Privacy Policy

Last Updated: October 20, 2025

SwiftSheet ("we," "us," or "our") is operated by Distex Ltd. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our SwiftSheet application (both web and iOS versions).

1. Information We Collect

1.1 Personal Information You Provide

We collect information that you voluntarily provide to us when you:

  • Create an account: Email address and authentication credentials (via Firebase Authentication)
  • Create and fill forms: Form responses, customer data (names, addresses, phone numbers, postcodes, markers, ID photos, dates)
  • Upload files: Photos, signatures, drawings, and documents

1.2 Automatically Collected Information

  • Device information: Device type, operating system, unique device identifiers
  • Usage data: App features used, forms accessed, submission timestamps
  • Log data: IP address, browser type, access times, pages viewed

1.3 Camera and Photo Library Access (iOS)

Our iOS app requests access to your device's camera and photo library to enable photo capture for form fields and customer ID photos. Photos are processed locally on your device and only uploaded when you submit a form. We do not access your photos without your explicit action.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Authenticate users and manage accounts
  • Process and store form submissions
  • Generate PDF documents from your forms
  • Sync data between web and iOS applications
  • Provide customer support and respond to inquiries
  • Monitor and analyze usage patterns to improve user experience
  • Comply with legal obligations and protect against misuse

3. Third-Party Services

We use the following trusted third-party services to operate SwiftSheet:

3.1 Firebase (Google LLC)

Purpose: User authentication and account management

Data Shared: Email address, authentication tokens

Firebase processes user authentication data on our behalf. Google acts as a data processor under GDPR. We use Firebase Authentication to securely manage user accounts across both web and iOS platforms.

3.2 Dropbox Inc.

Purpose: Optional PDF storage and backup (user-initiated)

Data Shared: Generated PDF documents (only when you connect your Dropbox account)

If you choose to connect your Dropbox account, we will upload generated PDFs to your Dropbox storage. This integration is optional and requires your explicit authorization.

3.3 Replit, Inc.

Purpose: Application hosting and infrastructure

Data Shared: All application data passes through Replit's hosting infrastructure

SwiftSheet is hosted on Replit's infrastructure. Replit provides the technical platform that enables our application to function but does not access or process your personal data.

3.4 Neon (Neon, Inc.)

Purpose: Database hosting and data storage

Data Stored: All application data (user accounts, forms, form submissions, customer data)

We use Neon's serverless PostgreSQL database platform to securely store all application data. Neon acts as a data processor on our behalf and provides enterprise-grade security, encryption, and backups. Customer personal information (addresses, phone numbers) is encrypted using AES-256-GCM encryption before storage in the database.

3.5 Replit Object Storage

Purpose: Photo and document storage

Data Stored: Customer ID photos (encrypted), form photos, document scans

Customer ID photos (such as driver's licenses and passports) are encrypted using AES-256-GCM with per-user encryption keys before being stored in Replit's object storage system. Form photos and document scans are stored unencrypted. All files are isolated per-user to ensure your data cannot be accessed by other users.

4. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: Sensitive personal data (customer addresses, phone numbers, government-issued ID photos) is encrypted using AES-256-GCM encryption. ID photos use per-user encryption keys for additional security.
  • Secure transmission: All data transmitted between your device and our servers uses HTTPS/TLS encryption
  • Authentication: Firebase authentication with secure token-based sessions
  • Data isolation: Per-user data isolation ensures your data is separated from other users
  • Audit logging: We maintain comprehensive audit logs of access to sensitive customer data
  • Access controls: Strict access controls limit who can view or modify data

Despite our security measures, no system is completely secure. We cannot guarantee absolute security of your data.

5. Data Retention

We retain your personal information for as long as necessary to:

  • Provide our services to you
  • Comply with legal obligations
  • Resolve disputes and enforce agreements

Active accounts: Data is retained while your account is active
Deleted accounts: Upon account deletion, we will delete or anonymize your personal data within 90 days, except where we are required to retain it by law

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

6.1 GDPR Rights (European Economic Area)

  • Access: Request access to your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request restriction of processing
  • Data portability: Request a copy of your data in a portable format
  • Object: Object to processing of your data
  • Withdraw consent: Withdraw consent at any time

6.2 CCPA Rights (California Residents)

  • Know what personal information we collect
  • Know whether we sell or share personal information
  • Access your personal information
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising your rights

6.3 How to Exercise Your Rights

To exercise any of these rights, please contact us using the information in the "Contact Us" section below. We will respond to your request within 30 days.

6.4 Account Deletion

You have the right to delete your account and all associated data at any time. Account deletion can be performed directly through the application:

  • Web App: Navigate to Settings > Account Management and click "Delete My Account Forever"
  • iOS App: Navigate to Settings > Account and tap "Delete Account"

What happens when you delete your account:

  • Your account is immediately deactivated and you are logged out
  • All forms, form templates, and form configurations are permanently deleted
  • All submissions, PDFs, and form responses are permanently deleted
  • All customer records, including names, addresses, phone numbers, and photos, are permanently deleted
  • All photos stored in our system (customer ID photos, form photos) are permanently deleted
  • Your account settings, preferences, and user profile are permanently deleted
  • Any connected integrations (Dropbox, Firebase) are disconnected

Important notes:

  • Account deletion is permanent and cannot be undone
  • You will need to create a new account if you wish to use SwiftSheet again
  • If you have an active subscription, we recommend canceling it first through your subscription settings before deleting your account
  • Backup copies in third-party services (e.g., Dropbox) are not deleted and must be managed separately

7. Children's Privacy

SwiftSheet is not intended for children under 13 years of age (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately so we can delete it.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your jurisdiction.

When we transfer personal data from the EU/EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • EU-U.S. Data Privacy Framework compliance (where applicable)
  • Other legally recognized transfer mechanisms

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending you an email notification (for significant changes)

Your continued use of SwiftSheet after changes become effective constitutes acceptance of the updated Privacy Policy.

10. Do Not Track

We do not currently respond to "Do Not Track" signals from browsers. We do not track users across third-party websites or services.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.

12. Your Choices

  • Account information: You can update your account information within the app
  • Dropbox integration: You can disconnect Dropbox at any time from your settings
  • Email communications: You can opt out of promotional emails (service-related emails cannot be opted out of)
  • Delete data: You can delete forms, customers, and submissions at any time
  • Delete account: You can permanently delete your account and all associated data at any time through Settings > Account Management. Account deletion is immediate and cannot be undone

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

SwiftSheet
Email: support@swiftsheet.co.uk
Website: https://www.swiftsheet.co.uk

14. Supervisory Authority

If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws.