Twixt Privacy Policy
Last updated: July 2, 2026
Twixt ("we", "us", "Twixt") is a food, recovery, and training app, operated by ShopJimmy.com, LLC.
This policy explains what we collect, why, how it's protected, and your rights over it. **We do
not sell your personal data, and we do not show ads.**
Information we collect
- Account information — the email address, password (stored as a one-way hash, never in
plain text), and display name you provide when you create an account.
- Health profile — age, sex, height, weight, timezone, and training preferences (goals,
available equipment, injuries, preferred training split) you choose to enter. All optional.
- Daily check-ins — your self-reported sleep, energy, mood, soreness, stress, available
training time, and free-text notes. If you connect Apple Health, we read your sleep
duration, heart-rate variability, and resting heart rate on your device to pre-fill
this check-in — you can review and edit every value before saving. Only the values you
actually submit (whether pulled from Apple Health or edited by you) are sent to and stored
on our servers; we do not have standing access to your Apple Health data beyond what you
submit in a check-in.
- Meals you log — a label, timestamp, and (if you scanned a barcode) the product's
identifier and our computed score for it.
- Glucose readings — if you connect a continuous glucose monitor (Dexcom) or log a
reading manually, we store the value, timestamp, and source.
- Workout logs — the sessions Twixt generates for you and the sets, reps, and loads you
log against them.
- Barcode scans — when you scan or look up a product, we send only the barcode number to
OpenFoodFacts (a public, non-profit food-database project) to look up the product. We do
not send your account information, email, or any other personal data with that request.
- Connected-device data (optional) — if you connect Oura, Dexcom, or Fitbit, we receive
the recovery, activity, or glucose data those services share under the permissions you
grant, used solely to sharpen your daily readiness and training recommendations. Your
OAuth access tokens for these connections are encrypted at rest (Fernet/AES, with the
encryption key stored separately from our database credentials) — not just access-
controlled, actually encrypted. Disconnecting a service immediately and permanently deletes
its stored tokens.
- Push notification token — if you opt in to notifications, we store the token needed to
deliver them. You can turn this off at any time.
- Crash/error diagnostics — if our error-monitoring tool (Sentry) is enabled, it receives
the technical details of a crash (what code path failed) with personal-data collection
explicitly turned off in our configuration. We do not send meal contents, glucose values,
check-in answers, or any other health data to this tool.
We do not use any advertising or analytics SDK — no ad network, no Mixpanel/Amplitude/
Segment/Facebook-style tracking, no behavioral profiling for marketing. We checked.
How we use your information
- To calculate your daily readiness score and generate a training plan adapted to it.
- To show you what's actually in a scanned product, including ingredients that are
restricted, banned, or subject to genuine scientific debate in other countries — this is
informational, not a medical or safety determination about you personally.
- To remember your history so your training and food patterns are accurate over time.
- To send you an optional daily reminder, if you turn that on.
- To operate, secure, debug, and improve the service.
How we share information
We do not sell your personal data, and we do not share it for advertising. We share data
only with the small set of service providers strictly necessary to run Twixt:
- Fly.io and Neon (our hosting and database providers, both US-based), to store and
serve your data.
- OpenFoodFacts, receiving only the barcode you scan (no account identifier), to look up
product information.
- Expo's push notification service, receiving your device's push token and notification
text, only if you opt in to notifications.
- Oura, Dexcom, and/or Fitbit, only if and to the extent you connect that specific
service — governed by that service's own OAuth consent screen and terms.
- Sentry, receiving crash/error technical details only (personal data collection is
disabled in our configuration), if enabled.
- When required by law.
Data retention and security
We keep your data while your account is active. Integration access tokens are encrypted at
rest. Passwords are hashed, never stored in plain text. Session tokens are stored as hashes,
not the raw token. Our servers are hosted in the United States.
A small number of authorized Twixt staff can access account-level support information
(email, display name, plan, and aggregate activity counts) through an internal admin tool to
help with support requests; this internal tool does not expose the contents of your meals,
check-ins, or glucose readings.
Your choices and rights
- Export your data. Settings → Export my data returns a complete copy of your data as a
downloadable file: your account details, health profile, check-in history, meals, glucose
readings, readiness scores, workout logs, scan history, and favorites. Connected-service and
push-notification entries are included by provider/platform and date only — never the
underlying secret token, which stays encrypted and out of the export.
- Delete your account. Settings → Delete account permanently and immediately deletes
your account and every piece of data associated with it — profile, check-ins, meals,
glucose readings, workout logs, scan history, favorites, connected-service tokens, and
push tokens. This cannot be undone.
- Disconnect a connected service at any time from Settings → Connected devices; this
immediately deletes that service's stored access tokens.
- EU/UK/California residents (GDPR/UK GDPR/CCPA): in addition to the above, you have the
right to access, correct, restrict, or object to our processing of your data, and to
lodge a complaint with your local data protection authority. Contact us (below) to
exercise any of these rights beyond the in-app export/delete tools.
Children
Twixt is not directed to children and is not intended for use by anyone under 18.
Health disclaimer
Twixt provides general food-transparency information, a self-reported readiness score, and
adaptive training suggestions. It is not a medical device, does not diagnose, treat, cure, or
prevent any disease or condition, and is not a substitute for professional medical advice.
Talk to a qualified professional about your health and before starting or changing an
exercise program.
Changes to this policy
We may update this policy as the service changes. We'll update the "Last updated" date above
when we do.
Contact
Questions about this policy, or to exercise a data right beyond the in-app tools: support@twixt.life.
Twixt is operated by ShopJimmy.com, LLC.