Last updated: September 16, 2025
Twin Labs SAS ("Twin", "we", "us") builds the Twin Agent and the websites available at twin.so and app.twin.so (the "Services"). This policy explains how we collect, use, share, and protect personal data when you browse our sites, create a Twin workspace, or ask our platform to automate tasks on your behalf.
Twin Labs SAS is registered in France (RCS Paris 978 364 222) with its registered office at 10 rue de Penthievre, 75008 Paris, France. Unless stated otherwise, Twin acts as the data controller for personal data that we collect through the Services. When we process customer content on behalf of your organisation, we act as your data processor and only use that data according to your documented instructions and our Data Processing Agreement (DPA).
You can reach our privacy team at support@twin.so or by using the contact form available at twin.so/contact. EU residents may also contact the French Data Protection Authority (CNIL) or your local authority if you believe your rights were infringed.
To run automations, Twin can store optional credentials on your behalf. This may include usernames, passwords, one-time passcodes, API keys, or browser session tokens for third-party services such as Google products. Credentials saved in the Twin Vault are encrypted using separate key management, and access is limited to the workspace members you authorise. When you choose not to store credentials, Twin holds them only in memory for the duration of the session and destroys them immediately afterwards.
When you connect Google services to Twin, we process Google user data as described in the dedicated section below.
We automatically collect technical data about how the Services are accessed and used, including IP address, browser type, operating system, device identifiers, timestamps, feature usage metrics, error logs, agent execution traces, and diagnostic information. We generate aggregate analytics from this data to understand feature performance and to secure the platform.
We use cookies, local storage, and similar technologies to operate the Services, remember your preferences, and analyse how visitors interact with our website. Details are provided in the "Cookies and online analytics" section below. You can adjust your cookie preferences at any time through the cookie banner or within your browser settings.
For individuals located in the European Economic Area (EEA), the United Kingdom, and Switzerland, we rely on one or more of the following legal bases: performance of a contract (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR) such as securing and improving the Services, compliance with legal obligations (Art. 6(1)(c) GDPR), or your consent where required (Art. 6(1)(a) GDPR).
We share personal data only with the following categories of recipients and only for the purposes described in this policy:
We never sell personal data and we do not use Google user data or other customer content for advertising.
Many Twin automations interact with Google services. We access Google user data only after you authorise the integration via OAuth 2.0 or by importing session details into the Twin Vault. The Twin product shows you the exact Google OAuth scopes requested before you grant access, and you can revoke access at any time.
We never use Google user data to target advertising, build user profiles unrelated to your automations, or train proprietary or third-party machine-learning models. When we send automation context to model providers such as OpenAI, we do so under agreements that prohibit them from using your data to improve their general models.
Google OAuth tokens and saved credentials are encrypted at rest using strong cryptography and stored in isolated secrets management systems. Only a limited group of authorised Twin engineers can access these systems, and only for legitimate operational reasons. Credentials that are required solely for a live session stay in memory and are destroyed once the session ends. Vault entries can be deleted at any time from the Twin interface.
Automation artefacts that contain Google user data (for example, execution logs, screenshots, DOM traces, or downloaded invoices) are retained only as long as necessary to provide the Services. Unless you configure a different retention period, we automatically delete these artefacts within 30 days (or sooner where technically feasible) after the automation run, and remove remaining traces from backups within an additional 30 days. You can request shorter retention windows by contacting our support team.
When you disconnect Google from Twin or delete your workspace, we remove associated OAuth tokens and cached Google data within 30 days (or sooner where technically feasible), unless we must retain certain information to comply with legal obligations (for example, accounting records required under French law).
We share Google user data only with:
We do not share Google user data with advertisers or data brokers and we do not sell it. Human access is restricted to vetted personnel under strict access controls.
You can revoke Twin's access to your Google account at any time through the integration settings in the Twin application or via Google's security controls at myaccount.google.com/permissions.
We use both necessary and optional cookies:
You can control cookies through your browser settings or by using the "Cookie preferences" link in the website footer.
We retain personal data for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
When retention periods expire, we delete or irreversibly anonymise the data unless we are legally required to keep it longer.
We primarily host customer data in the European Union. Some of our service providers (such as OpenAI or support tooling) are located outside the EU, including in the United States. When we transfer personal data outside the EEA, UK, or Switzerland, we implement appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK Addendum, or rely on adequacy decisions where available.
Depending on your location, you may have rights regarding your personal data, including the right to access, correct, update, delete, restrict, or object to our processing, as well as the right to data portability. You also have the right to withdraw consent at any time when we process data based on consent.
EU/EEA, UK, and Swiss residents can exercise these rights under the GDPR by contacting us at support@twin.so. We will respond within one month, or sooner where required. California residents can submit a request under the CCPA/CPRA to know, delete, or correct personal information, and to opt out of any sharing for cross-context behavioural advertising (which Twin does not engage in). We will respond to verifiable requests within 45 days.
When Twin processes personal data on behalf of a customer, we may redirect your request to that customer so they can respond as the data controller.
The Services are designed for business users and are not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to Twin, please contact us so we can delete it.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Services before the changes take effect. The "Last updated" date at the top of this page indicates when the latest version became effective.
If you have any questions about this Privacy Policy or about Twin's privacy practices, please contact us at support@twin.so.