Privacy Policy

Last updated: 27 May 2026

Twelfth Brain is committed to protecting the privacy of everyone who visits this website or uses our services. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have.

This policy applies to twelfthbrain.com and all services provided under the Twelfth Brain name.

1. Who we are

Twelfth Brain is operated by Zoiver LLC, a company incorporated in the State of Delaware, USA, with its registered address at 8 The Green, Suite 14790, Dover, DE 19901, USA.

For the purposes of data protection law, we are the data controller for personal data collected through this website. Where we process data on behalf of users as part of delivering the product, we may also act as a data processor. The relationship between controller and processor responsibilities is defined in the Founding Member Agreement executed at onboarding.

Primary contact for all privacy matters:

Debajit Lahiri, Zoiver LLC

8 The Green, Suite 14790, Dover, DE 19901, USA

hello@twelfthbrain.com

EU/EEA and UK representative:

Twelfth Brain serves users in the European Economic Area and the United Kingdom. Until a formal Article 27 representative is appointed, enquiries from EEA and UK data subjects should be directed to hello@twelfthbrain.com and will receive a response within the applicable statutory timeframe.

India data protection contact:

For users in India, enquiries under the Digital Personal Data Protection Act 2023 should be directed to hello@twelfthbrain.com.

2. What personal data we collect

Through this website:

  • Identity data: your name, if provided via the waitlist or contact form
  • Contact data: your email address, if you subscribe to the newsletter or apply to the waitlist
  • Professional data: your job title and organisation, if provided in the application form
  • Application data: your responses to application questions, including your description of the intelligence you wish to preserve
  • Technical data: IP address, browser type and version, device type, operating system, referring URL, pages visited, and time spent on pages
  • Communications data: the content of any emails or messages you send to us

We do not collect special category personal data (as defined under GDPR Article 9) through this website.

Through the Twelfth Brain product:

The Twelfth Brain product is designed to capture, process, and model personal intelligence data. This data is substantially more sensitive than typical product data and includes:

  • Captured thought data: observations, reactions, and inputs provided through connected channels including WhatsApp, Telegram, email, and voice notes
  • Decision pattern data: records of every approval, rejection, and edit made to system outputs, the primary dataset from which the voice model is built
  • Voice model data: the mathematical model of how a user thinks, derived from accumulated decision pattern data. This constitutes a form of behavioural intelligence data and is treated with the highest level of protection
  • Content data: written content, recordings, and materials provided by the user for seeding the voice model
  • Intelligence enrichment data: external information woven into the brain at the user's direction
  • Professional and organisational context data: information about the user's field, role, and work provided in the course of using the product

The full scope of data collected through the product and the specific purposes for which it is processed are set out in the Founding Member Agreement and Product Data Schedule executed at onboarding. Where any conflict exists between this Privacy Policy and the Founding Member Agreement on matters of product data, the Founding Member Agreement prevails.

3. How we use your personal data

Website data:

PurposeLegal basis (GDPR / UK GDPR)Legal basis (DPDPA 2023)
Processing waitlist applications and corresponding with applicantsLegitimate interestsConsent given via application
Sending the newsletter to subscribersConsentConsent
Improving and maintaining the websiteLegitimate interestsLegitimate uses
Complying with legal obligationsLegal obligationLegal obligation
Detecting and preventing fraud and security incidentsLegitimate interestsLegitimate uses

Product data:

PurposeLegal basis (GDPR / UK GDPR)Legal basis (DPDPA 2023)
Providing the Twelfth Brain service, building and maintaining the user's brain modelContract performanceConsent via Founding Member Agreement
Training and improving the voice model for the specific userContract performanceConsent
Generating outputs using the user's voice modelContract performanceConsent
Improving our systems using anonymised and aggregated data onlyLegitimate interestsLegitimate uses
Security and preventing unauthorised accessLegitimate interestsLegitimate uses
Complying with legal obligationsLegal obligationLegal obligation

We do not use any individual user's personal data to train general-purpose AI models or any model that serves other users. Each user's voice model is built exclusively from that user's own data and belongs to that user.

4. How long we keep your information

Website and waitlist data:

Application data is retained for twelve months from the date of application, or until the applicant becomes a founding member, or until they request deletion, whichever is earliest. Newsletter subscriber data is retained until you unsubscribe; upon unsubscription your email is suppressed within thirty days. Technical log data is retained for ninety days for security purposes, then deleted.

