Legal

Privacy policy

Draft — Requires legal review

This document is a draft requiring thorough legal review before publication. It is provided as a starting point informed by industry best practices.

Effective date: To be determinedLast updated: February 2026

1. Introduction and scope

This Privacy Policy describes how TwinMail, Inc. (“Twindevs,” “we,” “us,” or “our”) collects, uses, and protects information when you use the TwinMail application and related services. TwinMail is a local-first email client — this architectural choice fundamentally shapes our privacy posture.

2. What we collect

We collect the minimum information necessary to provide the service:

  • Account information: Email address used for registration, display name, and account preferences.
  • Billing information: Payment details processed by Stripe. We do not store credit card numbers or banking details on our servers.
  • Encrypted sync blobs: When multi-device sync is enabled, client-side encrypted data blobs are stored on our infrastructure. We cannot decrypt these blobs.
  • Usage metadata: Sync timestamps, device types, app version, and crash diagnostics (opt-in only).

3. What we do NOT collect

Due to our zero-knowledge architecture, TwinMail cannot access:

  • Email content, subject lines, or message bodies
  • Sender and recipient information
  • Message timestamps or threading data
  • Attachment contents or file names
  • Contact lists or address book entries
  • Search queries or search indices
  • Calendar event details

4. Local-first architecture

TwinMail stores all email content, metadata, and search indices locally on your device. The application uses SQLite with FTS5 for full-text search, and all databases are encrypted using XChaCha20-Poly1305 with per-Vault key hierarchies derived via Argon2id and HKDF. Your device is the source of truth — our cloud infrastructure serves only as an encrypted transport layer for multi-device synchronization.

5. Cloud AI processing

By default, no email content is sent to any cloud AI provider. Features such as thread summarization, entity extraction, and draft assistance require explicit, per-action consent via a consent sheet that displays the exact payload before transmission. When you opt in:

  • Only the specific content you approve is transmitted.
  • Data is sent to the configured AI provider (e.g., Anthropic Claude API) under contractual data protection guarantees.
  • No AI provider trains on your data.
  • An encrypted audit event is logged locally for your review.

6. Third-party services

TwinMail integrates with the following third-party services:

  • Stripe: Payment processing. Stripe handles all payment information under their own privacy policy. We do not store credit card numbers.
  • Anthropic Claude API: Optional AI features (explicit opt-in only). Content is sent with contractual guarantees including no model training on user data.
  • Cloudflare R2: Encrypted blob storage for multi-device sync. All data is encrypted client-side before transmission. Zero-egress architecture.
  • Email providers (Gmail, Outlook, iCloud, Yahoo, IMAP): We connect via OAuth or application-specific passwords. Provider credentials are stored exclusively in your encrypted local Vault.

7. Data retention and deletion

Account data is retained for the duration of your active subscription plus 90 days. Encrypted sync blobs are deleted within 30 days of account deletion. Billing records are retained for 7 years as required by law. You may request immediate deletion of all personal data at any time by contacting privacy@twindevs.com.

8. Your rights (GDPR and CCPA)

You have the following rights under applicable data protection laws:

  • Right to access: Request a copy of all personal data we hold about you.
  • Right to deletion: Request complete account and data deletion.
  • Right to export: Download all your data in standard formats (MBOX for email).
  • Right to restrict processing: Limit how we use your data.
  • Right to opt out: Disable optional analytics and AI features at any time.
  • Data portability: Export emails in standard formats compatible with other clients.
  • Non-discrimination: We will not discriminate against you for exercising these rights.

To exercise these rights, contact privacy@twindevs.com.

9. International data transfers

TwinMail uses US-based infrastructure for cloud services. International data transfers comply with GDPR Standard Contractual Clauses (SCCs). Our zero-knowledge architecture significantly simplifies compliance because we cannot access the content of your communications.

10. Contact information

For privacy inquiries: privacy@twindevs.com

Data Protection Officer: dpo@twindevs.com

Twindevs, Inc.