Last Updated: April 19, 2026 Effective Date: April 19, 2026 Version: 2.0
Plain English summary: We collect the information you give us (account, addresses, photos, payment method) and basic technical data about how you use the Service. We use it to produce Reports, bill you, improve the Service, and send transactional email. We do NOT sell your personal information. You can download your data or delete your Account at any time from https://twellie.com/dashboard. Details below.
This Privacy Policy describes how Twellie, Inc. ("Twellie," "we," "us," or "our") collects, uses, shares, and protects personal information when you use our Service. This Policy applies to the Twellie website, mobile apps, and any other feature or product we offer. It is incorporated into our Terms of Service.
If you do not agree with this Policy, do not use the Service.
Account information: name (if provided), email address, password (hashed, never stored in plaintext), profile picture, phone number (optional).
Transaction and billing information: billing name, billing address, plan selected, purchase history. Credit card and bank-account details are collected and processed by our payment processor (Stripe) and are never stored on our servers.
Property information: addresses of properties you submit for analysis, property-specific photographs you upload, documents you upload (disclosures, inspection reports, titles), known issues or renovations you describe, notes.
Buyer-profile information (optional): maximum budget, down-payment amount, loan type and term, interest rate, purchase purpose (primary / investment / second home), first-time-buyer status, target rent (for investment properties), life-event context if you share it (e.g. relocation, marriage, retirement).
Support and feedback: questions, support messages, bug reports, survey responses, testimonials.
Communications: email replies, chat messages, SMS, phone calls if recorded (with notice).
Device and technical: IP address, browser type and version, operating system, device type, mobile advertising identifiers (IDFA, AAID) where available, device language and region, time-zone, network carrier, screen size.
Usage: pages visited, features used, clicks, taps, scroll position, session duration, referring/exiting URLs, timestamps, actions performed, error events.
Logs: server logs of API calls, authentication events, billing events, and security events.
Cookies and similar: see Section 12.
Approximate location: derived from IP address. We do NOT collect precise GPS location unless you explicitly opt in.
Public records: county assessor data, tax records, recorder of deeds, permit databases, court records — all retrieved based on addresses you submit.
MLS / listing feeds: where we license MLS data, we receive listing details for properties you analyze.
Federal / state data: FEMA flood zones, USGS seismic maps, Census demographics, Federal Reserve mortgage rates, EPA environmental records.
Payment data: Stripe shares the last-four digits of your card, expiration, brand, and billing address for your subscription records. Stripe does not share the full card number with us.
Authentication providers: if you sign in with Google/Apple (when enabled), we receive your email and profile picture from that provider per their policies.
Advertising partners: attribution events from Meta / Facebook, Google Ads (conversions), TikTok (if enabled).
We do not intentionally collect sensitive personal information (racial/ethnic origin, religious beliefs, political opinions, trade-union membership, genetic/biometric data, health data, sex-life or sexual-orientation data, precise geolocation, or government identifiers). If you voluntarily include such information in a document or note, you acknowledge you have submitted it of your own volition, and we will process it only to the extent necessary to deliver the Service.
Addresses you submit may relate to properties owned by third parties. Photographs may contain images of other people or their property. You represent that you have the right to submit this information and that doing so does not violate anyone's privacy rights. We treat third-party information subject to the same protections as your own.
We collect information in three ways:
We use your information to:
We do NOT use your identifiable personal information to train general-purpose AI models, and we do NOT train models on photographs of your home without your explicit consent.
We do not sell personal information in the colloquial sense of selling data for money. We share personal information only in the ways described below.
We share information with vendors who help us run the Service under binding contracts requiring them to safeguard it. Current sub-processors include:
| Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Authentication, database, file storage | United States |
| Stripe, Inc. | Payment processing, tax calculation, fraud screening | United States |
| Resend, Inc. | Transactional and marketing email | United States |
| Sentry | Error monitoring, performance tracing | United States |
| Google LLC | Gemini AI models, Google Analytics 4, Google Ads | United States |
| Anthropic, PBC | Claude AI models | United States |
| Meta Platforms, Inc. | Meta Pixel, Facebook App Events, Conversions API | United States |
| Cloudflare, Inc. | DNS, CDN, DDoS protection (if enabled) | United States |
| Shorebird | Over-the-air Flutter updates | United States |
| Apple, Google | Mobile app distribution + in-app-purchase (where applicable) | United States |
An updated list of sub-processors is maintained at https://twellie.com/sub-processors.
Lawyers, accountants, auditors, insurers, and similar professionals as needed to run our business, subject to confidentiality obligations.
