Privacy & Data Protection Policy

1. Data Controller and Data Processor Roles

1.1 Twins as Data Controller

Twins acts as the data controller for the personal data we collect directly from you to operate the Service (account information, usage data, payment data, etc. — as described in Section 3). As controller, we determine the purposes and means of processing this data and are responsible for compliance with applicable data protection laws for this processing.

1.2 Twins as Data Processor

When you use Twins to clone or transfer data between your Supabase projects, you are the data controller for the database contents being transferred, and Twins acts solely as a data processor on your behalf, in accordance with Article 28 of the GDPR.

As data processor, Twins:

• Processes your database contents only upon your documented instruction (i.e., when you initiate a clone operation through the Service interface).
• Does not store, retain, log, cache, or persist the contents of your databases beyond the duration of the cloning operation.
• Does not access your database contents for any purpose other than performing the requested operation.
• Does not sell, share, rent, or disclose your database contents to any third party for any purpose.
• Does not retain, use, or disclose Customer Data outside of the direct business relationship with you.
• Does not combine Customer Data received from you with data obtained from or on behalf of other customers or from Twins's own interactions with individuals.
• Ensures that persons authorized to process Customer Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.

1.3 Twins as Controller for Usage Data

Twins acts as a data controller for aggregated, anonymized, and de-identified data derived from your use of the Service ("Usage Data"). This includes aggregate statistics on clone operations, feature usage patterns, performance metrics, and error rates. Usage Data does not identify you personally and is not Customer Data. Twins may use Usage Data for any lawful purpose, including analytics, benchmarking, service improvement, research, and reporting.

2. Data Controller Information

• Company: Twins SAS
• Registered office: Paris, France
• Privacy contact: privacy@twins.dev
• Data Protection Officer (DPO): dpo@twins.dev
• Supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

• Email address
• Name (if provided)
• Authentication credentials (managed by Supabase Auth — we do not store passwords in plaintext)
• Account creation date and profile settings

Legal basis: Performance of a contract (Article 6(1)(b) GDPR).

3.2 Supabase Project Connection Data

When you connect your Supabase projects, we store:

• Supabase project reference IDs
• OAuth access tokens and refresh tokens (encrypted at rest using AES-256)
• Supabase organization ID
• Project names and metadata (region, plan type)

Legal basis: Performance of a contract (Article 6(1)(b) GDPR).

3.3 Payment and Billing Data

When you subscribe to a paid plan, we collect:

• Billing name and address
• Payment method details (processed and stored by Stripe — we do not store full card numbers, CVV, or other PCI-sensitive data on our systems)
• Transaction history, invoice records, and subscription status

Legal basis: Performance of a contract (Article 6(1)(b) GDPR) and legal obligation (Article 6(1)(c) GDPR — accounting and tax requirements).

3.4 Clone Operation Metadata

For each cloning operation, we store operational metadata:

• Job ID, status (pending, running, completed, failed, cancelled)
• Timestamps (created, started, completed, last updated)
• Table names and row counts (not the data content itself)
• Error messages and diagnostic information (if applicable)
• Clone configuration options selected (components, truncate mode, etc.)
• Source and target project reference IDs
• Duration and performance metrics

Legal basis: Legitimate interest in providing and improving the Service (Article 6(1)(f) GDPR).

3.5 Usage and Technical Data

We automatically collect:

• IP address (may be truncated or anonymized)
• Browser type, version, and language
• Operating system and device information
• Pages visited, features used, and interactions within the platform
• Referral source and landing page
• Date, time, and duration of access
• Error logs and crash reports (client-side)

Legal basis: Legitimate interest in security, fraud prevention, and service improvement (Article 6(1)(f) GDPR).

3.6 Communication Data

When you contact us via email, support channels, or feedback forms, we collect:

• Your name and email address
• The content of your communications
• Any attachments you provide

Legal basis: Legitimate interest in responding to inquiries and providing support (Article 6(1)(f) GDPR).

3.7 What We Do NOT Collect or Store

4. How We Use Your Data

We use the data described in Section 3 for the following purposes:

• Providing the Service: Authenticating your account, connecting to your Supabase projects, executing cloning operations, displaying job history, and managing your subscription.
• Service improvement: Analyzing usage patterns (in aggregate and anonymized form) to improve features, performance, reliability, and user experience.
• Security and fraud prevention: Detecting, preventing, and responding to fraud, abuse, security incidents, unauthorized access, and technical issues.
• Communication: Sending you service-related notifications (clone completion, errors, account updates, security alerts), responding to your support requests, and providing product updates.
• Billing and payments: Processing payments, managing subscriptions, issuing invoices, and complying with tax and accounting obligations.
• Legal compliance: Complying with applicable laws, regulations, legal processes, governmental requests, and enforceable court orders.
• Business operations: Internal record-keeping, auditing, and corporate governance.

We do not sell your personal data. We do not use your data for advertising, profiling, or automated decision-making that produces legal effects concerning you.