Product data:

All captured data, the voice model, and derived intelligence assets are retained for the duration of the active subscription and for ninety days following termination, during which the user may request export of their data. After that ninety-day window, all data including the voice model is permanently deleted from our systems. Voice model deletion is irreversible. We do not retain voice model data in aggregated or anonymised form without the user's explicit consent.

5. Who we share your data with

We do not sell your personal data. We do not share your personal data with third parties for their own marketing or commercial purposes.

We may share data with:

  • Cloud infrastructure and hosting providers, for data storage and processing, contracted under data processing agreements prohibiting use of the data for any purpose other than providing services to us
  • Email delivery providers, for newsletter and transactional communications
  • Analytics providers, for website analytics using anonymised data where possible
  • AI model infrastructure providers, for the computation underlying the voice model, contractually prohibited from using data for any purpose other than providing services to us
  • Professional advisors including lawyers and accountants, under professional confidentiality obligations
  • Regulatory and law enforcement authorities, where required by law, court order, or regulatory requirement; we will notify you of such disclosure where we are legally permitted to do so
  • An acquiring entity, in the event of a merger, acquisition, or sale of a substantial part of our business; we will notify you before your data is transferred and becomes subject to a different privacy policy

6. International data transfers

Zoiver LLC is incorporated in Delaware, USA. Our operations span India and the United States and we use service providers located in multiple countries. Your data may be transferred to and processed in countries other than your country of residence.

Transfers to the USA:

Where we transfer EEA or UK personal data to the USA, we rely on Standard Contractual Clauses approved by the European Commission, incorporated into our agreements with US-based processors, and on the EU-US Data Privacy Framework where applicable service providers are certified.

Transfers affecting India:

Data from Indian users is processed in accordance with the Digital Personal Data Protection Act 2023. Where data is transferred outside India, appropriate contractual safeguards consistent with DPDPA requirements are in place.

You may request details of the safeguards in place for any transfer of your data by contacting hello@twelfthbrain.com.

7. Security

We implement appropriate technical and organisational security measures to protect your personal data, including:

  • Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • Access controls limiting data access to authorised personnel on a need-to-know basis
  • Multi-factor authentication for all internal systems that process personal data
  • Regular security assessments of our infrastructure and third-party processors
  • Incident response procedures for detecting, investigating, and notifying of personal data breaches

Voice model data and captured intelligence data are subject to additional security controls, including segregated storage and heightened access restrictions, given their sensitive nature.

No method of transmission over the internet is completely secure. In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and in accordance with applicable law.

8. Your rights

All users:

You may request access to the personal data we hold about you, ask us to correct inaccurate data, request deletion of your personal data (subject to legal obligations), and withdraw consent where processing is based on consent.

EEA and UK users (GDPR / UK GDPR):

You additionally have the right to restrict processing in certain circumstances, the right to data portability in a structured machine-readable format, and the right to object to processing based on legitimate interests.

Indian users (DPDPA 2023):

You have the right to access information about your personal data and the identities of all data fiduciaries and processors, the right to correction and erasure, the right to grievance redressal (and, if unresolved, the right to approach the Data Protection Board of India), and the right to nominate another individual to exercise your rights in the event of your death or incapacity.

California users (CCPA / CPRA):

You have the right to know what personal data we have collected, used, or disclosed; the right to delete; the right to opt out of sale (we do not sell personal data); and the right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, contact hello@twelfthbrain.com with the subject line Privacy Rights Request, stating your name, your jurisdiction, and the right you wish to exercise. We will respond within the timeframe required by applicable law: thirty days for GDPR, forty-five days for CCPA, thirty days for DPDPA. We may need to verify your identity before processing your request.

9. Cookies

See our Cookie Policy for details of the cookies we use and how to manage them. In summary: we use strictly necessary cookies to operate the website and analytics cookies to understand how people use it. We do not use advertising or tracking cookies.

10. Children

Our website and services are not directed at anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently done so, please contact hello@twelfthbrain.com and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on this page with a revised last updated date and, where we hold your email address, notify you by email at least fourteen days before the changes take effect.

12. Contact and complaints

For all privacy questions, rights requests, and complaints:

Debajit Lahiri, Zoiver LLC

8 The Green, Suite 14790, Dover, DE 19901, USA

hello@twelfthbrain.com

EEA users:

If not satisfied with our response, you may lodge a complaint with the supervisory authority in your EU member state. A list of EEA supervisory authorities is at edpb.europa.eu.

UK users:

You may complain to the Information Commissioner's Office at ico.org.uk, or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Indian users:

You may raise a complaint with the Data Protection Board of India once constituted under the DPDPA 2023.

California users:

You may contact the California Privacy Protection Agency at cppa.ca.gov.