Privacy Policy

PRIVACY POLICY
Version: 2026.05 Last updated: April 21, 2026
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and applicable Italian data protection legislation.

  1. INTRODUCTION AND SCOPE
    This Privacy Policy describes how Twini S.r.l. (“Twini”, “we”, “us”, “our”) processes personal data when we act as a Data Controller. It applies when you:
    • visit the website twini.ai and related subdomains (“Website”);
    • sign up for a newsletter, book a demo, or contact us through web forms, email, phone, or social media;
    • register a Twini account to access our Service as a business customer (a “Customer”);
    • interact with us as a sales prospect, partner, investor, supplier, or candidate.
    This Privacy Policy does not apply to personal data that Twini processes as a Data Processor on behalf of its Customers. When you interact with a Customer’s online store and our Service is embedded there (for example, our AI shopping assistant on a product page), the Customer is the Data Controller. To exercise your rights or obtain information about that processing, please contact the Customer directly. The terms governing our Processor role are set out in our Data Processing Agreement at twini.ai/dpa.

  2. DATA CONTROLLER
    The Data Controller is Twini S.r.l., with registered office at Via Pietro Paleocapa 7, 20121 Milano (MI), Italy, codice fiscale and VAT number 13697330960, REA MI-2739354, share capital Euro 5,000.00 fully paid-up.
    You can contact us about privacy matters at:
    • Email: davide@twini.ai
    • Formal notices (PEC): twini@pec.it
    • Postal address: Via Pietro Paleocapa 7, 20121 Milano (MI), Italy
    Twini is not required to appoint a Data Protection Officer under Article 37 of the GDPR, because its core activities do not involve (a) regular and systematic monitoring of data subjects on a large scale, or (b) large-scale processing of special categories of data. As an EU-established company, Twini is also not required to appoint an EU Representative under Article 27 of the GDPR.

  3. PERSONAL DATA WE COLLECT
    We collect personal data directly from you, automatically through your interaction with the Website and Service, and occasionally from third parties (for example, business contact data from public sources such as LinkedIn, or from referrals).
    The categories of personal data we process as Data Controller are:
    A. Contact and Account Data. Name, business email, business phone number, company name, job title, country, language preference, username, password (hashed), authentication tokens, and communication preferences.
    B. Billing and Transaction Data. Billing name, billing address, VAT number, company registration number, invoice history, payment method metadata (last four digits, card brand, expiry), and Stripe customer identifier. Full payment card numbers are processed directly by our payment processor and are never stored by Twini.
    C. Website Usage Data. IP address, browser type and version, device identifiers, operating system, referring URL, pages viewed, time spent, clicks, and similar telemetry, collected through cookies and tracking technologies as described in Section 10.
    D. Commercial Communications Data. Records of emails, calls, meetings, and messages exchanged between you and our sales, support, or customer success teams, including any attachments and content you choose to share.
    E. Business Contact Data. When we identify or interact with potential customers, partners, investors, suppliers, or other business contacts through public sources, events, referrals, or third-party business data providers (for example, Apollo), we may process name, business email, job title, company, LinkedIn profile URL, and similar public professional information, on the basis of our legitimate interest in business-to-business communications.
    F. Candidate Data. If you apply for a role at Twini, we process the personal data you share with us (for example, CV or resume, cover letter, references, work history, education, interview notes, and assessment outcomes) to evaluate your application and, where relevant, to manage the recruitment process.

