TWINii Privacy Policy

Twin Inc Ltd (Company No. 16656477)

Registered in England & Wales. Registered office: 20 Wenlock Road, London N1 7GU, United Kingdom.

Last Updated: 10 Dec 2025

TWINii Privacy Policy (Global + Regional Disclosures)

0. Summary

We collect only the data needed for TWINii to work: to run the service, personalise your experience, attribute purchases, pay creators, protect our community, and improve the product. We’re transparent about how AI, affiliate links and partners like Kindred are used. You control your data rights, and we never train public models on your private one-to-one chats without your consent.

1. Who We Are and How to Contact Us

Twin Inc Ltd (“TWINii”, “we”, “us”) is the data controller for personal data used in our consumer services. If you have questions about your data or this policy, you can contact us at privacy@twinii.ai. When a creator or brand uses TWINii under a commercial agreement and instructs us how to handle personal data, we act as their data processor under a Data Processing Addendum (DPA).

2. Data We Collect

2.1 Account & contact data: Information you provide such as your name or handle, email, age band or date of birth, country, language, and device identifiers.

2.2 Usage & content data: Activity from your time on TWINii, including chats with Twins, prompts, posts, likes, follows, search queries, session telemetry, crash logs, and moderation flags.

2.3 Technical data: Information used to deliver and secure the service, such as IP address, device/OS/browser details, app version, referrer, and cookie or SDK identifiers.

2.4 Commerce & affiliate data: Click-throughs on product links, cart and purchase events, pseudonymous order IDs, and store receipts or tokens used to issue rewards or pay creators.

2.5 Creator assets: For creators, the likeness, voice, name, branding, prompts and instructions you provide so we can operate your verified Twin.

2.6 Optional or sensitive data: Facial imagery and skin metrics for virtual try-on, and any health-related concerns you choose to share in chats. We only process this with your explicit consent where required by law, and you may withdraw consent at any time.

2.7 Inferences: Interest segments, predicted preferences and other insights we generate from your activity to personalise recommendations.

3. Purposes and Legal Bases

3.1 Provide and secure the Services (contract; legitimate interests). Examples: create your account; authenticate; safeguard; prevent fraud; debug.

3.2 Personalisation and recommendations (legitimate interests; consent where required for cookies/ads). Example: ranking product suggestions.

3.3 Affiliate attribution and payouts (contract/legitimate interests). Example: sending pseudonymous click/purchase events to Partner Networks such as Kindred.

3.4 Communications (consent; legitimate interests for service emails). Example: send service announcements; obtain feedback.

3.5 Marketing (consent in the EEA/UK; soft opt-in for existing customers where allowed). Example: email newsletters you subscribe to; you may opt out at any time.

3.6 Safety and integrity (legal obligation; legitimate interests). Example: detect harmful content; respond to rights requests; comply with law.

3.7 Research and product improvement (legitimate interests). We may use de-identified or aggregated data to improve features.

3.8 AI training and evaluation. We may use de-identified or aggregated data to improve our models. We do not train public models on your private one-to-one chats without your consent.

4. Sharing of Personal Data

4.1 Service providers (processors): Hosting, storage, analytics, messaging, payment, age-assurance, fraud prevention, content moderation and customer support providers acting under our instructions.

4.2 Partner Networks and retailers: We share pseudonymous identifiers and event data to attribute sales and calculate commissions (e.g., Kindred). We do not share raw chat content for this purpose.

4.3 Platforms and APIs: If you choose to sign in with another platform (e.g., Meta), that provider processes your data under its own terms and policies.

4.4 Business transfers: If TWINii undergoes a reorganisation, merger or sale, your data may transfer to the successor entity subject to this Policy.

4.5 Legal and safety: We may disclose data to authorities or others where necessary to comply with law or protect individuals.

4.6 Public or shared content: Content you publish publicly may be visible to others; please consider this before sharing.

When TWINii integrates with third-party APIs such as Meta, Google, TikTok or Kindred, data is processed solely within the scope of those partners’ Platform Terms and Developer Policies. TWINii does not store or reuse partner data beyond the permitted purposes.

5. International Data Transfers

Where we transfer personal data outside the UK or EEA, we rely on the EU Standard Contractual Clauses (2021/914) and/or the UK International Data Transfer Addendum, and apply supplementary measures where appropriate, including encryption in transit, access controls and vendor due diligence.