If Twellie is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred to the successor entity. We will notify you of such a transaction and any material change to this Policy.
We may disclose information:
Where permitted and appropriate, we will push back against overly broad requests.
We will share information in additional ways when you direct us to — for example, sharing a Report with a real-estate agent or financial advisor you specify.
We may share aggregated or de-identified data (which cannot reasonably be linked back to you) with third parties (e.g. published market insights, partner integrations, research).
We do not "sell" personal information as defined by the California Consumer Privacy Act ("CCPA") or similar laws. We also do not "share" personal information for cross-context behavioral advertising, except that our use of the Meta Pixel and similar pixels may constitute "sharing" under these laws. See Section 9 for your right to opt out.
We use third-party AI models (Google Gemini, Anthropic Claude) to analyze property photos, synthesize Reports, and generate recommendations. When we call these providers:
If you prefer your data not be processed by third-party AI providers, do not use the Service — our core functionality depends on them.
Twellie is based in the United States. We process personal information in the United States and other countries where our sub-processors operate. Data-protection laws in the United States may be less protective than those in the EU, UK, Switzerland, or your home country.
For transfers from the EU/EEA, UK, and Switzerland:
By using the Service, you consent to transfer of your information to the United States.
We keep personal information only as long as needed for the purposes described in this Policy, after which we delete or anonymize it. Typical retention periods:
| Data | Retention |
|---|---|
| Account + profile | Until you delete your Account + 30 days (then purged from backups within 90 days) |
| Reports | Until you delete them, or 7 years after your last login (whichever is earlier) |
| Payment and billing records | 7 years (tax / accounting / audit compliance) |
| Support tickets and correspondence | 3 years |
| Server logs (containing IP, request data) | 90 days |
| Analytics (GA4, Meta Pixel) | Per those providers' default retention (typically 14-26 months) |
| Legal hold / litigation data | Duration of the hold or matter |
Where longer retention is required by law (e.g. tax records), we keep information only as long as that obligation requires.
Subject to applicable law, you have the right to:
Most rights can be exercised from your Account:
For all other requests (or if the above tools are unavailable for any reason), email privacy@twellie.com from the address associated with your Account. We respond within 30 days (45 for complex requests) as required by CCPA/GDPR.
To prevent unauthorized disclosure, we will verify your identity before honoring a deletion or access request. Verification may include confirming you control the email on file, answering security questions, or providing a government-issued ID (redacting sensitive fields). We delete verification materials after the request is fulfilled.
You may designate an authorized agent to make a request on your behalf. We may require proof that the agent has your written authorization.
We will not deny, charge different prices, or provide a different level of service because you exercised your privacy rights.
When you delete your Account:
Your email may also remain on a suppression list to honor your deletion (i.e., to prevent accidental re-enrollment).
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
| CCPA Category | Examples | Collected? |
|---|---|---|
| Identifiers | email, account ID, IP, device ID | ✅ |
| Personal information (Cal. Civ. Code § 1798.80) | name, address, phone | ✅ (when you provide) |
| Protected classifications | race, religion, etc. | ❌ |
| Commercial information | purchase history, subscription tier | ✅ |
| Biometric information | fingerprints, iris scans | ❌ |
| Internet/network activity | pages visited, search terms | ✅ |
| Geolocation | approximate (city-level from IP) | ✅ |
| Sensory | audio/visual recordings | Photos you upload |
| Professional/employment | job, employer | ❌ |
| Education information | school records | ❌ |
| Inferences | buyer profile, preferences | ✅ |
| Sensitive personal info | SSN, health, precise geo | ❌ |
Submit a verifiable consumer request via https://twellie.com/dashboard or by emailing privacy@twellie.com.
California residents may request information about our disclosure of personal information to third parties for direct-marketing purposes. Send a request to privacy@twellie.com.
If you are in the European Economic Area, United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation ("GDPR") or UK GDPR.
See Section 3.7 for the legal bases we rely on.
Twellie, Inc. is the data controller for personal information collected through the Service. Sub-processors listed in Section 4.1 act as processors.
You have the right to complain to a supervisory authority. Contacts:
If we require an EU representative under GDPR Art. 27, contact details will be published here. As of the Effective Date we rely on the cross-border exemption for occasional and non-large-scale processing; we will appoint an Art. 27 representative if/when required.
Processed per Standard Contractual Clauses (Section 6). You can request a copy of the SCCs at privacy@twellie.com.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Indiana (INCDPA), Nebraska (NEDPA), and any other state with a comprehensive privacy law have rights similar to (but sometimes narrower than) California's:
Exercise these rights via https://twellie.com/dashboard or privacy@twellie.com. We respond within 45 days (with one 45-day extension where permitted).
