Version: 2026.05. Last updated: April 21, 2026
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and applicable Italian data protection legislation.
1. INTRODUCTION AND SCOPE
This Privacy Policy describes how Twini S.r.l. ("Twini", "we", "us", "our") processes personal data when we act as a Data Controller. It applies when you:
• visit the website twini.ai and related subdomains ("Website");
• sign up for a newsletter, book a demo, or contact us through web forms, email, phone, or social media;
• register a Twini account to access our Service as a business customer (a "Customer");
• interact with us as a sales prospect, partner, investor, supplier, or candidate.
This Privacy Policy does not apply to personal data that Twini processes as a Data Processor on behalf of its Customers. When you interact with a Customer’s online store and our Service is embedded there (for example, our AI shopping assistant on a product page), the Customer is the Data Controller. To exercise your rights or obtain information about that processing, please contact the Customer directly. The terms governing our Processor role are set out in our Data Processing Agreement at twini.ai/dpa.
2. DATA CONTROLLER
The Data Controller is Twini S.r.l., with registered office at Via Pietro Paleocapa 7, 20121 Milano (MI), Italy, codice fiscale and VAT number 13697330960, REA MI-2739354, share capital Euro 5,000.00 fully paid-up.
You can contact us about privacy matters at:
• Email: davide@twini.ai
• Formal notices (PEC): twini@pec.it
• Postal address: Via Pietro Paleocapa 7, 20121 Milano (MI), Italy
Twini is not required to appoint a Data Protection Officer under Article 37 of the GDPR, because its core activities do not involve (a) regular and systematic monitoring of data subjects on a large scale, or (b) large-scale processing of special categories of data. As an EU-established company, Twini is also not required to appoint an EU Representative under Article 27 of the GDPR.
3. PERSONAL DATA WE COLLECT
We collect personal data directly from you, automatically through your interaction with the Website and Service, and occasionally from third parties (for example, business contact data from public sources such as LinkedIn, or from referrals).
The categories of personal data we process as Data Controller are:
A. Contact and Account Data
Name, business email, business phone number, company name, job title, country, language preference, username, password (hashed), authentication tokens, and communication preferences.
B. Billing and Transaction Data
Billing name, billing address, VAT number, company registration number, invoice history, payment method metadata (last four digits, card brand, expiry), and Stripe customer identifier. Full payment card numbers are processed directly by our payment processor and are never stored by Twini.
C. Website Usage Data
IP address, browser type and version, device identifiers, operating system, referring URL, pages viewed, time spent, clicks, and similar telemetry, collected through cookies and tracking technologies as described in Section 10.
D. Commercial Communications Data
Records of emails, calls, meetings, and messages exchanged between you and our sales, support, or customer success teams, including any attachments and content you choose to share.
E. Business Contact Data
When we identify or interact with potential customers, partners, investors, suppliers, or other business contacts through public sources, events, referrals, or third-party business data providers (for example, Apollo), we may process name, business email, job title, company, LinkedIn profile URL, and similar public professional information, on the basis of our legitimate interest in business-to-business communications.
F. Candidate Data
If you apply for a role at Twini, we process the personal data you share with us (for example, CV or resume, cover letter, references, work history, education, interview notes, and assessment outcomes) to evaluate your application and, where relevant, to manage the recruitment process.
4. PURPOSES OF PROCESSING AND LEGAL BASES
We process personal data for the purposes set out below, each based on one of the lawful bases of Article 6 of the GDPR. Each purpose is followed by its description and legal basis.
• Service provision: creating and maintaining your Twini account, providing the Service, supporting you, processing payments, issuing invoices, and managing the contractual relationship. Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) (legal obligation) for tax and accounting.
• Website operation: operating the Website, ensuring its security, preventing abuse, and diagnosing technical issues. Legal basis: Art. 6(1)(f) GDPR (legitimate interest) in operating a secure and functional website.
• Communications with you: responding to your inquiries, scheduling demos, providing support, and sending service and transactional messages. Legal basis: Art. 6(1)(b) GDPR for contractual communications; Art. 6(1)(f) for pre-contractual and general inquiries.
• Sales and B2B outreach: contacting business contacts identified as potential customers with information about our Service, respecting opt-out preferences. Legal basis: Art. 6(1)(f) GDPR (legitimate interest) in business-to-business outreach in line with EDPB guidance.
• Marketing emails (existing customers): sending commercial communications about features and services analogous to those already purchased. Legal basis: Art. 6(1)(f) GDPR and Art. 130(4) of the Italian Codice Privacy (soft-spam), with opt-out in each message.