5. Data Sharing and Sub-processors

5.1 Sub-processor List

We share your data with the following categories of third-party service providers (sub-processors) who assist us in operating the Service:

5.2 Sub-processor Management

Each sub-processor is bound by contractual obligations (data processing agreements) to protect your data and process it only as instructed by us. We conduct due diligence on sub-processors before engagement and periodically review their security practices.

We will provide at least thirty (30) days' notice before adding or replacing a sub-processor that processes personal data. If you have a reasonable, data-protection-related objection to a new sub-processor, you must notify us within ten (10) days of receiving notice. If we cannot reasonably address your objection within thirty (30) days, you may terminate the affected portion of the Service.

5.3 Other Disclosures

We may also disclose your data:

• Legal requirements: When required by law, regulation, legal process, or enforceable governmental request.
• Safety and rights: When we believe disclosure is necessary to protect the safety, rights, or property of Twins, our users, or the public.
• Business transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, in which case the successor entity will be bound by this Policy.
• Professional advisors: To our lawyers, auditors, and insurers where necessary for professional advice, insurance, or compliance purposes.

6. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), the United Kingdom, and Switzerland. For transfers to countries without an adequacy decision from the European Commission, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs): We use the EU Commission's Standard Contractual Clauses (Module Two: controller-to-processor, and Module Three: processor-to-processor where applicable) as approved by Commission Implementing Decision (EU) 2021/914. SCCs are governed by Irish law for dispute resolution purposes.
• UK International Data Transfer Addendum: For transfers from the UK, we apply the UK Addendum to the EU SCCs as approved by the UK Information Commissioner's Office.
• Swiss Addendum: For transfers from Switzerland, we apply supplementary provisions as required by the Swiss Federal Act on Data Protection (nDSG).
• EU-US Data Privacy Framework: Where applicable, we rely on sub-processors' certification under the EU-US Data Privacy Framework (DPF), the UK Extension to the DPF, and the Swiss-US DPF.
• Supplementary measures: We implement additional technical and organizational measures as recommended by the European Data Protection Board (EDPB) in its Recommendations 01/2020, including encryption in transit and at rest, access controls, and contractual prohibitions on government access requests.

You may request a copy of the applicable transfer safeguards by contacting us at dpo@twins.dev.

7. Data Retention

We retain your data only for as long as necessary to fulfil the purposes described in this Policy or as required by applicable law. Specific retention periods are:

After expiration of the applicable retention period, data is either securely deleted or irreversibly anonymized. Backup systems may retain copies for up to ninety (90) additional days, after which they are purged automatically.

8. Data Security

We implement appropriate technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include:

8.1 Encryption

• In transit: All data transmitted between your browser, our servers, Supabase, and Railway is encrypted using TLS 1.2 or higher with modern cipher suites.
• At rest: OAuth tokens and sensitive credentials are encrypted at rest using AES-256 encryption. Database backups are encrypted by Supabase using AES-256.
• Key management: Encryption keys are managed through the security infrastructure provided by our hosting providers (AWS KMS).

8.2 Access Control

• Row-Level Security (RLS): Database-level policies enforce that users can only access their own data (own projects, own clone jobs, own connections).
• Principle of least privilege: Service role keys and administrative access are restricted to backend workers that require them, with the minimum permissions necessary.
• No shared credentials: Each user authenticates independently. Service accounts use dedicated credentials that are not shared across services.

8.3 Infrastructure Security

• No persistent Customer Data storage: Database contents are processed in-memory during cloning and are never written to disk on Twins-controlled infrastructure.
• Isolated worker processes: Each clone operation runs in an isolated worker process. Workers do not share memory or state across operations.
• Secure authentication: Authentication is managed through Supabase Auth with industry-standard security practices.
• HTTPS only: All endpoints enforce HTTPS. HTTP connections are automatically redirected to HTTPS.

8.4 Security Disclaimer

Despite these measures, no method of electronic transmission or storage is 100% secure. We use commercially reasonable physical, technical, and organizational measures designed to preserve the integrity and security of your data, but we cannot guarantee the absolute security of our systems.

Twins shall not be held liable for any data breach, unauthorized access, or data loss arising from circumstances beyond our reasonable control, including but not limited to: vulnerabilities in third-party services or their underlying infrastructure (AWS, GCP), zero-day exploits, sophisticated cyberattacks targeting our sub-processors, user negligence (sharing credentials, using weak passwords, failing to secure Supabase projects), or interception of data during transmission over public networks.

9. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding the personal data we hold about you as data controller (i.e., account data, usage data, payment data — not Customer Data in your databases):

• Right of access (Art. 15): You may request a copy of the personal data we hold about you, along with information about how we process it.
• Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations (e.g., tax and accounting requirements). Also known as the "right to be forgotten."
• Right to restriction (Art. 18): You may request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data).
• Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and have the right to transmit that data to another controller.
• Right to object (Art. 21): You may object to the processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right not to be subject to automated decisions (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you. Twins does not currently engage in such automated decision-making.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In France, the relevant authority is the Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr.

