Privacy Policy

1. Overview

Twenty is a developer marketplace. We process personal data to operate accounts, authenticate users, process purchases, deliver digital products, moderate listings, prevent fraud, and improve the platform. We do not sell your personal information to data brokers.

2. Who we are

For purposes of applicable data-protection law, Twenty is the data controller for personal information described in this Policy, except where we process data solely on behalf of Creators or where Paddle acts as an independent controller for payment data (see Section 7).

Privacy inquiries and data-subject requests can be submitted through Support. We may ask you to verify your identity before fulfilling a request.

3. Information we collect

3.1 Information you provide directly

Account data: email address, username, password (stored only as a cryptographic hash), profile bio, avatar image, website or social links, onboarding intent (buyer or creator), and role assignments.
Creator data: product titles, descriptions, pricing, categories, tech stack tags, setup instructions, thumbnails, screenshots, repository URLs, demo URLs, and uploaded product archives.
Buyer activity: purchase history, library access, wishlist entries, notification preferences, and product reviews or ratings.
Communications: support tickets, feedback submissions, and email correspondence.
Security settings: two-factor authentication configuration (secrets are stored in protected form; recovery codes are hashed).

3.2 Information from third-party sign-in

If you connect Google or GitHub, we receive information permitted by your OAuth consent—typically a provider account identifier, email address, display name, and avatar URL. We may store encrypted OAuth tokens where needed to maintain the connection or verify seller repositories. You can disconnect OAuth providers from your profile settings where supported.

3.3 Payment-related information

Checkout is handled by Paddle. We receive transaction metadata such as order IDs, amounts, currency, payment status, and the email used for fulfillment. We do not store full payment card numbers on our servers.

3.4 Automatically collected information

Device and browser data: IP address, user-agent string, browser type, operating system, and preferred language.
Usage data: pages viewed, buttons clicked, referral URLs, session timestamps, and feature interactions.
Security and fraud signals: failed login attempts, refresh-token events, suspicious request patterns, and blocklist matches.
Approximate geography: country or region inferred from IP for compliance, tax, abuse prevention, and localization.
Log data: server, application, and error logs generated during normal operation.

3.5 Information from others

We may receive information from payment processors, OAuth providers, email delivery services, cloud infrastructure vendors, and anti-abuse tools. Creators may see limited Buyer information necessary to fulfill support for purchased products.

4. How we use information

We use personal information to:

Create, authenticate, and manage Accounts, including email verification, password reset, optional 2FA, and session management.
Process purchases, grant product access, generate receipts, and handle refunds or disputes.
Host, review, publish, feature, and moderate creator listings and buyer reviews.
Operate wishlists, relist notifications, seller verification badges, and dashboard analytics.
Send transactional emails (verification, receipts, security alerts, listing status).
Provide customer support and respond to feedback.
Detect, investigate, and prevent fraud, abuse, malware uploads, and Terms violations.
Maintain platform security, including IP/country blocklists, rate limiting, and audit logs.
Comply with legal obligations, enforce our Terms, and protect rights and safety.
Improve and develop the Service, including debugging, performance monitoring, and aggregated analytics.
Communicate product updates or policy changes where permitted by law.

5. Legal bases (EEA, UK & similar regions)

If you are in the European Economic Area, United Kingdom, or another region requiring a lawful basis, we rely on:

Contract: processing necessary to provide the Service you request (accounts, purchases, delivery).
Legitimate interests: security, fraud prevention, moderation, analytics, and Service improvement, balanced against your rights.
Consent: where required for optional features or marketing cookies; you may withdraw consent at any time.
Legal obligation: tax, accounting, regulatory requests, and record-keeping.

6. How we share information

We may share personal information with:

6.1 Service providers

Paddle — payment processing and Merchant of Record services.
Cloud hosting (e.g., Vercel) — application delivery and edge functions.
Database hosting (e.g., Neon PostgreSQL) — encrypted data storage.
Object storage (e.g., AWS S3 or Cloudflare R2) — product files, screenshots, and archives.
Email providers — transactional and support email delivery.
Image/CDN providers — optimized delivery of thumbnails and avatars where configured.
OAuth providers (Google, GitHub) — authentication and optional seller verification.

These providers process data under contractual terms requiring appropriate safeguards and use limited to providing services to us.

6.2 Creators and Buyers

Public profile fields, listings, and reviews are visible to other users as designed. Creators may see a Buyer's Account identifier and email when necessary to provide product support. We instruct Creators to use such data only for support and not for unsolicited marketing.

