Privacy Policy

1. Introduction

TwinPhone("TwinPhone," "we," "our," "us") is the browser-based international calling service available at twin-phone.com (collectively, the "Service"), owned and operated by hrhelperg s.r.o. This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal data when you use our Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller

For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable data protection laws, the data controller responsible for your personal data is:

• hrhelperg s.r.o. (operating as TwinPhone)
• Husitská 502/36, 130 00 Praha 3, Czech Republic
• Company ID (IČO): 14270862

For any privacy-related inquiries or to exercise your data subject rights, contact us at support@twin-phone.com or support@twin-phone.com. We have not appointed a Data Protection Officer, as we are not required to under Article 37 GDPR; privacy requests are handled by our team at the address above.

3. Legal Bases for Processing

Where the GDPR or UK GDPR applies, we process your personal data only when we have a valid legal basis under Article 6, including:

• Contract performance: Processing necessary to provide the Service you requested (account management, call routing, billing).
• Legitimate interests:Fraud prevention, service security, analytics to improve performance — balanced against your rights and freedoms.
• Legal obligation: Compliance with applicable laws, tax regulations, and lawful government requests.
• Consent: Where required (e.g., optional analytics cookies, marketing communications). You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Information We Collect

Account Information: Email address and optional display name provided during registration.

Call Metadata: Numbers dialed, call duration, timestamps, and call status. Required for billing and your call history. We do not record or store call audio.

Payment Information: Payment transactions are processed by our third-party payment processor (Stripe). We receive a transaction reference and amount. We do not store credit card numbers, CVVs, or full card details on our servers.

Technical Data: IP address, browser type and version, device type, operating system, referring URL, pages visited, and session duration. Collected automatically via server logs and analytics.

Promotional fingerprints: To prevent abuse of one-time promotional offers (e.g., the first top-up Bonus Credit), we store acryptographic hash(SHA-256 with a server-side secret) of the IP address used to claim the offer. The original IP address is not retained on this record; only the irreversible hash is, which lets us detect a second sign-up from the same network without keeping personally identifiable information. The same technique is used to record consent metadata for opt-in features such as auto-refill, where retaining proof-of-consent is required by the FTC Restore Online Shoppers' Confidence Act (ROSCA) and Article 22 of the EU Consumer Rights Directive.

Communications: If you contact us for support, we retain the content of your messages to resolve your inquiry and improve our service.

5. How We Use Your Information

• Provide, operate, and maintain the calling Service
• Process payments, manage your account balance, and generate invoices
• Send transactional communications (receipts, password resets, service alerts)
• Detect, prevent, and address fraud, abuse, and security threats
• Analyze usage patterns to improve service quality (in aggregate and anonymized form)
• Comply with legal obligations and respond to lawful requests
• Enforce our Terms of Service

We do not sell, rent, or trade your personal data to third parties for marketing or advertising purposes. We do not use your data for targeted advertising.

6. Call Encryption & Security

Every call made through TwinPhone is encrypted using TLS (Transport Layer Security) for signaling and SRTP (Secure Real-Time Transport Protocol) for audio. This encryption is automatic, always-on, and cannot be disabled. TwinPhone employees cannot listen to or access the audio content of your calls. We implement industry-standard technical and organizational measures to protect your data, including encrypted data storage, access controls, and regular security audits. However, no system is 100% secure, and we cannot guarantee absolute security of data transmitted over the Internet.

Personal Data Breach Notification

We maintain an internal incident-response procedure for personal data breaches. If a breach is likely to result in a risk to your rights and freedoms, we will notify our lead supervisory authority (the Czech Office for Personal Data Protection, ÚOOÚ) without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR. Where a breach is likely to result in a high risk to you, we will also inform affected users without undue delay (Article 34 GDPR), describing the nature of the breach, the likely consequences, and the measures we have taken. We keep an internal register of all breaches regardless of whether notification is required.

7. Data Sharing & Third-Party Processors

We share personal data only with the following categories of service providers, solely to the extent necessary for the Service to function:

• Telecom infrastructure: Call routing via third-party carriers (Twilio). Call metadata is shared to connect your calls.
• Payment processing: Stripe processes your payments. We share only the minimum data required for transactions.
• Hosting & infrastructure: Cloud hosting providers (Vercel, Supabase) that store and serve our application data.
• Analytics: Loaded only after you consent via the cookie banner.
  • Firebase Analytics and Vercel Analytics / Speed Insights: aggregate, privacy-friendly usage and performance metrics. No PII.
  • Mixpanel: product analytics tied to your account. When you are signed in we send your account email and display name so we can analyze in-product behavior at the user level. Mixpanel is contractually bound by a Data Processing Agreement and does not use your data for advertising.
• Error monitoring & session replay: Sentry receives error reports with no default PII. When you have consented to analytics, a small percentage of sessions in which an error occurs are recorded as a privacy-masked replay (text content masked, media blocked) so we can reproduce and fix the issue. Replays are not collected for error-free sessions and are never collected before consent.

