In one paragraph
Almost everything you put into twine is end-to-end encrypted on your device before it is uploaded. Our servers store only unreadable ciphertext; the keys never leave your and your partner's devices. We can see your account email, the fact that your account is paired with your partner's, and basic operational metadata. We do not sell your data, we do not show ads, and we do not run third-party analytics or tracking.
twine is operated by Nikky Amresh, an individual developer based in Bangalore, India ("we", "us", "the developer"). Contact and grievance officer: [email protected]
1. Who this applies to
twine is intended for adults. You must be 18 or older to use twine. twine is not directed at children, and we do not knowingly collect personal data from anyone under 18. If we learn we have, we will delete it. (We use 18 because India's DPDP Act treats anyone under 18 as a child; this single age limit also satisfies COPPA and GDPR digital-consent rules.)
2. What we collect
2a. Data we can read
- Account identity. Your email address and a Firebase user ID. If you sign in with Google or Apple, we receive the basic identity those services return (name and email; Apple lets you hide your email behind a relay).
- Pairing metadata. The fact that your account is linked to your partner's account.
- Operational metadata. Timestamps of when you sync or change something; the type of item changed (for example "a date was updated"), which is used only to route a content-free notification to your partner; ciphertext object sizes and counts; and a per-couple activity cursor. Secret wishes and surprise dates never generate any notification.
- Push token. A Firebase Cloud Messaging device token so we can deliver notifications. Notification payloads never contain your content.
- Network and device data. Your IP address, app version, and request logs, held transiently for security, abuse prevention, and operating the service.
- TMDB search text. When you search for a movie or show, your search text passes through our proxy to TMDB so we can return results. We do not store it alongside your identity; your saved watchlist entries are stored encrypted.
2b. Data we cannot read (end-to-end encrypted)
The content of your notes, dates, wishes, journal entries, photos, and location tags is encrypted on your device using modern end-to-end encryption (X25519 key exchange with XChaCha20-Poly1305). The encryption keys and your recovery credentials never leave your and your partner's devices. Our servers, our database, and our file storage only ever hold ciphertext. We cannot read this content, moderate it, hand it to anyone in readable form, or recover it for you.
Important consequence: if you exhaust all recovery options (platform restore, PIN backup, and partner re-key), we cannot recover your content. There is no backdoor.
2c. No exceptions to end-to-end encryption
Your content never leaves your device in a form any server can read. There are no exceptions. Even "Download my data" runs entirely on your device: every text entry is already stored decrypted in your local copy, and your encrypted photos are pulled from storage and decrypted on the device before being zipped, so no keys are ever escrowed and nothing is decrypted on our servers.
2d. What we do NOT collect
We do not use advertising identifiers, we do not run third-party analytics SDKs, we do not access your contacts, and we do not track you across other apps or websites. We do not sell or "share" your personal information (as those terms are defined under California law). There is no automated decision-making or profiling.
3. Why we use your data (purposes and legal bases)
| Purpose | Data used | GDPR legal basis |
|---|---|---|
| Create and run your account, sync, deliver notifications | Email, user ID, push token, ciphertext, metadata | Performance of a contract (Art. 6(1)(b)) |
| Optional location tags on memories | Location (encrypted) | Consent (Art. 6(1)(a)) |
| Security, abuse prevention, debugging | IP, logs, device/app version | Legitimate interests (Art. 6(1)(f)) |
You can withdraw consent for the location feature at any time using the in-app toggle; withdrawing is as easy as granting.
4. Who we share data with
We use the following processors and service providers. Each receives only what is listed; none ever receives your readable content.
| Provider | Receives | Role |
|---|---|---|
| Google LLC (Firebase Authentication, Cloud Messaging) | Email / sign-in identity, user ID, push token, IP | Identity and push delivery |
| Cloudflare, Inc. (Workers, D1, R2, KV) | Ciphertext, routing metadata, IP, request logs | Hosting and encrypted storage |
| TMDB | Movie/TV search text via our proxy; no account data | Movie and show metadata |
| Mapbox, Inc. (when maps are enabled) | Map tile requests (IP, device metadata), SDK telemetry | Maps; you can opt out of Mapbox telemetry in the map's info control |
We do not sell your personal information and we do not share it for advertising. We may disclose data if required by law, but because your content is end-to-end encrypted, the most we can ever produce is account data, metadata, and unreadable ciphertext.
International transfers. Our providers operate globally, including in the United States. Where applicable, transfers rely on Standard Contractual Clauses and the providers' Data Privacy Framework certifications.
TMDB attribution. This product uses the TMDB API but is not endorsed or certified by TMDB.
5. How long we keep data, and deletion
- We keep your data for as long as your account exists.
- You can delete your account at any time from within the app (Profile → Delete account) or by requesting deletion at our deletion page.
- When you delete your account, we delete your account record (Firebase Auth), email, and push tokens, and the ciphertext we hold for you, from production systems within 30 days.
- What happens to the shared space: when one partner deletes their account, the couple space is dissolved and the deleting user's server-side ciphertext is deleted. Your partner's device-local copy of shared memories may remain on their device.
- Backups and logs. Deleted data may persist in encrypted backups and transient logs for up to 35 days before automatic purge. Anything in backups remains ciphertext that no one holds the keys to once your devices are gone.
6. Your rights
Everyone: you can access, correct, export, or delete your account data, and withdraw consent for optional features. Email [email protected]. Because content is end-to-end encrypted, an access/export request can only return what we hold: your account data, metadata, and ciphertext.
EEA/UK (GDPR): you also have the rights to restriction, objection, and portability, and the right to lodge a complaint with your local supervisory authority. Because your content is end-to-end encrypted, we do not process readable special-category data.
India (DPDP Act 2023): you have the rights to access, correction, erasure, grievance redressal, and nomination, and the right to complain to the Data Protection Board of India. Our grievance contact is [email protected]. We will notify affected users and the Board of a personal-data breach as required.
California (CCPA/CPRA, CalOPPA): we do not sell or share personal information and do not use it for cross-context behavioural advertising. We honour Global Privacy Control / Do Not Track signals to the extent they apply; we do not track users for advertising in any case.
7. Security
Content is end-to-end encrypted on your device before upload. All network traffic uses TLS. Encryption keys live in your device's secure keystore (flutter_secure_storage, backed by iOS Keychain and Android Keystore). Account recovery uses a PIN-protected server backup (Argon2id key derivation, rate-limited, server-side peppered) that only you control, plus platform-level iCloud/Google Block Store restore and partner re-keying. We never log plaintext content or keys.
8. Changes to this policy
If we make material changes, we will update the "Last updated" date and, where appropriate, notify you in the app. Continued use after an update means you accept the revised policy.
9. Contact
Nikky Amresh, Bangalore, India
Email and grievance officer: [email protected]