Privacy

Twentu Services Limited

Effective Date: 13th February 2026

1. Introduction

Twentu Services Limited ("Twentu", "we", "us", "our") is committed to protecting and respecting your privacy.

This Privacy Policy explains how we collect, use, store and protect personal data when you:

  • Visit our website
  • Create or use a Twentu account
  • Use our SaaS platform
  • Contact us
  • Receive communications from us

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who We Are

Company Name: Twentu Services Limited

Data Protection Officer (DPO): David Green

DPO Email: david.green@twentu.com

Privacy Contact Email: privacy@twentu.com

Twentu Services Limited is:

  • A Data Controller in respect of our own operational data (billing, marketing, website use, support).
  • A Data Processor in respect of personal data uploaded by our business customers into the Twentu platform.

3. About Our Services

Twentu provides B2B software services that enable organisations to:

  • Reduce paper-based processes
  • Produce staff rotas
  • Sell tickets to events
  • Manage membership databases

Our platform allows customers to upload, store and manage their own data.

We do not access, read, analyse, or use customer-uploaded data, except where necessary to provide technical support or comply with legal obligations.

4. Personal Data We Collect

4.1 Website Visitors

We may collect:

  • Name
  • Email address
  • Telephone number
  • IP address
  • Device/browser information
  • Cookie and analytics data
  • Marketing preferences

4.2 Account Holders & Business Customers

We collect and store:

  • Name
  • Email address
  • Billing address
  • Payment details (processed via secure third-party providers)
  • Account login details
  • Usage data
  • Uploaded content and database records
  • Support communications

4.3 Customer Data (We Act as Data Processor)

Our customers may upload personal data relating to:

  • Their employees
  • Event attendees
  • Members
  • Ticket purchasers
  • Other third parties

In these cases:

  • The customer is the Data Controller
  • Twentu acts as the Data Processor
  • We process this data only in accordance with our customer’s instructions

We do not use this data for marketing or our own commercial purposes.

5. Lawful Bases for Processing

Under UK GDPR, we rely on:

Contractual Necessity

To provide our SaaS services and manage accounts.

Legitimate Interests

To operate, secure and improve our services.

Legal Obligation

To comply with tax, accounting and regulatory requirements.

Consent

Where required for marketing communications or non-essential cookies.

6. How We Use Personal Data

We use personal data to:

  • Provide and maintain our platform
  • Process payments and billing
  • Provide customer support
  • Send service-related communications
  • Improve system performance and security
  • Comply with legal requirements
  • Send marketing communications (where permitted)

7. Payments

Payment details are processed securely via third-party payment providers.

Twentu Services Limited does not store full credit or debit card details on its own systems.

8. Data Sharing

We may share personal data with:

  • Hosting and infrastructure providers
  • Payment processors
  • IT and support service providers
  • Professional advisers (legal, accounting)
  • Law enforcement or regulators (where required)

All third parties are contractually required to process personal data securely and in accordance with data protection laws.

We do not sell personal data.

9. International Transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreement (IDTA)
  • Standard Contractual Clauses (SCCs)
  • Adequacy regulations

10. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Secure hosting environments
  • Encrypted data transmission (HTTPS)
  • Access controls
  • Role-based permissions
  • Regular system monitoring

While we take strong security measures, no system can be completely secure.

11. Data Retention

We retain personal data:

  • For as long as necessary to provide services
  • For the duration of contractual agreements
  • As required by accounting or legal obligations

Customer account data may be retained for a limited period following cancellation to allow recovery or legal compliance.

12. Your Data Protection Rights

Under UK GDPR, individuals have the right to:

  • Access their personal data
  • Request correction of inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict processing
  • Object to processing
  • Request data portability
  • Withdraw consent at any time (where applicable)

Requests should be sent to:

privacy@twentu.com

We may require identity verification before fulfilling requests.

13. Complaints

If you are unhappy with how we handle personal data, you may contact us first.

You also have the right to complain to:

Information Commissioner’s Office (ICO)

Website: https://ico.org.uk

14. Cookies

We use cookies and similar technologies to:

  • Ensure website functionality
  • Improve performance
  • Analyse usage
  • Store user preferences

Users can manage cookie preferences via browser settings.

Where required, we obtain consent before placing non-essential cookies.

15. Changes to This Policy

We may update this Privacy Policy from time to time.

The latest version will always be available on our website, with the effective date clearly displayed.

