Privacy Policy
Last updated: 19 May 2026
1. Who we are
twig.tools (the “Service”, “we”, “us”, “our”) is the data controller for the personal data we process about you. You can reach us at twig.tools.community@gmail.com.
2. Scope
This policy explains what personal data we collect, why we collect it, how we use and share it, how long we keep it, and what rights you have. It applies to the twig.tools website, the web application, and any companion tools (including the bookmarklet).
3. What we collect
Account data
Email address and a hashed password (we never store passwords in plain text). If you sign in with a third-party identity provider, we receive the identifiers and email address that provider returns.
Content you create
The bookmarks, URLs, page titles, tags, notes, folders, ordering, and any text or metadata you save in the Service.
Billing data
If you subscribe to a paid plan, payment is processed by Stripe. We do not see or store full payment card numbers. We store a Stripe customer identifier, subscription status, plan, billing period, and the last-four digits and brand of the card used for the subscription, so that we can manage your subscription.
Communications
If you email us we keep the message and any reply so we can respond and have a record.
Technical data
Server logs containing IP address, user-agent string, requested URL, timestamps, and response codes. These are used to operate the Service, diagnose problems, and protect against abuse.
4. Why we use your data and our legal bases
Under UK GDPR / EU GDPR we rely on the following legal bases:
- Performance of a contract — to create your account, deliver the Service, process payments, and provide support.
- Legitimate interests — to keep the Service secure, prevent fraud and abuse, debug errors, and improve the product. We balance these interests against your rights and freedoms.
- Legal obligation — to retain records required by tax, accounting, or other applicable law.
- Consent — where we ask for it explicitly (for example, optional marketing emails). You can withdraw consent at any time.
5. Subprocessors
We use a small number of trusted infrastructure providers to deliver the Service. Each is contractually bound to protect your data and to process it only on our instructions.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database, and file storage for your account and content. | EU / US |
| Stripe | Payment processing and subscription management. | US / global |
| Resend | Transactional email (sign-up confirmation, password resets, billing notices). | US |
| Vercel | Hosting and serverless functions for the Service. | US / global edge |
| Cloudflare | Bot protection (Turnstile / CAPTCHA) on sign-up and sign-in forms. | Global edge |
| OAuth identity provider for “Sign in with Google”. Google receives your email address and basic profile identifiers during sign-in. | US / global |
We will update this list when we add or replace a subprocessor. Material changes will be announced in the Service or by email.
6. International transfers
Some of our subprocessors are located in the United States or operate on global edge networks. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, together with each provider’s additional technical and organisational measures.
7. How we share data
We do not sell your personal data. We share it only:
- With the subprocessors listed above, as necessary to operate the Service.
- With professional advisers (lawyers, accountants) bound by duties of confidentiality.
- If required by law, a court order, or to protect our rights, property, or safety, or those of others.
- In connection with a merger, acquisition, or sale of all or part of our business, in which case the recipient will be bound by this Privacy Policy.
8. Retention
- Account and content — kept for as long as your account is active. When you delete your account we delete or anonymise your content within 30 days, except where retention is required by law.
- Billing records — kept for the period required by tax and accounting law (typically 6 years in the UK).
- Server logs — kept for up to 30 days, then deleted or aggregated.
- Support emails — kept for up to 2 years after the last interaction.
9. Your rights
If UK GDPR or EU GDPR applies to your data you have the right to:
- Access a copy of the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data deleted (subject to legal retention obligations).
- Restrict or object to certain processing.
- Receive your data in a portable format, or have it transmitted to another controller where technically feasible.
- Withdraw any consent you previously gave (without affecting prior lawful processing).
- Lodge a complaint with a supervisory authority — in the UK that is the Information Commissioner’s Office (ico.org.uk).
To exercise any of these rights email twig.tools.community@gmail.com. You can also export or delete your content directly from your account.
10. Cookies and similar technologies
We use cookies and similar local-storage mechanisms that are strictly necessary to operate the Service — for example to keep you signed in and to maintain your session with Stripe during checkout. We do not use advertising or third-party tracking cookies.
11. Security
We protect data in transit with TLS and at rest using the encryption provided by our infrastructure subprocessors. Passwords are stored only as one-way hashes. Access to production systems is restricted to authorised personnel. No system is perfectly secure; if we become aware of a personal data breach that affects you we will notify you and the relevant authority in accordance with applicable law.
12. Children
The Service is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. If a change is material we will notify you by email or via the Service at least 14 days before it takes effect.
14. Contact
Questions about this Privacy Policy or how we handle your data? Email twig.tools.community@gmail.com.