WonderTwin privacy policy.

Last updated: 2026-06-18 · Operating entity: WonderTwin AI · Contact: privacy@wondertwin.ai

Looking for the short version? The plain-English summary lives at /privacy.

section 01

Plain-English summary

We're a developer-tools company. We treat your data the way we'd want ours treated.

  • The open-source product collects zero telemetry. Nothing about your installs, configurations, twin invocations, or anything else leaves your machine. There is no opt-out because there is nothing to opt out of.
  • WonderTwin Pro collects limited operational telemetry. Pro twins are adaptive — they evolve as the real services they twin evolve — and that adaptation depends on the telemetry. We've designed the collection to give you adaptive behavior without giving us your data.
  • Sanitization happens on your machine, before transmission. We never see your request payloads, response bodies, environment variables, API keys, file paths, or anything that could identify you, your employer, or your customers.
  • We've never sold your data, and we couldn't if we wanted to. What we receive is bounded, anonymized aggregate signal. There is no resolution at which it could be tied back to you.
  • The auth boundary is the telemetry boundary. Signed in (Pro or MCP) means telemetry is on. Signed out means it's off. wt auth logout returns the runtime to anonymous, telemetry-free use — that's the opt-out.

The rest of this document is the legal-grade version of the same.

section 02

Who we are

WonderTwin is built and operated by WonderTwin AI. We're a small team building behavioral twins of common services for local development, testing, and CI.

section 03

What this policy covers

This policy applies to:

  • The wondertwin.ai marketing site.
  • The WonderTwin open-source CLI (wt) and all open-source twins in our catalog.
  • WonderTwin Pro.
  • The WonderTwin MCP server.

This policy does not cover the third-party services that WonderTwin twins emulate. When you point your code at a WonderTwin twin instead of the real service, no data ever reaches the real service. That's the point.

section 04

Open source — zero telemetry

The WonderTwin open-source CLI (wt) and the open-source twins in our catalog collect zero telemetry. No usage data, no identifiers, no phone-home. When you install, configure, run, or invoke an OSS twin, nothing about that interaction leaves your machine.

We mean this literally. There is no opt-out, because there is nothing to opt out of. If you read our source, you will see no telemetry code paths in the OSS components.

What this means in practice:

  • No event tracking.
  • No usage analytics.
  • No machine identifiers (no device_id, install_id, session_id).
  • No anonymous pings to count installs, version checks, or feature use.
  • No third-party SDKs that might do any of the above.

We measure open-source adoption through public signals only: GitHub stars, GitHub release download counts, Homebrew tap installation counts. These signals are aggregate, public, and attached to no individual.

section 05

WonderTwin Pro telemetry

WonderTwin Pro twins are adaptive. As the real services they twin evolve — new SDK versions ship, behaviors shift, known issues surface — Pro twins adapt with them. That adaptation isn't a static feature bundle; it's the result of operational signal flowing back from twins running in real environments. Without that signal, twins can't adapt. This section describes what signal we collect, what we exclude, how it's sanitized before transmission, and the auth boundary that is the only opt-out.

5.1 What Pro telemetry covers

  • Twin invocations. Which twin, which version, which admin endpoint, broad outcome class (success, known-issue, unknown-error).
  • SDK compatibility signals. Whether the call shape matched the expected schema for the pinned SDK version.
  • Anonymized error fingerprints. Stack class only — never stack content.
  • Environment metadata. CLI version, OS family, architecture, CI vs. interactive.
  • Pseudonymous workspace identifier. A per-install UUID, not tied to your account, regenerable.

5.2 What Pro telemetry never includes

We do not collect any of the following. This list is exhaustive of categories we will not transmit, regardless of how telemetry payloads evolve.

  • Request bodies, response bodies, headers, or payloads of any kind.
  • API keys, tokens, secrets, or authentication credentials of any kind.
  • Environment variables.
  • File paths, file contents, or directory listings.
  • Source code, configuration content, or test fixtures.
  • Network addresses other than the local twin port.
  • Account names, repository names, or organizational identifiers.
  • Anything that could identify you, your employer, or your customers.

If we change what we collect, this list will be updated before the change ships, and significant changes will be announced in our changelog and via email to Pro account holders.

5.3 Sanitization happens on your machine

Before any Pro telemetry leaves your machine, it passes through client-side sanitization in the WonderTwin runtime. Fields are filtered against the allowlist in §5.1 and everything else is stripped. We never see what was stripped.

This is architectural, not policy. The sanitization runs in open-source code on your machine. You can read it. You can audit it.