Privacy Policy

Twentu Services Limited

Effective date: [Insert Date]

1. Introduction

Twentu Services Limited ("Twentu", "we", "us", "our") is committed to protecting personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains how we collect, use, store and protect personal data when you:

  • Visit our website
  • Use our SaaS platform
  • Create an account
  • Upload data to our systems
  • Contact us
  • Receive communications from us

2. Who We Are

Company Name: Twentu Services Limited

Data Protection Officer: David Green

DPO Email: david.green@twentu.com

Privacy Contact Email: privacy@twentu.com

Twentu Services Limited acts as:

  • A Data Controller for our own business operations (billing, website use, marketing, support).
  • A Data Processor when processing data uploaded by our business customers into the Twentu platform.

3. About Our Services

Twentu provides B2B software designed to help organisations:

  • Reduce paper-based processes
  • Produce staff rotas
  • Sell tickets to events
  • Manage membership databases

Customers may upload and store personal data within the platform.

Twentu does not access, analyse, sell, or use customer data for its own purposes, except:

  • To provide technical support
  • To maintain system functionality
  • To comply with legal obligations

Customers remain responsible for ensuring they have a lawful basis to collect and use personal data within the platform.

4. Personal Data We Collect

4.1 Website Visitors

We may collect:

  • Name
  • Email address
  • Telephone number
  • IP address
  • Device and browser information
  • Cookie and analytics data
  • Marketing preferences

4.2 Account Holders & Business Users

We collect:

  • Name
  • Email address
  • Billing address
  • Account login credentials
  • Payment information (via third-party processors)
  • Usage data
  • Uploaded files and database records
  • Support communications

4.3 Customer-Uploaded Data (Processor Role)

Our customers may upload personal data relating to:

  • Employees
  • Event attendees
  • Members
  • Ticket purchasers
  • Other individuals

In these cases:

  • The customer is the Data Controller
  • Twentu is the Data Processor
  • We process data only on documented customer instructions

5. Lawful Bases for Processing (Controller Data)

We rely on the following lawful bases:

Contract

To provide services and manage accounts.

Legitimate Interests

To operate, improve, secure, and develop our services.

Legal Obligation

To comply with accounting, tax, and regulatory requirements.

Consent

For marketing communications and non-essential cookies where required.

6. How We Use Personal Data

We use personal data to:

  • Provide and maintain our SaaS services
  • Manage billing and payments
  • Provide customer support
  • Communicate important service updates
  • Improve performance and security
  • Prevent fraud or misuse
  • Send marketing communications (where permitted)

We do not sell personal data.

7. Payments

Payments are processed securely by third-party payment providers.

Twentu Services Limited does not store full credit or debit card details on its own servers.

8. Sub-Processors

To operate our services, we may use trusted third-party providers including:

  • Cloud hosting providers
  • Payment processors
  • Email delivery services
  • Analytics providers
  • IT support providers

All sub-processors are subject to written contracts requiring compliance with data protection laws and appropriate security measures.

Customers may request information about current sub-processors by contacting privacy@twentu.com.

9. International Data Transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreement (IDTA)
  • Standard Contractual Clauses
  • Transfers to countries with UK adequacy decisions

10. Data Security

We implement appropriate technical and organisational security measures including:

  • Secure cloud infrastructure
  • Encrypted data transmission (HTTPS/TLS)
  • Access controls and role-based permissions
  • Strong authentication measures
  • Regular system monitoring and updates

Access to customer data is limited to authorised personnel only where necessary.

11. Data Retention

We retain personal data only for as long as necessary:

  • Account data is retained for the duration of the contract.
  • Following account closure, data may be retained for a limited period for backup, recovery, legal compliance or dispute resolution.
  • Financial records are retained in accordance with UK tax law (typically 6 years).
  • Enquiries may be retained for up to 24 months unless further engagement occurs.

Customer-uploaded data is retained in accordance with contractual agreements.

12. Data Subject Rights

Individuals have the right to:

  • Access their personal data
  • Rectify inaccurate data
  • Request erasure
  • Restrict processing
  • Object to processing
  • Request data portability
  • Withdraw consent (where applicable)

Requests should be submitted to:

privacy@twentu.com

Where we act as a Data Processor, we will forward requests to the relevant customer (the Data Controller).

13. Data Breaches

In the event of a personal data breach:

  • We will investigate promptly
  • Where required, we will notify affected customers without undue delay
  • We will assist customers in meeting their regulatory obligations

14. Complaints

If you have concerns about how we handle personal data, please contact us first.

You also have the right to lodge a complaint with:

Information Commissioner’s Office (ICO)

Website: https://ico.org.uk

15. Children’s Data

Our services are designed for businesses and are not intended for direct use by children under 18.

16. Cookies

We use cookies to:

  • Enable website functionality
  • Analyse traffic and usage
  • Improve performance
  • Store user preferences

Where required, we obtain consent before placing non-essential cookies. Users can manage cookies through browser settings.

