Legal

Privacy Policy

Last updated 2026-05-18 · controller Agentix Global Services LLC

This Privacy Policy explains what personal data Agentix Global Services LLC(“we”, “us”, operator of TWILOX at https://www.twilox.com) collects from users of the service, how we use and share that data, how long we keep it, and what rights you have over it. It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and analogous data-protection laws. Read this together with the Terms of Service and the Acceptable Use Policy.

1 · Data we collect

  • Account data: email address, hashed authentication credentials, billing identifier (Stripe customer ID), subscription state.
  • Query inputs (target identifiers): the signal you submit to the orchestrator — for example, an email address, phone number, username, name, image, social handle, domain, IP, company name, or crypto wallet address. Query inputs are hashed in transit; we retain them only as needed to produce and deliver your dossier (see §4 Retention).
  • Dossier output: the findings produced by the orchestrator, including the cross-channel identity graph, source URLs, and AI-generated executive summary.
  • Payment metadata: Stripe session ID, last four digits of card, country of card, subscription status. Full card numbers, expiry dates, and CVV are processed and stored by Stripe — we never receive or store them.
  • Server logs: IP address, user-agent, request timing, error events — for abuse detection, fraud prevention, rate limiting, and operational security only.
  • Analytics: page views, referrers, viewport, and Core Web Vitals via Google Analytics 4 (GA4) with anonymize_ip: true. No advertising-network cookies.

2 · Data we do NOT collect

  • Plaintext queries beyond the retention window (queries are hashed in transit and purged with the dossier).
  • Full payment card details (handled exclusively by Stripe).
  • Browser fingerprints beyond standard request headers.
  • Cross-site behavioural advertising signals.
  • Third-party advertising or remarketing pixels.
  • Special-category personal data (racial / ethnic origin, religion, health, sexual orientation, genetic, biometric for identification of natural persons) — unless such data appears as part of a public-source finding the User explicitly requested.
  • Data of individuals under 18 (see §8 Children).

3 · What we do with the data (purposes & legal bases)

  • Deliver the service — orchestrate workers, produce the dossier, deliver it to the buyer, render it in your browser. Legal basis: performance of contract, GDPR Art. 6(1)(b).
  • Billing — process payment, manage subscription, send receipts. Legal basis: performance of contract, GDPR Art. 6(1)(b); legal obligation for tax / accounting records, GDPR Art. 6(1)(c).
  • Operational security — abuse detection, rate limiting, fraud prevention, incident response. Legal basis: legitimate interest, GDPR Art. 6(1)(f).
  • Service improvement & aggregate analytics — measuring uptime, latency, error rates, and page performance. Legal basis: legitimate interest, GDPR Art. 6(1)(f).
  • Legal compliance — responding to valid legal process, regulatory investigations, and data-subject rights requests. Legal basis: legal obligation, GDPR Art. 6(1)(c).

We do not sell personal data, do not share personal data for cross-context behavioural advertising, and do not engage in automated decision-making with legal or similarly significant effects on data subjects within the meaning of GDPR Art. 22.

4 · Retention

  • Query inputs & dossier output (single-case purchases): retained for 90 days from purchase, then permanently purged from primary storage. Copies in encrypted backup snapshots are purged on the next rolling backup cycle (max 30 additional days).
  • Operative subscriber dossiers: retained for the active subscription period plus 90 days after cancellation, then purged on the same backup cycle.
  • Account records: retained until the account is deleted at the User’s request, plus up to 90 days for backup-cycle rollover. Some billing records are retained longer where required by tax / accounting law (typically 7 years).
  • Server logs & security events: retained for 30 days, then aggregated; raw records purged.
  • Image uploads: purged from worker containers within 24 hours of processing.

