Privacy Policy

Last updated: 14 April 2026

This Privacy Policy explains how Twigged (“we”, “us”) collects and uses personal data when you use our web application at twigged.app (the “Service”). Twigged is operated from the United Kingdom and this policy is written to comply with the UK GDPR and the Data Protection Act 2018.

1. Who we are

Twigged is a garden design platform for professional garden designers. If you have questions about this policy or want to exercise any of your rights, contact us at privacy@twigged.app.

2. What we collect

When you create an account and use the Service we process:

  • Account data — your email address, a hashed password, and any display or company name you choose to add in Settings.
  • Design data — the garden projects you create, including project names, client names you enter, dimensions, canvas drawings, plant selections, notes, comments, and any photos you upload to the Visualiser.
  • Usage data — which features you use and how often, recorded only for quota enforcement and abuse prevention (for example the AI routes count successful requests to enforce tier limits).
  • Technical data — the IP address of your requests is read from HTTP headers for rate limiting; we do not store it.

3. Why we use it and our lawful basis

  • Contract — we process account and design data because it is necessary to deliver the Service you have signed up for (UK GDPR Art. 6(1)(b)).
  • Legitimate interests — we process technical and usage data to keep the Service secure, prevent abuse, and enforce subscription tiers (Art. 6(1)(f)). You can object at any time.
  • Legal obligation — we retain minimal records where required for tax, accounting, or regulatory compliance (Art. 6(1)(c)).

4. Client data you upload

If you are a professional designer using Twigged to plan gardens for your clients, you may enter client names, addresses, photos, or other personal data belonging to your clients. With respect to that data:

  • You are the data controller. Your clients are your clients. You are responsible for having a lawful basis for collecting their data and for informing them how you will use it.
  • Twigged is your data processor. We process client data only on your documented instructions — to store it, show it back to you, and send it to the AI providers listed below strictly for the purpose of fulfilling your design requests.
  • A Data Processing Addendum reflecting this allocation of roles applies automatically to all paid accounts and is incorporated by reference into our Terms of Service.

5. How we improve the AI (your design activity as a learning signal)

The AI that generates plant palettes, recommends alternatives, and critiques designs improves over time by learning from how designers actually use it. Specifically, we record:

  • Palette generations — every AI palette is stored with the brief text you provided, the resulting plant list, the validator scores, and any thumbs feedback you leave.
  • Design edits — when you swap, lock, remove, or adjust quantities of plants in the studio, those edits are logged with the species involved (no free text). This tells the AI which of its choices real designers reject and which they keep.
  • Planner activity — the shapes you draw, the beds you drag onto the canvas, plant picks, moves, and palette generations in the planner are recorded the same way. This lets us eventually score plans and feed that signal back into future AI design features.
  • Questions and clarifications — when you use the “ask about this palette” feature or answer a clarifying question during brief setup, we log that an interaction happened and a length indicator. We do not store the question text itself, which may contain client details.
  • Visualise feedback — thumbs on generated images and the AI’s own vision-model score are kept alongside the image for learning.

How this data is used. A nightly background job reviews recent activity and extracts patterns — species that perform badly in certain conditions, briefs that the AI consistently misreads, edits designers make most often. Those patterns are injected into the prompt on future generations as guidance. This means your design work directly shapes how everyone’s palettes get better.

Lawful basis. We rely on legitimate interests (UK GDPR Art. 6(1)(f)) for AI improvement; our assessment is that the benefit to the Service and its users is proportionate and balanced against your interests. You can object at any time.

Opt-out. In Settings → Data & privacy you can turn off AI-learning capture for your account; the features continue to work, but your activity no longer contributes to the shared learning set. You can also export or delete your full event history from the same page.

Retention. Raw behavioural events are kept for two years before being purged or aggregated. Aggregate patterns (no individual identifiers) are retained indefinitely.

6. Who we share your data with (sub-processors)

We share the minimum personal data necessary with a small number of service providers who help us operate the Service. All sub-processors are bound by confidentiality and data-protection obligations at least as protective as this policy.

  • Supabase (EU / US) — database, authentication, and file storage.
  • Vercel (US) — application hosting and deployment.
  • OpenAI (US) — processes your AI prompts (design briefs, visualisation prompts) to generate suggestions and images. OpenAI does not use API content to train its models.
  • Anthropic (US) — processes certain AI prompts for design recommendations and validation. Anthropic does not use API content to train its models.
  • Perenual (US) — plant database provider, queried to return horticultural data. We do not send your personal data to Perenual.
  • SerpAPI (US) — used for plant price lookups. We send the plant name only; no personal data.
  • Upstash (EU / US, optional) — distributed rate limiting. Stores only a hashed IP-address counter, no content.
  • Google (US) — if you choose to sign in with Google, Google processes your sign-in.

International transfers to US-based sub-processors rely on the Standard Contractual Clauses approved by the UK Information Commissioner's Office, together with each provider's own data-processing addendum.

7. How long we keep your data

  • Account and design data — for as long as your account is active, plus up to 30 days after closure to handle backups and recovery requests, after which it is deleted.
  • Usage events — retained for the duration of the current billing cycle plus 12 months for fraud prevention and support.
  • Rate-limit records — purged within one hour.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Request deletion of your data — you can delete your account and all associated data yourself from the Settings page, or email us.
  • Object to, or restrict, processing based on legitimate interests.
  • Port your data to another provider.
  • Complain to the UK Information Commissioner's Office at ico.org.uk.

9. AI sub-processor training policy

We do not use your content to train AI models. Our AI providers (OpenAI and Anthropic) are configured on enterprise API tiers that exclude customer content from model training. Outputs from the Visualiser and AI Design features belong to you; you are responsible for ensuring any photos you upload to the Visualiser do not depict people or property you do not have the right to upload.

10. Security

We protect your data with industry-standard measures including encryption in transit and at rest, row-level access controls, rate limiting, password hashing, and regular dependency updates. No system is perfectly secure — if we become aware of a breach affecting your personal data we will notify you and the ICO within 72 hours where required by law.

11. Children

Twigged is intended for professional use and is not directed at children under 16. Please do not use the Service if you are under 16.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email to registered users at least 14 days before they take effect.

13. Contact

For any privacy question or to exercise your rights, email privacy@twigged.app.


This policy is a working draft. A UK solicitor should review it before Twigged takes its first paying customer.