Privacy Policy
Last updated: March 27, 2026
1. Introduction
This Privacy Policy explains how Sankofa Digital OU ("we", "us", "our") collects, uses, stores, and protects your personal data when you use MyTwinVoice ("the Service").
MyTwinVoice is an AI twin creation platform that allows you to upload photos, documents, voice recordings, and other personal content to build and interact with a personalised AI agent that reflects your knowledge, personality, and voice.
We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Estonian Personal Data Protection Act, and all other applicable data protection legislation.
2. Data Controller
The data controller responsible for your personal data is:
Company: Sankofa Digital OU
Registration number: 14998798
VAT number: EE102269422
Address: Harju maakond, Tallinn, Kesklinna linnaosa, Juhkentali tn 8, 10132, Estonia
Board member: Dennis Daniel Abdulateef Duroshola
Email: info@sankofa-digital.ai
3. What Data We Collect
We collect the following categories of personal data:
3.1 Account Data
Name, email address, profile picture, password (hashed), authentication tokens, and account preferences you provide when registering and using the Service.
3.2 Voice Recordings (Biometric Data)
Audio recordings of your voice that you upload to create your AI twin. Voice data is classified as biometric data under Article 9 of the GDPR and is subject to enhanced protections. We only process voice recordings with your explicit consent.
3.3 Photos and Images
Photographs and images you upload to personalise your AI twin, including profile photos and any visual content you provide for training.
3.4 Documents and Text Content
Documents, text files, notes, and other written content you upload to train your AI twin with your knowledge and writing style.
3.5 Chat Conversations
Messages and interactions between you and your AI twin, as well as conversations between third parties and your AI twin (where you have enabled sharing).
3.6 Usage Data
Technical information about how you use the Service, including IP address, browser type, device information, operating system, pages visited, features used, timestamps, and referring URLs.
3.7 Payment Data
Subscription plan selection, payment history, and billing information. Note that full payment card details are processed directly by Stripe and are never stored on our servers.
4. Why We Collect Your Data
We process your personal data for the following purposes:
- Provide the Service: To create, train, and operate your AI twin based on the content you upload.
- Improve AI responses: To enhance the quality and accuracy of your AI twin's interactions through the data you provide.
- Account management: To create and manage your user account, authenticate your identity, and provide customer support.
- Billing: To process payments, manage subscriptions, and maintain billing records as required by law.
- Legal compliance: To comply with our legal obligations under EU and Estonian law, including tax and accounting requirements.
- Service improvement: To analyse usage patterns and improve the functionality, performance, and security of the Service.
- Communication: To send you important service updates, security notifications, and (with your consent) product news.
5. Legal Basis for Processing
We process your personal data based on the following legal grounds under the GDPR:
5.1 Consent (Article 6(1)(a))
We rely on your explicit consent for processing voice recordings and other biometric data to create your AI twin. You may withdraw your consent at any time, which will not affect the lawfulness of processing carried out before withdrawal.
5.2 Performance of a Contract (Article 6(1)(b))
Processing your account data, uploaded content (excluding biometric data), and chat conversations is necessary for the performance of our contract with you — namely, to provide the MyTwinVoice service as described in our Terms of Service.
5.3 Legitimate Interest (Article 6(1)(f))
We process usage data and analytics based on our legitimate interest in understanding how the Service is used, improving its performance, and ensuring its security. We have conducted a balancing test and determined that these interests do not override your rights and freedoms.
5.4 Legal Obligation (Article 6(1)(c))
We process billing records and certain account data to comply with tax, accounting, and other legal obligations under Estonian and EU law.
6. Special Categories of Data (Article 9)
Voice recordings used to create your AI twin constitute biometric data under Article 9 of the GDPR, as they are processed for the purpose of uniquely identifying a natural person's voice characteristics and replicating them in an AI model.
Processing of biometric data is generally prohibited under Article 9(1) unless an exception applies. We rely on Article 9(2)(a), explicit consent, as the legal basis for processing your voice recordings.
Before we process any voice recordings, we will ask for your explicit, informed, and freely given consent through a clear consent mechanism in the application. You may withdraw this consent at any time via your account settings or by contacting us. Upon withdrawal, we will cease processing your voice data and delete the associated voice model within 30 days.
