Privacy Policy
Effective Date: October 13, 2025
Introduction
Welcome to Twenty.com PBC (“Twenty”, “Company”, “we”, “us”, or “our”).
Twenty operates the website https://twenty.com and related cloud services (collectively, the “Service”).
This Privacy Policy governs your access to and use of the Service and explains how we collect, use, safeguard, and disclose information that results from your use of our Service.
We are committed to complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy and our Terms of Service.
Definitions
For purposes of this Privacy Policy:
Service – means the Twenty website (https://twenty.com) and any related services or applications operated by Twenty.com PBC.
Personal Data – means any information about a living individual who can be identified from that data (either alone or in combination with other information in our possession).
Usage Data – means information collected automatically through use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Cookies – are small files placed on your device (computer or mobile) that store certain information.
Data Controller – means a person or organization who (alone or jointly with others) determines the purposes and means of processing Personal Data. For the purposes of this Privacy Policy, Twenty is the Data Controller for Personal Data we collect directly from you.
Data Processor (or Service Provider) – means a person or organization which processes Personal Data on behalf of the Data Controller. We may use the services of various third-party service providers to process your data more effectively. When you use Twenty’s cloud-based CRM, Twenty acts as a Data Processor for the Customer Data you input into our platform on behalf of your organization (see Information We Collect below).
Data Subject – is any living individual who is the subject of Personal Data (you, or any individual whose data you provide to us).
User – means the individual using our Service. The User may be the Data Subject or an authorized user acting on behalf of a company (our customer).
Information We Collect
We collect different types of information to provide and improve the Service for our users. This includes:
1. Personal Data You Provide: While using our Service (for example, when creating an account, subscribing to our newsletter, or contacting support), we may ask you to provide certain personally identifiable information. This information may include, but is not limited to: your name, email address, phone number, company/organization name, job title, billing information, or any other details you choose to provide. We use this Personal Data to identify or contact you as needed. For instance, if you subscribe to communications from us, we will use your email to send newsletters or updates (you may opt out of these communications at any time by following the unsubscribe link or contacting us).
2. Customer Data (CRM Data): If you are using Twenty’s cloud-based CRM application, you may input or upload personal information about third parties (such as your customers, leads, or contacts) into our Service. This Customer Data may include names, contact details, communications, transaction histories, and other information relevant to customer relationship management. In these cases, you (or your organization) act as the Data Controller for such Customer Data, and Twenty acts as a Data Processor on your behalf. We process this data solely to provide our CRM services to you and in accordance with your instructions. If you use Twenty in a self-hosted environment, we do not collect or have access to the Customer Data in your self-hosted instance; all such data remains under your control on your own servers. (Note: We may collect limited information from self-hosted deployments, such as workspace or user emails for license verification and optional telemetry, but this does not include your customer records. Telemetry is optional and can be disabled by you at any time.)
3. Usage Data: When you interact with our website or app, we automatically collect certain technical information about your visit. This Usage Data may include information such as your device’s Internet Protocol address (IP address), browser type and version, the pages you visit on our Service, the date and time of your visit, time spent on those pages, and other diagnostic data. If you access the Service via a mobile device, Usage Data may include your mobile device type, unique device ID, IP address, operating system, browser type, and other device identifiers. We collect this information to understand how our Service is used, to monitor and improve performance, and to ensure the security of our Service.
4. Cookies and Similar Technologies: We use cookies and similar tracking technologies to operate and analyze our Service. Cookies are small data files sent to your browser from a website and stored on your device; they may contain an anonymous unique identifier. We use cookies for purposes such as keeping you logged in, remembering your preferences, and securing the site. We do not use advertising cookies or third-party tracking pixels (such as Google Analytics or social media pixels) to target you with ads. Other tracking technologies (like web beacons or scripts) may be used for strictly functional or analytic purposes to improve the user experience, not for profiling you. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, note that if you disable cookies, some portions of our Service (for example, the login session) may not function properly. (See Cookies and Tracking Technologies below for more details.)
