Privacy Policy

Last updated: January 1, 2026

Twelve Data Pte. Ltd. ("Twelve Data", "we", "us") (UEN No. 202006058W) respects your privacy and is committed to protecting personal data across multiple jurisdictions. This Privacy Policy describes how Twelve Data collects, uses, and discloses personal data in compliance with applicable privacy laws, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Lei Geral de Proteção de Dados (LGPD), Personal Information Protection and Electronic Documents Act (PIPEDA), Personal Data Protection Act 2012 of Singapore (PDPA), Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data in the United Arab Emirates, and other US state laws such as Delaware's Personal Data Privacy Act (DPDPA, effective Jan 1, 2025), Minnesota's Consumer Privacy Act (MCPA, effective Jul 31, 2025), Nebraska's Data Privacy Act (NPDPA, effective Jan 1, 2025), New Jersey's Data Privacy Act (effective Jan 15, 2025), and Maryland's Online Data Privacy Act (MODPA, effective Oct 1, 2025).

This Privacy Policy is intended to meet the requirements of applicable data protection laws in the jurisdictions in which we operate, in addition to other international privacy regulations referenced below.

1. Personal data we collect

We adhere to data minimization principles, collecting only the personal data necessary for the purposes outlined in this policy.

Twelve Data may collect the following types of personal data, either directly or through third-party services, depending on your interaction with us:

  • - Personal identifiers: First name, last name, company name, email address
  • - Account information: Password, usage data, IP addresses, device information, cookies
  • - Financial information: Payment details (processed via third-party payment services like Stripe)
  • - Geolocation data: When you access our services, your approximate location may be determined

We collect personal data either directly from users (e.g., when signing up for services) or automatically (e.g., through cookies and analytics tools).

Legal Basis for Processing (for regions such as the EU under GDPR): We process personal data based on the following grounds:

  • - Your consent
  • - Performance of a contract
  • - Compliance with legal obligations
  • - Legitimate business interests (e.g., improving services)

For residents of California (CCPA/CPRA), other US states with similar laws (e.g., DPDPA, MCPA, NPDPA), Brazil (LGPD), Canada (PIPEDA), and other regions with similar legal requirements, you may also be entitled to specific rights outlined below.

Where required by applicable local law, including the Singapore PDPA and UAE data protection legislation, we ensure that personal data is processed only where a valid lawful basis exists under the relevant jurisdiction.

2. How we use personal data

We use personal data for the following purposes:

  • - Service provision: To deliver the data feed services that you subscribe to
  • - Customer support: Responding to your inquiries and providing assistance
  • - Analytics and improvement: To analyze how users interact with our website and services, and to improve user experience
  • - Payment processing: To process payments for subscriptions and services (e.g., via Stripe)
  • - Security and fraud prevention: To protect against malicious activity, fraud, and unauthorized access
  • - Marketing: With your consent, we may send you promotional materials and updates. You can opt-out at any time via unsubscribe links in emails or by contacting us.

We do not sell personal data under any circumstances. However, we may share data with trusted third-party service providers (see Section 3) who process data on our behalf.

If we use automated decision-making or AI (e.g., for fraud detection), we ensure human oversight where required, and you have the right to object or request review under applicable laws like the EU AI Act.

3. How we disclose personal data

We may share your personal data with the following:

  • - Third-party service providers (sub-processors): We share your data with trusted partners, such as Microsoft Azure (cloud storage and infrastructure), Stripe and PayPal (payment processors), and Google Analytics (web analytics provider), solely for the purposes outlined in this policy
  • - Business transfers: In case of mergers, acquisitions, or any form of asset sale, your personal data may be transferred to third parties involved in the transaction
  • - Legal obligations: We may disclose personal data if required to comply with a legal obligation, regulation, or governmental request

We do not control third-party websites linked from our services and are not responsible for their privacy practices. Please review their policies separately.

4. International data transfers

Where we transfer personal data internationally, we ensure appropriate safeguards are in place to protect your data, regardless of where it is transferred. This includes:

  • - EU-U.S. data transfers: If we transfer personal data to countries outside the European Economic Area (EEA), we do so under appropriate mechanisms, such as Standard Contractual Clauses, binding corporate rules, or the EU-US Data Privacy Framework (DPF) if certified
  • - Other jurisdictions: We comply with local privacy laws when transferring data across borders, including requirements under CCPA/CPRA, other US state laws, LGPD, PIPEDA, and other regional privacy laws
  • - Where personal data originates from Singapore or the United Arab Emirates: cross-border transfers are conducted in compliance with applicable local requirements, and appropriate safeguards are implemented to ensure an adequate level of protection for the transferred personal data. For UK transfers, we use the International Data Transfer Agreement (IDTA) where applicable.

