Privacy Policy

At Twoory, we value your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, and safeguard your data when you use our website and services.

Last Updated: April 20, 2026


1. Information We Collect

a. Account & Profile Information

  • Email address, display name, and password (stored as a one-way hash — we never store your plaintext password).

  • Optional phone number for two-factor authentication (2FA).

  • Date of birth, gender, profile photo, relationship anniversary date, partner display name, and love language preference.

  • Sign in with Apple or Sign in with Google identifiers, if you use those sign-in methods.

  • A biometric enable/disable flag. Your biometric template (Face ID / Touch ID / Fingerprint) is processed entirely on your device and is never transmitted to our servers.

b. Content You Create

  • Chat messages, photos (up to 10 MB), videos (up to 100 MB), voice notes, memories, timeline posts, mood entries, activity responses, relationship goals, bucket lists, wish lists, and any feedback or support messages you send us.

c. Location Data

  • Only when you actively choose to share your location with your partner using the in-app location feature. We do not collect background location unless you explicitly enable a feature that requires it. You may revoke location permission at any time in your device settings.

d. Payment & Subscription Information

  • Subscription purchases are processed by Apple App Store or Google Play and our subscription management provider. We receive only a confirmation of subscription status and a non-sensitive subscription identifier. We do not receive, process, or store your full card number or bank details.

e. Usage & Diagnostic Data

  • Device model, operating system version, app version, language, timezone, and network type.

  • Features used, screens viewed, session duration, crash reports, error logs, and performance metrics.

  • IP address, processed transiently for security purposes and not stored long-term.

  • Push notification tokens issued by Apple (APNs) and Google (FCM).

f. Waitlist & Website Data

  • If you sign up on our website waitlist, we collect your email address and any optional details you provide.

  • Standard website analytics data including pages visited, referral source, and browser type, collected via analytics tools. See Section 5 (Cookies) for more detail.

g. Sensitive & Relationship Data

Content you share within the App — including messages, mood entries, personal goals, photos, and voice notes — may reveal details about your intimate relationship, emotional state, and personal wellbeing. You provide this data voluntarily to share with your partner. We treat this category of data with the highest level of care, protected by access controls so that only you and your paired partner can access it. We do not read, analyse, or use your private relationship content for any other purpose.

2. Partner Pairing & Shared Data

Twoory is a couples app. A core feature is that certain content you create is shared with one specific partner you invite and pair with inside the App.

  • Content shared with your partner: chat messages, timeline posts, memories, mood entries, shared goals, bucket lists, activity responses, and media you post to shared spaces are visible to your paired partner by design.

  • Content private to you: your account credentials, payment records, device identifiers, and support correspondence are not visible to your partner.

  • Unpairing: if you unpair from your partner, previously shared content remains in each user's account history unless you delete it. We cannot delete content on your former partner's account on your behalf, unless a safety concern is reported to us.

  • Account deletion: deleting your account removes your data from our servers within 30 days. It does not automatically remove content your partner has saved or downloaded.

  • Safety: if you experience abuse, harassment, or feel unsafe within the App, contact support@twoory.com immediately. We take relationship safety seriously and will act promptly on credible safety reports.

3. How We Use Your Information

We use the information we collect to:

  • Create and maintain your account and pair you with your partner.

  • Deliver your messages, content, and shared relationship features.

  • Process your subscription and manage billing.

  • Send transactional emails such as account confirmations, security alerts, and support replies.

  • Send optional marketing communications — only with your consent, and you may unsubscribe at any time.

  • Secure the service against fraud, abuse, and unauthorised access.

  • Debug crashes, fix bugs, and improve existing features.

  • Comply with applicable legal obligations.

  • Power the in-app AI relationship coach ("Luna") — messages sent to Luna are processed solely to generate a response for you and are not used to train AI models.

We do not use your data for cross-context behavioural advertising. We do not sell your personal information.

Legal Bases for Processing (GDPR)

Legal Basis | Examples
Performance of a contract (Art. 6(1)(b)) | Account creation, delivering content, processing subscription
Legitimate interests (Art. 6(1)(f)) | Security, fraud prevention, crash debugging, product improvement
Consent (Art. 6(1)(a)) | Location sharing, push notifications, marketing emails, analytics
Legal obligation (Art. 6(1)(c)) | Tax records, responding to lawful requests, breach notification
Vital interests (Art. 6(1)(d)) | Exceptional safety circumstances

4. How We Protect Your Information

We implement industry-standard technical and organisational safeguards:

  • All data transmitted between your device and our servers is encrypted using HTTPS/TLS.

  • Data stored in our database and object storage is encrypted at rest.

  • Session tokens and encryption keys on your device are stored in hardware-backed secure storage (iOS Keychain / Android Keystore).

  • Row-level security policies ensure that only you and your paired partner can access your shared content. No other user — and no Twoory employee — has routine access to your private content.

  • Passwords are stored as one-way hashes. We never store your plaintext password.

  • Optional security features: biometric app lock, PIN lock, and SMS-based two-factor authentication.

  • Automated rate-limiting and anomaly detection to prevent brute-force and abuse attacks.

Data breach notification: in the event of a personal data breach likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and will notify affected users without undue delay as required by law.

No method of electronic transmission or storage is 100% secure. You are responsible for keeping your login credentials and device secure.

5. Cookies & Tracking Technologies

The Twoory mobile app does not use browser cookies. It uses on-device storage (local database, secure key store, and file cache) to enable offline functionality. This data remains on your device.

The Twoory website (twoory.com and waitlist.twoory.com) uses the following:

  • Strictly necessary: session management and security tokens required for the site to function. These cannot be disabled.

