Privacy Policy

1. Who is the controller

The data controller for this website and the services we deliver is:

TwiceData is a US-based entity. We do not have an EU establishment. For EU/UK data subjects we acknowledge the obligations of the GDPR and UK GDPR when offering services to people in those jurisdictions (Article 3(2)(a) — “extraterritorial” scope).

Article 27 EU Representative: TwiceData is preparing to appoint a representative in the Union per GDPR Article 27. In the interim, EU and UK data subjects can reach us directly at the contact address above. We will update this page with the appointed representative’s name and address once the appointment is finalized.

2. What we collect and why

We collect the minimum data needed to deliver our services. Concretely:

2.1 Contact-form submissions

When you submit the form at /contact we receive your name (if provided), work email, company name (if provided), and whatever you write in the “What are you trying to ship?” field. We also automatically receive your source IP address.

• Purpose: respond to your inquiry and scope a potential engagement.
• Legal basis: performance of a contract (steps prior to entering one), GDPR Article 6(1)(b); and our legitimate interest in responding to inbound business inquiries, Article 6(1)(f).
• Retention: 24 months from last contact unless a contractual relationship begins, in which case the email lifecycle follows the engagement record-keeping policy (typically 7 years for US tax purposes).
• Recipients: the email is delivered via AWS SES (see Sub-processors below) to our info@twicedata.com mailbox on Microsoft 365.

2.2 Website analytics

We use Microsoft Clarity to understand how visitors use the site (clicks, scroll depth, anonymous session replay) and GoAccess on our own server to summarize Apache access logs (page views, referrers, country, browser).

• Purpose: improve site usability; understand which content prospects find useful.
• Legal basis: legitimate interest, GDPR Article 6(1)(f). Clarity is configured for EU privacy mode — sensitive content is auto-masked, no personally identifying recordings are captured. Apache logs are processed with anonymized last-octet IP addresses.
• Retention: Clarity holds anonymized session data for up to 13 months. Apache access logs are rotated weekly with the prior 6 weeks retained.
• Opt out: Use your browser’s “Do Not Track” or any GPC (Global Privacy Control) signal; we honour both. Clarity also respects the “privacy mode” flag.

2.3 Server access logs

Apache logs every request (URL, status code, user agent, referrer, IP address). Last octet of IPv4 is masked before any human or analytics tool sees it.

• Purpose: security (detect attacks, abuse), debugging, rough traffic counts.
• Legal basis: legitimate interest, Article 6(1)(f).
• Retention: 6 weeks rolling.

3. International transfers (EU/UK → US)

Because TwiceData is US-based, all personal data we process is transferred to and stored on infrastructure located in the United States. Concretely:

• The website runs on AWS Lightsail in the us-east-2 region (Ohio).
• The contact-form mailbox info@twicedata.com is hosted on Microsoft 365 (tenant data location: United States).
• Email delivery uses AWS SES in us-east-1 (Virginia).
• Microsoft Clarity stores session telemetry in Microsoft Azure (EU residents’ data is processed in EU regions per Microsoft’s EU Data Boundary commitment).
• Cal.com (booking widget on the contact page) is operated by Cal.com, Inc., a Delaware corporation with operating offices in Berlin, Germany. Booking metadata you provide (name, email, scheduled time) is stored on Cal.com’s EU infrastructure.

Transfers from the EU/UK to the US rely on the EU-US Data Privacy Framework (DPF) where the recipient is certified (AWS and Microsoft are both DPF-certified). For any recipient that is not, we are putting Standard Contractual Clauses in place as we finalize our EU setup, and will share copies on request once executed.

4. Sub-processors

The third parties that process personal data on our behalf:

5. Your rights

If you are in the EU, UK, or any other jurisdiction that grants similar rights, you can:

• Access the personal data we hold about you.
• Rectify inaccurate data.
• Erase your data (“right to be forgotten”).
• Restrict processing, or object to processing that’s based on legitimate interest.
• Port your data to another controller in a machine-readable format.
• Withdraw consent at any time, where processing was based on consent.
• Lodge a complaint with your local supervisory authority (e.g., the Italian Garante for the Protection of Personal Data, or the ICO in the UK).

To exercise any of these rights, email info@twicedata.com. We aim to respond within 30 days as required by GDPR Article 12(3).

6. Automated decisions and profiling

We do not make automated decisions or perform profiling that produces legal or similarly significant effects on you (GDPR Article 22).

7. Children

Our services target B2B data engineering buyers and are not directed at children under 16. We do not knowingly collect data from minors.

8. Changes to this policy

Material changes will be noted at the top of this page with a new “Last updated” date. For changes that materially affect data subjects with active engagements, we’ll send a direct email notification.

9. Contact

Privacy-specific questions: info@twicedata.com (subject line: Privacy or GDPR).