• Marketing emails (newsletter): sending newsletters, product updates, events, and promotional content to non-customers. Legal basis: Art. 6(1)(a) GDPR (consent), freely revocable at any time.
• Product analytics and improvement: analyzing aggregated and de-identified usage patterns to improve the Service, troubleshoot, and develop new features. Legal basis: Art. 6(1)(f) GDPR (legitimate interest) in improving the Service.
• Security and fraud prevention: protecting accounts, detecting and preventing fraud, abuse, and unauthorized access, and complying with security obligations. Legal basis: Art. 6(1)(f) GDPR and Art. 6(1)(c) where required by law.
• Legal compliance and defense: complying with tax, accounting, anti-money-laundering, and other legal obligations; establishing, exercising, or defending legal claims. Legal basis: Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) (legitimate interest in legal defense).
• Corporate transactions: evaluating and executing potential corporate transactions (mergers, acquisitions, financings, reorganizations). Legal basis: Art. 6(1)(f) GDPR (legitimate interest), with confidentiality safeguards.
Where processing is based on legitimate interest, we have conducted a balancing test and you have the right to object as described in Section 9.
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Providing data is generally not a statutory requirement, except for data required for tax and accounting compliance (for example, billing data). If you do not provide data necessary to enter into or perform a contract, we may not be able to provide the Service.
5. RECIPIENTS AND SUBPROCESSORS
We may share personal data with the following categories of recipients, in each case under appropriate contractual safeguards and on a need-to-know basis:
• Service providers that operate our infrastructure, hosting, analytics, support, payments, communication, security, and productivity tools. The current list of our primary subprocessors is published at twini.ai/subprocessors.
• Large language model providers and aggregators that power the AI functionality of the Service (currently including OpenAI, Anthropic, and OpenRouter, with the up-to-date list available at twini.ai/subprocessors), strictly for the operation of the Service and under contractual commitments prohibiting use of your data to train their foundational models.
• Payment processors (for example, Stripe) that handle card transactions and subscription billing.
• Professional advisors bound by confidentiality, including accountants, tax advisors, auditors, and lawyers.
• Public authorities and law enforcement, only where required by binding law or legal process. We assess such requests and challenge them where there are reasonable grounds, and notify affected individuals where permitted by applicable law.
• Potential or actual acquirers, investors, and their advisors in connection with corporate transactions, under confidentiality obligations.
Twini does not sell personal data and does not engage in cross-context behavioral advertising with personal data.
6. INTERNATIONAL TRANSFERS
Twini is established in Italy and stores personal data primarily within the European Economic Area (EEA). Some of our subprocessors, including large language model providers and certain analytics and productivity tools, may process personal data in countries outside the EEA, including the United States.
When we transfer personal data outside the EEA, we rely on one or more of the following safeguards, as appropriate:
• Adequacy decisions of the European Commission, including the EU-US Data Privacy Framework where the recipient is certified;
• Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, supplemented where appropriate by additional technical, organizational, and contractual measures identified through a transfer impact assessment;
• The UK International Data Transfer Addendum and Swiss-specific modifications, where applicable.
You may request a copy of the safeguards applicable to a specific transfer by emailing davide@twini.ai.
7. DATA RETENTION
We retain personal data for the time necessary to achieve the purposes described in Section 4 and to comply with our legal obligations. The reference retention periods, by data category, are:
• Account and contact data: for the duration of the customer relationship, plus up to 12 months after the relationship ends.
• Billing, invoice, and tax records: 10 years from the date of the document, in accordance with Italian tax and accounting law.
• Support communications: up to 36 months from the last interaction.
• Website usage data and cookies: as specified in our cookie notice; analytics data typically up to 14 months, security logs up to 12 months.
• Sales prospect and business contact data: up to 24 months from the last contact, or until objection, whichever is earlier.
• Candidate data: for the duration of the recruitment process, plus up to 12 months if you consent to being considered for future roles; otherwise deleted within 6 months of the end of the process.
• Newsletter subscribers (consent): until consent is withdrawn, or up to 24 months of inactivity.
• Soft-spam email database (existing customers): until objection by the data subject.
• Records of consent and other compliance evidence: for the period required to demonstrate compliance with Applicable Law.
• Data processed for legal defense: for the duration of any applicable limitation period.
After the retention period, we delete or anonymize personal data, except where longer retention is required by law.
