International Data Protection Compliance

1. GDPR — European Economic Area (EEA)

If you are located in the European Economic Area, the following rights apply under the General Data Protection Regulation (EU) 2016/679:

• Right of Access (Art. 15): You may request a copy of all personal data we process about you, including the purposes of processing, categories of data, and recipients.
• Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): You may request deletion of your personal data. You can delete your account directly from the Profile & Settings page.
• Right to Restrict Processing (Art. 18): You may request that we limit the processing of your personal data under certain circumstances.
• Right to Data Portability (Art. 20): You may receive your personal data in a structured, commonly used, machine-readable format.
• Right to Object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent (Art. 7): You may withdraw consent for biometric data processing at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA).

2. LGPD — Brazil

If you are located in Brazil, the following rights apply under the Lei Geral de Proteção de Dados (Lei nº 13.709/2018):

• Confirmação e Acesso (Art. 18, I-II): You may confirm whether we process your data and request access to it.
• Correção (Art. 18, III): You may request correction of incomplete, inaccurate, or outdated data.
• Anonimização, Bloqueio ou Eliminação (Art. 18, IV): You may request anonymization, blocking, or deletion of unnecessary or excessive data.
• Portabilidade (Art. 18, V): You may request data portability to another service provider.
• Eliminação (Art. 18, VI): You may request deletion of personal data processed with your consent.
• Informação sobre Compartilhamento (Art. 18, VII): You may request information about which third parties we share your data with.
• Revogação do Consentimento (Art. 18, IX): You may revoke your consent at any time.
• Oposição (Art. 18, §2º): You may oppose processing that does not comply with LGPD provisions.

For LGPD-related requests, contact our Data Protection Officer at [email protected]. We comply with ANPD (Autoridade Nacional de Proteção de Dados) guidelines and Resolution CD/ANPD No. 19/2024 regarding international data transfers.

3. CCPA/CPRA — California, USA

If you are a California resident, the following rights apply under the California Consumer Privacy Act (as amended by the CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information. You can delete your account directly from the Profile & Settings page.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA. However, you may exercise this right at any time.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
• Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information (including biometric data) to what is necessary to provide our services.

We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than providing our services. To submit a verifiable consumer request, contact us at [email protected].

4. International Data Transfers

TwinsDo is operated from the United States. If you access our platform from outside the United States, your data will be transferred to and processed in the United States. We implement the following safeguards for international data transfers: Standard Contractual Clauses (SCCs) approved by the European Commission for EEA transfers; compliance with LGPD international transfer requirements and ANPD Resolution CD/ANPD No. 19/2024 for Brazilian transfers; and appropriate technical and organizational measures to ensure data protection equivalent to your home jurisdiction.

5. Data Protection Impact Assessments

In compliance with GDPR Article 35 and CCPA requirements, we conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including the collection and processing of biometric data for avatar creation and voice cloning. These assessments evaluate the necessity, proportionality, and risks of our data processing activities.

6. EU AI Act Compliance

TwinsDo complies with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) transparency requirements. Our AI systems that generate digital avatars and voice clones fall under transparency obligations for AI systems that generate synthetic content. We clearly label all AI-generated content, inform users when they are interacting with AI-generated materials, and maintain documentation of our AI systems as required.

7. Data Protection Officer

Our Data Protection Officer can be reached at [email protected] for any data protection inquiries, rights requests, or complaints. We are committed to responding to all requests within the timeframes required by applicable law: thirty (30) days for GDPR and LGPD requests, and forty-five (45) days for CCPA requests (with possible extensions as permitted by law).

8. Self-Service Account Deletion

You can delete your account and all associated data at any time directly from the Profile & Settings page in your dashboard. This action is immediate and irreversible. Upon deletion, all personal data, avatars, voice clones, and generated videos will be permanently erased within thirty (30) days. You do not need to contact us to exercise your right to erasure.

9. Supervisory Authorities

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. For EEA residents, contact your local Data Protection Authority. For Brazilian residents, contact the ANPD (Autoridade Nacional de Proteção de Dados). For California residents, contact the California Privacy Protection Agency (CPPA).