Privacy Statement
Last updated: March 2025
Twinnio ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Statement explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and Dutch data protection law.
1. Data Controller
The data controller responsible for your personal data is Twinnio, based in the Netherlands. For privacy-related questions, contact us at privacy@twinnio.co.
2. Data We Collect
We collect the following categories of personal data:
Account Data
Name, email address, and password (stored as a hash) provided when you create an account.
Content Data
Documents, Q&A pairs, interview responses, and website content that you provide to train your digital twin. This content may include personal information if you choose to include it.
Usage Data
Information about how you use the Service, including log data, IP addresses, browser type, pages visited, and time spent on the platform.
Payment Data
Billing information processed by our payment provider. We do not store full payment card details on our servers.
Widget Visitor Data
When visitors interact with a Twinnio chat widget on a third-party website, their messages and IP addresses may be processed to provide the chat functionality.
3. Purpose and Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Contract performance |
| Processing payments and billing | Contract performance / Legal obligation |
| Sending account and service notifications | Contract performance |
| Security, fraud prevention, and debugging | Legitimate interest |
| Product improvement and analytics | Legitimate interest |
| Marketing communications (optional) | Consent |
4. Data Storage and Security
Your data is stored securely using Supabase (hosted infrastructure within the EU). We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or alteration, including encryption in transit (TLS) and at rest.
We retain your personal data for as long as your account is active or as needed to provide the Service. After account termination, data is retained for up to 30 days before deletion, unless a longer retention period is required by law.
5. Third Parties
We share your data only with trusted third-party service providers necessary to operate the Service:
- Supabase — Database and authentication infrastructure. Data is stored within EU data centers. Supabase is GDPR-compliant.
- Paddle — Payment processing. Paddle acts as the Merchant of Record and handles billing and tax compliance. Subject to Paddle's own privacy policy.
- OpenAI — AI processing for generating twin responses. Content submitted for AI processing is subject to OpenAI's data usage policies.
We do not sell your personal data to third parties.
6. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access: Request a copy of your personal data.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your personal data ("right to be forgotten").
- Right to restriction: Request restriction of processing in certain circumstances.
- Right to data portability: Receive your data in a machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at privacy@twinnio.co. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
7. Cookies
We use essential cookies to keep you signed in and maintain session state. We do not use tracking or advertising cookies. You can control cookies through your browser settings.
8. International Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., for AI processing via OpenAI), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.
9. Changes to This Statement
We may update this Privacy Statement from time to time. We will notify you of material changes by email or through the Service. The date at the top of this page reflects the most recent update.
10. Contact
For privacy-related questions or to exercise your rights, contact our privacy team at privacy@twinnio.co.