What we collect
- Account data: name, email, organization, role.
- Environment data: the structured profile you submit through the intake wizard, document uploads, and the structured output our engine produces.
- Integration data: CyberTwin is upload-based today. Should we later offer read-only API integrations, we would pull only the minimum-scope data described on our Trust & security page.
- Operational data: sign-in events, audit-log entries, billing events from Stripe.
- Marketing-site data: coarse, cookieless first-party analytics — the page path, referrer, a coarse device class (mobile/desktop/bot), and country, sent to our own server. No IP address or fingerprint is stored. No third-party analytics, no autocapture, no session replay.
Why we collect it
- To deliver the recommendation engine you are paying for (legitimate interest, contractual necessity).
- To bill you (contractual necessity).
- To meet our security and audit obligations (legal obligation).
- To send transactional email related to your account (contractual necessity).
- To send marketing email only if you opt in (consent).
How we protect it
Data is encrypted at rest by the cloud provider and in transit via TLS 1.2+. Any integration credentials (should read-only integrations ship) would be envelope-encrypted with a customer-isolated KMS key. Region-pinned data residency is available on Enterprise — contact us to scope it for your organisation.
How long we keep it
- Active account data: while your account is active.
- Environment data: while your account is active; after cancellation, the account is read-only for 90 days so you can export, data is retained a further 90 days for re-activation, then deleted — 180 days total. (See the cancellation terms for the full timeline.)
- Audit logs: 12 months.
- Billing records: 7 years (tax retention requirements).
Your rights
If you are in the EU/UK, GCC, California, or any jurisdiction whose privacy law gives you specific rights, you can request access, correction, deletion, or portability. Email privacy@cybertwin.io; we respond within 30 days.
Children
Not directed at children under 16. We do not knowingly collect data from them.
Changes
We update this policy when our practices change. Material changes are emailed to org Owners with at least 14 days notice. Old versions are linked here.
Contact
Privacy team: privacy@cybertwin.io
Security disclosure: security@cybertwin.io