Privacy Policy

1. What we collect

The data we hold per workspace falls into a small number of buckets:

• Account data — email address, hashed password (handled by Supabase Auth), and Stripe customer ID once you subscribe.
• Brand voice data — the LinkedIn URL and brand-voice answers you provide during onboarding, plus voice feedback signals (internally stored as voice_feedback) derived from your edits over time. These signals feed your own brand voice profile only.
• Content drafts, posts & edit history — the articles we surface, the drafts we generate, and the full edit history of changes and approvals you make on each draft. We retain the edit history so your voice profile stays in sync with how you actually write.
• Feed preferences — which RSS sources you follow and any custom feeds you add.
• Usage metrics — counts of generations, schedules, and API requests, used for billing and rate limits. We do not run third-party web analytics or behavioural trackers.
• Connection tokens — third-party access tokens (e.g. Zernio) are encrypted at rest before they touch our database.

2. How we use it

We use your data only for the following purposes:

• operate the service — generate drafts, schedule posts, surface analytics;
• improve your brand voice profile — your edits feed back into your own profile only, never into a shared model;
• send service email — onboarding, password resets, “your batch is ready”, billing receipts, and (per the Terms of Service) 30-day price-change notices;
• enforce the Terms — investigate suspected abuse and respond to legal requests.

We do not sell your data. We do not use your content to train shared AI models.

3. Third-party processors

To deliver the service we share specific data with the following processors. Each is bound by their own GDPR-compliant data-processing terms.

• Anthropic — receives the article text and your brand voice profile when generating drafts via the Claude API.
• Google — receives image prompts when generating illustrations via the Gemini Imagen API.
• Zernio — receives the final post body, media, and scheduled timestamp when a post is queued to LinkedIn or X.
• Supabase — hosts our primary database and handles authentication. All workspace data is isolated with Row Level Security.
• Stripe — handles billing. Stripe stores your payment method and customer record; we only see the tokens needed to manage your subscription.
• Railway — hosts the application servers that run the scanning, generation, and scheduling jobs.

4. Data retention

Drafts, approved posts, voice profiles, and feed preferences are retained for the duration of your subscription. You can delete individual drafts at any time from the dashboard.

When you cancel and your account is fully deleted, we purge workspace data from our primary database within 30 days. Database backups are retained for up to 30 additional days for disaster recovery and then expire.

5. GDPR & your rights

TwinWrite acts as a data controller for account data and as a data processor for the content you produce on the platform. As an EU-resident user you have the right to:

• access the data we hold about you;
• correct inaccurate data;
• export your data in a machine-readable format;
• delete your account and the data associated with it;
• lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) if you believe we have not handled your request correctly.

Most of these rights can be exercised directly from the dashboard. For anything we don’t cover in-product, email hello@twinwrite.com and we’ll respond within 30 days.

6. Cookies

We use session cookies only, set by Supabase Auth so we can keep you signed in across requests. We do not use third-party tracking cookies, advertising pixels, or analytics that fingerprint individuals.

7. Contact

For data requests, security reports, or any privacy-related question, email hello@twinwrite.com. Please mention “Privacy” in the subject line so we route it correctly.

See also our Terms of Service.