Privacy Policy
Twine is operated by Redwood LLC (“we”, “us”, “our”). This policy describes how we collect, use, and protect information when you use the Twine app at app.twinechats.com and our mobile apps (together, the “Service”).
Summary
Twine is built for private messaging. Message bodies are end-to-end encrypted on your device before they are sent. Our servers store and relay ciphertext only — we cannot read the content of your encrypted messages or channel keys.
Information we collect
Account information
When you create an account, we collect:
- Email address
- Display name
- Password (stored as a one-way hash, never in plain text)
- Optional profile avatar you upload
Messaging metadata
To deliver the Service, our servers process information needed to route messages and run rooms, including:
- Server, room, and channel membership
- Sender user and device identifiers attached to each message
- Timestamps and delivery-related metadata
- Encrypted message payloads (ciphertext) and their sizes
- Public encryption keys registered for your devices
- Read-position cursors and typing/presence signals
- Emoji reactions (not encrypted message bodies)
Mobile push notifications
If you enable push on a mobile device, we store a device push token so we can wake the app. Push payloads contain no message text, sender name, or room title — only a minimal sync signal. Your device fetches ciphertext from the API, decrypts locally, and decides whether to show a notification.
Technical logs
Like most online services, our hosting infrastructure may temporarily process standard request logs (for example IP address, user agent, and request timing) for security, abuse prevention, and reliability. We do not use these logs to read your messages.
What we do not collect
- Plaintext contents of end-to-end encrypted messages
- Your encryption private keys, recovery passphrase, or channel keys
- Advertising profiles or cross-app tracking data
How we use information
We use the information above to:
- Provide, operate, and improve the Service
- Authenticate you and maintain your account
- Deliver messages, presence, and notifications
- Respond to support requests and protect against abuse
- Comply with law where required
We do not sell your personal information.
How we share information
We do not sell, rent, or trade your personal information. We share data only with:
- Service providers that host or operate Twine on our behalf (for example Amazon Web Services for infrastructure, Google FCM and Apple APNs for push delivery, Expo for mobile build services). They may access data only to provide those services to us.
- Other Twine users, as you direct (for example your display name, avatar, and messages you send to rooms you join).
- Authorities when required by law or to protect safety, security, or rights.
Security
We use technical and organizational measures to protect data, including:
- TLS encryption for data in transit between your device and our servers
- End-to-end encryption for message bodies (ciphertext on our servers)
- One-way password hashing (Argon2id / bcrypt)
- Access controls on production systems
- Encrypted local message cache on mobile devices (see below)
No method of transmission or storage is 100% secure. We cannot guarantee absolute security.
Local storage on your devices
To show chat history quickly, Twine may cache decrypted messages on your device. On mobile, that cache is encrypted at rest with keys held in the system secure store. When you log out or delete your account in the app, local cached messages on that device are cleared. A compromised unlocked device is outside what encryption-at-rest can fully prevent.
Service providers
We use third-party infrastructure to run Twine, including cloud hosting (for example Amazon Web Services), databases, and mobile push delivery (for example Google FCM / Apple APNs via Expo). These providers process data on our behalf under our instructions and their own terms.
Data retention and deletion
We retain account and ciphertext data while your account is active and as needed to operate the Service. When you delete your account, we delete associated server-side data (profile, ciphertext, memberships, device keys, push tokens). Short-lived backups may retain data for a limited period before automatic purge.
Delete your account in the app under Me → Delete Account, or follow the steps at twinechats.com/delete-account.html. Temporary deactivation or logging out does not delete server-side data.
Your choices
- Update your display name or avatar in the app
- Disable mobile push notifications in device or app settings
- Delete your account in-app or via our account deletion page
Children
The Service is not directed at children under 13, and we do not knowingly collect personal information from them. Contact us if you believe a child has provided us data.
International users
Twine is operated from the United States. If you use the Service from elsewhere, your information may be processed in the U.S.
Changes
We may update this policy from time to time. We will post the revised version on this page and update the “Last updated” date.
Contact
Questions about privacy or data requests: support@redwoodchip.com
Redwood LLC
California, United States