6. Retention

We retain data only as long as necessary for the purposes described.

6.1 Account and profile data: Life of account plus up to 24 months.

6.2 Chats and content logs: 12 months by default unless you delete them sooner or we need to retain them for safety or legal reasons.

6.3 Commerce and affiliate events: Up to 7 years for tax and audit requirements.

6.4 Creator assets: As specified in the Creator Agreement or until access is revoked, with archival copies kept only for legal holds.

6.5 Security logs and breach records: Retained as required by law and industry practice.

7. Your Rights

Your privacy rights depend on where you live.

7.1 UK/EEA rights: You have the right to access, rectify, erase, restrict processing, object, request data portability, and withdraw consent at any time. You may also object to profiling or automated decision-making that has legal or similarly significant effects.

7.2 US state rights (CPRA/Colorado/Connecticut/Virginia): You have the right to know, access, delete, correct, and opt out of the sale or sharing of personal data and of targeted advertising. We provide a “Do Not Sell or Share My Personal Information” mechanism for applicable users.

7.3 Appeals: If we deny a request, you may appeal and we will explain the outcome.

7.4 Regulators: You can complain to the UK ICO or your local data protection authority.

8. Children

8.1 The Services are not intended for children under 16.

8.2 We may apply age-assurance measures and limit features for accounts believed to be under the applicable age, and we will delete children’s data on verified parental requests.

8.3 We may use face-scan or age-assurance technology to help confirm eligibility and apply youth-safety measures. Verification is triggered only when risk or legal thresholds require it, and no raw facial imagery is retained.

9. Cookies and Similar Technologies

9.1 We use cookies and SDKs for functionality, analytics, fraud prevention and ads measurement.

9.2 In the EEA/UK we obtain consent through a consent-management platform (CMP) aligned with the IAB TCF, and you can change your preferences at any time.

9.3 Some features may not function without certain cookies or SDKs.

10. Security of Personal Data

10.1 We implement appropriate technical and organisational measures, including TLS encryption in transit, access controls, secret management, least-privilege permissions, event logging, regular reviews, short-lived authentication tokens and vulnerability management.

10.2 No system is 100% secure, but we work to protect your data and limit risk through layered safeguards.

10A. Security Incidents and Breach Notification

10A.1 If we become aware of a personal-data breach that is likely to result in risk to individuals, we will notify the relevant supervisory authority within 72 hours where required by law.

10A.2 We will notify affected users without undue delay when the breach is likely to result in a high risk to their rights or freedoms.

10A.3 We maintain incident and breach logs for audit, security monitoring and legal compliance.

11. AI Transparency

11.1 We label AI-generated or AI-manipulated media where feasible and may use cryptographic watermarks or metadata to signal provenance.

11.2 We disclose when content is sponsored or includes affiliate links.

12. Affiliate & Partner Network Disclosure (Kindred)

12.1 We partner with networks such as Kindred; some offers may carry affiliate status or result in commission to us and/or you.

12.2 We do not endorse the underlying products or services. Always review the product’s instructions, safety labels and Terms & Conditions before purchase.

12.3 Data shared for attribution is pseudonymous and limited in scope.

13. Exercising Your Rights; Contact

13.1 You can submit rights requests by emailing privacy@twinii.ai.

13.2 We may need to verify your identity before completing your request, and you may appoint an authorised agent where permitted by law.

13.3 We will respond within the applicable statutory timeframe.

13.4 EU/UK representative and DPO details will be published here when appointed.

14. Region-Specific Disclosures

14.1 California (CPRA): We disclose categories of personal information collected, the purposes of use and sharing in this Policy. You may opt out of sale/share and targeted advertising, and you will not be discriminated against for exercising your rights. An appeal process is available.

14.2 Colorado, Connecticut, Virginia and Utah: Similar rights apply in these states, and we honour them as required.

14.3 EEA/UK: Our lawful bases are set out in Section 3. You may lodge a complaint with the UK ICO (ico.org.uk) or your local supervisory authority.

15. Changes to this Policy

15.1 We may update this Policy from time to time. We will post updates on this page and provide reasonable notice of material changes before they take effect.

15.2 Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the changes.

15.3 The effective date will be shown at the end of this document.

Effective Date: 10 December 2025