmission over the internet or electronic storage is 100% secure. If we become aware of a breach affecting your personal information, we will notify you and the appropriate authorities as required by applicable law.

12. Cookies and Tracking Technologies

The Throughline App is a native mobile application and does not use browser-style cookies. It uses on-device storage (such as AsyncStorage) to remember your sign-in session and certain preferences. We do not embed third-party advertising cookies, pixels, fingerprinting, or marketing-tracking SDKs in the App. We do use Sentry for crash and error diagnostics only (see Sections 3.2 and 6.1), which may use similar technologies as part of delivering that service.

The Website may use a small number of strictly-necessary cookies (for example, to remember your cookie-banner choice). We do not run third-party advertising or analytics cookies on the Website.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the App and, where we have your email address, by email to active administrators at least 14 days before the changes take effect, unless a shorter period is required by law. The "Effective Date" and version number above will be updated for each revision. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy or wish to exercise any of the rights described above, please contact us:

Throughline LLC, a Washington limited liability company

  • Email: support@jointhroughline.com
  • Website: jointhroughline.com