Privacy Statement
Last updated: 27 June 2026
The Dutch version on/nl/privacy/is the authoritative legal text. This English summary is provided for convenience and is kept in sync with the Dutch version; if anything diverges, the Dutch version prevails.
en:twine helps organisations with AI readiness and implementation. In doing so, we process personal data. This page summarises what data we process via this website, why, for how long, and with which parties. Questions? Emailprivacy@en-twine.ai. We respond within one month (art. 12(3) GDPR, extendable by two months for complex requests).
1. Who is responsible
en:twine B.V. is the controller, with statutory seat in Utrecht, registered with the Dutch Chamber of Commerce under KvK number 42091831. Privacy contact: Lynn Diepenbroek,privacy@en-twine.ai.
We have not appointed a Data Protection Officer because our core activities do not involve large-scale observation or processing of special-category personal data (art. 37 GDPR criteria not met). We have not appointed a UK representative under art. 27 UK GDPR; our processing of UK visitors' data is occasional and not high-risk. UK visitors can reach us directly via the privacy contact.
Our services are aimed at business users and are not intended for minors under 16.
2. What data we process and why
We process personal data for four concrete purposes on this site, plus technical logging for site operation and security:
- Contact form — name, email, phone (optional), organisation, message content. Purpose: respond to your inquiry. Legal basis: pre-contractual measure or legitimate interest. Retention: 12 months from last contact (extended to 7 years if a contract follows, per art. 52 AWR).
- AI Readiness Scan (chatbot) — your name, email address, company name, optional company website, questions and answers, scan results, report link, session ID, timestamp, technical metadata, and publicly available company context that we retrieve based on the company name and optional website to personalize the scan.You are talking to an AI system, not a human. Purpose: run the scan, generate an indicative AI-readiness result and report, email the report to you, send at most one reminder if you do not finish the scan, organize internal follow-up, and, with your consent, follow up once personally about your result. Data may be analyzed in anonymized or redacted form for product improvement and market research. Legal basis: your consent at session start. You can stop by closing the session; to withdraw consent or request deletion, email privacy@en-twine.ai. The output is indicative; no automated decisions with legal effect (art. 22 GDPR) are made. Processors and internal tools can include Supabase for scan storage, Exa or public website metadata for company context, Anthropic PBC (Claude LLM, US, EU-US DPF + SCCs) for AI processing, Resend for report/reminder email, and Slack/Notion for limited internal notification and CRM follow-up. Internal follow-up can include name, email, company, score, report link, and scan summary/result for authorized team members. Anthropic does not use inputs/outputs for model training; inputs/outputs are retained 30 days; trust-and-safety classifier scores are retained up to 7 years. Unfinished scans are closed after about 24 hours. Raw chat content is retained up to 90 days, then removed while a redacted or anonymized copy may remain for analysis. Contact, report, and follow-up data are retained up to 12 months from the last scan interaction unless a contract follows or longer retention is required for legal obligations or dispute handling. Do not enter special-category personal data, trade secrets, or third-party confidential information.
- Cookies and product/marketing analytics (PostHog and GA4) — strictly necessary cookies are placed without consent (art. 11.7a(3) Dutch Telecommunications Act). Browser-based PostHog analytics, and optional session replay where enabled, are loaded only after consent via the cookie banner. Google Analytics 4 is also loaded only after consent and measures site traffic/pageviews for cross-checking. These analytics cover pageviews and product interactions that we explicitly send, plus first/last-touch attribution such as UTM parameters, landing page, and external referrer. We do not use third-party ad networks, retargeting, or cross-site tracking. Google Signals, User ID, user-provided data collection, ads personalisation, remarketing, and product links with Google Ads or other advertising products are disabled. GA4 email redaction and query-parameter redaction are active for sensitive/private URL parameters, and Enhanced Measurement form interactions are disabled. You can withdraw analytics consent through the Cookie settings link in the footer; this stops future browser analytics, while deletion of data already sent to PostHog or Google Analytics can be requested via the privacy contact. Server-side AI Readiness Scan events and owner follow-up report events are recorded only for assessments created after explicit scan consent; these can use the assessment ID and be linked to your scan record internally. Report page views and report-page clicks are measured only through the browser analytics layer after cookie consent. Processed by PostHog Cloud EU and Google Analytics 4 under data processing terms. Transfers or access outside the EEA are governed by our processing arrangements and appropriate safeguards. Events are tagged with environment (production/staging/development) so non-production traffic can be excluded from production dashboards. Retention: PostHog events 12 months, PostHog replays 30 days, and GA4 event/user data 2 months without reset on new user activity.