  4. PURPOSES OF PROCESSING AND LEGAL BASES
    We process personal data for the purposes set out below, each based on one of the lawful bases of Article 6 of the GDPR.
    Where processing is based on legitimate interest, we have conducted a balancing test and you have the right to object as described in Section 9.
    Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
    Providing data is generally not a statutory requirement, except for data required for tax and accounting compliance (for example, billing data). If you do not provide data necessary to enter into or perform a contract, we may not be able to provide the Service.
    Service provision. Creating and maintaining your Twini account, providing the Service, supporting you, processing payments, issuing invoices, and managing the contractual relationship. Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) (legal obligation) for tax and accounting.
    Website operation. Operating the Website, ensuring its security, preventing abuse, and diagnosing technical issues. Legal basis: Art. 6(1)(f) GDPR (legitimate interest) in operating a secure and functional website.
    Communications with you. Responding to your inquiries, scheduling demos, providing support, and sending service and transactional messages. Legal basis: Art. 6(1)(b) GDPR for contractual communications; Art. 6(1)(f) for pre-contractual and general inquiries.
    Sales and B2B outreach. Contacting business contacts identified as potential customers with information about our Service, respecting opt-out preferences. Legal basis: Art. 6(1)(f) GDPR (legitimate interest) in business-to-business outreach in line with EDPB guidance.
    Marketing emails (existing customers). Sending commercial communications about features and services analogous to those already purchased. Legal basis: Art. 6(1)(f) GDPR and Art. 130(4) of the Italian Codice Privacy (soft-spam), with opt-out in each message.
    Marketing emails (newsletter). Sending newsletters, product updates, events, and promotional content to non-customers. Legal basis: Art. 6(1)(a) GDPR (consent), freely revocable at any time.
    Product analytics and improvement. Analyzing aggregated and de-identified usage patterns to improve the Service, troubleshoot, and develop new features. Legal basis: Art. 6(1)(f) GDPR (legitimate interest) in improving the Service.
    Security and fraud prevention. Protecting accounts, detecting and preventing fraud, abuse, and unauthorized access, and complying with security obligations. Legal basis: Art. 6(1)(f) GDPR and Art. 6(1)(c) where required by law.
    Legal compliance and defense. Complying with tax, accounting, anti-money-laundering, and other legal obligations; establishing, exercising, or defending legal claims. Legal basis: Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) (legitimate interest in legal defense).
    Corporate transactions. Evaluating and executing potential corporate transactions (mergers, acquisitions, financings, reorganizations). Legal basis: Art. 6(1)(f) GDPR (legitimate interest), with confidentiality safeguards.

  5. RECIPIENTS AND SUBPROCESSORS
    We may share personal data with the following categories of recipients, in each case under appropriate contractual safeguards and on a need-to-know basis:
    • Service providers that operate our infrastructure, hosting, analytics, support, payments, communication, security, and productivity tools. The current list of our primary subprocessors is published at twini.ai/subprocessors.
    • Large language model providers and aggregators that power the AI functionality of the Service (currently including OpenAI and OpenRouter, with the up-to-date list available at twini.ai/subprocessors), strictly for the operation of the Service and under contractual commitments prohibiting use of your data to train their foundational models.
    • Payment processors (for example, Stripe) that handle card transactions and subscription billing.
    • Professional advisors bound by confidentiality, including accountants, tax advisors, auditors, and lawyers.
    • Public authorities and law enforcement, only where required by binding law or legal process. We assess such requests and challenge them where there are reasonable grounds, and notify affected individuals where permitted by applicable law.
    • Potential or actual acquirers, investors, and their advisors in connection with corporate transactions, under confidentiality obligations.
    Twini does not sell personal data and does not engage in cross-context behavioral advertising with personal data.

  6. INTERNATIONAL TRANSFERS
    Twini is established in Italy and stores personal data primarily within the European Economic Area (EEA). Some of our subprocessors, including large language model providers and certain analytics and productivity tools, may process personal data in countries outside the EEA, including the United States.
    When we transfer personal data outside the EEA, we rely on one or more of the following safeguards, as appropriate:
    • Adequacy decisions of the European Commission, including the EU-US Data Privacy Framework where the recipient is certified;
    • Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, supplemented where appropriate by additional technical, organizational, and contractual measures identified through a transfer impact assessment;
    • The UK International Data Transfer Addendum and Swiss-specific modifications, where applicable.
    You may request a copy of the safeguards applicable to a specific transfer by emailing davide@twini.ai.

  7. DATA RETENTION
    We retain personal data for the time necessary to achieve the purposes described in Section 4 and to comply with our legal obligations. The reference retention periods are:
    Account and contact data. For the duration of the customer relationship, plus up to 12 months after the relationship ends.
    Billing, invoice, and tax records. 10 years from the date of the document, in accordance with Italian tax and accounting law.
    Support communications. Up to 36 months from the last interaction.
    Website usage data and cookies. As specified in our cookie notice; analytics data typically up to 14 months, security logs up to 12 months.
    Sales prospect and business contact data. Up to 24 months from the last contact, or until objection, whichever is earlier.
    Candidate data. For the duration of the recruitment process, plus up to 12 months if you consent to being considered for future roles; otherwise deleted within 6 months of the end of the process.
    Newsletter subscribers (consent). Until consent is withdrawn, or up to 24 months of inactivity.
    Soft-spam email database (existing customers). Until objection by the data subject.
    Records of consent and other compliance evidence. For the period required to demonstrate compliance with Applicable Law.
    Data processed for legal defense. For the duration of any applicable limitation period.
    After the retention period, we delete or anonymize personal data, except where longer retention is required by law.

