Privacy Policy
Effective date: 6 July 2026
TheDouble is operated by Wojciech Rokosz, an individual based in Poland (contact: wojciech.rokosz@gmail.com). This policy explains what personal data we collect, why, and your rights under the General Data Protection Regulation (GDPR) and Polish law.
1. Data we collect
We collect only what is necessary to provide the service:
- Phone number — used as your account identifier and verified via SMS.
- Contact names and phone numbers — only contacts you explicitly grant the app permission to read; used to match you with other TheDouble users.
- Messages with your Double — the conversations you have with your AI Double, stored to provide continuity across sessions.
- AI-derived memories and insights — facts and preferences your Double learns from your conversations, stored as structured memory entries.
- Push notification tokens — device tokens used to deliver notifications; never shared with third parties for marketing.
- Usage telemetry — anonymised event data (e.g. feature interactions, error logs) used to improve the service. This data does not identify you individually.
- Double-to-Double shared information — when you and a contact both use TheDouble, your Doubles may hold scheduled conversations with each other. During such conversations, your Double may share information it knows about you with your contact's Double, limited by your sharing settings and built-in discretion rules (for example, it withholds things intended to stay private, such as surprises). Any information your contact's Double learns in this way becomes part of that user's Double's memory, subject to their own privacy settings and the same discretion rules.
We do not collect your real name unless you choose to provide it in Settings. We do not collect precise location, payment data, or any data not listed above.
2. Purposes of processing
- Providing and operating the TheDouble service (AI companion, messaging, memories).
- Account authentication and security.
- Delivering push notifications about new messages.
- Improving service reliability and detecting bugs via anonymised telemetry.
- Enabling Double-to-Double conversations — facilitating scheduled exchanges between Doubles of mutual contacts, governed by each user's sharing settings and built-in discretion rules.
- Complying with legal obligations.
3. Legal bases (GDPR Article 6)
- Consent (Art. 6(1)(a)) — processing your messages and AI-derived memories; contact list access. You give this consent during onboarding and may withdraw it by deleting your account.
- Legitimate interest (Art. 6(1)(f)) — anonymised usage telemetry and security logging, where our interest in improving and securing the service does not override your privacy rights.
- Contract performance (Art. 6(1)(b)) — storing your phone number and processing it for authentication is necessary to deliver the service you have signed up for.
4. Processors and sub-processors
We use the following third-party processors. Each processes only the data necessary for their role and is bound by a Data Processing Agreement or equivalent standard contractual clauses (SCCs).
| Processor | Role | Data transferred | Location |
|---|---|---|---|
| Supabase, Inc. | Database hosting and backend API | All account and message data | EU (Frankfurt region) where available; US otherwise (SCC-covered) |
| Anthropic, PBC | AI processing (Claude models) | Message content and memory context sent per request | United States (SCC-covered) |
| Twilio Inc. | SMS verification | Phone number, one-time passcode | United States (SCC-covered) |
| Google LLC (Firebase) | Push notifications | Device push token | United States (SCC-covered) |
We do not sell your data to any third party.
5. International data transfers
Processors listed above that are based in the United States receive your data under Standard Contractual Clauses (SCCs) approved by the European Commission, providing an adequate level of data protection as required by GDPR Chapter V.
6. Retention
We retain your personal data for as long as your account is active. When you delete your account, all personal data — including your Double, memories, messages, and profile — is permanently deleted within 30 days. Anonymised, non-identifiable telemetry aggregates may be retained longer for service improvement purposes.
7. EU AI Act transparency notice (Article 50)
8. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure ("right to be forgotten") — request deletion of your data. You can do this directly in the app (Settings → Danger zone → Delete account) or by emailing us.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to withdraw consent — withdraw your consent to AI processing at any time; this will require account deletion as the service cannot function without it.
- Right to object — object to processing based on legitimate interest.
- Right to lodge a complaint — you have the right to complain to the Polish supervisory authority, Urząd Ochrony Danych Osobowych (UODO) at uodo.gov.pl, or to the supervisory authority of your EU member state of residence.
To exercise any of the above rights, email wojciech.rokosz@gmail.com. We will respond within 30 days.
9. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted to the operator. We do not store passwords; authentication is phone-based (OTP).
10. Children
TheDouble is not directed at persons under the age of 16. We do not knowingly collect data from children under 16. If you believe a minor has registered, please contact us immediately.
11. Changes to this policy
We may update this policy. Material changes will be communicated in-app. The effective date at the top of this page reflects the most recent version.
12. Contact
Wojciech Rokosz
wojciech.rokosz@gmail.com