All third-party processors are bound by data processing agreements and are required to handle your data in compliance with applicable privacy laws. We do not sell personal data to any third party.

8. International Data Transfers

hrhelperg s.r.o. is established in the Czech Republic (EU). Some of our sub-processors (such as Stripe, Twilio, Vercel, Supabase, Mixpanel, and Sentry) process data in the United States or other countries outside the European Economic Area (EEA) and the UK. Where we transfer personal data outside the EEA, UK, or Switzerland, we rely on appropriate safeguards recognized under the GDPR and UK GDPR, such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, the EU–US and UK–US Data Privacy Framework (where the recipient is certified), and data processing agreements with our sub-processors. By using the Service, you acknowledge these transfers. If you are located in the EEA, UK, or Switzerland, you may request a copy of the applicable safeguards by contacting us.

9. Data Retention

• Account data: Retained while your account is active and for 90 days after deletion to process pending transactions and comply with legal obligations.
• Call metadata: Retained for the duration of your account plus 90 days after deletion.
• Payment records:Retained as required by applicable tax and financial regulations (typically 5–7 years).
• Server logs: Automatically purged after 90 days.

10. Your Rights

For All Users

Regardless of your location, you may: access and download your personal data through your account dashboard, request correction of inaccurate data, request deletion of your account and associated data, and opt out of non-essential communications at any time.

European Economic Area, United Kingdom & Switzerland (GDPR / UK GDPR)

If you are located in the EEA, UK, or Switzerland, you additionally have the right to: restrict or object to certain processing, request data portability in a machine-readable format, withdraw consent at any time (without affecting prior processing), and lodge a complaint with a supervisory authority. As our controller is established in the Czech Republic, our lead supervisory authority is the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ, uoou.gov.cz); you may also complain to the authority in your own country (e.g., the ICO in the UK, CNIL in France, or BfDI in Germany).

California Residents (CCPA / CPRA)

Under the California Consumer Privacy Act and the California Privacy Rights Act, you have the right to: know what personal information we collect, request deletion, opt out of the sale or sharing of personal information (we do not sell your data), and not be discriminated against for exercising your rights. To submit a verifiable consumer request, email us at support@twin-phone.com. We will respond within 45 days. In the preceding 12 months, we have not sold any personal information.

Other U.S. States

If you reside in a U.S. state with a comprehensive consumer privacy law (for example, Virginia, Colorado, Connecticut, Utah, or Texas), you may have similar rights to access, correct, delete, and opt out of the sale or sharing of your personal information. We honor these rights in accordance with applicable law.

Other Jurisdictions

If your jurisdiction provides additional privacy rights (e.g., Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, Japan's APPI, or South Korea's PIPA), we will honor those rights in accordance with applicable law. Contact us to exercise them.

To exercise any of these rights, email support@twin-phone.com. We will verify your identity and respond within the timeframes required by applicable law. We do not charge a fee for rights requests unless they are manifestly unfounded or excessive.

11. Children's Privacy

The Service is not directed at children under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without verified parental consent, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at support@twin-phone.com.

12. Automated Decision-Making

We may use automated systems for fraud detection and abuse prevention. These systems may flag or suspend accounts based on usage patterns. You have the right to request human review of any automated decision that significantly affects you.

13. Do Not Track & Global Privacy Control

We honor Do Not Track ("DNT") browser signals. When we detect a DNT signal, we disable non-essential analytics tracking for that session. We do not engage in cross-site tracking regardless of DNT settings.

We also honor Global Privacy Control ("GPC") signals as required by the CCPA/CPRA, Colorado Privacy Act, Connecticut Data Privacy Act, and other applicable US state privacy laws. When we detect a GPC signal, we treat it as a legally binding opt-out of the sale or sharing of personal information and disable non-essential analytics for that session. TwinPhone does not sell or share personal information for advertising purposes.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email to registered users or via a prominent notice on the Service at least 30 days before taking effect. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes. We encourage you to periodically review this page.

15. Governing Law

This Privacy Policy is governed by the laws of the Czech Republic and applicable EU data protection law, without prejudice to mandatory data protection and consumer rules of your country of residence. For dispute resolution and other contract terms, please see our Terms of Service (Section 14).

Nothing in this policy limits your right to lodge a complaint with a data protection authority — our lead authority is the Czech ÚOOÚ, and you may also contact the authority in your own country (e.g., the ICO in the UK, CNIL in France, BfDI in Germany) — or any rights that cannot be waived under applicable consumer protection or data protection law in your jurisdiction.

16. Contact

For any privacy-related questions, data requests, or complaints, contact us at: support@twin-phone.com. We aim to respond to all inquiries within 30 days, or sooner where required by applicable law.