  8. SECURITY MEASURES
    We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with Article 32 of the GDPR. These measures include:
    • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
    • Role-based access control, multi-factor authentication for production systems, and need-to-know access.
    • Monitoring and logging of access to production systems, with alerting for anomalous activity.
    • Regular backups of critical data, encrypted and logically segregated.
    • Secure software development practices, including code review and dependency vulnerability scanning.
    • Confidentiality obligations and data protection training for all personnel authorized to process personal data.
    • Due diligence and written data protection agreements with our subprocessors.
    • A documented incident response process aligned with Articles 33 and 34 of the GDPR.
    If you become aware of any security issue affecting the Service, please contact us at davide@twini.ai.

  9. YOUR RIGHTS
    You have the following rights under Articles 15 to 22 of the GDPR, subject to applicable limitations:
    Right of access: to obtain confirmation of whether we process personal data concerning you and to receive a copy.
    Right to rectification: to have inaccurate or incomplete personal data corrected.
    Right to erasure (“right to be forgotten”): to have personal data deleted in the circumstances set out in the GDPR.
    Right to restriction of processing: to limit how we process your personal data in the circumstances set out in the GDPR.
    Right to data portability: to receive personal data you have provided in a structured, commonly used, machine-readable format, and to transmit it to another controller.
    Right to object: to object at any time to processing based on our legitimate interest (including profiling) on grounds related to your particular situation. You can object at any time and without justification to processing of your personal data for direct marketing purposes.
    Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
    Right not to be subject to solely automated decisions producing legal or similarly significant effects, as provided by Article 22 of the GDPR.
    Right to lodge a complaint with a supervisory authority, in particular the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it), or with the supervisory authority of your Member State of residence, place of work, or place of the alleged infringement, pursuant to Article 77 of the GDPR.
    To exercise any of these rights, email davide@twini.ai. We will respond without undue delay and in any event within one month, as required by Article 12 of the GDPR. We may need to verify your identity before acting on your request.
    Automated decision-making. Twini does not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 of the GDPR. If this changes, we will inform you and implement the safeguards required by Applicable Law.
    How to withdraw consent. Where we process your personal data on the basis of consent, you may withdraw it at any time. For marketing emails, each message contains an unsubscribe link. You may also withdraw consent by emailing davide@twini.ai. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

  10. COOKIES AND TRACKING TECHNOLOGIES
    The Website uses cookies and similar technologies (pixels, local storage, device identifiers) in accordance with Article 122 of the Italian Codice Privacy and the Guidelines of the Italian Garante of 10 June 2021.
    We use the following categories of cookies and trackers:
    Technical and strictly necessary: required for the functioning of the Website, session management, load balancing, and security. These do not require consent.
    Analytics (where configured as technical cookies): aggregate measurements of Website use, with IP address anonymization and no cross-site tracking.
    Third-party analytics and advertising (including the Meta Pixel): used only with your consent, collected through our cookie banner.
    You can manage your preferences at any time through the cookie banner on the Website or through your browser settings. Rejecting non-technical cookies will not affect access to the Website.
    A full list of cookies, their purposes, providers, and retention periods is available through the cookie preference center on the Website.

  11. AI SYSTEM DISCLOSURE (EU AI ACT)
    Our Service includes artificial intelligence components, in particular a conversational AI assistant embedded in our Customers’ storefronts. In accordance with Article 50 of Regulation (EU) 2024/1689 (EU AI Act), users interacting with the AI assistant are informed of the AI nature of the interaction through clear labels (for example, “AI Assistant by Twini.ai”).
    The AI assistant uses large language models provided by third parties (see Section 5) to generate responses based on product content made available by our Customers and on user questions. The AI assistant is designed to support and inform shoppers; it does not make legal, medical, or financial decisions, and outputs may contain inaccuracies. Users should verify material information directly with our Customer (the brand operating the store on which the AI assistant appears).
    We do not use personal data to train, fine-tune, or improve any foundational AI model, whether our own or that of a third party. See Section 4.4 of our Terms of Service for the contractual commitment applicable to Customer Data.

  12. CHILDREN
    Our Service is directed at businesses and is not intended for children under 16. We do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact davide@twini.ai and we will take appropriate action, including deletion.

  13. CHANGES TO THIS PRIVACY POLICY
    We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on the Website with a new “Last updated” date. For material changes, we will provide additional notice, for example by email to registered users or through a banner on the Website.

  14. CONTACT
    For any questions, requests, or concerns regarding this Privacy Policy or our processing of your personal data, please contact us at davide@twini.ai. Formal notices may be sent to twini@pec.it or to our registered office at Via Pietro Paleocapa 7, 20121 Milano (MI), Italy.