17. Changes to This Policy

We may update this Privacy Policy from time to time.

The latest version will always be available on our website with the effective date shown at the top.

DATA PROCESSING ADDENDUM (DPA)

Twentu Services Limited

This Data Processing Addendum (“DPA”) forms part of the agreement between:

Twentu Services Limited ("Processor")

and

The Customer ("Controller")

and applies where Twentu processes Personal Data on behalf of the Customer.


1. Definitions

For the purposes of this DPA:

  • Controller, Processor, Personal Data, Processing, Data Subject, and Personal Data Breach have the meanings given in the UK GDPR.
  • Data Protection Laws means the UK GDPR, the Data Protection Act 2018, and any other applicable UK data protection legislation.
  • Services means the SaaS platform and related services provided by Twentu.


2. Scope and Roles

2.1 The parties acknowledge that:

  • The Customer is the Data Controller.
  • Twentu Services Limited is the Data Processor.

2.2 This DPA applies to all Personal Data processed by Twentu on behalf of the Customer in connection with the Services.


3. Nature and Purpose of Processing

Nature of Processing

Hosting, storing, organising, structuring, retrieving, and transmitting Personal Data within the Twentu platform.

Purpose of Processing

To enable the Customer to:

  • Manage rotas
  • Sell event tickets
  • Manage membership databases
  • Reduce paper-based processes
  • Administer their own business operations

Duration of Processing

For the duration of the Services agreement and any agreed post-termination retention period.


4. Categories of Data Subjects

Depending on Customer use, this may include:

  • Employees
  • Contractors
  • Volunteers
  • Members
  • Event attendees
  • Ticket purchasers
  • Website users
  • Other individuals whose data is uploaded by the Customer


5. Categories of Personal Data

The Customer may upload and process:

  • Names
  • Contact details (email, phone, address)
  • Employment details
  • Membership information
  • Event booking details
  • Attendance records
  • Payment references
  • Uploaded documents
  • Any other data entered by the Customer

The Customer is responsible for ensuring it has a lawful basis for processing such data.


6. Processor Obligations

Twentu shall:

6.1 Process Personal Data only on documented instructions from the Customer.

6.2 Not use Personal Data for its own commercial purposes.

6.3 Ensure that persons authorised to process Personal Data are subject to confidentiality obligations.

6.4 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

6.5 Assist the Customer, where reasonably requested, in responding to:

  • Data subject rights requests
  • Regulatory enquiries
  • Data protection impact assessments (where applicable)

6.6 Notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer data.


7. Security Measures

Twentu maintains appropriate security measures, including:

  • Secure cloud hosting
  • Encrypted transmission (HTTPS/TLS)
  • Role-based access controls
  • Password protection and authentication controls
  • System monitoring and updates

Security measures may evolve over time provided they maintain an appropriate level of protection.


8. Sub-Processors

8.1 The Customer authorises Twentu to use sub-processors to provide the Services.

8.2 Twentu shall ensure sub-processors:

  • Are subject to written contracts
  • Provide appropriate data protection safeguards

8.3 A current list of sub-processors is available upon request.


9. International Transfers

Where Personal Data is transferred outside the UK, Twentu shall ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreement (IDTA), or
  • Standard Contractual Clauses, or
  • Transfers to countries recognised as adequate by the UK Government.


10. Data Subject Rights

If Twentu receives a request directly from a Data Subject relating to Customer data, Twentu shall:

  • Notify the Customer promptly
  • Not respond directly unless authorised

The Customer remains responsible for responding to such requests.


11. Data Breach Notification

In the event of a Personal Data Breach affecting Customer data, Twentu shall:

  • Notify the Customer without undue delay
  • Provide reasonable information to assist the Customer
  • Take appropriate remedial action

The Customer remains responsible for regulatory notifications unless otherwise agreed.


12. Audit and Information Rights

12.1 Twentu shall make available information reasonably necessary to demonstrate compliance with this DPA.

12.2 Audits shall:

  • Be conducted on reasonable notice
  • Occur no more than once per year (unless required by law)
  • Not unreasonably interfere with Twentu’s operations
  • Be at the Customer’s cost


13. Return or Deletion of Data

Upon termination of the Services:

  • The Customer may request export of its data within a reasonable period.
  • After this period, Twentu may securely delete Customer data unless legally required to retain it.

Backup copies may persist for a limited period in accordance with normal system backup cycles.


14. Liability

Liability under this DPA shall be subject to the limitations of liability set out in the main Services Agreement.


15. Governing Law

This DPA is governed by the laws of England and Wales.