  • Analytics cookies: to understand how visitors interact with our website (e.g. pages visited, referral source). These are only set with your consent via our cookie banner.

  • Marketing cookies: only set if you have explicitly consented via our cookie banner.

You can manage your cookie preferences at any time via the cookie settings link in the footer of our website, or through your browser settings. Withdrawing consent does not affect any prior processing.

6. Sharing of Information

We do not sell, trade, or rent your personal information to third parties. We share data only with carefully selected service providers bound by written data processing agreements, who are prohibited from using your data for their own purposes.

Categories of providers:

  • Authentication and database provider: stores your account data, content, and media securely with encryption at rest and row-level access controls.

  • Cloud infrastructure and API provider: processes API requests between your device and our backend.

  • Push notification delivery provider: delivers push notifications to your device.

  • Mobile platform providers (Apple and Google): app distribution, sign-in, push notification infrastructure, and in-app purchase processing.

  • Subscription management provider: validates and manages your subscription status and purchase receipts.

  • SMS / phone verification provider: sends one-time passcodes via SMS only if you opt into SMS-based two-factor authentication.

  • Transactional email provider: delivers account confirmation, security, and support emails from our domain.

  • AI inference provider: processes messages sent to the in-app relationship coach solely to generate responses. Not used for model training.

  • Mapping and location provider: provides location search and map display only when you actively use location features.

  • GIF content provider: returns GIF search results only when you open the GIF picker. This provider may receive your search query and IP address.

  • Crash reporting and performance monitoring provider: receives error logs and crash reports to help us fix bugs.

  • Website analytics provider: collects anonymised website usage data with your consent.

A full list of our specific data processors is available upon request at privacy@twoory.com.

Other sharing scenarios:

  • Legal requirements: we may disclose your data to comply with a legal obligation, court order, or lawful government request, or to protect the rights and safety of Twoory, our users, or the public.

  • Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent in-app notice before your data becomes subject to a different privacy policy.

International data transfers: some providers are located outside the EU/EEA, including in the United States. All such transfers are protected by Standard Contractual Clauses (EU Commission Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum.

7. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

  • Access: obtain a copy of the personal data we hold about you.

  • Rectification: request correction of inaccurate or incomplete data.

  • Erasure ("right to be forgotten"): request deletion of your account and data. You can initiate this directly via Settings → Account → Delete Account in the App.

  • Restriction: request that we limit how we process your data in certain circumstances.

  • Data portability: receive your data in a structured, machine-readable format via the Export Data feature in Settings.

  • Objection: object to processing based on our legitimate interests.

  • Withdraw consent: for any processing based on consent, withdraw it at any time without affecting prior processing.

  • Opt out of marketing communications: unsubscribe via any marketing email or contact us directly.

  • Not be subject to automated decision-making: we do not make decisions with legal or similarly significant effects based solely on automated processing.

  • Lodge a complaint: with your local data protection authority at any time.

To exercise your rights, use the in-app options under Settings → Account, or contact us at privacy@twoory.com. We respond within 30 days, extendable to 60 days for complex requests.

California Residents (CCPA/CPRA)

You have the right to know, delete, correct, and opt out of the sale or sharing of your personal information. We do not sell your personal information and do not share it for cross-context behavioural advertising. No opt-out action is required. Contact privacy@twoory.com to exercise your California rights. You may designate an authorised agent to submit requests on your behalf.

EU / UK / Swiss Residents (GDPR / UK GDPR)

  • EU/EEA supervisory authority complaints: https://edpb.europa.eu/about-edpb/about-edpb/members_en

  • UK ICO complaints: https://ico.org.uk

  • Swiss FDPIC complaints: https://www.edoeb.admin.ch

  • DPO contact: dpo@twoory.com

  • Copies of applicable Standard Contractual Clauses are available on request.

8. Third-Party Links

Our website and App may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policy of any third-party site you visit.

9. Children's Privacy

Twoory is designed for adults in romantic relationships and is not directed at children.

  • USA / general: minimum age is 13 (COPPA).

  • EU/EEA: minimum age is 16, or the applicable national age of digital consent in your country (e.g. 14 in Spain and Italy, 15 in France, 16 in Germany).

  • UK: minimum age is 13.

We do not knowingly collect personal data from anyone below the applicable minimum age. If we discover that a user below the minimum age has created an account, we will delete that account and all associated data promptly. Parents or guardians who believe their child has provided us with personal information should contact privacy@twoory.com immediately.

10. Data Retention

We retain personal data only for as long as necessary to provide our services and comply with legal obligations:

Data Type | Retention Period
Account and profile data | While account is active + 30 days after deletion
Messages, memories, timeline, moods, goals | While account is active, or until you delete them
Crash and error logs | Up to 90 days
Subscription and payment records | Up to 7 years (tax and accounting compliance)
Support correspondence | Up to 3 years from last contact
Encrypted backup copies | Up to 30 days after deletion from primary systems
Waitlist email addresses | Until you unsubscribe or request deletion

When you delete your account, we initiate deletion of your personal data from our primary systems within 30 days.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  • We will update the "Last Updated" date at the top of this page.

  • For material changes that significantly affect your rights or how we use your data, we will notify you by in-app notification, push notification, or email at least 30 days before changes take effect.

  • For minor or clarificatory changes, updating the date is sufficient notice.

We encourage you to review this Policy periodically. Your continued use of Twoory after changes take effect constitutes your acceptance of the updated Policy.

12. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

Privacy requests and general privacy questions: privacy@twoory.com

EU/UK data protection (DPO): dpo@twoory.com

General support: support@twoory.com

Please include "Privacy Request" in your subject line and indicate your country of residence so we can apply the correct legal framework. We aim to acknowledge all requests within 5 business days and respond fully within 30 days.