Privacy Policy.
Last updated 23 May 2026.
1. Who we are
This Privacy Policy explains how MyAITwin collects, uses and protects personal data when you use our service.
For the purposes of UK data protection law, the data controller is:
MyAITwin, a product of Luto Ventures Ltd
Company number: 16563350
Registered office: 86–90 Paul Street, London, England, EC2A 4NE
Email: team@lutolearn.com
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us using the details above.
2. The personal data we collect
We collect and process the following categories of personal data:
Account data
Your email address. MyAITwin uses a magic link sign-in flow, so your email is the only credential we hold.
Stored knowledge
Knowledge items, voice note transcripts, documents and URLs that you choose to store in your account. This content is provided by you and only by you. We do not crawl, scrape or import data without your explicit action.
Usage data
Information about how you use MyAITwin, including MCP tool calls and timestamps. We use this to operate the service, apply rate limits and detect abuse.
Technical data
Your IP address, browser type, device information and basic server log data. This is the standard data any web service receives when you connect to it.
We do not intend to collect special category personal data. Please do not store sensitive personal data unless you are comfortable with the cloud storage and access controls described in section 12.
3. How we collect personal data
We collect personal data:
- directly from you when you sign up, sign in, store content or use any tool in the service
- automatically when you connect to the service, through server logs
- through the MCP protocol when an AI assistant connected to your account makes tool calls on your behalf
4. How we use your personal data
We use personal data for the following purposes:
To provide the service
We use your email to authenticate sessions. We use your stored knowledge to power the retrieval, search and synthesis tools you call from your AI assistant.
To operate and secure the service
We use usage and technical data to run the platform, apply rate limits, detect abuse, debug issues and improve performance.
To communicate with you
We may send service-related messages, such as sign-in links, security notices and material changes to this policy.
To comply with legal and regulatory obligations
We may process personal data where this is necessary to comply with the law or to protect our legal rights.
We do not use your stored knowledge to train AI models. We do not share your stored knowledge with third parties for any purpose other than providing the service.
5. Our lawful bases for processing
We rely on the following lawful bases under the UK GDPR:
Contract
Most of our processing is necessary to provide the service you have signed up for, including storing your knowledge, returning search results and authenticating sessions.
Legitimate interests
We rely on legitimate interests for service security, abuse prevention, debugging and product improvement, where our interests are not overridden by your rights and freedoms.
Consent
Where required, we rely on your consent, for example for any non-essential cookies if we add them in future. You can withdraw consent at any time.
6. Cookies
MyAITwin sets one cookie:
mt_session — strictly necessary, used to keep you signed in across pages
We do not currently set analytics cookies or third-party tracking cookies. If we add any non-essential cookies in future, we will ask for your consent before setting them.
7. Sharing your personal data
We share personal data with trusted infrastructure providers where necessary to run the service, including:
- Supabase (database hosting)
- Pinecone (vector storage)
- OpenAI (embeddings and language model calls made on your behalf when you use the synthesis tool)
- Vercel (web hosting)
- Resend (sign-in emails)
We require service providers that process personal data on our behalf to do so only on our instructions and to keep it secure.
We do not sell personal data and we do not share it with advertising or analytics networks.
8. International transfers
Some of our service providers may process personal data outside the UK. Where personal data is transferred outside the UK, we rely on adequacy regulations or appropriate contractual safeguards.
9. Data retention
We keep personal data only for as long as necessary:
- stored knowledge is retained for as long as your account is active, or until you delete it or request deletion
- account data is retained until you delete your account
- magic link tokens are deleted on use or on expiry, whichever happens first
- session tokens expire on sign-out or when the session lifetime ends
- usage and technical logs are kept for a limited period to support security and debugging
You can delete your account and all associated data at any time from your account page. Deletion is immediate and irreversible.
10. Your rights
Under UK data protection law, you may have the right to:
- request access to your personal data
- request correction of inaccurate data
- request deletion of your personal data
- object to or request restriction of processing
- request transfer of your personal data in certain circumstances
- withdraw consent where we rely on consent
These rights are not absolute, and some exceptions apply.
To exercise any of your rights, please contact us at team@lutolearn.com.
11. Complaints
If you have concerns about how we handle your personal data, please contact us first and we will try to resolve the issue.
You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.
12. Security
We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse or alteration. These include bearer token authentication, multi-tenant data isolation, rate limiting, audit logging and prompt injection guardrails.
However, no method of transmission over the internet or electronic storage is completely secure, so we cannot guarantee absolute security.
13. Third-party websites
Our service may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. You should read their privacy policies separately.
14. Governing law
This Privacy Policy is governed by the law of England and Wales. The Information Commissioner's Office is our supervisory authority.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The latest version will always be posted on this page.