What does Two Bit Digital do?

Two Bit Digital is a SaaS development and AI engineering studio that builds mission-critical digital systems for regulated markets. We design, build, and deploy end-to-end SaaS platforms, AI-powered workflows, and secure cloud infrastructure for enterprises, startups, and government bodies across the UK, US, Australia, and Pakistan.

Is Two Bit Digital a registered company?

Yes. Two Bit Digital Ltd is registered in England and Wales under Company Number 14710072, verifiable at Companies House. The company also holds a D&B D-U-N-S Number (77-532-7428) and is registered as a UN Global Marketplace vendor (No. 1177996), and with the SECP in Pakistan (CUIN: 0250598).

Does Two Bit Digital work with government bodies?

Yes. Two Bit Digital is actively positioned to bid on government and civil tenders for web, app, and AI solutions in the UK. We are a registered UN Global Marketplace vendor and hold a D&B D-U-N-S number, meeting common procurement verification requirements.

What technology stack does Two Bit Digital use?

Two Bit Digital builds primarily on Next.js 14, TypeScript, Supabase, React Native, Vercel, and AWS. AI integrations are built using LLM APIs including OpenAI and Claude. All systems are type-safe, production-grade, and built for scale.

Where is Two Bit Digital based?

Two Bit Digital is headquartered in the United Kingdom with core development operations in Karachi, Pakistan. The studio serves clients across the UK, United States, Australia, and Pakistan.

What in-house products has Two Bit Digital built?

Two Bit Digital has built three proprietary SaaS products: Tikkit X (a live event ticketing and management platform for Pakistan), Averon Legal Systems (a CPR Part 47/36 case management SaaS for UK law firms, currently in beta), and Terra Core (a zero-knowledge AES-256 document intelligence platform, in development).

How do I contact Two Bit Digital for a project?

You can contact Two Bit Digital by emailing sales@twobitdigital.com for new project enquiries, or mwasif@twobitdigital.com to reach the Founder & CEO directly. Alternatively, use the contact form at twobitdigital.com.

Home›Privacy Policy

Privacy Policy

We built this company on the belief that privacy is architecture, not policy. This document explains what we collect, why, and what we never do with it.

🔐 Our position, plainly stated: We do not sell your personal data. We do not share it with third parties for marketing. We do not store data beyond what is operationally necessary. Our products are built on zero-knowledge principles — meaning we architect systems so that sensitive data is inaccessible even to us. That same philosophy governs how we operate as a company.

Last updated

18 April 2026

Effective date

18 April 2026

Data controller

Two Bit Digital Ltd

Jurisdiction

England & Wales

1. Data Controller

The data controller responsible for personal data collected through this website is:

Two Bit Digital Ltd
Registered in England and Wales
Companies House No. 14710072
Email: sales@twobitdigital.com

This Privacy Policy applies to all personal data processed through twobitdigital.com and any direct communications with Two Bit Digital Ltd. It is compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Data We Collect

We collect only the minimum data necessary to operate this website and respond to enquiries.

Contact Form Submissions

When you submit a project brief through our contact form, we collect:

Your name
Your email address
Your company or organisation name (optional)
Project type (optional)
Your message or project description
Your IP address (recorded in the notification email for spam and fraud prevention — not stored in a database)

Analytics Data

We use Google Analytics 4 (GA4) to understand how visitors use this website. GA4 collects anonymised usage data including pages visited, time on site, general geographic region (country/city level), device type, and referral source. GA4 does not identify you personally. Your IP address is anonymised before processing.

Server and Infrastructure Logs

Our hosting infrastructure (Vercel) automatically records standard server access logs including IP addresses, request paths, and timestamps. These logs are retained for a maximum of 30 days for security monitoring and are not used for any other purpose.

Data We Do Not Collect

We do not collect, store, or process:

Payment card details (we have no payment processing on this website)
Sensitive personal data (health, biometric, financial account data)
Data from minors under 16
Tracking data beyond what GA4 collects with IP anonymisation

3. Our Zero-Knowledge Commitment

Zero-knowledge architecture means systems are designed so that the operator — us — cannot access the content of what users store, even if compelled to. This is a technical guarantee, not just a policy promise. We apply this same philosophy to how we handle data as a business.

Our in-house products — particularly Terra Core and Tikkit X — are built on zero-knowledge cryptographic principles. AES-256 encryption with key isolation means that encrypted data cannot be decrypted without the client's own keys. We never hold the keys.

As a company, we extend this philosophy to our business operations:

We do not store contact form submissions in any database — they are delivered to us via email and the data is not persisted on our servers.
We do not build profiles of website visitors.
We do not use retargeting pixels or behavioural advertising technologies.
We do not use session recording tools (Hotjar, FullStory, or similar).
We do not sell, rent, or trade personal data under any circumstances.

