Twome Privacy Policy
Effective date: September 21, 2025
Last updated: September 21, 2025
This Privacy Policy applies worldwide, including the EEA/UK (GDPR/UK GDPR) and California (CCPA/CPRA). It explains what we collect, how we use and share it, how long we keep it, how we protect it, and your rights and choices. By using Twome, you agree to this Policy. If you do not agree, please do not use the Services.
Twome is provided by Vivid World Inc. (“Twome,” “we,” “us,” “our”).
Contact: privacy@twome.ai
For terms governing your use of our Services, see our Terms of Use.
1. The Services
- Services: our websites, apps, and platform features that let you create an AI-powered digital twin (“Twome”) and interact with other Twomes via live video calls and messages.
- Scope: this Policy covers information we process when you visit, create a Twome, participate in calls, or contact us.
We collect information you provide, information collected automatically, and information from third parties. Some information (e.g., facial imagery and voice samples) may be considered biometric or sensitive under applicable laws.
We use information to provide and improve the Services, communicate with you, and protect users.
- Provide and operate: create/host your Twome; enable real‑time calls and messaging; authenticate; support; maintain and secure the platform.
- Personalize and improve: customize content; debug; analyze performance; develop new features. We use your data to train or improve models only if you opt in.
- Communicate: service/transactional messages, updates, and support replies; marketing where permitted and consistent with your preferences.
- Safety and compliance: detect/prevent fraud and abuse; enforce our Terms; comply with legal obligations.
4. Legal Bases (EEA/UK)
Under GDPR/UK GDPR, we rely on:
- Performance of a contract (Art. 6(1)(b)): account creation, operating real‑time calls, core features.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, service diagnostics, limited analytics—balanced against your rights.
- Consent (Art. 6(1)(a)): marketing, non‑essential cookies, model training/improvement, optional recordings/transcripts.
- Explicit consent for special categories (Art. 9(2)(a)): biometric‑related processing (facial geometry and voice characteristics) to create and operate your Twome.
- Legal obligations (Art. 6(1)(c)): responding to lawful requests and record‑keeping.
You may withdraw consent at any time without affecting the lawfulness of prior processing.
5. Biometric, Calls, and Recordings
-
Biometric‑related processing: we analyze facial geometry and voice characteristics to generate and run your Twome. We store such data separately with strict access controls and encryption.
-
Model training/improvement (opt‑in): we use conversation content, call metadata, or biometric derivatives for training or improvement only if you explicitly opt in. Opting out does not limit core features.
-
Call recordings and transcripts:
- Default: we do not store full video of your calls; transient frames/audio are processed in memory to operate the call.
- Optional: you can enable recordings/transcripts for your own use. In all‑party consent jurisdictions, we will clearly indicate recording and obtain consent from participants.
- Retention: if enabled, we keep recordings/transcripts until you delete them or for up to 90 days (whichever comes first), unless a longer period is legally required or permitted for safety/legal reasons.
-
Public visibility controls: you can set your Twome to public, link‑only, followers, or private; you can block users or pause discoverability. Other users may still capture content using their devices; we cannot control third‑party recordings.
We do not sell personal information for money. We share information as needed to operate the Services and as permitted by law.
- Service providers (processors): hosting, storage, real‑time media, AI inference, analytics, communications, support, payments, and anti‑abuse—under contracts that restrict use to our instructions and require safeguards.
- With your direction or consent: e.g., content you choose to share, integrations you enable, or referrals you initiate.
- Legal and safety: to comply with law, enforce our Terms, or protect rights, property, and safety.
- Business transfers: in a merger, acquisition, financing, or sale of assets, under protective agreements.
7. Cookies and Tracking
- Essential cookies support login, security, and core functions.
- Where required, we seek consent for analytics/measurement cookies.
- You can control cookies in your browser settings. Blocking cookies may affect functionality.
8. Your Rights and Choices
We honor rights as required by your local law.
- Common rights: access, rectification, deletion, restriction, portability, objection (including to direct marketing), and withdrawal of consent (marketing, non‑essential cookies, training, recordings).
