Effective Date: March 12, 2026
1. Introduction
This Privacy Policy explains how Anybase Inc., doing business as Twill ("we," "us," or "our"), collects, uses, and protects your personal information when you use Twill, our AI-native project management platform ("Service").
We are committed to protecting your privacy and complying with applicable data protection laws, including the California Consumer Privacy Act (CCPA) where applicable.
2. Information We Collect
2.1 Account Information
- Email address and name (via direct registration or OAuth providers such as GitHub and Google)
- Profile information (avatar, display name)
- Password (hashed, for email-based accounts only)
- Workspace name, URL, logo, and membership role (Owner, Admin, or Member)
2.2 Usage Data
- Tasks, specifications, and tickets you create
- AI agent interactions, prompts, messages, and file attachments you submit
- Agent execution logs, output, cost metrics (token usage, duration, cost in USD), and exit codes
- Platform usage patterns, features accessed, and navigation events
- Device information (browser type, operating system)
- IP address and approximate location data
2.3 Integration Data
When you connect third-party services, we collect data specific to each integration:
GitHub: Repository names, structure, code content, commit history, file changes, pull request and issue metadata. Twill is designed to make changes on separate branches and open pull requests for your review. Whether changes can be pushed directly to a branch depends on your repository settings and protections. We recommend protecting your default branch, such as , in GitHub.
Slack: Workspace and channel identifiers, message content in threads where Twill is mentioned, user identifiers, and files shared in context. Twill reads messages only where explicitly mentioned (@twill) and sends replies and notifications back to those threads.
Linear: Organization and team identifiers, issue titles, descriptions, states, labels, and comments. Twill creates and updates issues, posts agent activity comments, and manages workflow states.
Notion: Workspace identifiers, page titles, and comment content. Twill reads and posts comments on Notion pages linked to tasks.
Sentry: Organization identifiers, project names, and error event metadata. Twill receives webhook notifications about error events to trigger agent sessions.
AWS: IAM role ARN, AWS account ID, external ID, and region configuration. Twill assumes cross-account IAM roles you configure via CloudFormation to access your cloud resources (e.g., logs).
GCP (Google Cloud Platform): GCP project identifiers, email address, and display name. Twill requests read-only access to cloud platform resources and logging data via OAuth.
2.4 Billing Data
- Stripe customer ID linked to your workspace
- Subscription tier, status, and billing cycle
- Run usage counts and bonus run allocations
- We do not store credit card numbers or payment method details—these are handled entirely by Stripe.
2.5 Communication Data
- Support tickets and correspondence
- Feedback and survey responses
- Email communications (workspace invitations, service notifications)
- Notification preferences
2.6 Bring Your Own Key (BYOK) Data
If you provide your own AI provider API keys (e.g., for Anthropic, OpenAI, or Google), these keys are encrypted at rest using industry-standard authenticated encryption and stored in our database. They are decrypted only at the time of use to route requests to your chosen provider.
3. How We Use Your Information
3.1 Service Provision
- Provide and maintain Twill's features, including AI-powered code analysis, specification generation, and agent execution
- Route your prompts, code, and codebase context to AI providers to generate responses
- Execute AI agent tasks in sandboxed environments on your behalf
- Manage your account, workspaces, integrations, and subscriptions
- Enable collaboration within workspaces (shared tasks, specifications, and agent results)
- Deliver notifications via email, Slack, Linear, Notion, and in-app channels
3.2 Service Improvement
- Analyze aggregated usage patterns to improve our platform
- Develop new features and capabilities
- Monitor system performance, error rates, and reliability
3.3 Communication
- Send important service notifications (account changes, security alerts)
- Deliver workspace invitations via email
- Provide customer support
- Share product updates and announcements, subject to your communication preferences and applicable law
4. Third-Party Services
We use the following categories of third-party services that may process your data. Each service has its own privacy policy and data practices.