5. Information from Third Parties: We may receive information about you from third-party services that you choose to integrate or connect with Twenty. For example, if you use a single sign-on service or import data from another platform, we will collect the information you have authorized that service to share with us. We handle any such third-party-sourced information according to this Privacy Policy.
We do not knowingly collect any sensitive personal data unless you voluntarily provide it to us. We also pledge never to sell any personal data we collect to third parties.
How We Use Your Information
Twenty uses the collected information for various purposes in order to operate our business, provide the Service to you, and improve our offerings. These purposes include:
Providing and Maintaining the Service: To deliver the core functionalities of our CRM platform and website, including creating and managing user accounts, hosting your CRM data, and enabling you to use our features.
Service Communications: To notify you about updates, changes, or important information regarding the Service (for example, changes to features, security alerts, or support messages).
Enabling User Features: To allow you to participate in interactive features of our Service when you choose to do so (for example, collaborative features, integrations, or community forums).
Customer Support: To provide customer service and support, including responding to your inquiries, troubleshooting issues, and improving your experience.
Analytics and Improvements: To gather analysis, metrics, and valuable information so that we can understand usage trends and improve the Service’s performance and features. This may include analyzing how users interact with our application to refine the user interface or determining which features are most used to inform our product development.
Monitoring and Security: To monitor the usage of our Service and to detect, prevent, and address technical issues, fraud, or misuse. This helps us keep the Service safe, secure, and reliable for all users.
Billing and Transactions: To process transactions, manage subscriptions, and fulfill our contractual obligations. For example, we use provided information to bill for paid plans and to collect fees owed, using secure third-party payment processors (note: we do not store full payment card details ourselves).
Account Management: To send you administrative emails and reminders about your account, such as password resets, login notifications, subscription renewal notices, or policy updates.
Marketing and Related Communications: To provide you with news about Twenty, special offers, or general information about our products and services, but only where you have an existing relationship with us or have otherwise consented to receive such communications. You have the right to opt out of marketing messages at any time.
To Fulfill a Purpose You Provided It: If you give us information for a specific reason, we will use it for that reason. For instance, if you fill out a survey or request, we will use the data to perform or respond to that request.
With Your Consent: For any other purpose that we describe at the time of collection, but only if you have given us consent to use your information in that additional way.
Legal Compliance and Enforcement: To comply with applicable legal requirements, such as financial record-keeping or responding to lawful requests by public authorities. Also, to enforce our agreements (e.g., Terms of Service) and to protect the rights and safety of our company, our users, or others (for example, in investigating and preventing fraud or security issues).
We will not use Personal Data for any purpose that is incompatible with the purposes outlined above without your consent.
How We Share Your Information
We value your privacy and handle your Personal Data with care. We do not sell or rent your personal information to third parties for their marketing purposes. However, we may share information about you in the following circumstances, or as otherwise described in this Privacy Policy:
Service Providers: We may share your information with third-party service providers and partners who perform services on our behalf or help us operate the Service. This includes, for example, cloud hosting providers, infrastructure and security services, payment processors, analytics and error monitoring services, customer support platforms, and email service providers. These third parties are authorized to use your Personal Data only as necessary to provide services to us and are contractually obligated to protect it and not disclose or use it for any other purpose. For transparency, our primary subprocessors as of this policy’s effective date include: Amazon Web Services (AWS) for cloud infrastructure, Cloudflare for network performance and security, Stripe for payment processing, and Sentry for error tracking. A comprehensive list of subprocessors is available in our Trust Center.
Affiliates and Corporate Transactions: We may disclose your information to our subsidiaries, parent company, or other affiliates as needed to streamline our operations (for example, if we operate international branches). In the event of a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or other business transaction, your Personal Data may be transferred as part of that deal. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy.
Legal Compliance: We may disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government demand). We will only share the information necessary and will, when legally permitted, inform you of such disclosure.
