1) Introduction
Twinscribe (“we”, “us”, “our”), operated as part of Rico Digital Group (sole trader, ABN 96 852 688 946), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your Personal Information when you use our services, including AI-powered ghostwriting, voice training (“voiceprint”), content scheduling, analytics, and integrations with social media platforms.
By using our services, registering for an account, connecting social media accounts, or otherwise providing us information, you agree to the terms of this Privacy Policy. If you do not agree, you should discontinue use.
2) Definitions
“Personal Information” or “Personal Data” means information that identifies or can reasonably be linked to you (e.g., identifiers, profile data, usage data, content you create, voice samples).
“Sensitive Personal Information” includes categories defined by law (e.g., precise geolocation, financial account numbers, and in some jurisdictions, biometric identifiers such as voiceprints).
“Biometric Data / Voiceprint” refers to audio samples and derived representations used to adapt writing style and tone. We do not use voiceprints for identity verification.
“Service Data” is the content or data that you upload, generate, or manage through Twinscribe (e.g., drafts, voice samples, scheduled posts) that we process on your behalf.
3) Roles: Controller vs Processor
For our website, account management, billing, and product analytics, Twinscribe acts as a data controller. For Service Data you instruct us to process (e.g., drafts, scheduled posts, voice samples, publishing to connected platforms), Twinscribe acts as a data processor on your behalf. A Data Processing Addendum (“DPA”), including EU Standard Contractual Clauses and, where applicable, the UK Addendum/IDTA, is available on request. Once executed, the DPA becomes part of both this Privacy Policy and our Terms of Service. To request a DPA, contact privacy@twinscribe.ai.
4) Information We Collect
- Information you provide: name, email, password (hashed), profile picture; social media account handles and access tokens; voice training samples; content drafts; preferences (language, time zone, theme); support requests and feedback.
- Automatic collection: IP address, device & browser type, OS, time zone, timestamps, usage logs, performance metrics, and error/crash reports.
- Payment details: billing address and subscription plan via Stripe. We do not store full credit card numbers on our servers.
- Social media interactions: profile metadata and analytics (e.g., likes, impressions) as provided through platform APIs. If you disconnect later, historical data may persist per your settings or until account deletion.
- Third-party sources: tools/integrations you authorize; referrals/affiliates; publicly available info you choose to import; testimonials you approve.
5) How We Use Your Information
- Provide, operate, improve, and maintain core features (ghostwriting, scheduling, voiceprint, publishing, analytics).
- Personalize suggestions, adapt style/voice, and support voiceprint functionality.
- Process payments and manage subscriptions.
- Communicate service notices, security alerts, updates, and customer support.
- Analyze usage, monitor performance, and detect/prevent fraud, abuse, or security incidents.
- Comply with legal obligations and respond to government/lawful requests.
- Send marketing communications (if opted in); you can opt out at any time.
6) Sharing, Subprocessors & Integrations
We do not sell or rent your Personal Information. We share data only with trusted entities to support our operations, including:
- Render.com – infrastructure, hosting, data storage.
- Stripe – payments and subscription billing.
- AI/ML providers – content generation, voice recognition/modeling, text analysis (see “Model Training & AI Transparency”).
- Analytics & Monitoring – usage analytics, crash/error reporting.
- Email/Communication – transactional and (if opted in) marketing emails.
- Social Platforms – publish content and retrieve metrics you authorize via APIs.
All subprocessors are bound by confidentiality and data protection terms. We maintain a current list available on request (see “Subprocessors & Change Notifications”). Integrations you enable may involve additional data sharing subject to those third parties’ privacy terms.
7) Data Security, Storage & International Transfers
- Encryption in transit (TLS) and at rest; hashed & salted passwords.
- Role-based access control (RBAC), least privilege, periodic access reviews, audit logs; mandatory 2FA for admins.
- Vulnerability scanning, dependency monitoring, and security assessments; documented incident response runbook.
- Backups and disaster recovery planning; restricted access to voice samples.
- Servers may operate across regions. International transfers are safeguarded by EU Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum/IDTA or other lawful mechanisms.
Access tokens: stored encrypted at rest, scoped to minimum required permissions, rotated/expired per platform guidance, and revoked on disconnect or when no longer necessary.
Data residency (enterprise): Enterprise customers may request data residency options (e.g., EU/UK/APAC), subject to availability and contract.