4. Legal Basis for Processing

Under UK GDPR, we process personal data on the following legal bases:

Legitimate interests — Processing contact form submissions to respond to project enquiries. Our legitimate interest is to communicate with prospective clients who have actively contacted us.
Legitimate interests — Analytics to understand website performance and improve user experience. GA4 is configured with IP anonymisation.
Legal obligation — Retaining server access logs for security monitoring and fraud prevention.
Consent — Where we seek your agreement before processing (e.g. future marketing communications, if any). We will always be explicit when seeking consent.

5. How We Use Your Data

We use the data we collect solely for the following purposes:

Responding to project enquiries submitted through the contact form
Assessing whether we can help with a project brief
Communicating about a potential or active engagement
Understanding how the website is used so we can improve it (analytics only)
Detecting and preventing spam, fraud, and abuse

We will never use your data to send unsolicited marketing communications without your explicit consent. If you contact us and we wish to add you to any form of mailing list, we will ask you separately and clearly.

7. Cookies

This website uses a minimal set of cookies. We do not use advertising cookies, tracking pixels, or behavioural profiling cookies.

Analytics cookies (GA4) — Set by Google Analytics to distinguish users and sessions. These cookies do not contain personally identifiable information. You can opt out of Google Analytics across all sites at tools.google.com/dlpage/gaoptout ↗.
Session / functional cookies — Cookies set by our hosting infrastructure (Vercel) for load balancing and security purposes. These are strictly necessary and cannot be disabled without affecting site function.

We do not use third-party advertising cookies, social media tracking pixels, or any form of cross-site behavioural tracking.

8. Data Retention

We retain personal data only for as long as necessary:

Contact form enquiries — retained in our email inbox for the duration of the business relationship, or a maximum of 3 years from last contact, whichever is sooner. Email communications forming part of an active client engagement are retained for 7 years to comply with legal and accounting obligations.
GA4 analytics data — retained for 14 months, per our GA4 configuration.
Server access logs — retained for a maximum of 30 days by Vercel.
IP addresses in notification emails — not stored separately; present only in the email record governed by the email retention policy above.

9. Your Rights Under UK GDPR

If you are located in the UK or European Economic Area, you have the following rights:

Right of access — You can request a copy of all personal data we hold about you.
Right to rectification — You can ask us to correct inaccurate data.
Right to erasure — You can ask us to delete your personal data where there is no compelling reason to retain it.
Right to restriction — You can ask us to pause processing of your data in certain circumstances.
Right to data portability — You can request your data in a machine-readable format.
Right to object — You can object to processing based on legitimate interests.
Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, email us at sales@twobitdigital.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) ↗.

10. International Data Transfers

Some of our third-party service providers process data outside the UK and EEA — specifically Resend, Google, and Vercel, which are US-based. Where this occurs, we rely on:

UK adequacy regulations for transfers to countries with equivalent protection
Standard Contractual Clauses (SCCs) / International Data Transfer Agreements (IDTAs) where required
The service provider's own binding corporate rules where applicable

We do not transfer your personal data to any country or organisation outside these approved mechanisms.

11. Security

We implement technical and organisational measures to protect personal data against unauthorised access, loss, or destruction:

All data in transit is encrypted via TLS 1.2/1.3 (HTTPS enforced via HSTS)
API endpoints are rate-limited and protected against injection attacks
Contact form data is transmitted directly to our email inbox — it is not persisted in any web-accessible database
Security headers (X-Frame-Options, X-Content-Type-Options, CSP, Referrer-Policy) are configured on all responses
Access to internal systems is protected by multi-factor authentication

In the event of a personal data breach that is likely to result in risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Article 33.

12. Children's Privacy

This website and our services are directed at businesses and professional individuals. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has submitted personal data to us, please contact us immediately and we will delete it.

13. US and Australian Residents

California (CCPA/CPRA): We do not sell personal information as defined under the California Consumer Privacy Act. California residents have the right to know what personal information is collected, to delete it, to opt out of sale (not applicable — we do not sell), and to non-discrimination for exercising these rights. Contact us at sales@twobitdigital.com to make a request.

Australia (Privacy Act 1988): We comply with the Australian Privacy Principles. Australian residents have the right to access and correct personal information we hold. Contact us to make a request.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. We will not retroactively reduce your rights under this policy without your consent. For material changes, we will provide prominent notice on this website.

15. Contact Us

For any questions about this Privacy Policy, to exercise your rights, or to make a complaint, contact us at:

Two Bit Digital Ltd
Data Protection Enquiries
sales@twobitdigital.com
Companies House No. 14710072
Registered in England and Wales