Privacy policy
How Twira handles your data. The short version: your code stays on your machine.
- Last updated: 2026-05-21
- Effective from: 2026-05-21
- Contact: Send an enquiry
Plain-English summary
Twira is software that runs on your machine. It indexes your code locally, signs an audit chain locally, and (in paid tiers) screens for known personal-data patterns locally before any payload reaches an LLM provider you have configured. The only personal data Twira Ltd processes about you is the limited operational data described below: billing details for paid tiers (handled by Stripe), the contents of any contact-form submission you send us, account email for paid tiers, and aggregate website analytics.
We do not collect, transmit, or store your source code. We do not analyse the contents of the files you index. Where this policy refers to "your data", it means the limited operational data described below, not your codebase.
Who we are
The data controller is Twira Ltd, a company registered in England and Wales (company number 17178961), with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom. References to "we", "us", and "our" in this policy mean Twira Ltd.
We do not currently maintain a Data Protection Officer because the scale and nature of our processing does not require one under UK GDPR Article 37 or EU GDPR Article 37. Privacy enquiries are handled by the founder, supported by external counsel where appropriate.
Data we process about you
- Billing data for paid-tier subscribers. Stripe is the processor of record for card data; we see name, business email, billing country, the brand and last four digits of the card, and the line-item history of your subscription. Full card numbers and full CVCs are never transmitted to or stored by us.
- Account email for paid-tier subscribers, used to issue licence keys and send trial, renewal, and service-status messages. Transactional only. Marketing emails are opt-in and separate.
- Contact-form submissions: the topic, your email, optional name and company, the message you write, your IP address, and your browser user-agent string at the moment of submission. Retained for as long as needed to handle your enquiry and to keep an internal record of the conversation, then archived or deleted in line with the retention schedule below.
- Cookieless analytics for the marketing website, served via Plausible Analytics behind a server-side proxy. Aggregate page-view counts only. No cookies. No cross-site tracking. No fingerprinting.
- Server logs for the marketing site and licence-activation service. Standard IP-and-user-agent web logs, retained for 30 days for security, fraud-prevention, and abuse-handling purposes.
- Crawler-class telemetry for the marketing site only. Broad bot category by URL (e.g. "search bot accessed /pricing"). No individual visitor identification.
Data we do NOT process
- Your source code. It is indexed and stored on your machine and never transmitted to us.
- The contents of files you analyse with the detector pipeline. They are processed locally.
- The contents of your local audit chain, lore store, masterplan, or any other on-disk artefact created by the Software.
- The contents of prompts and completions you exchange with your configured LLM provider. Those go directly from your machine to your chosen provider using your key, not through us.
- Personal data screened by the AI Compliance Proxy. The proxy operates on your machine and filters payloads locally before they leave it; the filtered or unfiltered content never transits our systems.
- Telemetry about what you index, search for, or diagnose. The Software has no usage-telemetry channel back to us, by design.
Use of AI tools in business communications and data management
We use third-party AI tools to help us run Twira Ltd. We are transparent about this because some of those tools may, depending on what you choose to send us, briefly process content you have shared with us in the course of your enquiry. We treat that processing as a sub-processor relationship and disclose it here.
- Where AI is used by us. Drafting and editing of internal documents, marketing copy, software code, and customer-facing replies; triage and initial-draft replies to inbound contact-form, pilot, compliance, and security submissions; summarisation of internal notes; transcription of internal meetings where the participants have agreed.
- Which vendors we use. Anthropic (Claude and Claude Code), OpenAI (ChatGPT, Codex, and the OpenAI API), and Google (Gemini and the Gemini API). The full sub-processor list, with links to each vendor's privacy posture and data-handling commitments, is in the Sub-processors section below.
- What data passes through them. When you send us a contact-form submission or any other enquiry, the topic, your message text, and any personal data you have included in that message may be passed through one or more of these AI vendors for the purpose of drafting, summarising, or routing a response. Where you have sent us a structured document (for example a compliance questionnaire), the document content may also pass through them for the same purpose.
