Privacy Policy

Last updated: September 16, 2025

Twin Labs SAS ("Twin", "we", "us") builds the Twin Agent and the websites available at twin.so and app.twin.so (the "Services"). This policy explains how we collect, use, share, and protect personal data when you browse our sites, create a Twin workspace, or ask our platform to automate tasks on your behalf.

Twin Labs SAS is registered in France (RCS Paris 978 364 222) with its registered office at 10 rue de Penthievre, 75008 Paris, France. Unless stated otherwise, Twin acts as the data controller for personal data that we collect through the Services. When we process customer content on behalf of your organisation, we act as your data processor and only use that data according to your documented instructions and our Data Processing Agreement (DPA).

How to Contact Us

You can reach our privacy team at support@twin.so or by using the contact form available at twin.so/contact. EU residents who believe their rights were infringed may also contact the French Data Protection Authority (CNIL) or their local authority.

Personal Data We Collect

Information you provide directly

  • Account, workspace, and contact details. We collect your name, work email address, company name, job title, phone number, and password (hashed) when you register or are invited to a Twin workspace. Workspace owners may also provide seat assignments, usage policies, and access roles for their teammates.
  • Customer content and configuration. When you build or run an agent you may provide prompts, process descriptions, training data, files, screenshots, structured documents, or other materials that describe the tasks you want Twin to perform. These materials can include personal data relating to your employees, contractors, or end users. We treat this content as confidential customer data.
  • Billing and commercial information. If you purchase a paid plan, we collect billing contact information, purchase order references, VAT or tax identification numbers, and transaction records. Payment card details are processed directly by our payment providers and are not stored on Twin's systems.
  • Support and communications. We keep records of emails, chat conversations, form submissions, surveys, and other communications with you, including information you provide when you join our waitlist, register for an event, or request technical assistance.

Automation credentials and secure storage

To run automations Twin can store optional credentials on your behalf. This may include usernames, passwords, one-time passcodes, API keys, or browser session tokens for third-party services such as Google products. Credentials saved in the Twin Vault are encrypted using separate key management, and access is limited to the workspace members you authorise. When you choose not to store credentials, Twin holds them only in memory for the duration of the session and destroys them immediately afterwards.

Google user data

When you connect Google services to Twin we process Google user data as described in the dedicated section below.

Usage and device data

We automatically collect technical data about how the Services are accessed and used, including IP address, browser type, operating system, device identifiers, timestamps, feature usage metrics, error logs, agent execution traces, and diagnostic information. We generate aggregate analytics from this data to understand feature performance and to secure the platform.

Cookies and similar technologies

We use cookies, local storage, and similar technologies to operate the Services, remember your preferences, and analyse how visitors interact with our website. Details are provided in the "Cookies and online analytics" section below. You can adjust your cookie preferences at any time through the cookie banner or within your browser settings.

How We Use Personal Data

  • Provide, secure, and maintain the Services, including creating and administering workspaces, delivering agent runs, generating dashboards, and providing customer support.
  • Authenticate users, prevent fraud or abuse, and enforce our Terms and other agreements.
  • Process transactions, send invoices, and collect payments.
  • Respond to inquiries, send operational communications, and inform you about product updates or events. You can opt out of marketing emails at any time.
  • Improve and develop the Services by analysing aggregated or de-identified usage patterns, running experiments, and developing new features.
  • Comply with legal obligations and respond to lawful requests from public authorities.

For individuals located in the European Economic Area (EEA), the United Kingdom, and Switzerland, we rely on one or more of the following legal bases: performance of a contract (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR) such as securing and improving the Services, compliance with legal obligations (Art. 6(1)(c) GDPR), or your consent where required (Art. 6(1)(a) GDPR).

How We Share Personal Data

We share personal data only with the following categories of recipients and only for the purposes described in this policy:

  • Service providers and sub-processors. We use carefully selected vendors to host infrastructure, store data, send communications, provide analytics, manage forms, and run our AI pipeline. Examples include our cloud hosting and security providers listed in the Trust Center, OpenAI (for reasoning models), SubmitForm for form submissions, Simple Analytics, and Google Analytics. We ensure appropriate data processing agreements and safeguards are in place with each vendor. A live list of sub-processors is available in our Trust Center.
  • Integration partners at your direction. When you connect Twin to services such as Qonto or Google Workspace, we share the outputs you request (for example, invoices, reports, or status updates) with those services.
  • Professional advisors. We may share data with lawyers, accountants, auditors, or insurers where necessary to obtain professional advice or manage risk.
  • Corporate transactions. Personal data may be transferred in connection with a merger, financing, acquisition, or dissolution of Twin, subject to appropriate safeguards.
  • Legal compliance. We may disclose data when we believe it is necessary to comply with applicable law, a court order, or lawful requests from authorities. We will push back on overly broad or unlawful requests whenever possible.

We never sell personal data and we do not use Google user data or other customer content for advertising.

Google User Data

Many Twin automations interact with Google services. We access Google user data only after you authorise the integration via OAuth 2.0 or by importing session details into the Twin Vault. The Twin product shows you the exact Google OAuth scopes requested before you grant access, and you can revoke access at any time.