5.4 What we will and won't do with it

Because sanitization happens before transmission and the allowlist is narrow, we receive only the bounded set of signals in §5.1. Those signals contain no PII, no business-sensitive content, no customer data, and nothing identifiable to you or your organization beyond a pseudonymous UUID you control.

  • We never sell telemetry data.
  • We never share it with third parties for advertising.
  • We never use it for behavioral profiling.
  • We never transfer it to data brokers.

The architecture makes these commitments structural rather than aspirational. The data we receive has no resolution at which it could be tied back to you.

5.5 Inspect what would be sent

Coming. We're building an inspection mode that prints the exact telemetry payload to stderr without transmitting it, so you can verify our claims against the wire before trusting them. When it ships, we'll document the invocation here.

5.6 Opt out

WonderTwin Pro telemetry is not optional for signed-in use. Pro twins' adaptive behavior is the product, and the telemetry signal is what makes the adaptation possible — there is no granular knob to turn telemetry off while staying signed in. The auth boundary is the telemetry boundary.

If you need to operate without telemetry, return to the open-source path:

$ wt auth logout

The runtime flips back to anonymous mode. No telemetry leaves your machine. Pro twins become unavailable on this install; open-source twins continue to work locally.

5.7 Where Pro telemetry is sent and how long it's kept

WonderTwin Pro telemetry is transmitted over TLS to WonderTwin's analytics infrastructure, hosted on Amazon Web Services in the United States. Raw events are retained for 90 days for drift analysis, after which they are aggregated to non-reversible form for long-term version-trend reporting.

We never share telemetry with any third party other than our hosting provider, which acts solely as a data processor under contract.

5.8 Pro account data

If you create a WonderTwin Pro account, we hold:

  • Your email address.
  • Your billing identifier (via Stripe — we never see your card number, CVV, or banking details).
  • A pseudonymous workspace UUID.
  • Your license entitlement state.

We retain account data while your subscription is active. On cancellation, we delete personally-identifying account data within 30 days. Aggregate, non-reversible telemetry derived during your subscription is retained indefinitely (because it can no longer be tied to you).

section 06

The marketing site

The wondertwin.ai marketing site uses PostHog for lightweight analytics — page views, referrer, country-level geolocation, browser family, and autocapture of click and form-submission events. We have intentionally minimized this surface.

What we collect: page views, referrer, country-level IP geolocation, browser family, click and form-submission events (button labels and link targets, never form-field values).

What we don't collect: cross-site tracking, advertising profiles, persistent identifiers across sessions, full IP addresses, session replay, or form-field input values.

Do Not Track. Browsers configured to send the DNT header are excluded from analytics entirely.

section 07

Your rights

Depending on where you live, you may have the right to:

  • Know what data we hold about you.
  • Receive a copy of that data.
  • Correct that data.
  • Delete that data.
  • Object to certain processing.
  • Withdraw consent for processing.

Email privacy@wondertwin.ai and we'll respond within 30 days. For deletion requests, the architectural design of our telemetry means that for Pro telemetry signals we typically cannot identify your specific data — but we will delete your account-level data and confirm.

section 08

Sub-processors

We use a small number of sub-processors to operate the service. We commit to maintaining a current public list and notifying Pro account holders before adding a new one.

  • Stripe — billing and subscription management for WonderTwin Pro. Card details are entered directly into Stripe; we never see card numbers, CVV, or banking details.
  • Amazon Web Services (United States) — hosting for all WonderTwin services, including the Pro telemetry collector, the marketing site, and the product application.
  • PostHog — analytics for the wondertwin.ai marketing site (page views, referrer, autocapture); §6 describes the configuration.
  • Resend — transactional email (account lifecycle, billing notifications, twin-update notifications).

section 09

Security

We protect data with industry-standard measures:

  • TLS in transit for all telemetry and account data.
  • Encryption at rest for stored telemetry and account data.
  • Principle of least privilege for internal access.
  • SOC-ready posture. Controls and processes are designed to support a SOC 2 audit; we are not yet certified.

To report a security issue, email security@wondertwin.ai. We'll acknowledge within two business days.

section 10

Children

WonderTwin is a developer tool. Our marketing site and products are not intended for anyone under 16. We do not knowingly collect data from anyone under 16. If you believe we have inadvertently collected such data, email privacy@wondertwin.ai and we will delete it.

section 11

Changes to this policy

We'll update this policy as we add features or as the law requires. The Last updated date at the top of each privacy page is read from the git commit history of the page itself, so it reflects an actual change to the document rather than a deploy timestamp. Significant changes affecting Pro telemetry collection or third-party data sharing will be announced in our public changelog and emailed to Pro account holders before they take effect.

section 12

Contact