Protecting Rights and Safety: We may disclose information if we believe it is necessary or appropriate to protect the rights, property, or safety of Twenty, our customers, our employees, or others. This includes exchanging information with other companies and organizations for fraud prevention, spam/malware detection, or other similar purposes.
With Your Consent or At Your Direction: We will share your personal information with third parties if you give us consent to do so for a specific purpose, or if you use our Service to intentionally interact with third parties. For instance, if you choose to integrate our Service with a third-party application or export data to another platform, we will share data at your direction to complete that process. Similarly, we may share data for any other purpose disclosed to you when you provided the information, with your explicit consent.
Aside from the purposes listed above, we will not transfer your Personal Data to any third party without your knowledge, and we do not share personal information with third parties for their own direct marketing use. If we ever need to share your data in a materially different way, we will update this Privacy Policy and notify you as required.
Cookies and Tracking Technologies
As mentioned, Twenty uses cookies and similar tracking technologies to provide, secure, and improve our Service. This section explains those technologies in more detail and your choices regarding them.
What Cookies Are: Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work, or work more efficiently, as well as to provide reporting information. We also may use related technologies such as web beacons (clear pixel tags), local storage, and scripts for similar purposes. These technologies help us recognize you, remember your preferences, and understand how you interact with our Service.
How We Use Cookies: We only use cookies in a limited manner, primarily for the functioning of our Service and basic analytics. For example, we use cookies to keep you logged into your account as you navigate the site, and to remember your settings or preferences. Cookies also help us improve security (for instance, by enabling additional verification or detecting malicious behavior). We do not use cookies to collect advertising information or to track your behavior across different websites. In fact, we avoid using third-party advertising or social media cookies entirely, and we do not use Google Analytics or similar invasive tracking tools on our marketing site. (We may use privacy-focused analytics or performance tracking tools that do not identify individuals – for example, our content delivery network and hosting providers may gather aggregate usage statistics for infrastructure monitoring, but this data is not used for advertising or profiling purposes.)
Types of Cookies We May Use:
Session Cookies: These are temporary cookies that are erased when you close your browser. Session cookies are used to operate our Service – for example, to enable you to log in and navigate between pages without having to log in again.
Preference Cookies: These cookies remember information about your choices and preferences (such as your language or other settings) to provide a more personal and convenient experience.
Security Cookies: These cookies are used for security purposes, such as to detect authentication abuses, protect user data, and prevent fraudulent use of login credentials.
Your Choices: Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies or alert you when a cookie is being placed. Please be aware that if you disable or refuse cookies, some features of our Service (like maintaining a login session) may not function properly. You can also clear cookies from your browser at any time. For more information on how to manage cookies, check your browser’s help documentation. Additionally, some of our third-party service providers (e.g., Cloudflare) may set their own cookies as part of providing our Service; these cookies are also only used for the purposes we’ve described (like security and basic analytics). We do not control third-party cookies, but you may be able to opt-out of certain cookies via those third parties’ websites or browser extensions.
Data Security
We take the security of your information very seriously. Twenty implements robust technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, for example, encryption of data in transit and at rest, access controls and authentication procedures to limit access to data, regular security audits and assessments, and staff training on data protection. While we strive to use commercially acceptable means to protect your Personal Data, please note that no method of transmission over the internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee absolute security. You should also take steps to safeguard your own credentials and devices (such as choosing strong passwords and keeping them confidential, and using secure networks). In the event of any data breach that affects your Personal Data, we will notify you and the appropriate authorities as required by law.
Data Retention
We will retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy. This means we keep your information for as long as you maintain an account with us or as long as needed to provide you with the Service. We may also retain and use your Personal Data as necessary to comply with our legal obligations (for example, to satisfy tax, accounting, or reporting requirements), to resolve disputes, and to enforce our agreements.
