Data Processing Addendum

Last updated: 13 July 2026

This Data Processing Addendum (“DPA”) forms part of the Twigged Terms of Service. It applies when a customer uses Twigged for client work and Twigged processes personal data on that customer’s behalf. In this DPA, that information is “Client Personal Data”.

1. Roles and scope

The customer is the controller of Client Personal Data and Twigged is its processor. The terms “controller”, “processor”, “personal data”, “processing” and “data subject” have the meanings given in applicable UK data-protection law.

Twigged is separately a controller for account administration, billing, security, service diagnostics and the structured product- improvement processing described in our Privacy Notice. This DPA does not turn those controller activities into processing on the customer’s behalf.

2. Processing details

  • Subject matter and purpose: hosting and displaying garden projects; generating requested design suggestions and images; providing collaboration, share, export, reminder, support, security and deletion functions.
  • Nature of processing: collection, recording, organisation, storage, retrieval, consultation, transmission to the approved service providers below, restriction and deletion.
  • Duration:for the customer’s use of the Service and the deletion and backup periods in the Privacy Notice, unless the law requires longer retention.
  • Types of personal data: names, contact details, project and property details, addresses or approximate/exact locations, photographs, comments, design instructions and any other personal data the customer chooses to include in a project.
  • Categories of data subject:the customer’s clients, prospective clients, collaborators and other people whose information the customer lawfully places in Twigged.

3. Customer instructions and responsibilities

The Terms, this DPA, the customer’s use of product controls and any written support instruction accepted by Twigged are the customer’s documented instructions. Twigged will process Client Personal Data only on those instructions, including for an international transfer, unless UK law requires otherwise. Where the law permits, Twigged will tell the customer before carrying out a legally required instruction.

The customer is responsible for the lawfulness and accuracy of Client Personal Data, the notices given to data subjects, its instructions, and any permissions needed to upload property images or use share links. Twigged will tell the customer if, in our reasonable opinion, an instruction infringes applicable data-protection law and may pause the affected processing while the parties resolve it.

4. Twigged’s processor obligations

Twigged will:

  • ensure that people authorised to process Client Personal Data are bound by confidentiality duties;
  • maintain appropriate technical and organisational measures taking account of the nature of the data, available technology, cost and processing risk;
  • help the customer respond to data-subject requests, taking account of the nature of the processing and the product controls available;
  • help with security, breach notification, data-protection impact assessments and prior consultation where the processing makes that reasonably necessary;
  • notify the customer without undue delay after becoming aware of a personal-data breach affecting Client Personal Data and provide available information needed for the customer’s response;
  • make information reasonably necessary to demonstrate compliance with this DPA available to the customer; and
  • allow a reasonable audit where documentary evidence is insufficient, subject to appropriate confidentiality, security, scope, timing and cost arrangements and without exposing another customer’s data.

5. Security measures

Measures used for the Service include encrypted transport; managed encryption at rest; authenticated access; row-level database access rules; private storage for non-public project files; separation of privileged service credentials from browser code; rate limiting; payment processing through Stripe rather than storage of card data by Twigged; minimised error reporting; dependency maintenance; and account export and deletion controls. Measures may evolve where the overall protection is not materially reduced.

6. Sub-processors

The customer gives general written authorisation for Twigged to use sub-processors needed to provide the Service. Depending on the features the customer uses, these may include Supabase (database, authentication and storage), Vercel (hosting and AI Gateway), OpenAI, Anthropic and Google (requested AI processing), Mapbox and postcodes.io (location functions), Resend (transactional email), Proton Mail (privacy, support and business correspondence), Sentry (minimised error diagnostics), Cloudflare (sign-up abuse protection) and Upstash (rate limiting). Stripe acts under its own terms for payment processing.

Twigged will impose data-protection obligations on each sub-processor that are appropriate to the service it performs and remains responsible for its processor obligations. We will give account holders reasonable advance notice of a material new sub-processor, normally by email or an in-product notice. A customer with a reasonable data-protection objection should contact privacy@twigged.design promptly. The parties will try to resolve it in good faith; if no reasonable alternative is available, the customer may stop using the affected feature or end the Service.

7. International transfers

Where Client Personal Data is transferred outside the UK, Twigged will use an applicable UK adequacy regulation or an appropriate safeguard made available in the relevant provider terms, such as the UK International Data Transfer Agreement or UK Addendum, together with supplementary measures where required.

8. Return and deletion

During an active account, the customer can retrieve project data using Twigged’s export and project controls. On the customer’s instruction or when the Service ends, Twigged will delete or return Client Personal Data, at the customer’s choice where reasonably practicable, unless UK law requires retention. Active deletion and backup ageing follow the periods in the Privacy Notice. Data retained in a protected backup remains unavailable for ordinary use and is removed on the normal backup cycle.

9. Priority and contact

If this DPA conflicts with the Terms on the processing of Client Personal Data, this DPA takes priority. The rest of the Terms, including their governing-law provisions, continues to apply. Data-processing questions can be sent to privacy@twigged.design.