6.3 Legal and safety disclosures

We may disclose information if required by law, court order, or governmental request, or when we believe disclosure is necessary to protect rights, safety, investigate fraud, or respond to security incidents.

6.4 Business transfers

If Twenty is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred subject to continued protection consistent with this Policy.

6.5 Aggregated data

We may publish aggregated or de-identified statistics (e.g., total sales volume, category trends) that do not identify individuals.

7. Payments (Paddle)

Paddle.com Market Limited and its affiliates act as Merchant of Record for most purchases on Twenty. When you pay, Paddle collects payment and billing information directly according to Paddle's Privacy Policy. We receive limited transaction data needed to unlock purchases in your library. For payment-related privacy requests, you may need to contact Paddle as well as Twenty.

8. Cookies & similar technologies

8.1 Essential cookies

We use http-only cookies and similar mechanisms to keep you signed in, rotate refresh tokens securely, enforce CSRF protections where applicable, and remember essential session state. These are necessary for the Service to function and do not require consent in many jurisdictions.

8.2 Analytics & preferences

We may use privacy-respecting analytics to understand usage patterns. Where non-essential cookies or similar technologies are used, we will request consent when required by law.

8.3 Your choices

Most browsers let you block or delete cookies. Blocking essential cookies may prevent login and purchases. Refer to your browser documentation for instructions.

9. Data retention

We retain personal information only as long as necessary for the purposes described in this Policy, including:

Account data — for the life of your Account and a reasonable period after deletion for backups, disputes, and legal compliance.
Purchase records — typically for seven (7) years or longer where tax or accounting law requires.
Security logs — for months to years depending on severity and investigation needs.
Support messages — until resolved and for a limited archival period.
Marketing consents — until withdrawn.

When data is no longer needed, we delete or anonymize it unless retention is required by law or legitimate ongoing disputes.

10. Security

We implement administrative, technical, and organizational measures designed to protect personal information, including:

TLS encryption in transit for web traffic.
Bcrypt or comparable hashing for passwords; passwords are never stored in plain text.
Http-only, secure cookie flags for authentication tokens where supported.
Refresh-token rotation with family revocation on suspected theft.
Optional TOTP-based two-factor authentication.
Role-based access controls for administrative functions.
Automated scanning of uploaded archives for known threats.
Security event logging and monitoring for suspicious activity.
Password policy enforcement, including rejection of common weak passwords.

No method of transmission or storage is 100% secure. You are responsible for safeguarding your credentials and devices.

11. International transfers

Twenty may process and store information in the United States and other countries where we or our service providers operate. These countries may have different data-protection laws than your residence. Where required, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms for transfers from the EEA, UK, or Switzerland.

12. Your privacy rights

Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing of your personal information, and to data portability. You may also withdraw consent where processing is consent-based.

To exercise rights, contact us through Support. We will respond within the timeframe required by applicable law. You may lodge a complaint with your local supervisory authority if you believe our processing violates applicable law.

12.1 Account self-service

You can update profile information, manage sessions, enable 2FA, and request password or email changes from your dashboard where available.

13. California residents (CCPA/CPRA)

If you are a California resident, you may have the right to know categories of personal information collected, sources, business purposes, and categories of third parties with whom we share data; to delete certain information; to correct inaccurate information; and to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising.

Twenty does not sell personal information as defined by the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising. To submit a verifiable request, use Support. We will not discriminate against you for exercising privacy rights.

14. Children's privacy

The Service is not directed to children under 18 (or the age of digital consent in your country). We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will take steps to delete it.

15. Automated processing

We use automated systems to support security and trust, including:

Malware and suspicious-pattern scanning of uploaded ZIP archives.
IP and country blocklist matching for abuse prevention.
Rate limiting and anomaly detection on authentication endpoints.
Password policy checks against a local list of commonly used weak passwords.

These systems may result in blocked uploads, delayed listings, or Account restrictions. Significant adverse decisions may be reviewed on request through Support where feasible.

16. Data breaches

If we become aware of a personal data breach likely to result in risk to your rights and freedoms, we will notify affected users and regulators as required by applicable law, and take steps to mitigate harm.

17. Changes to this Policy

We may update this Privacy Policy periodically. Material changes will be posted on this page with an updated "Last updated" date. Where required, we will provide additional notice. Continued use after changes take effect constitutes acknowledgment unless applicable law requires explicit consent.

18. Contact us

Privacy questions and data requests: twenty.site/support.

For Terms-related matters, see our Terms of Service.