Who we are

Twine is a wellness app based in England and Wales. We are responsible for your personal data under UK GDPR. You can contact us about privacy at privacy@twine.app.

What we collect

We collect your email address and login information when you create an account. We collect basic technical logs necessary to run the app securely.

Your conversation content — reflections and drafted messages — is stored on Twine's secure servers so that the AI can process your reflections and generate drafts. This content is associated with your account and is not shared with other users.

Why we use your data

We use your account details to run the service under our contract with you. Your reflections and message drafts are processed and stored on our servers as part of providing the core service. Because this content may contain sensitive personal information about your relationships and feelings, we process it under the legal basis of consent (Art 6(1)(a) and Art 9(2)(a) UK GDPR). You provide this consent when you accept the pre-use disclaimer. You can withdraw consent at any time by closing your account, which will delete all your content.

How your data is stored

Twine is designed to minimise the data we hold about you while providing a functional service. Your conversation content is stored on Twine's secure servers. This means:

• • Your reflections and message drafts are stored in our database, encrypted at rest, and associated with your account
• • Your content is private to your account and is not visible to other users
• • Your content is accessible across sessions so that Twine can provide continuity in your reflections
• • All content is permanently deleted when you close your account

You can request a copy of your data at any time by emailing privacy@twine.app.

Safety scanning

To meet our legal obligations under the Online Safety Act 2023 and UK GDPR, Twine runs automated safety checks on all messages submitted within a session.

How it works: every message you send is checked by a combination of pattern matching and AI-based safety assessment on our servers. The vast majority of messages pass these checks and are processed normally. Where a message is identified as containing content associated with illegal activity or serious risk to life, we will take the steps described below.

Categories and actions:

• • Child sexual exploitation or abuse (CSEA): content is preserved as evidence and reported to the National Crime Agency.
• • Terrorism: content is preserved as evidence and reported to the Counter Terrorism Internet Referral Unit.
• • Credible, specific, and imminent threat of violence against an identified person: content is preserved as evidence and reported to the relevant police force.
• • Urgent mental health crisis (imminent risk with stated method or current injury): an urgent support email is sent to you and a police welfare check is requested.

In all cases where content is reported to authorities, your account will be suspended. Grounds for suspension are set out in our Terms of Service.

Where content is assessed and does not meet any of the above thresholds, it is not retained on our servers.

Legal basis: vital interests (Art 6(1)(d)) for urgent crisis welfare checks; legal obligation (Art 6(1)(c)) for CSEA and terrorism reporting; legitimate interests (Art 6(1)(f)) for threat assessment and account suspension.

How AI processing works

Twine uses third-party AI services to generate reflections and draft messages. This means content you enter is processed by AI providers, currently Anthropic (Claude) and OpenAI (GPT-4o mini). Both are bound by data processing agreements with Twine. Anthropic and OpenAI are US-based companies. We rely on Standard Contractual Clauses as the legal basis for transferring your data outside the UK. Neither provider uses your content to train their models under our agreements with them.

AI processing applies only to content you actively submit within a session. Locally stored content that you do not submit in a session is never transmitted to AI providers.

Sharing your data

We do not sell your data. We share it only with the AI providers named above and with the technical services that host Twine. All hosting is within the UK or EEA except where AI processing requires transfer as described above. In exceptional circumstances where we believe someone is in immediate danger, we may share limited information with emergency services under our vital interests obligations.

How long we keep your data

Your conversation content is stored on our servers for as long as your account is active. It is permanently deleted when you close your account.

Account data is retained for up to 90 days after account closure for legal and audit purposes, after which it is permanently deleted.

Content reported to authorities under our statutory obligations is retained until law enforcement advises otherwise. Safety metadata (timestamps and classification records) is retained for 90 days.

Your rights

Under UK GDPR you have the right to access, correct, delete, or restrict the use of your personal data. You also have the right to object to any automated processing. Email privacy@twine.app and we will respond within 30 days.

Cookies and tracking

Twine does not use non-essential cookies or third-party analytics. We collect only what is necessary to run the app.

Changes to this policy

We will notify you of any significant changes to this policy. Continued use of Twine after notification constitutes acceptance.

Contact

For any privacy questions or to exercise your rights, contact privacy@twine.app.