- Calendly — scheduling a call uses Calendly (pop-out). We process name, email, organisation, phone (optional), chosen time slot, timezone, and intake answers. Processor: Calendly LLC (US, EU-US DPF + SCCs + UK IDTA). We do not use Calendly Notetaker. Retention: 12 months.
- Server and security logs — hosting provider: Vercel Inc., with compute in Vercel region fra1 (Frankfurt, Germany) and a global edge/CDN network for delivery, caching, and logs. Technical logs (IP, timestamp, user-agent) are retained up to 30 days for availability, debugging, and security (legitimate interest, art. 6(1)(f) GDPR).
3. Processors and transfers outside the EEA
We sign DPAs (art. 28 GDPR) where a party processes personal data on our behalf. Transfers outside the EEA take place under an adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses (art. 44–49 GDPR), with the UK Addendum where applicable.
- Vercel Inc. — processor, website hosting, Vercel region fra1 (Frankfurt, Germany) for compute / global edge for delivery, caching, and logs. EU-US DPF + SCCs.
- Supabase — processor, database and server-side storage for scan records, messages, scores, and report data. DPA + appropriate transfer safeguards.
- PostHog Inc. — processor, analytics + optional session replay, Cloud EU (Frankfurt).
- Google Ireland Ltd / Google LLC — processor, Google Analytics 4 site analytics. EU-US DPF + SCCs for sub-processing.
- Anthropic PBC — processor, LLM API for the chatbot, US. EU-US DPF + SCCs.
- Exa — processor, public company context for the AI Readiness Scan, US. DPA + appropriate transfer safeguards.
- Resend — processor, transactional email for contact forms, scan reports, reminders, and report shares, US. EU-US DPF + DPA.
- Notion — processor, internal CRM and sales follow-up for scan leads. DPA + appropriate transfer safeguards.
- Slack Technologies — processor, internal notifications for completed scans and operational alerts. DPA + appropriate transfer safeguards.
- Calendly LLC — processor (booking data) and independent controller (its own account management), US. EU-US DPF + SCCs (Module 2) + UK IDTA.
- Google Ireland Ltd / Google LLC — processor, business email (Google Workspace, EU data residency Frankfurt). Adequacy decision (intra-EU) + EU-US DPF + SCCs for sub-processing.
We do not sell your data and do not use it for profiling beyond the purposes described above. We provide a copy of the safeguards used on request.
4. Security
We apply appropriate technical and organisational measures (art. 32 GDPR): TLS in transit, need-to-know access, logging, vendor selection, periodic review. We notify the Dutch DPA (and, where required, you) within 72 hours of a breach with risk (art. 33–34 GDPR).
Suspect a breach? Email privacy@en-twine.ai.
5. Your rights
Under the GDPR (and UK GDPR for UK residents) you have the right to access, rectification, erasure, restriction, portability, objection, and withdrawal of consent (art. 15–21, art. 7(3) GDPR). You also have the right not to be subject to solely automated decisions with legal effect (art. 22 GDPR); our chatbot does not make such decisions. Send requests to privacy@en-twine.ai. We respond within one month and may request identity verification.
6. Right to complain
You can lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl). UK visitors can contact the Information Commissioner's Office (ico.org.uk).
7. Changes
We may update this statement when our website, vendors, or legal obligations change. The current version is always on this page, with the date of the last change.