Privacy Policy

TLDR;
  • We don't use advertising cookies (Google, Meta, etc.) and never collect personal data unless voluntarily provided by you.

  • We pledge never to sell any data.

  • We comply with GDPR, CCPA, PECR.

  • Twenty is not PCI or HIPAA certified.

In this policy, we explain our data collection and handling practices, and your rights pertaining to your data.

As a visitor to the twenty.com website and apps

Visitors to our website can browse freely, with minimal data collection or tracking:

  • We only collect personal information if you choose to become a "subscriber" and voluntarily provide it.

  • Basic cookies are employed to ensure a seamless browsing experience, such as maintaining your login session. Additionally, we use services like Cloudflare and Framer, which may automatically set cookies for analytics purposes. These cookies are used solely for high-level metrics and not for individual tracking.

  • We do not share or sell any information to third-party services.
    We refrain from using services such as Google Analytics, Facebook Pixel, LinkedIn Pixel, Clearbit, etc. No cookies are used for advertising purposes.

  • We collect anonymous data for statistical purposes to help us understand website traffic trends. Personal data is not included in this collection.

As a subscriber of Twenty

A subscriber is an individual who, although not using the app, has completed a form to receive information such as newsletters or status page updates.

If you are a subscriber, we collect your name, email, or phone number to send you updates and communications, contingent upon your consent.

As a user of Twenty (Cloud-hosting)

For users of the app, Twenty acts as a data controller for your basic information, such as email and full name.

Twenty as a Data Processor (Cloud-hosting)

For users of the app, Twenty acts as a data controller for your basic information, such as email and full name.

  • As a data processor, Twenty processes personal data entered into our CRM platform by our clients. This data may include, but is not limited to, contact details, communication records, and transaction histories. The specific types of data processed depend on the configurations and inputs of each client.

  • We process personal data solely for the purposes defined by our clients, in accordance with their instructions. These purposes typically include managing customer relationships, tracking sales activities, and analyzing business performance.

  • Twenty processes personal data based on actions taken in our app by our clients, the data controllers. We ensure that all processing activities are aligned with these instructions and do not use personal data for any other purposes.

  • To deliver our services, we may engage third-party subprocessors. We ensure that all subprocessors are bound by contractual agreements that uphold the same level of data protection as required by GDPR. The main subprocessors today are: AWS, Cloudflare, Stripe, Sentry, Front.

  • We implement robust technical and organizational measures to protect personal data against unauthorized access, loss, or alteration. These measures include encryption, access controls, and regular security audits.

  • Upon termination of our services or upon request, we will securely delete or return all personal data to the data controller.

  • As a data processor, we assist our clients in fulfilling their obligations to respond to data subject requests. This includes facilitating access, rectification, and erasure of personal data upon request by the data controller.

As a user (Self-hosting)
  • For self-hosting users, Twenty provides the tools and infrastructure to manage your CRM data independently. All data entered into your self-hosted CRM instance remains under your control and ownership. This includes any customer data or personal information you manage within the CRM.

  • Unlike our cloud-hosted services, where we act as a data processor, self-hosting allows you to maintain full control over your data environment. We do not access or process any of the CRM data you manage on your self-hosted instance. Your workspace's data remains on your servers, and we do not have the ability to view, alter, or extract it.

  • We may collect information about the workspace and its users, such as email addresses and domain names, for purposes such as verifying an Enterprise subscription and providing additional services. This information is handled with care and in compliance with applicable data protection laws.

  • If telemetry is enabled on your instance, we may collect usage information to improve our platform's performance, enhance user experience, and identify potential issues. This data helps us understand how our software is used and allows us to make informed decisions about future updates. Importantly, this telemetry data will never include your workspace's data but only metadata related to system performance and usage.

  • You can opt out of telemetry at any time by simply changing an environment variable on your server.

Retention of data

We retain your data for as long as your account is active or as necessary for providing you with the services. This data is also used to comply with our legal obligations, resolve disputes, enforce our agreements, and protect Twenty's legal rights.

You can delete your data anytime in your account.

GDPR, CCPA, PECR, PCI and HIPAA

We are committed to upholding the standards set forth by the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Privacy and Electronic Communications Regulations (PECR).

Twenty is not certified by the Payment Card Industry (PCI) or Health Insurance Portability and Accountability Act (HIPAA) standards. As such, we do not claim to comply with PCI and HIPAA requirements for the protection of financial and medical data.

Changes and questions

Our privacy policy may be updated as our business evolves and to stay compliant with regulations. Significant changes will be communicated to users via email.

Please reach us at contact [at] twenty.com for any queries, comments, or concerns about this privacy policy, your data, or your rights related to your information.