Privacy Policy
Last updated: 13 June 2026
1. Who we are
twyn.life ("twyn", "we") is a personal health data platform operated by Oleksii Lazorenko as an individual, currently in private beta. For anything related to your data, contact hello@twyn.life. For the purposes of the EU General Data Protection Regulation (GDPR), Oleksii Lazorenko is the data controller.
2. What data we collect
Data you provide
- Account data — email address, name, authentication identifiers.
- Health data — laboratory results, medical records, wearable and tracker measurements (sleep, heart rate, activity and similar), supplement and medication lists, genetic data files, nutrition logs, diary notes, goals, and profile facts (such as date of birth and biological sex). This is special-category data under Article 9 GDPR. We process it only because you deliberately upload or enter it — that is, on the basis of your explicit consent (Article 9(2)(a)). You can withdraw consent at any time by deleting data or your account.
- Connected device data — if you connect Oura, WHOOP, or another wearable account, we collect only the categories you authorize through that provider's OAuth flow. For Oura this may include sleep, readiness/activity summaries, heart-rate data, workouts, sessions, tags, SpO2, and basic profile data depending on the scopes you approve. For WHOOP this may include recovery, cycles/strain, workouts, sleep, profile, and body-measurement data depending on the scopes you approve.
- Waitlist data — the email address you submit on the landing page.
Data collected automatically
- Technical data — IP address, browser type, and basic usage events needed to run, secure, and improve the service. We do not use advertising trackers and we do not sell data — to anyone, ever.
3. How we use your data
- To provide the service: store, normalize, and display your health data back to you.
- To expose your data to AI agents you connect: data is only accessible with personal access tokens that you issue and can revoke in Settings.
- To run AI-assisted features you invoke (lab PDF extraction, note structuring, variant annotation): relevant excerpts of your data are sent to our AI subprocessors (Anthropic, OpenAI) and processed under their API terms, which prohibit training on your data.
- To sync connected devices you explicitly authorize (including Oura and WHOOP): we use the provider connection only to import, normalize, and show your own data back to you, and to expose it to AI agents you explicitly connect.
- To communicate with you about the service (invites, important changes).
We do not sell your data, use it for advertising, or train machine-learning models on it. We do not use Oura, WHOOP, or other connected-device data for unrelated analytics, resale, or model training.
4. Where your data lives and who processes it
Your data is encrypted in transit and at rest. We use the following subprocessors:
- Supabase — database, authentication, and file storage.
- Vercel — application hosting.
- Anthropic — AI processing for features you invoke.
- OpenAI — text embeddings for search features.
Some subprocessors process data in the United States. Such transfers rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses, as applicable to each provider.
Within the platform, your data is isolated per user account (row-level security). Raw files you upload are preserved unchanged in private storage so that your data remains portable and re-processable.
OAuth access and refresh tokens for connected devices (including Oura and WHOOP) are stored encrypted and used only to refresh your connection and sync the data you authorized. You can disconnect a provider in Settings. When the provider supports it, we revoke the provider token as part of disconnecting or deleting your account.
5. How long we keep it
Your data is kept for as long as your account exists. If you delete your account, all of your data — including raw files — is deleted. Waitlist emails are kept until you are invited or ask to be removed. Backups expire on a rolling schedule within 30 days.
6. Your rights
Under the GDPR you have the right to:
- access your data and receive a copy of it (portability);
- correct inaccurate data;
- delete your data ("right to be forgotten");
- restrict or object to processing;
- withdraw consent at any time;
- lodge a complaint with a supervisory authority — in Portugal, the CNPD (Comissão Nacional de Proteção de Dados).
Data export and account deletion are self-serve: open Settings → Privacy & Data in the app to download a complete copy of your data or permanently delete your account. For anything else, email hello@twyn.life — we respond promptly.
7. Cookies
We use only essential cookies (session authentication). We do not use advertising or cross-site tracking cookies.
8. Changes
We may update this policy as the product evolves. Material changes will be announced by email to account holders before they take effect.