
Privacy Policy

Last updated: April 8, 2026
Effective: April 8, 2026

1. Data Controller

1.1 The data controller for the processing of personal data described in this Privacy Policy is:

VynFi.com LLC (i.G.)

Uster, 8610, Switzerland

Managing Director: Franz Weber

DPO: dpo@assuretwin.com

Privacy: privacy@assuretwin.com

1.2 VynFi.com LLC (i.G.) operates the AssureTwin platform and determines the purposes and means of processing personal data in connection with the Service.

1.3 Data Protection Officer. For all data protection inquiries, requests to exercise your rights, or complaints, please contact our Data Protection Officer at dpo@assuretwin.com, or our general privacy address at privacy@assuretwin.com.

1.4 EU Representative. Pursuant to Article 27 of the General Data Protection Regulation (GDPR), the appointment of an EU representative is in process. Details will be published on this page once the appointment is confirmed.

2. Scope of This Policy

2.1 This Privacy Policy applies to all personal data processed in connection with the AssureTwin platform, including the web application at assuretwin.com, the Sandbox feature, and API access.

2.2 The AssureTwin Desktop Application (Tauri) operates locally on your device. Data processed exclusively within the Desktop App does not leave your infrastructure and is not subject to this Policy, except where you choose to enable optional cloud features (e.g., synchronization, collaboration).

2.3 This Policy complies with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Swiss Federal Act on Data Protection (nDSG, in force since September 1, 2023).

4. Data We Collect

4.1 Account Data. When you create an account via Microsoft Entra ID, we receive and store: your display name, email address, Entra ID object identifier, and tenant identifier. We do not receive or store your password — authentication is handled entirely by Microsoft Entra ID.

4.2 Usage Data. We collect data about how you interact with the Service, including: pages viewed, features used, simulation configurations selected, engagement creation and execution events, and navigation patterns. This data is used to improve the Service and is not shared with third parties for advertising purposes.

4.3 Technical Data. We automatically collect: IP address, browser type and version, operating system, device type, screen resolution, referral URLs, and timestamps. This data is used for security monitoring, abuse prevention, and infrastructure optimization.

4.4 Simulation Data. Engagement configurations, parameters, blueprint selections, and simulation results. All simulation data is synthetic — generated algorithmically by the DataSynth engine based on your configurations. Simulation data does not contain, derive from, or represent real financial information.

4.5 Payment Data. If you subscribe to a paid tier, payment processing is handled by Stripe, Inc. We receive and store a billing email address, subscription status, and payment method metadata (card brand, last four digits, expiration date). We do not receive or store full card numbers, CVVs, or bank account details.

4.6 Communication Data. If you contact us via email or support channels, we store the content of your communications and any associated metadata for the purpose of responding to your inquiry.

5. Data We Do Not Collect

AssureTwin is designed from the ground up to operate without real client data. The following categories of data are never collected, stored, or processed by the cloud-hosted Service:

  • Real financial data, including actual journal entries, trial balances, financial statements, or ledger records
  • Client data from your audit engagements or your clients' organizations
  • Passwords — authentication is managed entirely by Microsoft Entra ID
  • Special categories of personal data (Art. 9 GDPR) — we do not process health data, biometric data, political opinions, religious beliefs, or similar sensitive categories
  • Payment card details beyond what is necessary for Stripe to process transactions — we do not store full card numbers

6. Purposes of Processing

6.1 We process personal data for the following purposes:

  • Service delivery: Operating the platform, executing simulations, generating synthetic data, and providing formal verification results
  • Account management: User authentication, access control, tier enforcement, and session management
  • Billing: Processing payments, issuing invoices, and maintaining financial records as required by law
  • Security: Detecting and preventing unauthorized access, fraud, abuse, and threats to the Service
  • Improvement: Analyzing usage patterns to improve functionality, performance, and user experience
  • Communication: Responding to support requests and sending service-related notifications (not marketing)
  • Legal compliance: Fulfilling legal obligations, including tax record retention and responding to lawful requests from authorities

7. Data Retention

7.1 We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Data Category: Retention Period

  • Account data: Duration of account + 30 days
  • Simulation data (Sandbox): 24 hours
  • Simulation data (Starter): 30 days
  • Simulation data (Student): 90 days
  • Simulation data (Professional/Firm): Duration of subscription (unlimited)
  • Technical logs: 90 days
  • Billing records: 7 years (Swiss tax law requirement)
  • Communication data: 2 years after resolution

7.2 Upon account deletion, we will remove your personal data within 30 days, except where retention is required by applicable law (e.g., billing records) or where the data has been anonymized and aggregated for statistical purposes.

