Privacy Policy

Last updated: April 26, 2026

This Privacy Policy explains how Twinely (“Twinely,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use our relationship journal application and related services (the “Service”). It also describes your rights and how to exercise them.

If you have any questions about this policy or how your data is handled, contact us at support@twinely.io.

1. Who we are

Twinely is a private journaling application for couples. Twinely is the data controller for personal information you provide to us directly through the Service. For subscription purchases, our payment partner Polar (Polar Software Inc.) acts as the merchant of record and controls certain billing-related personal information (see Section 6).

2. Information we collect

We collect only the information needed to run the Service:

• Account information: email address and a salted bcrypt hash of your password. We never store your password in plain text.
• Journal content: the entries you write, mood selections, tags, reveal-later timestamps, and any images you attach. Entry content and image payloads are encrypted at rest with AES-256-GCM.
• Couple relationship data: the link between two paired accounts and the share setting you choose for each entry (Private, Shared, or Reveal Later).
• AI usage: when you invoke an AI feature, the relevant entry content is sent to our AI provider. We retain metadata about the request (feature used, token counts, cost, and outcome) for rate limiting and billing reconciliation.
• Device and notification data: push subscription endpoints for the Web Push API (if you enable notifications) and PWA install state.
• Security and audit logs: authentication events, failed login attempts, rate-limit trips, and other security-relevant activity, along with the IP address and user agent associated with each event.
• Billing information (via Polar): when you subscribe, Polar collects your name, email, billing address, payment card details, IP address, and tax-relevant identifiers. See Section 6.

3. How we use your information

• To operate, secure, and improve the Service.
• To deliver the AI-powered features you invoke (prompts, insights, suggestions).
• To send transactional emails and, if you opt in, push notifications.
• To prevent abuse, detect fraud, and enforce our Terms.
• To process subscriptions and comply with tax and accounting obligations.
• To respond to legal requests and protect our legal rights.

4. Legal basis for processing (EEA / UK users)

• Contract: processing your account, entries, and subscription is necessary to deliver the Service you requested.
• Consent: AI features, push notifications, and optional analytics events are processed on your consent, which you can withdraw at any time.
• Legitimate interests: security, abuse prevention, and service-integrity monitoring.
• Legal obligation: retention of billing and tax records.

5. Sharing between you and your partner

Twinely is designed for two-person couples. When you link your account with a partner, the share setting on each entry determines visibility:

• Private: only visible to you. The content remains encrypted and is never surfaced to your partner.
• Shared: visible to both you and your linked partner.
• Reveal Later: hidden from your partner until the reveal date you set, at which point it becomes Shared.

AI-generated insights that draw on shared context may reflect information from both partners. If you unlink from your partner, previously shared entries remain visible to both accounts unless you delete them.

6. Who we share your information with

We do not sell your personal information and we do not share it for advertising. We use a small number of subprocessors to run the Service:

Polar (merchant of record, payment processing)

All subscription purchases are processed by Polar (Polar Software Inc., 3500 South DuPont Highway, Dover, DE 19901, US), which operates as an independent reseller and the merchant of record for transactions on the Service. On our behalf, Polar collects and processes your name, email address, billing address, payment card details, IP address, and tax-relevant identifiers. Transactions are processed on Polar’s servers and those of its sub-processors (notably Stripe for payment processing and Polar’s tax-compliance partners).

Polar’s privacy practices are governed by its own privacy policy, available at https://polar.sh/legal/privacy-policy. For data-rights requests relating to information Polar collected from you at checkout, contact privacy@polar.sh. Polar returns a subset of billing status to Twinely (subscription activation, renewal, cancellation) so we can provision your access.

AI providers (OpenAI, Anthropic)

When you invoke an AI feature, the relevant entry content is transmitted to OpenAI or Anthropic for processing. We configure these providers for zero-retention where supported and do not allow your content to be used to train their models. Content is not sent to AI providers unless you trigger an AI feature.

Hosting and infrastructure

The Service is hosted on DigitalOcean. Database storage, encrypted entry content, and application logs reside on DigitalOcean infrastructure. Transactional email is sent via our email provider and push notifications are delivered via the browser vendor’s push service (e.g., Mozilla, Google, Apple) when you enable them.

Legal and safety

We may disclose information to comply with valid legal process, to protect the rights, property, or safety of Twinely, our users, or the public, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you).

7. International data transfers

Twinely is operated from the European Union and data may be transferred to, stored in, or processed in the United States and other countries by our subprocessors (notably Polar and our AI providers). Where required, we rely on Standard Contractual Clauses or equivalent legal mechanisms to protect such transfers.

8. Your rights

Depending on where you live (including under the GDPR, UK GDPR, and California Consumer Privacy Act), you have the right to:

• Access the personal information we hold about you.
• Request a copy of your data in a portable format.
• Correct inaccurate information.
• Request deletion of your account and associated data.
• Object to or restrict certain processing.
• Withdraw consent for AI features, notifications, or other consent-based processing.
• Lodge a complaint with your local data protection authority.

You can export or delete your Twinely data directly from the in-app privacy settings. For any request we cannot fulfill in-app, email support@twinely.io. For information Polar collected from you at checkout (name, billing details, payment data), contact privacy@polar.sh.

We will not discriminate against you for exercising any of these rights.

9. Data retention

• Account, entry, and related data are retained for as long as your account is active.
• If you delete your account, we permanently erase your personal data within 30 days, except where we are required to keep it for legal reasons.
• Billing records held by Polar are retained by Polar for the period required by applicable tax and accounting law (typically up to 7 years).
• Security and audit logs are retained for up to 12 months.

10. Security

We apply industry-standard safeguards:

• Entry content and images are encrypted at rest using AES-256-GCM.
• All network traffic is encrypted in transit over TLS (HTTPS is enforced).
• Passwords are hashed with bcrypt; we never see your plaintext password.
• Rate limiting, account lockouts after repeated failed logins, and a tamper-evident audit log protect your account from abuse.
• Payment card details are never stored on Twinely servers — they are handled by Polar.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.

11. Cookies and tracking

Twinely uses a single essential cookie to maintain your authenticated session (NextAuth). We do not use third-party analytics, advertising trackers, or cross-site tracking cookies. Polar may set its own cookies on its checkout page; those are governed by Polar’s privacy policy.

12. Children’s privacy

The Service is not directed to children under 16 (or under 13 in the United States). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact support@twinely.io and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and through an in-app notice before the change takes effect. The “Last updated” date at the top of this page always reflects the current version.

14. Contact us

For privacy questions, data-rights requests, or any other concern about how Twinely handles your information, email support@twinely.io.

For information processed by Polar (billing, payment data, tax identifiers), email privacy@polar.sh.