5. Your rights and choices

Depending on your location and applicable privacy laws, you may have the following rights. We process requests within 30 days under GDPR (extendable to 60 days), 45 days under CCPA/CPRA (extendable), or as required by other laws. Use our dedicated email: dpo@twelvedata.com for rights requests.

For European Union residents (GDPR):
  • - Right to access: Request a copy of your data
  • - Right to rectification: Correct any inaccuracies in your data
  • - Right to erasure (right to be forgotten): Request deletion of your data
  • - Right to data portability: Receive your data in a machine-readable format
  • - Right to restriction of processing: Request that we limit the processing of your data
  • - Right to object: Object to certain types of processing, such as marketing
  • - Right to withdraw consent: Withdraw your consent at any time, where consent is the basis for processing
For US residents (CCPA/CPRA and other state laws, e.g., DPDPA, MCPA, NPDPA, NJDPA, MODPA):
  • - Right to know: Request disclosure of categories and specific pieces of personal data collected, sold, or shared
  • - Right to delete: Request deletion, subject to exceptions
  • - Right to opt-out: Opt-out of sales/sharing (we do not sell), targeted advertising, or sensitive data processing
  • - Right to correct: Correct inaccurate data
  • - Right to limit: Limit use of sensitive personal information
  • - Right to non-discrimination: No discriminatory treatment for exercising rights
For Brazilian residents (LGPD):
  • - Right to confirmation: Request confirmation of whether your data is processed
  • - Right to access and correction: Request access to or correction of your personal data
  • - Right to anonymization, blocking, or deletion: Request anonymization or deletion of unnecessary or excessive data
  • - Right to data portability: Receive your data in a structured, commonly used format
For Canadian residents (PIPEDA):
  • - Right to access: Request access to your personal information
  • - Right to correction: Correct inaccurate or incomplete data
  • - Right to withdraw consent: Withdraw consent for processing
  • - Right to challenge compliance: Challenge our compliance with PIPEDA
For Singapore residents (PDPA):
  • - In accordance with the Singapore Personal Data Protection Act (PDPA), you may request access to personal data we hold about you and request correction of any inaccurate or incomplete personal data, subject to applicable legal exceptions.
For United Arab Emirates residents:
  • We process personal data in accordance with applicable UAE data protection laws, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, where applicable. Individuals may have rights relating to access, correction, deletion, or withdrawal of consent, subject to legal and regulatory requirements.

To exercise these rights, contact dpo@twelvedata.com. We do not discriminate against users exercising rights.

6. Security and data retention

We implement industry-standard security measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. These include encryption, firewalls, secure access controls, multi-factor authentication, regular vulnerability scans, employee privacy training, and compliance with standards like ISO 27001 and NIST frameworks.

In the event of a personal data breach, we will assess the incident and notify relevant supervisory authorities (e.g., within 72 hours under GDPR) and affected individuals without undue delay, in accordance with requirements under the Singapore PDPA, UAE laws, and other applicable regulations.

Data retention: Personal data will be retained only for as long as necessary to fulfill the purposes outlined in this policy or as required by law. Examples:

  • - Account information: Retained for 2 years after account closure
  • - Financial information: Retained for 7 years for tax compliance
  • - Usage data: Retained for 1 year for analytics

Upon expiration, data will be securely deleted or anonymized.

7. Children's privacy

Our services are not intended for individuals under the age of 16 (or 13 under US COPPA where applicable). If you are a parent or guardian and believe your child has provided us with personal data, please contact us, and we will take steps to delete such data.

8. Cookies and tracking technologies

Twelve Data uses cookies and similar tracking technologies to provide functionality and analyze service usage. You can manage preferences through your browser or our consent management tool. For details, refer to our Cookie Policy.

9. Updates to this Privacy Policy

We may update this Privacy Policy to reflect changes in our personal data practices or applicable laws. The "Last updated" date indicates the last revision. Significant changes (e.g., new data uses) will be notified via website postings, email to active users, or direct contact.

10. Contact us

For questions or concerns regarding this Privacy Policy or our data protection practices, contact us at:

Twelve Data Pte. Ltd.
20A Tanjong Pagar Road
Singapore 088443
Website: https://twelvedata.com
Email: legal@twelvedata.com
Support: support@twelvedata.com

Privacy-related inquiries, including requests to exercise data protection rights, are handled by our data protection function.