- Tier and training. We use the commercial, paid tiers of these AI vendors (Anthropic API and Claude Console, OpenAI API and Team/Enterprise, Google Vertex / Gemini API). Under the commercial terms of those tiers, the vendors do not train their models on the content we send. We do not enable any "improve the model with my data" toggle in any account. We do not knowingly route customer-shared data through a consumer-tier or free-tier AI service.
- Human-in-the-loop. Every reply we send you is reviewed and approved by a human at Twira Ltd before it leaves us. AI is used to draft, organise, and accelerate, not to decide. We do not use AI to make decisions that produce legal or similarly significant effects on you. Article 22 UK GDPR / EU GDPR is therefore not engaged.
- Legal basis. Legitimate interest under UK GDPR Article 6(1)(f), being the interest in operating efficiently and replying to you quickly. We have balanced this interest against your reasonable expectations and consider AI-assisted handling of routine business correspondence to be within them, particularly given the no-training commitments above. If you prefer your enquiry to be handled without any AI involvement, write "no AI processing, human only" at the top of your message and we will route it accordingly.
- Retention by the AI vendors. Vendor-side retention of our prompts is governed by each vendor's terms. Anthropic, OpenAI, and Google API/Enterprise tiers each operate short retention windows (typically 30 days, with shorter windows available on request); we do not increase those windows. We do not maintain a separate copy of vendor-side prompts.
- Security. AI tools used by us run only inside accounts controlled by Twira Ltd, authenticated with multi-factor authentication, with role-based access limited to staff who need it. We do not use shared, personal, or anonymous AI accounts for any handling of customer correspondence.
Automated decision-making and profiling
We do not make any decision about you, or apply any profile to you, that produces a legal effect or a similarly significant effect, on the basis of automated processing alone. The decisions that affect you (whether to take you on as a customer, how to price your subscription, how to reply to your enquiry, whether to suspend or terminate access) are taken by humans at Twira Ltd.
Legal bases (UK GDPR / EU GDPR Article 6)
- Performance of a contract: for paid-tier subscribers, processing billing and account data is necessary to perform the subscription.
- Legitimate interest: for server logs (security and abuse-handling), cookieless analytics (product improvement at aggregate level), responding to contact-form enquiries, and AI-assisted handling of routine correspondence as described above.
- Consent: for any future optional marketing email, which is opt-in only and separately captured.
- Legal obligation: for record retention required by UK and EU tax, accounting, and consumer-law frameworks.
Sub-processors
We use the minimum number of sub-processors required to operate the service. The current list is:
- Stripe, Inc. and Stripe Payments Europe Ltd: payment processing, Stripe Tax for VAT and US sales-tax computation, and Stripe Checkout for self-service subscription management. Data processed: billing details and the line-item history of your subscription. Primary processing locations: United States and European Union. https://stripe.com/privacy
- Microsoft Corporation (Azure): hosting for the marketing website, the licence-activation service, the Stripe webhook handler, and operational telemetry. Primary processing region: UK South. https://www.microsoft.com/en-us/trust-center
- Plausible Insights OÜ (Plausible Analytics): cookieless, server-side-proxied website analytics. Aggregate only. Primary processing location: European Union. https://plausible.io/privacy
- Anthropic, PBC: drafting and triage of business correspondence and internal content. Data may include: contact-form text, attached materials, and internal notes. Used under Anthropic's commercial terms; not used to train models. https://www.anthropic.com/legal/privacy
- OpenAI, LLC: drafting and triage of business correspondence and internal content. Same usage and protections as above. Used under OpenAI Team / Enterprise / API terms; not used to train models. https://openai.com/policies/privacy-policy
- Google LLC (Gemini / Vertex AI): drafting and triage of business correspondence and internal content. Same usage and protections as above. Used under Google Cloud and Workspace commercial terms; not used to train models. https://policies.google.com/privacy
Sub-processors, change-notice commitment
Material additions to this list will be reflected on this page at least 30 days before the new sub-processor begins handling your data. Pro and Enterprise customers can ask, via the contact form, to receive that advance notice by email. Where you reasonably object to a new sub-processor, we will work with you to find an alternative, and if that is not possible you may terminate your subscription with a pro-rated refund of any pre-paid period.