5 · Third-party processors (subprocessors)

We rely on the following third-party processors, each operating under its own published privacy commitments and Data Processing Addendum:

  • Stripe, Inc. — payment processing, subscription management.
  • Supabase (Supabase, Inc.) — managed Postgres database for account data and scan metadata, authentication.
  • Vercel, Inc. — application hosting, edge network, serverless function execution.
  • Google (Google LLC) — analytics via Google Analytics 4 with anonymize_ip: true; no advertising integration.
  • Neo4j AuraDB — managed graph database for the cross-channel identity graph.
  • Hostinger — worker VPS for orchestration of OSINT tools.
  • Anthropic, OpenAI, Google AI — AI narration of the executive summary (multi-provider fallback).
  • OSINT data sources — third-party public-source search APIs listed in our methodology.

An up-to-date subprocessor list is available on request at privacy@twilox.com.

6 · Cookies & similar technologies

  • Strictly necessary (session) cookies: first-party cookies required for authentication, session continuity, and CSRF protection. Cannot be disabled without breaking the service.
  • Analytics: Google Analytics 4 (GA4) cookies with anonymize_ip: true. No cross-site or advertising profiles.
  • No advertising cookies. No retargeting pixels. No social-network sharing widgets that set third-party cookies.

7 · Your rights (GDPR · UK GDPR · CCPA / CPRA)

You have the following rights with respect to your personal data, subject to the conditions set out in applicable law:

  • Right of access — obtain a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — request deletion, subject to legal retention obligations.
  • Right to data portability — receive a machine-readable copy of data you provided to us.
  • Right to object — to processing based on legitimate interests, including profiling.
  • Right to restrict processing — in specific circumstances under GDPR Art. 18.
  • CCPA / CPRA rights — right to know, delete, correct, opt out of sale or sharing (we do not sell or share for cross-context behavioural advertising), limit use of sensitive personal information, and non-discrimination for exercising rights.
  • Right to withdraw consent — where processing is based on consent, at any time, without affecting prior lawful processing.
  • Right to lodge a complaint — with a supervisory authority in your country of residence.

To exercise any of these rights, email privacy@twilox.com. We will verify your identity and respond within 30 days (extendable by 60 days for complex requests, with notice), or within the statutory period set by applicable law. There is no charge for the first request in any 12-month period.

Third-party content note: If a dossier surfaces public information about you that originates on a third-party site (a social platform, a public registry, a news archive), the canonical fix is to request removal or de-indexing from that source. On request we will additionally purge the cached dossier reference from our archive.

8 · Children

The service is intended for adults aged 18 or older. It is not directed at children, and we do not knowingly collect personal data from individuals under 18. If we learn that we have collected personal data from a person under 18 without verified parental consent, we will delete that data promptly. Parents or guardians who believe their child has provided us personal data should contact privacy@twilox.com.

9 · International data transfers

Personal data may be processed in any country in which we or our subprocessors operate, primarily in the United States and the European Union. Where personal data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (or the UK International Data Transfer Addendum / IDTA) and additional technical and organisational safeguards as appropriate. A copy of the applicable transfer mechanism is available on request.

10 · Security

We apply industry-standard administrative, technical, and organisational measures to protect personal data, including TLS 1.2+ in transit, encryption at rest for stored data (Supabase, Neo4j AuraDB), hashed authentication credentials, least-privilege access controls, and ephemeral worker containers cleared on completion. No security control is perfect. The User accepts the residual risk inherent in any internet-delivered service.

11 · Breach notification

In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach as required by GDPR Art. 33, and will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34). For California residents, we will notify in accordance with Cal. Civ. Code § 1798.82 and other applicable U.S. state breach laws.

12 · Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will be revised, and material changes will be announced via in-app banner and email to subscribers at least 30 days before the effective date. Continued use of the service after the effective date constitutes acceptance of the modified Privacy Policy.

Contact & data controller

Data controller: Agentix Global Services LLC. For all privacy enquiries and to exercise your rights, email privacy@twilox.com or use the contact form. For legal notices, email legal@twilox.com. Abuse reports: abuse@twilox.com.