Privacy Policy
Privacy Policy for freelanceOS
Effective date: 27 October 2025
Service: freelanceOS (a CRM for freelancers)
Data Controller: Thomas Graham James Birch, micro-entrepreneur, trading as TwinMinds Studio — SIREN 924 532 476, SIRET 924 532 476 00018.
Registered address: 14 Avenue Eugène Thomas, 94270 Le Kremlin-Bicêtre, Île-de-France, France
Contact (privacy): legal@twinminds.studio
This Privacy Policy explains how TwinMinds Studio ("TwinMinds", "we", "us") collects, uses, and shares information when we act as a controller (e.g., our website, your account, billing, analytics, and communications). When we process Personal Data on your behalf inside freelanceOS (your CRM records), we act as a processor and the Data Processing Addendum (DPA) governs that processing.
1) Scope and Roles
- Controller processing (this Policy): visitors to our websites, prospective and existing customers, account owners and users, billing contacts, and recipients of TwinMinds’ own emails.
- Processor processing (DPA): your uploaded/collected CRM data (contacts, notes, files, messages) processed in your workspace. See /dpa.
2) Data We Collect (controller)
We collect and process the following categories of data:
- Account & Profile Data: name, business name, email, password hash, role, workspace details.
- Billing & Transaction Data: subscription plan, invoices, taxes/VAT, payment status. Card data is handled by Stripe; we do not store full card numbers.
- Service Usage Data: app interactions, feature usage, and diagnostic events (for security and performance).
- Device & Log Data: IP address, device/browser type, language, timestamps, referrer URLs.
- Support Data: content of messages, tickets, attachments you send us.
- Marketing Preferences: your opt-in/out choices for product updates or newsletters.
- Cookies & Similar Tech: see Section 8.
We do not intentionally collect special categories of data (e.g., health data) as controller.
3) Purposes and Legal Bases
We process Personal Data under the GDPR on these bases:
- Contract (Art. 6(1)(b)) – to create and administer your account, provide the Service, issue invoices, and respond to support requests.
- Legal Obligation (Art. 6(1)(c)) – to comply with tax, accounting, and regulatory requirements.
- Legitimate Interests (Art. 6(1)(f)) – to secure and improve the Service (e.g., prevent abuse, debug, measure basic usage), and to send service communications. We balance our interests against your rights and expectations.
- Consent (Art. 6(1)(a)) – for non-essential cookies/analytics in the EEA/UK and for marketing emails where required. You can withdraw consent at any time.
4) How We Share Information
We share Personal Data with:
- Service Providers/Sub-Processors: Vercel (hosting), Supabase (database/storage/auth), Stripe (payments/taxes), Brevo (transactional & opted-in marketing emails), Google Analytics (analytics).
- Professional advisors (legal/accounting) and authorities where required by law.
- Business transfers: in connection with a merger, acquisition, or sale of assets.
We do not sell Personal Data.
5) International Transfers
We are based in France (EU). Where providers process data outside the EEA/UK, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum. Details appear in our DPA and Sub-processors page (/legal/subprocessors).
6) Data Retention
- Account & Billing: retained while your subscription is active and thereafter as needed for legal/accounting obligations (e.g., French accounting records are typically retained up to 10 years).
- Support tickets: up to 24 months after closure.
- Technical logs: up to 12 months, unless required longer for security/investigations.
- Marketing data: until you unsubscribe or 24 months after last interaction.
- Backups: overwritten in the ordinary course (target ~30 days).
- For processor data in your workspace, see deletion commitments in the DPA (default 30 days after verified request or account closure).
7) Security
We implement appropriate technical and organizational measures aligned with our size and risk profile, including TLS encryption in transit, provider-level encryption at rest, role-based access, least-privilege, and routine patching. No method of transmission or storage is 100% secure.
8) Cookies and Analytics
- We use essential cookies to operate and secure the Service.
- We use Google Analytics to understand aggregated usage and improve the Service. In the EEA/UK, Analytics is loaded only with your consent via our cookie banner.
- You can adjust cookie preferences at any time via the banner or your browser settings.
9) Your Rights (EEA/UK)
Subject to conditions and exemptions, you have the right to access, rectify, erase, restrict, object, port your data, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local authority. In France, this is the CNIL (Commission nationale de l’informatique et des libertés).
To exercise rights, email legal@twinminds.studio from the address associated with your account. We may request additional verification to protect your data.
10) Children
The Service is intended for business users aged 16+. We do not knowingly collect personal data from children.
11) Communications
- Transactional emails (account, billing, security) are necessary to provide the Service.
- Marketing emails are sent only with your consent where required, and always include an unsubscribe link.
- Workspace emails sent via freelanceOS are covered by your own legal obligations as controller; see our Terms and AUP.
12) Links and Third Parties
Our websites and apps may link to third-party sites or services. Their privacy practices are governed by their own policies.
13) Changes to this Policy
We may update this Policy from time to time. Material changes will be notified (email or in-app) at least 30 days before they take effect where feasible. Your continued use after the effective date means you accept the updated Policy.
14) Contact Us
For questions or requests about privacy, contact TwinMinds Studio at legal@twinminds.studio.
Controller vs. Processor — Quick Reference
- This Privacy Policy covers how TwinMinds acts as a controller (website, account, billing, analytics, our own communications).
- Your DPA covers how TwinMinds acts as a processor for your workspace data inside freelanceOS (customer contacts, files, messages).
- If there’s any conflict between this Policy and the DPA regarding processor activities, the DPA controls.
This document is provided for general information and does not constitute legal advice. Consider consulting counsel to adapt it to your specific use cases or jurisdictions.