7. How We Use AI
MyTwinVoice uses artificial intelligence to create a personal AI twin based on the data you upload. Here is how your data is processed:
- AI twin creation: The content you upload (documents, voice recordings, photos, and text) is processed to create vector embeddings — mathematical representations of your data that enable your AI twin to respond in a manner consistent with your knowledge and personality.
- AI model providers: We use Google (Gemini) and Anthropic (Claude) as our AI model providers to generate responses for your AI twin. When your twin is queried, relevant context from your data is sent to these providers to generate a response. These providers process data as sub-processors under our data processing agreements.
- Embedding storage: Vector embeddings of your content are stored in Supabase (hosted in EU Frankfurt) and are used to retrieve relevant context for AI responses.
- No model training by third parties: Your data is used solely for real-time inference (generating responses). We have contractual agreements with our AI providers that prohibit them from using your data to train their general-purpose models.
8. Data Sharing and Sub-processors
We do not sell, rent, or trade your personal data to any third party. We share data only with the following sub-processors, strictly for the purpose of providing the Service:
| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication, file storage, vector embeddings | EU (Frankfurt, Germany) |
| Vercel | Application hosting and edge functions | EU |
| Google Cloud (Gemini) | AI model inference for twin responses | EU/US (with SCCs) |
| Anthropic (Claude) | AI model inference for twin responses | US (with SCCs) |
| Stripe | Payment processing | EU/US (with SCCs) |
| Resend | Transactional email delivery | US (with SCCs) |
Each sub-processor is bound by a data processing agreement (DPA) that ensures they process your data only on our instructions and in compliance with GDPR requirements.
9. International Data Transfers
Your data is primarily stored and processed within the European Union (Frankfurt, Germany). However, some of our sub-processors operate in the United States.
Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place as required by Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses with all sub-processors that process data outside the EU/EEA.
- Supplementary measures: Where necessary, we implement additional technical and organisational measures (such as encryption) to ensure your data receives an equivalent level of protection.
You may request a copy of the relevant safeguards by contacting us at info@sankofa-digital.ai.
10. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy:
| Data type | Retention period |
|---|---|
| Account data | Until account deletion + 30 days |
| Voice recordings and biometric data | Until you delete them or close your account |
| Uploaded documents and content | Until you delete them or close your account |
| Chat conversations | Until you delete them or close your account |
| Billing and payment records | 7 years (Estonian tax law requirement) |
| Server and access logs | 90 days |
When you delete your account, we will delete or anonymise all your personal data within 30 days, except where retention is required by law (e.g., billing records).
11. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed, and to request a copy of that data.
- Right to rectification (Article 16): You have the right to request correction of inaccurate personal data and completion of incomplete data.
- Right to erasure (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent.
- Right to restriction (Article 18): You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Article 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
12. How to Exercise Your Rights
You can exercise your rights in the following ways:
- In-app settings: Access your data, download your content, delete individual items, or delete your entire account via your account settings.
- Email: Send a request to info@sankofa-digital.ai. We will verify your identity and respond within 30 days as required by the GDPR.
We will respond to all legitimate requests within one month. In complex cases, we may extend this by a further two months, in which case we will inform you within the first month.
Exercising your rights is free of charge. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to comply with such requests.
13. Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption at rest: All stored data is encrypted using AES-256 encryption.
- Encryption in transit: All data transmitted between your device and our servers is protected using TLS 1.3.
- Row Level Security (RLS): Database-level access controls ensure that users can only access their own data through Supabase RLS policies.
- Authentication: Secure authentication with hashed passwords and multi-factor authentication support.
- Access controls: Internal access to user data is restricted to authorised personnel only, on a need-to-know basis.
- Regular security reviews: We conduct periodic reviews of our security measures and update them as necessary.
While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. If you become aware of any security breach, please contact us immediately at info@sankofa-digital.ai.
14. Children
MyTwinVoice is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data as soon as possible.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@sankofa-digital.ai.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make material changes, we will notify you by email (using the email address associated with your account) and/or by placing a prominent notice within the Service at least 30 days before the changes take effect.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.
17. Contact and Data Protection Officer
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Sankofa Digital OU
Harju maakond, Tallinn, Kesklinna linnaosa, Juhkentali tn 8, 10132, Estonia
Email: info@sankofa-digital.ai
For data protection matters, please direct your enquiries to info@sankofa-digital.ai with the subject line "Data Protection Enquiry".