8. Third-Party Sharing and Subprocessors

8.1 We do not sell, rent, or trade your personal data. We share personal data only with subprocessors who process data on our behalf and under our instructions, subject to appropriate data processing agreements.

8.2 A complete, current list of our subprocessors, including their purposes and locations, is maintained on our Subprocessor List page.

8.3 We may also disclose personal data where required by law, court order, or governmental regulation, or where necessary to protect the rights, property, or safety of VynFi, its users, or the public.

8.4 In the event of a merger, acquisition, or sale of substantially all of our assets, your personal data may be transferred to the successor entity, subject to the same privacy protections described in this Policy.

9. International Data Transfers

9.1 Our primary infrastructure is hosted on Microsoft Azure in the Switzerland North region (Zurich). Data replication occurs within the EU to the West Europe region (Netherlands) for disaster recovery.

9.2 Some of our subprocessors are located in the United States. For transfers of personal data outside the EEA and Switzerland to countries without an adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented with additional technical and organizational measures as appropriate
  • EU-U.S. Data Privacy Framework (DPF) where the subprocessor is a certified participant

9.3 For Swiss data transfers, we rely on the Swiss-U.S. Data Privacy Framework and the transfer mechanisms recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC).

9.4 You may request a copy of the applicable transfer mechanisms by contacting privacy@assuretwin.com.

10. Your Rights

10.1 Under the GDPR (Articles 15-22) and the Swiss nDSG, you have the following rights with respect to your personal data:

Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data and receive a copy.

Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate personal data or completion of incomplete personal data.

Right to Erasure (Art. 17 GDPR)

You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (where applicable).

Right to Restriction (Art. 18 GDPR)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right Regarding Automated Decisions (Art. 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. AssureTwin does not make automated decisions with such effects.

10.2 To exercise any of these rights, contact privacy@assuretwin.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

10.3 Exercising your rights is free of charge. In cases of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act, in accordance with Article 12(5) GDPR.

11. Security Measures

11.1 We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Authentication via Microsoft Entra ID with support for multi-factor authentication (MFA)
  • Role-based access controls (RBAC) within the platform
  • Infrastructure hosted on Microsoft Azure, which maintains SOC 2 Type II, ISO 27001, and other certifications
  • Regular security monitoring and automated threat detection
  • Secrets management via Azure Key Vault with hardware security modules (HSM)
  • Principle of least privilege for internal access to production systems

11.2 No method of electronic storage or transmission is 100% secure. While we strive to use commercially reasonable means to protect your data, we cannot guarantee absolute security. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with Articles 33-34 GDPR.

12. AI Processing

12.1 AssureTwin uses the Anthropic Claude API for certain AI-assisted features, including workpaper generation, anomaly explanation, and natural language queries over simulation data.

12.2 Data sent to the Anthropic API consists exclusively of synthetic simulation data (engagement configurations, generated financial data, and formal verification results). No personal data is included in API requests unless it forms part of your natural language query (e.g., your name in a prompt).

12.3 Anthropic processes data under our instructions as a subprocessor, subject to a data processing agreement. Anthropic's data handling practices are detailed in our Subprocessor List.

12.4 AI-generated outputs are not used for automated decision-making within the meaning of Article 22 GDPR. All AI outputs are presented as suggestions for human review and judgment.

13. Children

13.1 The Service is a professional tool designed for use by audit professionals, academics, and business organizations. It is not directed at children under the age of 16.

13.2 We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe we have inadvertently collected such data, please contact privacy@assuretwin.com.

14. Complaints

14.1 If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority:

Switzerland

Federal Data Protection and Information Commissioner (FDPIC)
www.edoeb.admin.ch

European Union

You may lodge a complaint with the data protection authority in the EU/EEA member state of your habitual residence, your place of work, or the place of the alleged infringement.

14.2 Before filing a complaint with a supervisory authority, we encourage you to contact us at privacy@assuretwin.com so that we may attempt to resolve your concern directly.

15. Changes to This Policy

15.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be communicated with at least 30 days' advance notice via email or a prominent notice within the Service.

15.2 The "Last updated" date at the top of this page indicates when the Policy was most recently revised. We encourage you to review this Policy periodically.

16. Contact

For privacy-related questions, data subject requests, or to exercise any of your rights, please contact:

Data Protection Contact

VynFi.com LLC (i.G.)

Uster, 8610, Switzerland

Email: privacy@assuretwin.com

Response timeframe: 30 calendar days