8) Data Retention & Deletion
We retain Personal Information only as long as necessary for the purposes described or as required by law. After you delete your account, we remove or anonymize personal and service data (subject to legal holds, compliance obligations, or aggregated non-identifiable analytics).
9) Cookies, Tracking & Consent
We currently use only essential cookies required to operate our site and services. We do not set analytics, advertising, or social-tracking cookies.
- Authentication/session: e.g., session ID, OAuth state, CSRF tokens to keep you signed in and secure.
- Security & reliability: load balancing, rate limiting, and similar runtime needs.
- Strictly necessary preferences: only where needed to provide a feature you request (e.g., selected language or theme).
Because we only use essential cookies, a consent banner is not required under EU/UK ePrivacy rules. If our practices change to include non-essential cookies (e.g., analytics or advertising), we will update this Policy and present a consent tool before setting them.
Note: When you use social login (Google, LinkedIn, X/Twitter), those providers may set their own cookies strictly to complete the authentication flow; these are considered essential for that purpose.
10) Sensitive & Biometric Data (Voiceprint)
Our voice training may process audio samples considered sensitive or biometric data under certain laws. We use these solely to adapt style and tone for content generation, not for identity verification.
- Storage & Access: Encrypted at rest; access limited to authorized roles.
- Training: Your voice samples and derived “voiceprint” are not used to train third-party foundation models. You may opt out of using de-identified data to improve Twinscribe’s models at any time.
- Deletion: Delete voice samples and voiceprint independently of account deletion via Settings → Privacy → Voiceprint.
- Retention: Voice samples are retained only as needed. They are deleted within 30 days after a voiceprint-deletion request or 60 days after account deletion; backups purge within 90 days.
11) Model Training & AI Transparency
By default, we do not use your drafts, voice samples, or private analytics to train third-party models. You can control whether de-identified data may improve Twinscribe’s own models in Settings → Privacy. This does not affect processing strictly required to provide the services you request.
12) Automated Decision-Making & Your Rights
Twinscribe uses algorithms to suggest wording and style. We do not make decisions with legal or similarly significant effects without your involvement. Where automated decisions could materially affect you, we will notify you and you may request human review and an explanation of the logic used, where permitted by law.
13) Platform APIs & Revocation
When you use Google Sign-In or connect LinkedIn or X/Twitter, we request the minimum permissions necessary to authenticate you, publish content you schedule, and retrieve analytics you explicitly authorize. You can revoke access at any time both inside Twinscribe (Settings → Integrations) and from each platform’s own settings.
Twinscribe does not use platform data for cross-context behavioral advertising. We use platform data only to provide the features you request (authentication, publishing, analytics), for security/fraud prevention, and to comply with developer policies and applicable law. Disconnecting an integration revokes tokens promptly; cached metrics/content are removed or anonymized per our retention schedule.
Limitations: Content already published to third-party platforms remains under that platform’s control and policies. Deleting your Twinscribe account does not automatically remove previously published content unless the platform’s API supports it and you request it.
14) Legal Bases & Legal Compliance
For EEA/UK users, processing is based on one or more of: your consent, performance of a contract, our legitimate interests (not overridden by your rights), or legal obligation. For Thai users, we comply with the Personal Data Protection Act (PDPA), including rights to access, rectification, deletion, objection, restriction, portability, and complaint to the PDPC.
For California residents (CCPA/CPRA), you have rights to know, access, delete, correct, and opt out of “selling” or “sharing” personal information for cross-context behavioral advertising. See the California Notice below.
A Data Processing Addendum (“DPA”), with EU SCCs and, where applicable, the UK Addendum/IDTA, is available on request for customers who act as controllers and engage Twinscribe as a processor. Once executed, the DPA forms part of both this Privacy Policy and our Terms of Service.
15) California Privacy Notice (CCPA/CPRA)
In the last 12 months, we collected: identifiers (e.g., name, email), commercial information (plan, billing metadata), internet activity (usage logs), geolocation (coarse), inferences (style preferences), and where applicable sensitive data (voice samples/voiceprint). Sources include you, your devices, and services you connect. Purposes include providing/improving services, security, debugging, and compliance.
- Sale/Share: We do not sell personal information and do not “share” it for cross-context behavioral advertising. If this changes, we will provide a “Do Not Sell or Share My Personal Information” link.
