Privacy Policy

(Pursuant to Art. 13 of Regulation (EU) 679/2016 - GDPR)

Last updated: December 28, 2025

This Privacy Policy describes how TWINI S.R.L. (hereinafter the “Controller” or “Company”) collects, uses, and protects the Personal Data of Customers who have purchased access to the Twini Software and Services (the “Platform”), in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable local privacy laws.

This policy forms an integral part of the Terms of Service governing the use of Twini.

1. Data Controller

The Data Controller is: TWINI S.R.L.

Registered Office: Via Pietro Paleocapa 7, 20121 Milano (MI), Italy

VAT / Tax Code: 13697330960

Email for Privacy Inquiries: info@twini.ai (or privacy@twini.ai)

2. Categories of Data Subjects and Personal Data

The Personal Data processed concerns the Customer (the business entity subscribing) and, where applicable, the Customer's end-users ("Shoppers") whose data is processed on behalf of the Customer.

The Controller processes the following categories of data:

Customer Account Data: Identity data of the administrator (Name, Email, Business Role), Billing Data (VAT ID, Billing Address), and Platform Usage Logs.

Integrated Commerce Data (Shopify): To provide the AI services, Twini connects to the Customer’s Shopify store. Depending on the permissions granted, we may process:

Product Data: Catalogs, inventory, prices, and variants.

Shopper Data: Names, emails, order history, shipping addresses, and customer tags (processed strictly to personalize the AI buying assistant).

Content: Reviews, FAQs, pages, and policies.

3. Purposes of Processing and Legal Basis

3.1. Subscription to Software and Services

Purpose: To provide access to the Twini platform, connect to the Customer’s Shopify store, ingest catalog/customer data, and deploy the AI Conversational Widget.

Legal Basis: Performance of a Contract (Art. 6(1)(b) GDPR).

3.2. Customer Support and Requests

Purpose: To respond to technical support tickets, onboarding questions, or inquiries sent via the Twini dashboard or email.

Legal Basis: Performance of a Contract (Art. 6(1)(b) GDPR).

3.3. Product Improvement & AI Optimization

Purpose: To analyze usage patterns and conversation logs to improve the accuracy of the AI Agent (e.g., prompt engineering, RAG pipelines) and the quality of the "AI-Optimized Product Data" module.

Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR) to improve the Software provided to the Customer. Note: This does not include training foundational models on Customer Data.

3.4. Marketing (Newsletter)

Purpose: To send commercial communications regarding Twini updates or promotions.

Legal Basis: Consent (Art. 6(1)(a) GDPR) or Legitimate Interest for existing Customers (Soft Spam).

4. Processing Methods and Retention

Personal Data is processed using digital and IT tools in compliance with Art. 5 of the GDPR (lawfulness, fairness, transparency).

Retention: Data is retained only for the time necessary to fulfill the purposes outlined above (e.g., duration of the subscription + statutory limitation periods for legal defense).

5. Security Measures

The Controller implements robust technical and organizational measures (TOMs) pursuant to Art. 32 of the GDPR to protect data against unauthorized access, loss, or destruction.

Infrastructure: Our primary infrastructure is hosted on Railway (hosted in Europe regions where possible), ensuring high standards of physical and network security.

Encryption: Data is encrypted in transit (TLS/SSL) and at rest.

6. Data Recipients (Sub-processors)

Personal Data may be shared with third-party service providers acting as sub-processors, strictly necessary to run the Platform:

Hosting & Infrastructure: Railway (Cloud Infrastructure).

AI & LLM Providers: OpenAI (Large Language Model provider). Data sent to OpenAI is used solely for generating responses and embeddings; it is not used to train OpenAI’s public models.

Payment Processors: [e.g., Stripe] (for billing Twini subscriptions).

Administrative Consultants: Accountants or legal counsel bound by confidentiality.

7. International Transfers

The Controller’s primary data storage is located within the European Economic Area (EEA) via Railway. However, the use of OpenAI for AI processing may involve the transfer of data (specifically, prompt contents and conversation context) to servers in the United States. Such transfers are safeguarded by:

Standard Contractual Clauses (SCCs): Incorporated into our data processing agreements with OpenAI and other non-EU vendors.

Data Privacy Framework: Compliance with the EU-US Data Privacy Framework where applicable.

8. Rights of the Data Subject

Customers may contact info@twini.ai to exercise their rights under Art. 15-22 GDPR:

Right of access, rectification, and erasure ("Right to be forgotten").

Right to restriction of processing and data portability.

Right to object to processing.

9. Specific Processing: AI and Shopify Integration

(This section details the tech stack specific to Twini)

9.1. Shopify Data Access

Twini integrates with the Customer’s Shopify store via official APIs. To enable the AI Agent to provide personalized support (e.g., "Where is my order?" or "Reorder my last item"), Twini requires access to Customer and Order scopes.

Purpose Limitation: While we access these broad scopes, Twini processes this data solely to answer Shopper queries and enrich product metadata. We do not sell, rent, or use Shopper PII for independent advertising purposes.

9.2. AI Processing (OpenAI & Training Policy)

Twini utilizes Large Language Models (LLMs) provided by OpenAI.

Zero-Retention on Training: We configure our usage to ensure Customer Data is not used to train the foundational models of our third-party providers.

Twini Training Policy: Consistent with our Terms of Service, Twini does not use Customer Data to train or fine-tune its own foundational AI models unless the Customer has explicitly opted into such training.

Context Windows: Only the relevant snippets of data (e.g., a specific product FAQ or order status) are sent to the LLM at the moment of inference, minimizing data exposure.

9.3. Shopper Data (Controller-Processor Relationship)

Regarding the personal data of the Customer's end-users (Shoppers) processed by Twini:

The Customer acts as the Data Controller.

TWINI S.R.L. acts as the Data Processor. This relationship is governed by our Data Processing Agreement (DPA), which is incorporated by reference into our Terms of Service.