8. SECURITY MEASURES
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with Article 32 of the GDPR. These measures include:
• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
• Role-based access control, multi-factor authentication for production systems, and need-to-know access.
• Monitoring and logging of access to production systems, with alerting for anomalous activity.
• Regular backups of critical data, encrypted and logically segregated.
• Secure software development practices, including code review and dependency vulnerability scanning.
• Confidentiality obligations and data protection training for all personnel authorized to process personal data.
• Due diligence and written data protection agreements with our subprocessors.
• A documented incident response process aligned with Articles 33 and 34 of the GDPR.
If you become aware of any security issue affecting the Service, please contact us at davide@twini.ai.
9. YOUR RIGHTS
You have the following rights under Articles 15 to 22 of the GDPR, subject to applicable limitations:
• Right of access: to obtain confirmation of whether we process personal data concerning you and to receive a copy.
• Right to rectification: to have inaccurate or incomplete personal data corrected.
• Right to erasure ("right to be forgotten"): to have personal data deleted in the circumstances set out in the GDPR.
• Right to restriction of processing: to limit how we process your personal data in the circumstances set out in the GDPR.
• Right to data portability: to receive personal data you have provided in a structured, commonly used, machine-readable format, and to transmit it to another controller.
• Right to object: to object at any time to processing based on our legitimate interest (including profiling) on grounds related to your particular situation. You can object at any time and without justification to processing of your personal data for direct marketing purposes.
• Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
• Right not to be subject to solely automated decisions producing legal or similarly significant effects, as provided by Article 22 of the GDPR.
• Right to lodge a complaint with a supervisory authority, in particular the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it), or with the supervisory authority of your Member State of residence, place of work, or place of the alleged infringement, pursuant to Article 77 of the GDPR.
To exercise any of these rights, email davide@twini.ai. We will respond without undue delay and in any event within one month, as required by Article 12 of the GDPR. We may need to verify your identity before acting on your request.
Automated decision-making. Twini does not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 of the GDPR. If this changes, we will inform you and implement the safeguards required by Applicable Law.
How to withdraw consent. Where we process your personal data on the basis of consent, you may withdraw it at any time. For marketing emails, each message contains an unsubscribe link. You may also withdraw consent by emailing davide@twini.ai. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
10. COOKIES AND TRACKING TECHNOLOGIES
The Website uses cookies and similar technologies (pixels, local storage, device identifiers) in accordance with Article 122 of the Italian Codice Privacy and the Guidelines of the Italian Garante of 10 June 2021.
We use the following categories of cookies and trackers:
• Technical and strictly necessary: required for the functioning of the Website, session management, load balancing, and security. These do not require consent.
• Analytics (where configured as technical cookies): aggregate measurements of Website use, with IP address anonymization and no cross-site tracking.
• Third-party analytics and advertising (including the Meta Pixel): used only with your consent, collected through our cookie banner.
You can manage your preferences at any time through the cookie banner on the Website or through your browser settings. Rejecting non-technical cookies will not affect access to the Website.
A full list of cookies, their purposes, providers, and retention periods is available through the cookie preference center on the Website.
11. AI SYSTEM DISCLOSURE (EU AI ACT)
Our Service includes artificial intelligence components, in particular a conversational AI assistant embedded in our Customers’ storefronts. In accordance with Article 50 of Regulation (EU) 2024/1689 (EU AI Act), users interacting with the AI assistant are informed of the AI nature of the interaction through clear labels (for example, "AI Assistant by Twini.ai").
The AI assistant uses large language models provided by third parties (see Section 5) to generate responses based on product content made available by our Customers and on user questions. The AI assistant is designed to support and inform shoppers; it does not make legal, medical, or financial decisions, and outputs may contain inaccuracies. Users should verify material information directly with our Customer (the brand operating the store on which the AI assistant appears).
We do not use personal data to train, fine-tune, or improve any foundational AI model, whether our own or that of a third party. See Section 4 of our Terms of Service for the contractual commitment applicable to Customer Data.
12. CHILDREN
Our Service is directed at businesses and is not intended for children under 16. We do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact davide@twini.ai and we will take appropriate action, including deletion.
13. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on the Website with a new "Last updated" date. For material changes, we will provide additional notice, for example by email to registered users or through a banner on the Website.
14. CONTACT
For any questions, requests, or concerns regarding this Privacy Policy or our processing of your personal data, please contact us at davide@twini.ai. Formal notices may be sent to twini@pec.it or to our registered office at Via Pietro Paleocapa 7, 20121 Milano (MI), Italy.