- Sensitive Personal Information: We do not use or disclose sensitive personal information beyond uses permitted by California law (e.g., providing the services you request, security/fraud prevention, authentication). Because of this, we do not offer a “Limit the Use of My Sensitive Personal Information” link. If this changes, we will surface the required link and update this notice.
16) How to Exercise Your Rights
Submit requests at privacy@twinscribe.ai. We verify identity and respond within 30 days (with permitted extensions). You may request: access/export, correction, deletion, voiceprint-only deletion, marketing/analytics opt-out, and restriction/objection where applicable.
17) Complaints to Supervisory Authorities
If you are in the EU/EEA or UK, you may lodge a complaint with your local data protection authority (e.g., your country’s DPA or the UK ICO). In Thailand, you may complain to the PDPC. We encourage you to contact us first at privacy@twinscribe.ai.
18) Data Retention Schedule
| Data Category | Typical Retention | Notes |
|---|---|---|
| Account profile (name, email) | Account life + 60 days | Backups purge within 90 days |
| Billing records (Stripe metadata) | 7 years | Tax/audit compliance |
| Drafts & scheduled posts | Account life; 60 days after deletion | User-initiated delete honored sooner |
| Voice samples & voiceprint | Until feature disabled; 30 days after voiceprint deletion; 60 days post account deletion | Backups purge within 90 days |
| Access & error logs | 180 days | Security & debugging |
| Analytics events | 12–24 months | Aggregated thereafter |
19) Business Transfers, Legal Obligations & Exceptions
In the event of a merger, acquisition, reorganization, or sale of assets, Twinscribe may transfer Personal and Service Data to the new owner, provided that comparable privacy protections continue to apply. We may disclose data to comply with law, protect rights and safety, prevent fraud/abuse, and respond to lawful requests.
Note: Content already published to third-party platforms may remain under that platform’s control and policies. Deleting your Twinscribe account does not automatically remove previously published content unless the platform’s API supports it and you request it.
20) Security & Breach Notification
- Encryption in transit/at rest; key management/rotation.
- Mandatory 2FA for admins; least-privilege access; RBAC; audit logging.
- Documented incident response runbook and security reviews.
- We notify affected users and, where required, authorities without undue delay after becoming aware of a breach, consistent with applicable laws.
21) Changes to This Policy
We may revise this Privacy Policy from time to time. When we do, we update the “Effective Date” above and post the revised policy. If changes materially affect your rights or how we use your data, we will attempt to provide advance notice (e.g., email or in-app notice).
22) Subprocessors & Change Notifications
We maintain a current list of subprocessors (infrastructure, billing, email, analytics) available upon request at privacy@twinscribe.ai or on our site. We’ll provide advance notice of material changes where feasible, and you may subscribe to updates via that address. A published Subprocessors page will be made available at https://twinscribe.ai/subprocessors. Until then, please request the list via email.
If Twinscribe offers mobile apps, any third-party SDKs used will be listed on the Subprocessors page with purposes and data categories.
23) Children’s Privacy
Twinscribe is not directed to individuals under 16 (or under 13 where applicable by law). We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us to request deletion.
24) Your Rights & Choices
- Access the Personal Information that we hold about you.
- Correct or update inaccurate or incomplete data.
- Delete your account and related data (subject to legal or contractual restrictions).
- Export your data in a usable format.
- Object to or restrict certain processing (e.g., marketing, profiling) where permitted by law.
- Withdraw consent for non-essential processing.
- Region-specific rights (e.g., GDPR/UK GDPR, CCPA/CPRA, Thailand PDPA) as applicable.
25) Contact, CAN-SPAM & Data Protection Officer
If you have questions or concerns about this Privacy Policy or your Personal Information, contact us at:
privacy@twinscribe.ai
Legal entity: Rico Digital Group (sole trader)
ABN: 96 852 688 946
Mailing address: Melbourne 3051, Victoria - Australia
We have appointed a Data Protection Officer to oversee compliance. Contact: privacy@twinscribe.ai.
If you target the EU/UK: appoint an EU/UK representative and list their contact here.
Marketing emails include an unsubscribe link and our physical mailing address as required by CAN-SPAM. You can unsubscribe at any time using the link in the footer of our emails.