For users of our CRM Service, generally your account and the data within it (including Customer Data you have entered) will remain active and retained until you or your organization delete it or request its deletion. You have the ability to delete certain data through the Service interface (for instance, removing or exporting records) and you may delete your entire account data by contacting us if needed. Upon termination of your account or upon your request, we will securely delete or anonymize your Personal Data and any Customer Data stored in your account, unless we are required to retain it longer to comply with legal obligations or legitimate business interests (such as maintaining security logs or proof of consent). If complete deletion is not immediately possible (for example, because the data is stored in backups), we will isolate and protect the data from any further use until deletion is possible.
We retain Usage Data for internal analysis and security purposes. Usage Data is generally kept for a shorter period of time than Personal Data, except when such data is used to strengthen the security or improve the functionality of our Service, or we are legally obligated to retain it for longer periods.
In summary, we do not keep your data in identifiable form for longer than necessary. When data is no longer needed, we take steps to have it deleted, aggregated, or anonymized.
Your Rights and Choices
Depending on your jurisdiction and applicable data protection laws, you have certain rights regarding your Personal Data. Twenty is committed to facilitating the exercise of these rights for all users.
Rights Under the GDPR (for users in the European Economic Area): If you are a resident of the European Union or EEA, you have the following data protection rights under the GDPR:
Right to Access: You have the right to request a copy of the Personal Data we hold about you and to obtain information about how we process it.
Right to Rectification: You have the right to request that we correct any Personal Data that is inaccurate or incomplete.
Right to Erasure: You have the right to request deletion of your Personal Data under certain circumstances (for example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and no other legal basis for processing exists). This is sometimes called the “right to be forgotten.”
Right to Restrict Processing: You have the right to request that we restrict the processing of your Personal Data if you contest its accuracy, if the processing is unlawful and you prefer restriction over deletion, if we no longer need the data but you need it for legal claims, or if you have objected to processing pending verification of any overriding legitimate grounds.
Right to Data Portability: You have the right to obtain a copy of your Personal Data in a structured, commonly used, machine-readable format and to have that information transmitted to another controller (where technically feasible). This right applies when the data is processed by automated means and the processing is based on your consent or the performance of a contract.
Right to Object: You have the right to object to our processing of your Personal Data in certain situations, such as for direct marketing or when we are processing data based on legitimate interests. If you object, we will no longer process your Personal Data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless processing is required for the establishment, exercise, or defense of legal claims.
Right to Withdraw Consent: If we are processing your Personal Data based on your consent, you have the right to withdraw your consent at any time. This will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it will not affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.
To exercise your GDPR rights, please contact us using the contact information provided at the end of this policy. We may ask you to verify your identity before fulfilling certain requests, to ensure that your data is protected. We will respond to your request within the timeframes required by law. Please note that these rights are not absolute – there are exceptions and limitations. For example, we might not delete data that we are required to keep by law, or we might decline a request if it adversely affects the rights and freedoms of others. If you believe our processing of your Personal Data violates the GDPR, you also have the right to lodge a complaint with your local supervisory data protection authority in the EU.
Rights Under the CCPA (for California Residents): If you are a resident of California, you are protected by the California Consumer Privacy Act (CCPA) (as amended by the California Privacy Rights Act, “CPRA”) and other California privacy laws. These laws provide you (or your authorized agent) with specific rights regarding your personal information, including:
Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell or share (if applicable) about you. This includes the categories of personal information we have collected, the categories of sources of that information, the business or commercial purpose for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information we hold about you.
Right to Delete: You have the right to request the deletion of personal information we have collected from you (and direct our service providers to do the same), subject to certain exceptions. For example, we may retain information needed to complete transactions, detect security incidents, comply with legal obligations, or other exceptions permitted by law.
Right to Opt-Out of Sale or Sharing: You have the right to opt out of the “sale” or “sharing” of your personal information. However, as noted above, Twenty does not sell your personal information to third parties, and we do not share it for cross-context behavioral advertising. If in the future we consider selling personal data or using it for behavioral advertising, we will provide a clear opt-out mechanism as required by law.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny you goods or services, charge you different prices, or provide a different level of quality of services just because you exercised your rights. However, in some cases, if you request deletion of certain data, we may not be able to provide services that rely on that data (for instance, deleting your account information might prevent you from continuing to use your account).