To exercise any of these rights, contact our Data Protection Officer at dpo@twins.dev. We will verify your identity and respond within thirty (30) days of receiving your request. This period may be extended by an additional sixty (60) days for complex requests, in which case we will inform you of the extension and the reasons for it.

10. Your Rights Under the CCPA (California)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to correct: You may request correction of inaccurate personal information.
• Right to opt-out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

For CCPA purposes, Twins acts as a "service provider" (not a "business") with respect to Customer Data processed on your behalf. We will not sell, retain beyond the direct business relationship, or use Customer Data outside of the purposes specified in our Agreement.

11. Your Database Contents — Disclaimer of Responsibility

Twins shall not be held liable for any breach of data protection law arising from the content of your databases, the legality of your data processing activities, or your failure to comply with applicable data protection requirements. Any regulatory fines, penalties, sanctions, or claims by data subjects or supervisory authorities relating to Customer Data are your sole responsibility.

12. Data Breach Notification

12.1 Twins as Data Controller

In the event of a personal data breach affecting data for which Twins is the data controller, we will:

• Notify the relevant supervisory authority (CNIL) within seventy-two (72) hours of becoming aware of the breach, as required by Article 33 of the GDPR, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR.
• Document the breach, its effects, and the remedial actions taken, as required by Article 33(5) of the GDPR.

12.2 Twins as Data Processor

In the event of a security incident affecting Customer Data for which you are the data controller, we will:

• Notify you in writing without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of the incident.
• Provide you with sufficient information to enable you to fulfil your own notification obligations under Articles 33 and 34 of the GDPR, including: the nature of the incident, the categories and approximate number of data subjects affected (if known), the likely consequences, and the measures taken or proposed to address the incident.
• Cooperate with you and take commercially reasonable steps to assist in the investigation, containment, and mitigation of the incident.

12.3 Notification Is Not Admission

Twins's notification of, or response to, a security incident shall not be construed as an acknowledgment by Twins of any fault, liability, or wrongdoing with respect to the incident. You are solely responsible for fulfilling your own obligations under applicable data breach notification laws with respect to Customer Data.

13. Audit Rights

You have the right to verify Twins's compliance with this Policy and applicable data protection laws, subject to the following conditions:

• Audits may be conducted at most once per calendar year.
• You must provide at least thirty (30) days' written notice before an audit.
• Audits must be conducted during normal business hours and must not materially disrupt Twins's operations.
• Audits are conducted at your sole expense.
• Audit results are Twins's confidential information and may not be disclosed to third parties without our written consent.
• Twins may satisfy audit requests by providing relevant certifications, third-party audit reports (e.g., SOC 2), or documentation, provided they are dated within the preceding twelve (12) months and no known material changes have occurred.

14. Data Deletion and Return

Upon termination of your account, you have fourteen (14) days to request a copy of your personal data (account data and clone metadata) in a structured, commonly used, machine-readable format.

After the fourteen (14) day retrieval period, Twins will delete all personal data associated with your account within thirty (30) days, except for data that must be retained to comply with legal obligations (e.g., billing records for tax purposes). Data on backup systems will be purged within ninety (90) days of the deletion request.

Customer Data (your database contents) is never retained by Twins and therefore does not need to be returned or deleted — it exists only transiently in worker memory during clone operations.

15. Cookies and Tracking Technologies

15.1 Strictly Necessary Cookies

Twins uses only strictly necessary cookies required for the functioning of the Service. These cookies do not require consent under the ePrivacy Directive (2002/58/EC) as amended, as they are essential for providing the Service you have requested. They include:

• Authentication session cookies: Used to maintain your logged-in session and authenticate API requests.
• Theme/preference cookies: Used to store your UI preferences (e.g., dark/light mode).
• Security cookies: Used for CSRF protection and secure form submissions.

15.2 What We Do Not Use

We do not use:

• Advertising or marketing cookies
• Third-party tracking pixels or beacons
• Cross-site tracking technologies
• Fingerprinting or device identification technologies
• Social media tracking plugins

15.3 Product Analytics (Mixpanel)

Twins uses Mixpanel for product analytics to understand how users interact with the platform and improve the Service. Mixpanel collects pseudonymized usage events, interaction data, and device information. This data is used solely for service improvement and is not used for advertising or profiling. For details on Mixpanel's data processing, see Mixpanel's Privacy Policy.

Legal basis: Legitimate interest in service improvement (Article 6(1)(f) GDPR).

16. Children's Privacy

The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under 16. If you are a parent or guardian and you become aware that your child has provided us with personal data, please contact us at dpo@twins.dev. If we learn that we have collected personal data from a child under 16 without verified parental consent, we will take steps to promptly delete such data from our systems.

17. Limitation of Liability for Data Protection

18. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated Policy on the platform with a revised "Last updated" date.
• Where practicable, send you an email notification of the material changes.
• Where required by applicable law, obtain your consent before applying changes that affect the legal basis for processing your data.

Your continued use of the Service after the updated Policy takes effect constitutes acceptance of the changes. If you do not agree with the changes, you should discontinue your use of the Service and request account deletion.