Privacy Policy
How NashTwin handles product and workspace data
Effective date: April 16, 2026. This policy summarizes the information NashTwin processes to authenticate users, operate CRM and digital twin workspaces, import contacts and calendar events, run integrations and public website workflows, manage plugins, and support subscription billing.
Scope of this policy
This policy describes the current application behavior reflected in the NashTwin web app, APIs, integrations, plugin marketplace, digital twin tooling, optimization workflows, billing flows, and developer portal as of April 16, 2026.
NashTwin is hosted and operated by Gateway Corporate Solutions.
If you access NashTwin through an employer, client, or other organization workspace, that organization and its workspace administrators may control the tenant, the business data stored in it, and many of the product settings associated with your use of the service.
Information we collect
NashTwin processes account, authentication, and session data needed to sign users in and keep workspaces available, including names, email addresses, profile images, authentication providers, provider account identifiers, granted scopes, access or refresh tokens stored through the auth system, and active session records. Based on the current product, this can include Google, Microsoft Entra ID, X, and LinkedIn connections.
NashTwin stores workspace and CRM data created by users and teams, including tenants, memberships, invitations, contacts, contact email identities, deals, pipelines, pipeline stages, activities, mailbox connections, email threads, email messages, plugin installations, plugin configuration values, and related tenant metadata needed to operate the service.
If you use the CRM contact import feature, NashTwin may read contact data from your Google or Microsoft sign-in account after you grant the relevant read-only consent. Imported contact data can include names, email addresses, company names, job titles, and phone numbers. NashTwin stores the resulting CRM contacts, merged email identities, and tenant activity records describing what was created, updated, or skipped during the import.
If you use the calendar import feature, NashTwin may read upcoming events from your Google primary calendar or Microsoft calendar after you grant the relevant read-only consent. Imported calendar data can include event titles, start and end times, locations, attendee counts, provider event identifiers, and event status values such as confirmed, tentative, or cancelled. NashTwin stores tenant activity records describing the resulting calendar import.
NashTwin also stores digital twin, graph, and optimization records used by newer product features, including graph nodes, graph edges, graph mutations, graph audit events, evidence-linked records, optimization simulation runs, optimization outcomes, optimization policy decisions, recommendation payloads, model artifacts, compliance metadata, and audit history tied to those workflows.
If you use the marketplace or developer portal, NashTwin processes plugin analytics events, plugin event deliveries, developer account details, plugin submission manifests, review notes, publication status, and other data needed to review, publish, enable, disable, and monitor plugin behavior.
If you connect communications or social integrations, NashTwin processes mailbox addresses, provider account identifiers, granted scopes, sync checkpoints, outbound email records, provider thread identifiers, message metadata, message snippets or body content synced into CRM workflows, social account profile details, recent social posts, and publishing outcomes for connected X and LinkedIn accounts.
If your workspace uses paid billing, NashTwin processes subscription and seat records such as tier, billing interval, seat counts, add-ons, Stripe customer identifiers, Stripe subscription identifiers, checkout sessions, and billing portal activity needed to manage subscriptions.
If your workspace enables the Devicer website workflow or similar public submission features, NashTwin may process allowed website origins, publishable keys, contact or deal form data submitted through public endpoints, device fingerprint payloads, IP addresses, user-agent strings, device classifications, and device snapshot records used for fraud, abuse, or enrichment workflows.
How we use information
We use this information to authenticate users, provision and maintain tenant-scoped workspaces, enforce role-based access, support invitations and seat management, and keep CRM records available inside the product.
Contact import data is used to create new CRM contacts, enrich existing contacts with additional email addresses or profile details when the actor is allowed to modify those records, and keep a tenant activity log of the import result.
Calendar import data is used to load and refresh the interactive calendar view with upcoming Google or Microsoft events, display event timing and status inside the product, and keep a tenant activity log of the import result.
Workspace, graph, and optimization data is used to render dashboards, maintain digital twin and evidence views, run simulations, capture outcomes, support policy-review workflows, and provide operational recommendations or scenario analysis inside the application.
Integration data is used to connect or reconnect provider accounts, sync email or social records, publish social posts when requested, send outbound email through approved provider APIs, maintain connection health, and preserve thread, sync, and audit state for future product activity.
Plugin, developer portal, analytics, and submission data is used to review manifests, support plugin enablement and delivery, troubleshoot plugin failures, monitor marketplace usage, and protect the service from misuse or unauthorized access.
Website-origin, fingerprint, and public submission data is used to validate allowed origins, accept website-submitted contacts or deals, enrich CRM records, log device classifications, and support fraud, abuse-prevention, reliability, and security workflows.
Billing information is used to create and manage subscriptions, determine seat entitlements, gate paid features, administer Devicer and other add-ons, support checkout and billing portal workflows, and respond to billing issues.
Third-party services and sharing
NashTwin uses third-party services where needed to deliver the product. Based on the current application behavior, these include Google and Microsoft for authentication and mailbox connectivity, X and LinkedIn for social account sync and publishing, and Stripe for subscription checkout and billing portal workflows.
NashTwin shares data with those providers only as needed to complete the requested product function, such as authenticating a user, reconnecting a mailbox, reading recent provider data, importing contacts, reading upcoming calendar events, publishing a social post, sending an email, or creating a subscription checkout session.
If you install or enable plugins, plugin code or delivery endpoints may receive workspace event payloads, metadata, or configuration values that are necessary for the enabled plugin behavior and are permitted by the relevant plugin contract or access scope.
NashTwin may also process data through hosting, infrastructure, database, and session-management providers used to operate the application, store customer data, and deliver authenticated sessions.
Data retention and workspace controls
NashTwin retains data for as long as it is needed to provide the service, maintain account access, preserve workspace history, support integrations, enforce security controls, satisfy billing needs, review plugins, and maintain audit or governance records associated with the workspace.
Workspace administrators control much of the information stored in the product, including contacts, deals, pipelines, invitations, social or mailbox connections, plugin configuration, Devicer allowed origins, subscription choices, calendar and contact import results, and many plugin or digital twin workflows. Removing or disconnecting a feature may stop future processing, but historical records may remain where they are part of the workspace activity trail, audit trail, or billing history.
If you are an invited end user rather than the workspace owner, your organization or workspace administrator may also control business data associated with your account inside that workspace, including whether your access continues and what integrations remain connected.
Developer portal submission records and plugin review history may be retained for marketplace governance, publication history, and abuse-prevention purposes even if a submission is later rejected or unpublished.
Security and access
NashTwin uses authenticated sessions, tenant membership records, role-based access, provider-scoped integration permissions, origin validation for public website submissions, and audit logging to limit access to workspace data and connected services.
Access to provider-backed features depends on the OAuth scopes or tokens granted by the connected provider. For contact and calendar imports, NashTwin currently requests read-only Google or Microsoft scopes tied to those features. If required permissions are missing, expired, or revoked, NashTwin may require reauthorization instead of continuing to use provider data as if access were still valid.
Because some NashTwin features are designed to preserve operational history, governance context, and troubleshooting records, not every item is removed immediately when a user disconnects an integration or changes a setting.
Changes to this policy
This page describes the current application behavior reflected in the product and repository as of April 16, 2026. NashTwin may update this policy as the product, integrations, compliance requirements, or marketplace features change.
Questions about this policy can be directed to [email protected] or through https://gatewaycorporate.org/.
If you access NashTwin through an employer or client workspace, that organization may control business data stored in its tenant.