Data we access

  • Basic Google account profile information (name, email address, profile image, and Google account ID) so we can associate the connection with your Twin workspace and audit log.
  • OAuth tokens, refresh tokens, and—when you opt in—browser session cookies or credentials that allow our managed browsers to remain signed in while an automation runs.
  • Content and metadata from the Google products you choose to automate, such as Gmail messages or attachments, Drive files, Google Ads, Google Analytics, Google Search Console, Sheets, Calendar, or Admin Console configuration data. We only access the minimum data required to execute the workflows you configure and deliver the output you request.

How we use Google user data

  • Authenticate into Google services on your behalf, perform the actions you instruct Twin to carry out, and return the resulting output to you or to other services you designate.
  • Maintain security logs, guardrails, and audit trails needed to troubleshoot performance, investigate incidents, and validate compliance with your policies. Access to these logs is strictly limited and reviewed regularly.
  • Fulfil legal obligations, enforce our agreements, and prevent misuse of the Services.

We never use Google user data to target advertising, build user profiles unrelated to your automations, or train proprietary or third-party machine-learning models. When we send automation context to model providers such as OpenAI, we do so under agreements that prohibit them from using your data to improve their general models.

Storage, retention, and deletion

Google OAuth tokens and saved credentials are encrypted at rest using strong cryptography and stored in isolated secrets management systems. Only a limited group of authorised Twin engineers can access these systems, and only for legitimate operational reasons. Credentials that are required solely for a live session stay in memory and are destroyed once the session ends. Vault entries can be deleted at any time from the Twin interface.

Automation artefacts that contain Google user data (for example, execution logs, screenshots, DOM traces, or downloaded invoices) are retained only as long as necessary to provide the Services. Unless you configure a different retention period, we automatically delete these artefacts within 30 days (or sooner where technically feasible) after the automation run, and remove remaining traces from backups within an additional 30 days. You can request shorter retention windows by contacting our support team.

When you disconnect Google from Twin or delete your workspace, we remove associated OAuth tokens and cached Google data within 30 days (or sooner where technically feasible), unless we must retain certain information to comply with legal obligations (for example, accounting records required under French law).

Sharing of Google user data

We share Google user data only with:

  • Third-party processors that help us deliver the Services (such as cloud infrastructure providers and OpenAI), each bound by confidentiality and data-processing agreements.
  • Integration partners that you explicitly connect, for the sole purpose of delivering the workflow output you request.
  • Legal authorities if we receive a lawful and valid request.

We do not share Google user data with advertisers or data brokers and we do not sell it. Human access is restricted to vetted personnel under strict access controls.

You can revoke Twin's access to your Google account at any time through the integration settings in the Twin application or via Google's security controls at myaccount.google.com/permissions.

Cookies and Online Analytics

We use both necessary and optional cookies:

  • Essential cookies keep you logged in, store your consent preferences, and support security features. These cookies cannot be disabled through the cookie banner.
  • Analytics cookies (Google Analytics 4 and Simple Analytics) help us understand how visitors use the website so we can improve content and performance. We request your consent before enabling these cookies, and you can withdraw it at any time. Google Analytics data is pseudonymised and IP addresses are truncated. You can also install the Google Analytics opt-out browser add-on.
  • Advertising measurement cookies (Google Ads Pixel) measure the performance of our campaigns. These cookies are only set if you provide consent via the cookie banner.

You can control cookies through your browser settings or by using the "Cookie preferences" link in the website footer.

Data Retention

We retain personal data for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

  • Account and workspace information: retained for the lifetime of the workspace and deleted within 30 days (or sooner where technically feasible) after termination, unless we must keep certain records for legal or accounting purposes (in France, invoicing records are retained for 10 years).
  • Support communications and incident reports: retained for up to three years for audit and compliance.
  • Security and usage logs: retained for up to 12 months to investigate incidents and monitor reliability.
  • Backups: encrypted backups may persist for up to 35 days before being overwritten as part of our disaster-recovery procedures.

When retention periods expire, we delete or irreversibly anonymise the data unless we are legally required to keep it longer.

International Data Transfers

We primarily host customer data in the European Union. Some of our service providers (such as OpenAI or support tooling) are located outside the EU, including in the United States. When we transfer personal data outside the EEA, UK, or Switzerland, we implement appropriate safeguards such as the European Commission's Standard Contractual Clauses or the UK Addendum, or rely on adequacy decisions where available.

Your Privacy Rights

Depending on your location, you may have rights regarding your personal data, including the right to access, correct, update, delete, restrict, or object to our processing, as well as the right to data portability. You also have the right to withdraw consent at any time when we process data based on consent.

EU/EEA, UK, and Swiss residents can exercise these rights under the GDPR by contacting us at support@twin.so. We will respond within one month, or sooner where required. California residents can submit a request under the CCPA/CPRA to know, delete, or correct personal information, and to opt out of any sharing for cross-context behavioural advertising (which Twin does not engage in). We will respond to verifiable requests within 45 days.

When Twin processes personal data on behalf of a customer, we may redirect your request to that customer so they can respond as the data controller.

Children's Privacy

The Services are designed for business users and are not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to Twin, please contact us so we can delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Services before the changes take effect. The "Last updated" date at the top of this page indicates when the latest version became effective.

If you have any questions about this Privacy Policy or about Twin's privacy practices, please contact us at support@twin.so.