To exercise your California privacy rights, you (or an authorized agent acting on your behalf) can submit a verifiable request to us using the contact information at the end of this policy. Please describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We will verify your identity (or your agent’s authority) as required before acting on a request, typically by confirming information we already have on file. We aim to respond to valid requests within 45 days as required by the CCPA (or notify you if an extension is needed).
Additionally, California's "Shine the Light" law (Civil Code Section 1798.83) permits users of our Service who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for direct marketing without consent, so this provision is generally not applicable to Twenty’s practices.
If you have any questions about your privacy rights or how to exercise them, you can always contact us at the email provided in the Contact Us section. We will be happy to assist you.
International Data Transfers
Twenty is based in the United States but data is currently hosted in Frankfurt (EU). We plan multiple hosting locations in 2026.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. Twenty complies with applicable legal requirements for transferring personal data internationally. In particular, for Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland, we implement appropriate safeguards for cross-border data transfers as required by the GDPR and corresponding laws. These safeguards may include entering into Standard Contractual Clauses approved by the European Commission, relying on an adequacy decision by the relevant authority (if the destination country is deemed to provide adequate protection), or other lawful mechanisms. No transfer of your Personal Data will take place to an organization or a country unless adequate controls are in place to protect your information, including the security of your data and other personal information.
Your use of our Service, followed by your submission of information to us, represents your consent to this transfer, storage, and processing of your information in the United States and other jurisdictions as described. If you have questions about our international data transfer practices, please contact us.
Links to Other Sites
Our Service or website may contain links to other sites that are not operated by Twenty (for example, a link to an article, a partner’s website, or an integration provider). If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the privacy policy of every external site or service that you visit, as their privacy practices may differ from ours.
We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. When you leave our site, our Privacy Policy no longer applies. If you provide personal information to any third-party site, your information is governed by their policies. We recommend you exercise caution and read the privacy statements of those sites before engaging with them.
Children’s Privacy
Our Service is not intended for use by children under the age of 18. We do not knowingly collect personally identifiable information from anyone under 18 years of age. If you are under 18, please do not use the Service or provide any Personal Data to us.
In the event that we discover we have collected Personal Data from a child under 18 without verified parental consent, we will take immediate steps to delete such information from our servers or to obtain appropriate consent. If you are a parent or guardian and you become aware that your child has provided us with Personal Data, please contact us so that we can take the necessary actions.
Note: In certain jurisdictions, such as under U.S. COPPA law, “child” is defined as under 13 years old. However, our policy is to avoid collecting data from anyone under 18 to ensure we comply with all child protection regulations and because our services are business-oriented. We encourage parents and legal guardians to monitor their children’s internet usage and to help enforce this Privacy Policy by instructing their children never to provide Personal Data through our Service without permission.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will post the updated Privacy Policy on this page and update the “Effective Date” at the top of the policy. If the changes are material, we will notify you either by email (using the email address associated with your account) or by means of a prominent notice on our website or within the Service, prior to the change becoming effective. We encourage you to review this Privacy Policy periodically for any updates.
Your continued use of the Service after any changes to this Privacy Policy become effective constitutes acceptance of those changes, to the extent permitted by law. If you do not agree with any updates or amendments, you should stop using our Service and, if you wish, delete your account or exercise your rights as described above.
Contact Us
If you have any questions about this Privacy Policy, or if you would like to exercise any of your privacy rights, please contact us:
By Email: [email protected]
You may also write to us at our business address if one is provided on our website. Email is the quickest way to reach us for privacy concerns. We take all inquiries about privacy seriously and will respond as promptly as possible.
Thank you for trusting Twenty with your data. Your privacy is important to us, and we are committed to safeguarding it in accordance with this policy and applicable laws.