Twikkie Privacy notice.

Twikkie Ltd ("Twikkie", "we", "us", "our") is the data controller for personal data processed via twikkie.com and the Twikkie public marketing site. Twikkie Ltd is a company registered in England and Wales (Company number 13881656, VAT GB 514 3588 90).

If you are using the Twikkie product as an employee or contractor of one of our customers, that customer is the data controller of your information; Twikkie is the processor. This notice covers the marketing site only.

We collect the minimum data needed to operate the site, respond to enquiries and improve Twikkie:

• Identity & contact data — name, work email, company, role, message — when you book a demo, contact sales, apply to a job, request the ROI report or subscribe to the newsletter.
• Account data — email and hashed password — when you sign in to your Twikkie account.
• Technical data — IP address (truncated for analytics), browser type and version, device, referrer, language and pages viewed.
• Usage data (with your consent only) — anonymous events showing which pages and features you interact with.
• Cookie data — see our Cookie policy for the full table of cookies and durations.

Article 6 UK GDPR / EU GDPR lawful bases we rely on:

• Contract (Art. 6(1)(b)) — to deliver a demo, ROI report, partner enquiry or trial you've asked for.
• Legitimate interests (Art. 6(1)(f)) — to run the public site, respond to business enquiries and keep the service secure. Balanced against your rights.
• Consent (Art. 6(1)(a)) — for analytics cookies, marketing cookies and marketing emails. You can withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation (Art. 6(1)(c)) — to keep records we're required to keep by UK law (e.g. accounting).

• Demo / contact / partner / ROI enquiries — 24 months from last contact, then deleted or anonymised.
• Newsletter subscribers — until you unsubscribe (one-click in every email).
• Account data — for the lifetime of your account; deleted on request within 30 days.
• Analytics events — 12 months, then aggregated.
• Server logs — 30 days for security investigations, then rotated.
• Cookie consent records — 24 months so we can prove your choice if challenged.

We do not sell your personal data. We share it only with carefully selected sub-processors who help us run the site, under written data-processing agreements (Art. 28 UK GDPR), and only for the purposes described in this notice. Categories of recipient include:

• Cloud hosting and database providers — to store and serve the site and your data securely.
• Email delivery providers — to send transactional emails (e.g. confirmations) and newsletters you've opted in to.
• Security, anti-bot and CDN providers — to keep the site available and protected against abuse.
• Product analytics providers — to understand site usage, only loaded if you grant analytics consent.
• AI assistant provider — to power the on-site chat assistant. Conversations are processed solely to generate replies and are not used to train third-party models.

A current list of named sub-processors is available on request at hello@twikkie.com. We notify customers in advance of any material change to our sub-processor list.

Where data is transferred outside the UK / EEA, we rely on the UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses and supplementary measures such as encryption in transit and at rest. Details of the safeguards in place for a specific transfer are available on request.

Under UK GDPR / EU GDPR you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten") where applicable.
• Restrict or object to processing based on legitimate interests.
• Data portability — receive your data in a portable format.
• Withdraw consent at any time for consent-based processing.
• Not be subject to automated decision-making with significant effects.

To exercise any of these rights, email hello@twikkie.com. We aim to respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.

• TLS 1.2+ in transit and AES-256 at rest.
• httpOnly, Secure cookies for authentication; CSRF defences on state-changing endpoints.
• Principle of least privilege for staff access; access logs retained 30 days.
• Annual third-party penetration test and ongoing dependency scanning.

Twikkie is a B2B product. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact hello@twikkie.com and we will delete it.

We will post any material changes on this page and update the "last updated" date. The current version is 2026-02-v2.