4.1 AI Providers
- Anthropic (Claude): AI model services for code analysis, specification generation, and agent execution
- OpenAI (GPT): AI model services for code analysis and scorecard repository analysis
- Google (Gemini): AI model services for code analysis and agent execution
Your prompts, messages, code snippets, and repository context may be sent to these providers to generate responses and perform requested analyses. The Twill scorecard feature may run inside OpenAI-hosted containers via the Responses API. In those cases, Twill may clone a repository into an OpenAI-hosted container so the scorecard can inspect the repository contents directly. We access these providers via their APIs and configure our OpenAI API usage so customer content is not shared with OpenAI for model training. If you use the BYOK feature, requests are routed directly to the provider using your own API key.
4.2 Infrastructure and Sandbox Providers
- Vercel: Application hosting and deployment
- OpenAI-hosted containers (Responses API shell): Hosted container environments managed by OpenAI and used for certain repository analysis features, including the scorecard
- Modal: Cloud-based isolated sandbox environments for AI code execution
- Daytona: Remote development sandbox environments for AI code execution
- Google Cloud Storage: Temporary storage of screenshots and artifacts generated during agent sessions
Sandbox and container providers may receive the repository code, repository metadata, shell commands, shell outputs, environment variables, and secrets needed to execute the relevant agent task or requested analysis.
4.3 Analytics and Observability
- PostHog: Usage analytics, product insights, and event tracking
We collect usage data including prompts, messages sent to AI agents, task creation events, pull request events, agent invocation details, and cost metrics. We use this information to operate the Service, understand usage patterns, and improve service quality. Analytics data is not used by us to train AI models.
4.4 Integrations
- GitHub: Repository access, pull request creation, issue and PR comment notifications (via GitHub App)
- Slack: Receiving mentions, reading thread context, sending task notifications and interactive messages
- Linear: Issue management, agent session tracking, comment notifications, label management
- Notion: Reading and posting comments on linked pages, task notifications
- Sentry: Error event monitoring, webhook-triggered agent sessions
4.5 Payments and Email
- Stripe: Payment processing, subscription management, and billing (PCI-compliant; card data never touches our servers)
- Resend: Transactional email delivery (workspace invitations, notifications)
4.6 Cloud Infrastructure Integrations
- AWS (Amazon Web Services): Cross-account IAM role assumption for accessing customer cloud resources (logs, monitoring)
- GCP (Google Cloud Platform): OAuth-based read-only access to customer cloud projects and logs
We only share data necessary for service functionality and choose providers with strong privacy and security commitments.
5. Data Sharing and Disclosure
5.1 We Do Not Sell Your Data
We never sell, rent, or trade your personal information to third parties for their marketing purposes.
5.2 We Do Not Train AI Models on Your Data
Your prompts, code, and codebase content are never used to train AI models. We do not use your content to train, fine-tune, or improve any AI models—ours or third-party providers'. Data is processed solely to deliver the Service.
5.3 Cross-Platform Data Flow
When you trigger a task or analysis (from the Twill UI, public scorecard, Slack, Linear, Notion, Sentry, or the API), your data may flow across multiple services in the course of fulfilling that request. For example, a task triggered from Slack may involve reading your GitHub repository, sending code to an AI provider for analysis, executing code in a sandbox, creating a pull request on GitHub, and posting a summary back to Slack. A scorecard request may involve cloning a repository into an OpenAI-hosted container, analyzing that repository, and returning a scored report. By using these features and integrations, you consent to this cross-platform data flow.
5.4 Limited Sharing
We may share your information only in these circumstances:
- With your consent for specific purposes
- Service providers who help operate Twill (under strict data processing agreements)
- Legal requirements if required by law, court order, or to protect our rights
- Business transfers in case of merger, acquisition, or sale (with notice to affected users)
5.5 Workspace Data
Information you share within workspaces—including tasks, specifications, agent results, and integration data—is accessible to all workspace members based on their role. Workspace Owners and Admins can invite new members, configure integrations, and manage API keys. You are responsible for managing workspace membership appropriately.
6. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted via HTTPS/TLS
- Encryption at rest: Environment secrets, BYOK API keys, and OAuth integration tokens are encrypted at rest using industry-standard authenticated encryption
- API key security: API keys are cryptographically hashed before storage; the full key is displayed only once at creation and is never retrievable afterward
- Webhook verification: Cryptographic signature verification for incoming webhooks from GitHub, Slack, Stripe, and Sentry
- Rate limiting: API endpoints are rate-limited to prevent abuse
- Access controls: Role-based workspace permissions (Owner, Admin, Member) enforced at the application and database levels
- OAuth state protection: CSRF protection via time-limited, single-use state tokens for all OAuth flows
No internet transmission or electronic storage method is 100% secure. We cannot guarantee absolute security but continuously work to improve our protections.
6.1 Sandbox Environment Security
When Twill's main AI agents execute code on your behalf, they operate in isolated sandbox environments provided by third-party providers such as Modal and Daytona. Separately, the scorecard feature may run repository analysis inside OpenAI-hosted containers. We implement:
- Isolation: Resource-limited containers (CPU, memory, disk quotas) per task
- Scoped GitHub workflow: Twill is designed to make changes on separate branches and open pull requests for your review. Whether changes can be pushed directly to a branch depends on your repository settings and protections. We recommend protecting your default branch, such as , in GitHub.
- Ephemeral environments: Sandbox environments are created per task and destroyed after execution; they are not persistent
Despite these measures, sandbox and hosted-container environments may process sensitive information including repository code, shell commands, shell outputs, environment variables, and secrets you configure. You should not store highly sensitive production credentials in Twill sandboxes or submit them to scorecard or other repository analyses unless necessary for the requested task.
7. Data Retention
We retain your data for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements.
7.1 Account Data
Retained while your account is active and for up to 2 years after account deletion (unless longer retention is required by law).
7.2 Agent Execution Data
Task data, agent logs, and execution results are retained while your workspace is active.
7.3 Usage Analytics
Analytics data may be retained for a limited period in identifiable form and for longer in aggregated or de-identified form for service improvement, analytics, and operational purposes.
7.4 Integration Tokens
OAuth tokens for connected integrations are retained until the integration is disconnected or the workspace is deleted.
8. International Data Transfers
Your data is primarily processed in the United States. If you are accessing Twill from outside the United States, your data may be transferred to and processed in the United States and other countries where our service providers operate. By using the Service, you consent to these transfers.
9. Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal data:
9.1 General Rights
- Request access to your personal data
- Request correction of inaccurate data
- Request deletion of your personal data
- Object to or restrict certain processing
- Unsubscribe from marketing communications
9.2 California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
9.3 How to Exercise Your Rights
To exercise any of these rights, contact us at dan@twill.ai. We will respond within the timeframe required by applicable law.
10. Cookies and Local Storage
10.1 Essential Cookies
We use necessary cookies for:
- Authentication and session management
- Security and CSRF prevention
- Basic site functionality
10.2 Analytics Cookies
We use analytics cookies and similar technologies, including PostHog, to understand how the Service is used, measure performance, and improve the user experience.
10.3 Local Storage
We use browser local storage to remember your preferences, such as your last-accessed workspace and in-progress form drafts. This data remains on your device and is not transmitted to our servers.
10.4 Cookie Management
You can control cookies through your browser settings, though disabling essential cookies may affect functionality.
11. Children's Privacy
Twill is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe we've collected information from a child, please contact us immediately at dan@twill.ai and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy periodically. We'll notify you of material changes by:
- Email notification
- Prominent notice in our Service
- Updating the "Effective Date" above
Your continued use after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
For any privacy-related questions or concerns, please contact us at:
Anybase Inc.
1411 Broadway, 16th Floor
New York, NY 10018
Email: dan@twill.ai
Last updated: March 5, 2026