TQtwenty.quest

Privacy Policy

Last updated 22 April 2026

twenty.quest is operated by Ortomate Limited, a New Zealand company (“we”, “us”). This policy explains what personal information we collect, how we use it, who we share it with, and the choices you have.

1. Who this policy applies to

This policy covers two groups of people who interact with twenty.quest:

  • Facilitators: people who create an account, upload strategy documents, and run quests for a leadership team.
  • Participants: people a facilitator invites to answer the twenty questions. Participants do not have accounts; they access the service through a one-time magic link emailed to them.

2. Information we collect

2.1 Information facilitators provide

  • Account email address, used for sign-in and for sending notifications.
  • Quest content: the title, the brief you write, the strategy documents you upload (board decks, OKRs, offsite notes, and similar).
  • The list of participants you invite: their names and email addresses.

2.2 Information participants provide

  • Answers to the twenty questions, submitted as text or as a voice recording that we transcribe.
  • Any optional context a participant adds to an answer.

2.3 Information generated by the service

  • Generated questions, derived from the facilitator’s brief and uploaded documents.
  • Synthesis artifacts: concept maps, themes, tensions, attributed quotes, reports, and a narrated recap video.
  • Server and application logs needed to run and secure the service.

3. How we use information

  • To operate the service: generating questions, collecting answers, producing synthesis artifacts, and delivering them to the facilitator.
  • To send service emails: magic links for participants, and operational notifications for facilitators.
  • To keep the service running, secure, and reliable (monitoring, abuse detection, debugging).
  • To improve twenty.quest. We do not train third-party foundation models on your quest content.

4. How we share information

We share information with the third-party sub-processors listed below, only to the extent needed to run the service. We do not sell personal information.

  • Vercel: application hosting and serverless functions.
  • Supabase: Postgres database and object storage for quest content, uploaded documents, and recap videos.
  • Railway: hosts the renderer that composites the recap video.
  • Anthropic: the large language model provider that generates questions, synthesis, and supporting text. Anthropic processes the inputs we send and returns outputs; it does not train its models on this data under our API agreement.
  • ElevenLabs: voices the narration in the recap video.
  • Resend: delivers magic-link and notification emails.
  • Plausible: privacy-respecting, cookieless analytics. Plausible records aggregate page views and referrer information; it does not use cookies, does not track individuals across sites, and does not collect personal data.

We may also share information when required by law, to enforce our terms, or to protect the rights and safety of our users.

5. Attribution and participant visibility

twenty.quest is deliberately non-anonymous. When a participant submits an answer, the facilitator sees that answer attributed to the participant by name. Synthesis artifacts, including quotes in reports and the recap video, may name participants. If you are a participant and you are not comfortable with attribution, do not submit an answer; speak with your facilitator instead.

6. Data retention

We retain facilitator accounts, quests, and their artifacts until a facilitator requests deletion. Invitation magic links expire automatically. Server logs are retained for up to 90 days. You can request deletion of a specific quest or your entire account at any time by emailing privacy@twenty.quest.

7. Security

Data is encrypted in transit. Databases and object storage are encrypted at rest through Supabase. Access to production data is restricted to authorised personnel and logged.

8. Your rights

Depending on where you live, you may have rights to access, correct, or delete personal information we hold about you, and to object to or restrict certain processing. To exercise any of these rights, email privacy@twenty.quest. We will respond within 30 days.

9. International transfers

twenty.quest is operated from New Zealand. Our sub-processors operate in the United States and other countries. By using the service, you consent to the transfer of your information to these jurisdictions.

10. Changes to this policy

We may update this policy as the service evolves. If we make material changes, we will notify facilitators by email. The “Last updated” date at the top of this page reflects the current version.

11. Contact

Questions about this policy, or requests about your data, can be sent to privacy@twenty.quest.

Ortomate Limited, Level 1, 2-12 Allen Street, Wellington 6011, New Zealand.