Cookies: small text files stored on your device. Local storage: similar to cookies, stored in your browser. Mobile SDKs: device identifiers used by Meta App Events and similar. Pixels / web beacons: transparent images used by Meta Pixel, Google Analytics.
Full list of cookies and their purposes is maintained at https://twellie.com/cookie-policy.
We use Meta Pixel on web and the Facebook App Events SDK in the mobile app to measure the effectiveness of Facebook and Instagram ads, attribute signups and subscriptions, and (where enabled) show you relevant ads on Meta platforms. Events we send include PageView, CompleteRegistration, InitiateCheckout, and Purchase.
iOS 14+ users: We honor App Tracking Transparency. If you deny tracking, we disable conversion signals that require the IDFA.
Used for product analytics and ad attribution. IP addresses are anonymized server-side.
We implement reasonable technical and organizational measures to protect personal information:
No system is perfectly secure. Keep your password confidential, use a strong unique password, enable any available MFA, and notify us immediately at security@twellie.com if you suspect unauthorized access.
The Service is not directed to children under 18 and is not intended for anyone under the age of majority in their jurisdiction. We do not knowingly collect personal information from children under 13 ("Children" as defined in the Children's Online Privacy Protection Act, COPPA, 15 U.S.C. §§ 6501-6506).
Consistent with COPPA:
If you are a parent or guardian and believe a child has submitted personal information to Twellie, email privacy@twellie.com with the child's email address (or any identifier you know) and a brief description. We will:
California Business and Professions Code § 22581 grants minors aged 13-17 the right to request removal of content they posted. Teens in California may email privacy@twellie.com to request removal. Some content may be retained in anonymised form or for law-enforcement compliance, per statute.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account profile (email, name, auth record) | Life of account + 30-day soft delete | Service continuity + accidental-click recovery |
| Reports (report_json) | Life of account, or 7 years after last login | User access to their own history |
| Usage counters (monthly report count) | 7 years | Billing audit + tax |
| Subscription records (Stripe data, invoices) | 7 years | Tax, accounting, audit |
| Payment transactions | 7 years | Tax, accounting, audit |
| Consent acceptances | 10 years | GDPR Art. 7 burden-of-proof |
| Deletion requests | 10 years | Compliance audit trail |
| Support tickets | 3 years | Product learning, dispute resolution |
| Server access logs (IP, request path) | 90 days | Security investigation, debugging |
| Sentry events | 30-90 days (varies by plan) | Error monitoring |
| GA4 events | 14 months | Analytics retention default |
| Meta Pixel events | 180 days (Meta default) | Ad attribution |
| Email deliverability logs (Resend) | 30 days + 6 months archive | Anti-abuse, bounce handling |
| Cookie banner choice | 12 months | CCPA re-prompting requirement |
| Backups (all categories) | Rolling 90 days | Disaster recovery |
| Legal-hold / investigation data | Duration of hold + 2 years after closure | Litigation, regulatory |
Where longer retention is required by law (e.g., 7-year tax records), we retain only what the law requires and delete the rest.
Do Not Track ("DNT"): Most browsers send DNT signals but industry has not standardized interpretation. We do not currently respond to DNT signals.
Global Privacy Control ("GPC"): We do honor GPC signals. When your browser sends GPC headers, we treat it as an opt-out of sale/sharing for that browser session and persist the preference if you are signed in.
Reports and the Service may link to third-party websites (GreatSchools, FEMA, Zillow listings, etc.). Those sites' privacy practices are governed by their own policies. We are not responsible for third-party content or privacy practices.
Reports rely on automated processing (the AI analysis is the product). Reports are informational only and do not produce legal or similarly significant effects on you by themselves — you are the sole decision-maker about whether to act on a Report. Because Reports do not produce legal or similarly significant effects solely from the automated processing, GDPR Art. 22 restrictions on automated decision-making do not apply. We nonetheless honor all other GDPR rights, including access, deletion, and objection.
We may update this Privacy Policy from time to time. Material changes will be announced at https://twellie.com/privacy with a new "Last Updated" date and, where feasible, by email to the address associated with your Account at least 30 days before the change takes effect. Continued use after the effective date constitutes acceptance. For changes that materially reduce your rights, we will seek affirmative re-consent where required by law.
Twellie, Inc. [ADDRESS — INSERT BEFORE LAUNCH] United States
Email is the primary channel; we do not accept privacy requests by postal mail unless you require a specific accessible format.
© 2026 Twellie, Inc. All rights reserved.