Privacy Policy
Last Updated: December 23, 2025
At 2WinAI, your privacy is important. This Privacy Policy explains how we collect, use, disclose, and protect your information in compliance with Vietnamese law (including the Personal Data Protection Decree 2023 - PDPD, Cybersecurity Law 2018, Civil Code 2015), U.S. laws (including CCPA/CPRA), the EU General Data Protection Regulation (GDPR), and applicable international standards.
We are the data controller and/or processor of your personal data. Contact us at support-2winai@googlegroups.com for privacy requests.
1. Information We Collect
We collect the following categories of data:
1.1 Basic Personal Data
- Identifiers: Name, email address, login credentials.
- Financial: Payment details (processed via PayPal/VNPAY/MoMo; we store only transaction IDs and masked details).
1.2 Usage Data
- Interaction data: Chat history, subscription details, saved queries, preferences, and AI query logs.
1.3 Technical Data
- Device and network: IP address, device type, operating system, browser, cookies, pixels, and session logs for analytics and security.
- We use cookies for essential functions (authentication) and optional analytics (e.g., Google Analytics).
1.4 User Content
- Content you provide: Text queries, uploaded images (processed by leading AI providers).
1.5 Third-Party Data
- Inferred or aggregated data: Market insights from financial data APIs, AI-generated outputs.
We do not collect sensitive personal data (e.g., race, health, political opinions) unless you voluntarily provide it.
We collect data directly from you, automatically via tools, or from third parties (e.g., PayPal for billing).
2. How We Use Your Information
We use data to:
- Provide and personalize the Services (e.g., generate AI responses),
- Authenticate accounts, prevent fraud, and ensure security,
- Manage subscriptions and process payments,
- Improve Services through analytics and debugging,
- Communicate updates, promotions (with consent), or support,
- Comply with legal obligations (e.g., tax reporting, anti-money laundering).
We do not use automated decision-making that produces legal effects without human oversight. We do not sell personal data.
3. Legal Basis for Processing (GDPR and PDPD Vietnam)
For EU and Vietnamese users, we process data based on:
- Consent (e.g., optional cookies, marketing),
- Contract performance (e.g., subscriptions, query fulfillment),
- Legitimate interest (e.g., security, analytics—balanced against your rights),
- Legal compliance.
You may withdraw consent at any time without affecting prior processing. Withdrawal may result in suspension of certain Services.
4. Sharing and Disclosure
We may share data with:
- Service Providers: Leading AI providers, financial data APIs, payment processors—bound by data processing agreements.
- Infrastructure Providers: Cloud hosting, analytics (anonymized IPs).
- Business Partners: In mergers, acquisitions, or audits (with notice).
- Authorities: When required by law or to protect rights/safety.
We require third parties to handle data securely and only for specified purposes. No sharing for unrelated marketing.
5. Payments
Payments are processed by PayPal/VNPAY/MoMo. We receive only confirmation and transaction details. Their privacy policies apply to payment data. We retain billing records for up to 7 years as required by law.
6. Data Retention
- Account and usage data: Retained while your account is active, plus 6 months post-deletion for backups.
- Financial records: Up to 7 years as required by law.
- Technical logs: Up to 12 months for security.
- You may request deletion; we will comply unless legally required to retain (e.g., audits, anti-money laundering).
7. Your Rights
Depending on jurisdiction:
- All Users: Access, correct, delete, restrict processing; object; data portability.
- Vietnamese Users (PDPD 2023): Right to be informed, consent, withdraw consent, deletion (limited if legally required to retain), restriction, complaint, compensation for damages.
- CCPA/CPRA (California Residents): No "sale" of data; request disclosure; non-discrimination.
- GDPR (EU Residents): Withdraw consent; object to automated processing; lodge complaints with your Data Protection Authority.
Submit requests to support-2winai@googlegroups.com. We respond within 30-45 days. Verification required (e.g., email confirmation).
In case of data breaches, we notify affected users and authorities as required (e.g., within 72 hours under GDPR/PDPD).
8. Security
We implement reasonable safeguards, including:
- Encryption (TLS in transit, AES-256 at rest),
- Access controls, multi-factor authentication, role-based permissions,
- Regular vulnerability scans, audits, and employee training,
- Incident response plans.
However, no system is infallible; you share responsibility for secure practices.
9. Cookies and Tracking
We use:
- Essential cookies: For login and sessions (no consent required).
- Analytics cookies: For performance (opt-in for EU/Vietnamese users via consent banner).
You can manage cookies via browser settings or our consent tool. Opting out may limit functionality.
10. Children’s Privacy
The Services are not directed to children under 18 (or 16 in some jurisdictions). We do not knowingly collect data from minors. If discovered, we delete it promptly.
11. International Data Transfers
Data is processed in the United States. For EU/UK/Vietnamese users, we use approved mechanisms (Standard Contractual Clauses - SCCs). Contact us for copies of SCCs.
12. Changes
We may update this Privacy Policy at any time without notice. Continued use indicates acceptance.
13. Contact
Questions or requests:
support-2winai@googlegroups.com or 2WinAI, Inc., [Your Address], Delaware, USA.