- How to exercise:
- In‑app: Settings > Privacy (if available).
- Email: privacy@twome.ai with subject “Data Request” and your request.
- Verification and timing: we may ask for information to verify your identity. We respond within one month (GDPR/UK) or 45 days (California), with extensions as permitted.
9. Data Retention
- Account deletion: active systems within 30 days; backups/logs within 90 days.
- Biometric templates/derivatives: removed from active systems within 30 days after you delete your Twome or withdraw consent; non‑identifiable safety/anti‑abuse derivatives may be retained as permitted by law.
- Optional recordings/transcripts: until you delete or 90 days max (unless required longer for safety/legal reasons).
- Safety/fraud records: up to 24 months where permitted.
- Legal holds: we may preserve data if required by law, dispute, or investigation.
10. Security
We use technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES‑256).
- Segregated storage for biometric templates; strict role‑based access and least‑privilege reviews.
- Managed key management with periodic rotation.
- MFA/SSO for employee access; audit logging and anomaly detection.
- Secure development practices and periodic independent penetration testing.
No method of transmission or storage is 100% secure. We use commercially reasonable safeguards and improve them over time.
11. International Transfers
We may process data in countries outside your own. For EEA/UK users, where a destination country is not deemed adequate, we use appropriate safeguards such as Standard Contractual Clauses (and the UK IDTA, where applicable), along with additional technical and organizational measures. You may request more information at privacy@twome.ai.
12. California Privacy (CCPA/CPRA)
This section applies to California residents.
- Categories: identifiers (e.g., email, device IDs), internet/network activity, approximate geolocation, audio/visual info (if you enable recordings), inferences, and sensitive data (biometric‑related facial/voice characteristics for your Twome with consent).
- Purposes and disclosures: as described in this Policy; to service providers under contracts; for safety/legal reasons; or with your direction.
- “Sale”/“Sharing”: we do not sell personal information for money. If we engage in cross‑context behavioral advertising, you may opt out by emailing privacy@twome.ai with subject “Do Not Sell or Share” and providing the device/account to apply it to. We will honor and confirm your request.
- Limit sensitive personal information: email privacy@twome.ai with subject “Limit Sensitive” to limit use/disclosure to what is necessary to provide the Services.
- Authorized agents: agents may submit requests on your behalf; we may require proof of authorization and identity verification.
- Non‑discrimination: we will not discriminate against you for exercising your rights.
13. Children’s Privacy
The Services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If we learn that a child under 16 (or under 13 in the U.S.) provided personal data without proper consent, we will delete the account and related data. We use reasonable age‑gating during sign‑up.
14. Jurisdiction‑Specific Notes
- Recording consent: in jurisdictions that require all‑party consent to record communications, we will clearly indicate recording and obtain consent from participants before recording.
- Biometric laws (e.g., Illinois BIPA): where applicable, we obtain informed written consent; we do not sell/lease/trade biometric identifiers; we retain them only as long as needed to provide your Twome or for up to three years after your last interaction (whichever is shorter), then delete unless a longer period is legally required.
15. Changes to This Policy
We may update this Policy from time to time. We will post the updated version with a new “Last updated” date. If changes are material, we will provide additional notice (e.g., in‑app or email). Please review periodically.
- Email: privacy@twome.ai
- Mailing address:
Vivid World Inc. (d/b/a Twome)
Attn: Privacy Officer
1111B S Governors Ave STE 37424
Dover, DE 19904, United States
If you are in the EEA/UK and wish to contact our EU/UK representative (if/when appointed) or our data protection officer (if designated), email privacy@twome.ai.
17. Quick Controls
- Access, delete, or correct your data: email privacy@twome.ai with subject “Data Request.”
- Opt out of marketing: use the unsubscribe link in our emails or email privacy@twome.ai.
- Withdraw consent for model training or recordings: adjust in‑app Settings > Privacy (if available) or email privacy@twome.ai.
- California requests (“Do Not Sell or Share,” “Limit Sensitive”): email privacy@twome.ai with the relevant subject line and your device/account details.