
Privacy Policy

Last updated: January 28, 2026

SwiftSheet ("we," "us," or "our") is operated by Distex Ltd. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our SwiftSheet application (both web and iOS versions).

1. Information we collect

1.1 Personal information you provide

We collect information that you voluntarily provide to us when you:

  • Create an account: Email address and authentication credentials (via Firebase Authentication)
  • Create and fill forms: Form responses, customer data (names, addresses, phone numbers, postcodes, markers, ID photos, dates)
  • Upload files: Photos, signatures, drawings, and documents

1.2 Automatically collected information

  • Device information: Device type, operating system, unique device identifiers
  • Usage data: App features used, forms accessed, submission timestamps
  • Log data: IP address, browser type, access times, pages viewed

1.3 Camera and photo library access (iOS)

Our iOS app requests access to your device's camera and photo library to enable photo capture for form fields and customer ID photos. Photos are processed locally on your device and only uploaded when you submit a form. We do not access your photos without your explicit action.

2. How we use your information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Authenticate users and manage accounts
  • Process and store form submissions
  • Generate PDF documents from your forms
  • Sync data between web and iOS applications
  • Provide customer support and respond to inquiries
  • Monitor and analyze usage patterns to improve user experience
  • Comply with legal obligations and protect against misuse

3. Third-party services

We use the following trusted third-party services to operate SwiftSheet:

3.1 Firebase (Google LLC)

Purpose: User authentication and account management

Data shared: Email address, authentication tokens

Firebase processes user authentication data on our behalf. Google acts as a data processor under GDPR.

3.2 Dropbox Inc.

Purpose: Optional PDF storage and backup (user-initiated)

Data shared: Generated PDF documents (only when you connect your Dropbox account)

3.3 Replit, Inc.

Purpose: Application hosting and infrastructure

3.4 Neon (Neon, Inc.)

Purpose: Database hosting and data storage. Customer personal information is encrypted using AES-256-GCM encryption before storage.

3.5 Replit Object Storage

Purpose: Photo and document storage. Customer ID photos are encrypted using AES-256-GCM with per-user encryption keys.

3.6 Google Gemini AI (Google LLC)

Purpose: AI-powered form generation (Beta feature). Only your form description is sent; no personal customer data is sent. See Google's Privacy Policy.

4. Data security

We implement industry-standard security measures to protect your information:

  • Encryption: Sensitive data encrypted using AES-256-GCM. ID photos use per-user encryption keys.
  • Secure transmission: HTTPS/TLS for all data in transit
  • Authentication: Firebase auth with secure token-based sessions
  • Data isolation: Per-user data isolation
  • Audit logging: Comprehensive audit logs of access to sensitive data
  • Access controls: Strict access controls limit who can view or modify data

Despite our security measures, no system is completely secure.

5. Data retention

We retain your personal information for as long as necessary to provide our services, comply with legal obligations, and resolve disputes.

Active accounts: Data is retained while your account is active.
Deleted accounts: Personal data deleted or anonymized within 90 days of account deletion, except where retention is required by law.

6. Your rights

6.1 GDPR rights (EEA)

  • Access: Request access to your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion ("right to be forgotten")
  • Restriction: Request restriction of processing
  • Data portability: Request a copy in portable format
  • Object: Object to processing of your data
  • Withdraw consent: Withdraw consent at any time

6.2 CCPA rights (California)

  • Know what personal information we collect
  • Know whether we sell or share personal information (we do not sell)
  • Access your personal information
  • Request deletion of your personal information
  • Non-discrimination for exercising your rights

6.3 Account deletion

Delete your account anytime: Web - Settings > Account Management > Delete My Account Forever. iOS - Settings > Account > Delete Account.

Account deletion is immediate and permanent. All forms, submissions, customer records, photos, and profile data are deleted. Connected integrations are disconnected. Backups in third-party services (e.g. Dropbox) must be managed separately.

7. Children's privacy

SwiftSheet is not intended for children under 13 (or under 16 in the EEA). We do not knowingly collect information from children.

8. International data transfers

Information may be transferred to and processed outside your country of residence. For EU/EEA transfers we use Standard Contractual Clauses, EU-U.S. Data Privacy Framework compliance, and other legally recognized mechanisms.

9. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We'll notify you of material changes by posting updates here, updating the "Last Updated" date, and emailing you for significant changes.

10. Do Not Track

We do not currently respond to "Do Not Track" browser signals. We do not track users across third-party websites.

11. Data breach notification

In the event of a breach affecting your personal information, we will notify you and relevant authorities as required by law, typically within 72 hours of becoming aware.

12. Contact us

Questions, concerns, or requests regarding this Privacy Policy:

SwiftSheet
Email: support@swiftsheet.co.uk
Website: https://www.swiftsheet.co.uk

13. Supervisory authority

If you're located in the EEA, you have the right to lodge a complaint with your local data protection authority.