International transfers
Where personal data is transferred outside the United Kingdom or the European Economic Area (most commonly to Stripe, Anthropic, OpenAI, and Google in the United States, or to Microsoft Azure regions outside the UK), those transfers are governed by the relevant Standard Contractual Clauses (EU Commission 2021/914 SCCs together with the UK Information Commissioner's International Data Transfer Addendum, or the UK International Data Transfer Agreement directly) or an equivalent legally-recognised mechanism such as an adequacy decision. We rely on each sub-processor's public commitment to those clauses; links to each are provided above.
Security measures
- TLS 1.2 or higher for every connection between you, the marketing website, the licence-activation service, and our sub-processors.
- Encryption at rest for the licence-activation database and for billing records held by Stripe.
- Multi-factor authentication on every administrative account at Twira Ltd.
- Role-based access to internal systems, with access reviewed when staffing or scope changes.
- Audit logging of administrative access to systems holding personal data.
- Regular security review of the marketing website, the licence-activation service, and dependencies, with severity-scaled remediation.
Your rights
Under UK GDPR, EU GDPR, and similar regimes you have the right to access, to rectify, to port, to erase, to restrict, and to object to the processing of your personal data. You also have the right to object specifically to processing carried out on the basis of legitimate interest, including the AI-assisted handling of correspondence described above.
To exercise any of these rights, submit the compliance form at /contact?topic=compliance. We respond within 30 calendar days and usually within 48 hours. We may need to verify your identity before fulfilling a request, particularly where the request relates to data linked to a paid-tier account.
If you are a resident of California, Colorado, Connecticut, Utah, Virginia, or another US state with a comprehensive privacy law, you have equivalent rights under your state's law. Use the same compliance form. We do not sell or share personal information for cross-context behavioural advertising, and we therefore have no "Do Not Sell or Share" mechanism to offer; we have nonetheless provided a clear opt-out mechanism above for AI-assisted handling.
You also have the right to lodge a complaint with your supervisory authority. For UK residents, that is the Information Commissioner's Office (https://ico.org.uk/). For EU residents, that is the data-protection authority in your member state.
Data retention
- Billing data: retained for the statutory period required by UK tax and accounting law, currently six years from the end of the accounting period to which the record relates.
- Account email: until you close your account, then deleted within 30 calendar days unless retention is required for an ongoing legal obligation or to handle a live dispute.
- Contact-form submissions: retained for as long as is needed to handle your enquiry and to keep a reasonable internal record of the conversation, then either archived in an access-restricted store or deleted. We do not retain submissions for longer than 24 months unless they relate to a live commercial relationship or to an ongoing legal matter.
- Server logs: 30 days.
- Cookieless analytics: aggregate only; retained for 24 months in line with Plausible defaults.
Children
Twira is a developer tool intended for adult use. We do not knowingly market the Software or our services to anyone under 18 and we do not knowingly process personal data of anyone under 18. If you believe a child has provided us with information, submit the compliance form at /contact?topic=compliance and we will investigate and delete as appropriate.
The Education tier of our paid subscriptions is offered to students at recognised institutions and may, in some jurisdictions, be activated by people aged 16 or 17. Where we knowingly grant Education access to anyone under 18, we do so on the basis of consent obtained through the institutional email channel and limit processing to what is necessary to provide the Education licence.
Updates to this policy
We may update this policy from time to time. Material changes are notified by email to paid-tier account holders at least 30 calendar days in advance and posted on this page on the same date the email is sent. The "Last updated" date at the top of this page changes with every revision.
Contact
Questions about this policy, sub-processor questions, or rights requests: submit the compliance form at /contact?topic=compliance. We respond within 30 calendar days and usually within 48 hours.