ThinkThisOut

A private space to untangle your thoughts

Try the private beta

Free while in beta. Nothing leaves your account.

Four modes, one head

Pick how you're thinking right now

Every mode is just a different shape for the same act — getting what's in your head onto a page that's yours. You can switch modes mid‑thought without losing anything.

Thought Dump screen: a single soft text area with a Save chip in the corner.

Thought Dump

For the loud days. One long text area, fast save, no structure asked of you. Tag and reread later.

  • Cmd / Ctrl + S to save without leaving the keyboard
  • Soft auto‑save while you type
  • Encrypted at rest the moment it lands in the database

Guided Journal screen: a rotating reflective prompt above a writing area and a mood scale.

Guided Journal

For the days when you don't know where to start. A daily rotating prompt, an optional mood, and the rest is yours.

  • The prompt you saw is stored with the entry — permanent context
  • Mood capture is optional, never inferred
  • Reflection question on demand (only if you turned AI on for that entry)

Plan Something screen: a goal at the top with milestones and check-off task lists beneath.

Plan Something

Goal → milestones → tasks. The thinking is yours; the structure stays out of your way.

  • Edit any level inline; nothing locks
  • Check tasks off without leaving the page
  • Optional AI “suggest milestones” — only when you ask

Make a Decision screen: a weighted matrix with two options scored against criteria.

Make a Decision

A weighted decision matrix you can actually finish. Live ranking. No fake confidence numbers.

  • Options × criteria × weight, scored 0–5
  • Leader highlight that updates as you score
  • Optional tie‑breaker explainer when the top two land within 5%

Privacy, in detail

Your thoughts are encrypted — even from us

We built the privacy story before we built the features. Here's what that looks like in practice.

Encrypted at rest, per column

Every entry's content, summary, and structured data are encrypted with AES‑256‑GCM. The encryption key is unique to your account and bound to the column — ciphertext can't be replayed between users or fields.

AI is off by default

New entries are private. AI features can't see an entry unless you've turned on AI globally and flipped the “Share with AI” switch on that specific entry. Either switch revokes access instantly.

Revoke is one click

Revoke AI access from /account and every shared entry flips back to private, every embedding is nulled, and every paid AI feature refuses your account—at the database, not just the UI.

Admins never read your content

The admin surface is metadata only: mode, privacy level, length, timestamps. The query that backs /admin/thoughts can't select content columns. That's a code contract, audited.

Delete actually deletes

Soft‑delete first, hard‑delete 30 days later. A timer purges deleted rows nightly. The journal logs the count — never the content.

Export anything, anytime

One click on /account exports all your sessions as JSON. No proprietary lock‑in. We're a place to keep things, not a place to hold them.

Security stance

Honest, specific, verifiable

The vague “bank‑grade encryption” line means nothing. Here are the actual controls, named.

Transport
TLS 1.3 first, TLS 1.2 fallback. Hybrid post‑quantum key exchange (X25519MLKEM768) on the app surface. HSTS preload, OCSP stapling, AEAD ciphers only.
Headers
Strict CSP (script-src 'self'), frame-ancestors 'none', Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy denies geolocation, camera, mic, payment, usb.
Sign‑in
Auth.js 5 with database sessions. Google OAuth (account picker forced) or magic‑link via email. 15‑minute link TTL, 60‑second resend cooldown, 30‑day session lifetime.
CSRF
Next.js server actions are POST‑only behind the session cookie; the framework auto‑applies CSRF. The marketing form uses double‑submit cookie with a 2‑hour token.
Rate limits
Per‑user, per‑feature soft limits on every paid AI path. Admin actions are per‑actor (20 burst, 1/sec sustained). Magic‑link sends are per‑identifier.
DNS / mail
DNSSEC validated at the parent for all three zones. SPF -all, DMARC p=reject with strict alignment, MTA‑STS + TLS‑RPT on the mail zone, CAA with iodef.
Audit
Every admin mutation appends to admin_audit (actor, action, target, before/after, IP, UA). Every AI round‑trip appends to bcat_call_log — metadata only, never content.
Backup
Nightly encrypted Postgres dump on VPS01 (AES‑256‑CBC, PBKDF2 600k). Passphrase lives in our vault, never on the app process.
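The Headers entry above is the kind of claim a deployment smoke test can check on every release. The following is an added example, not ThinkThisOut's code: it parses a response's Content-Security-Policy and Permissions-Policy headers and reports anything that departs from the stated stance. The header values are constructed samples; "mic" on the page corresponds to the `microphone` feature name in Permissions-Policy.

```javascript
// Added example (not ThinkThisOut's own code): parse security headers and compare them
// with the stated policy: script-src exactly 'self', frame-ancestors 'none',
// Referrer-Policy strict-origin-when-cross-origin, and five features denied.

// Split a CSP string into a Map of directive -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// "geolocation=(), camera=(self)" -> Map { geolocation -> [], camera -> ['self'] }
function parsePermissionsPolicy(value) {
  const policy = new Map();
  for (const part of value.split(',')) {
    const m = part.trim().match(/^([a-z-]+)=\((.*)\)$/);
    if (!m) continue;
    const allowList = m[2].trim();
    policy.set(m[1], allowList ? allowList.split(/\s+/) : []);
  }
  return policy;
}

const DENIED_FEATURES = ['geolocation', 'camera', 'microphone', 'payment', 'usb'];

// Returns a list of findings; an empty list means the response matches the stance.
function checkSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    const script = d.get('script-src');
    if (!script || script.length !== 1 || script[0] !== "'self'") {
      findings.push("script-src must be exactly 'self'");
    }
    const fa = d.get('frame-ancestors');
    if (!fa || fa.join(' ') !== "'none'") findings.push("frame-ancestors must be 'none'");
  }

  if (h['referrer-policy'] !== 'strict-origin-when-cross-origin') {
    findings.push('Referrer-Policy is not strict-origin-when-cross-origin');
  }

  const pp = h['permissions-policy'];
  if (!pp) {
    findings.push('missing Permissions-Policy');
  } else {
    const policy = parsePermissionsPolicy(pp);
    for (const f of DENIED_FEATURES) {
      const allow = policy.get(f);
      // A feature is denied only if it is listed with an empty allowlist.
      if (allow === undefined || allow.length > 0) findings.push(`Permissions-Policy does not deny ${f}`);
    }
  }
  return findings;
}

// Constructed samples: one matching the stated stance, one with common weakenings.
const GOOD_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), camera=(), microphone=(), payment=(), usb=()',
};
const WEAK_HEADERS = {
  'Content-Security-Policy': "script-src 'self' 'unsafe-inline'; frame-ancestors 'self'",
  'Referrer-Policy': 'no-referrer-when-downgrade',
  'Permissions-Policy': 'geolocation=(), camera=(self)',
};
```

Run it against the live headers (for example from a `fetch` of the app origin in a post-deploy job) and fail the pipeline when the findings list is non-empty; the check is deliberately strict, so a policy loosened by a single `'unsafe-inline'` is caught rather than averaged away.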
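The CSRF entry above describes a double-submit cookie with a 2-hour token for the marketing form. As an added example (not ThinkThisOut's code), here is that pattern with the token signed so the server can also reject forged or expired values; the signing secret, the `timestamp.nonce.signature` layout and the function names are assumptions for illustration.

```javascript
// Added example (not ThinkThisOut's own code): a signed, time-limited double-submit
// CSRF token. The same value is set in a SameSite cookie and a hidden form field;
// a POST is accepted only when both are present, equal, correctly signed and fresh.
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 2 * 60 * 60 * 1000;        // 2-hour token lifetime, as on the page
const CSRF_SECRET = crypto.randomBytes(32);     // constructed; would come from server config

// Mint a token: issued-at timestamp, random nonce, HMAC-SHA256 over both.
function issueCsrfToken(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const body = `${now}.${nonce}`;
  const sig = crypto.createHmac('sha256', CSRF_SECRET).update(body).digest('hex');
  return `${body}.${sig}`;
}

// Constant-time string comparison; length mismatch is reported without comparing bytes.
function timingSafeEqualStr(a, b) {
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  return ba.length === bb.length && crypto.timingSafeEqual(ba, bb);
}

// Verify a submission. Returns null on success or a short reason on failure, so the
// server can count rejection categories without echoing them to the client.
function verifyCsrf(cookieToken, formToken, now = Date.now()) {
  if (!cookieToken || !formToken) return 'missing';
  if (!timingSafeEqualStr(cookieToken, formToken)) return 'mismatch';
  const parts = cookieToken.split('.');
  if (parts.length !== 3) return 'malformed';
  const [tsStr, nonce, sig] = parts;
  const expected = crypto.createHmac('sha256', CSRF_SECRET).update(`${tsStr}.${nonce}`).digest('hex');
  if (!timingSafeEqualStr(sig, expected)) return 'bad-signature';
  const issued = Number(tsStr);
  if (!Number.isFinite(issued) || now - issued > TOKEN_TTL_MS) return 'expired';
  return null;
}
```

The cookie should be set with `SameSite=Lax` (or `Strict`) and `HttpOnly` off only if client-side script must read it; with a plain HTML form the hidden field is rendered server-side, so `HttpOnly` can stay on. Expiry is checked last so that a forged token never reaches the clock comparison with a valid-looking signature.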
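The Rate limits entry above gives one concrete shape: 20 burst, 1/sec sustained, keyed per actor. That is a token bucket. The following is an added example (not ThinkThisOut's code) of such a limiter with an injectable clock, so the burst-then-refill behaviour can be checked deterministically; the class and method names are assumptions. The same class covers the per-user, per-feature limits by using a composite key such as `${userId}:${feature}`.

```javascript
// Added example (not ThinkThisOut's own code): a per-key token bucket. Each key starts
// with `burst` tokens, one request costs one token, and tokens refill continuously at
// `perSecond`. Refill is computed lazily from elapsed time, so no background timer.
class TokenBucketLimiter {
  constructor({ burst, perSecond, now = () => Date.now() }) {
    this.burst = burst;
    this.perSecond = perSecond;
    this.now = now;                 // injectable clock (ms) for deterministic tests
    this.buckets = new Map();       // key -> { tokens, updatedAt }
  }

  // Returns true and consumes a token if the request is allowed, false otherwise.
  allow(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.burst, updatedAt: t };
      this.buckets.set(key, b);
    }
    const elapsed = Math.max(0, t - b.updatedAt);
    b.tokens = Math.min(this.burst, b.tokens + (elapsed * this.perSecond) / 1000);
    b.updatedAt = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return true;
    }
    return false;
  }

  // Milliseconds until the key's next token, suitable for a Retry-After response.
  retryAfterMs(key) {
    const b = this.buckets.get(key);
    if (!b || b.tokens >= 1) return 0;
    return Math.ceil(((1 - b.tokens) * 1000) / this.perSecond);
  }
}

// Constructed scenario: one admin fires 25 actions at once, waits five seconds, then
// fires five more; a second admin is unaffected because buckets are per actor.
function adminBurstDemo() {
  let clock = 0;
  const limiter = new TokenBucketLimiter({ burst: 20, perSecond: 1, now: () => clock });
  const firstWave = Array.from({ length: 25 }, () => limiter.allow('admin-1')).filter(Boolean).length;
  const retryAfter = limiter.retryAfterMs('admin-1');
  clock += 5000;
  const secondWave = Array.from({ length: 5 }, () => limiter.allow('admin-1')).filter(Boolean).length;
  const otherActor = limiter.allow('admin-2');
  return { firstWave, retryAfter, secondWave, otherActor };
}
```

In a multi-instance deployment the bucket state would live in the database or a shared cache rather than an in-process Map; the arithmetic is the same. Keying AI paths as `${userId}:${feature}` gives the per-user, per-feature soft limits the page describes without a second implementation.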

How‑to

Four short walkthroughs

Everything in the app is two clicks deep. These are the routes through it that most people want.

  1. Your first thought dump

    1. Sign in with Google or a magic‑link email.
    2. From the dashboard, pick Dump it. A fresh, empty page opens.
    3. Write. Cmd / Ctrl + S saves; nothing leaves the page.
    4. Tag it later from the entry's three‑dot menu, or leave it untagged.
  2. Turning AI on for a single entry

    1. Visit /account and accept the AI‑sharing terms once. This unlocks the per‑entry toggle — nothing else.
    2. Open the entry you want help with.
    3. Flip Share with AI on that entry. It's now eligible for semantic search and suggesters.
    4. Use the AI button on the page (e.g. Suggest milestones). Every call is rate‑limited and logged as metadata.
  3. Running fully without AI

    1. Don't accept AI sharing on /account — or revoke it if you already did.
    2. That's it. Every AI feature refuses to fire; the buttons are still visible but inert.
    3. You still get search (substring), tags, and exports.
  4. Exporting or deleting everything

    1. Visit /account.
    2. Export downloads a JSON of every session you've written.
    3. Delete all soft‑deletes every session immediately; the hard purge runs within 30 days.

Frequently asked

Questions, answered

Is this a therapy tool?

No. ThinkThisOut is a private space to write things down and untangle them. It is not a clinical or crisis service. If you are in crisis, please contact a local emergency line or a mental‑health professional.

What does “private by default” actually mean?

Every new entry starts at privacy_level = 'private'. That excludes it from AI features entirely — the chokepoint is enforced in the database query, not the UI. AI can't see it unless you explicitly flip the per‑entry switch.

Where does the AI run?

On our own infrastructure (an internal model server on a second VPS), not on a third‑party API. We never send your text to OpenAI, Anthropic, or any other vendor. Embeddings are 768‑dim vectors computed by an open‑source model running on that server.

What's logged?

Sign‑in events (type, identifier, IP, UA, success/failure). Admin actions (full audit). AI round‑trips (feature, latency, status, character counts — never content). Email delivery attempts (type, recipient, status — never body).

Can you read my entries?

The data is encrypted with a key bound to your account. The admin UI is built to refuse to query content columns at all; that's a code‑level contract. We could technically decrypt by deploying new code with access to the master key — but it would be a deliberate breach of the published privacy contract and would show up in our audit log.

How do you pay for this?

Today, we don't — it's free during the private beta. The likely shape post‑beta is freemium: core writing free forever, optional paid tier for AI features that incur real inference cost. There is no ad surface and there never will be.

Is there a mobile app?

Not yet. The web app is built mobile‑first and installs as a PWA on iOS and Android. We'll ship native if retention warrants it.

How do I delete my account?

Visit /account and use Delete all. Sessions are soft‑deleted immediately and hard‑deleted within 30 days by an automated job. To also remove the bare account record, use the contact form below.

Ready to untangle something?

Sign in, pick a mode, start writing. We don't ship anything to anyone.

Get in touch

We'll only use this to reply.