Privacy Policy

Last Updated: October 20, 2025

SwiftSheet ("we," "us," or "our") is operated by Distex Ltd. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our SwiftSheet application (both web and iOS versions).

1. Information We Collect

1.1 Personal Information You Provide

We collect information that you voluntarily provide to us when you:

Create an account: Email address and authentication credentials (via Firebase Authentication)
Create and fill forms: Form responses, customer data (names, addresses, phone numbers, postcodes, markers, ID photos, dates)
Upload files: Photos, signatures, drawings, and documents

1.2 Automatically Collected Information

Device information: Device type, operating system, unique device identifiers
Usage data: App features used, forms accessed, submission timestamps
Log data: IP address, browser type, access times, pages viewed

1.3 Camera and Photo Library Access (iOS)

Our iOS app requests access to your device's camera and photo library to enable photo capture for form fields and customer ID photos. Photos are processed locally on your device and only uploaded when you submit a form. We do not access your photos without your explicit action.

2. How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve our services
Authenticate users and manage accounts
Process and store form submissions
Generate PDF documents from your forms
Sync data between web and iOS applications
Provide customer support and respond to inquiries
Monitor and analyze usage patterns to improve user experience
Comply with legal obligations and protect against misuse

3. Third-Party Services

We use the following trusted third-party services to operate SwiftSheet:

3.1 Firebase (Google LLC)

Purpose: User authentication and account management

Data Shared: Email address, authentication tokens

Privacy Policy: https://firebase.google.com/support/privacy

Firebase processes user authentication data on our behalf. Google acts as a data processor under GDPR. We use Firebase Authentication to securely manage user accounts across both web and iOS platforms.

3.2 Dropbox Inc.

Purpose: Optional PDF storage and backup (user-initiated)

Data Shared: Generated PDF documents (only when you connect your Dropbox account)

Privacy Policy: https://www.dropbox.com/privacy

If you choose to connect your Dropbox account, we will upload generated PDFs to your Dropbox storage. This integration is optional and requires your explicit authorization. Dropbox's handling of your data is governed by their privacy policy and terms of service.

3.3 Replit, Inc.

Purpose: Application hosting and infrastructure

Data Shared: All application data passes through Replit's hosting infrastructure

Privacy Policy: https://replit.com/site/privacy

SwiftSheet is hosted on Replit's infrastructure. Replit provides the technical platform that enables our application to function but does not access or process your personal data.

3.4 Neon (Neon, Inc.)

Purpose: Database hosting and data storage

Data Stored: All application data (user accounts, forms, form submissions, customer data)

Data Location: AWS US East (Virginia), United States

Privacy Policy: https://neon.tech/privacy-policy

We use Neon's serverless PostgreSQL database platform to securely store all application data. Neon acts as a data processor on our behalf and provides enterprise-grade security, encryption, and backups. Customer personal information (addresses, phone numbers) is encrypted using AES-256-GCM encryption before storage in the database.

3.5 Replit Object Storage

Purpose: Photo and document storage

Data Stored: Customer ID photos (encrypted), form photos, document scans

Privacy Policy: https://replit.com/site/privacy

Customer ID photos (such as driver's licenses and passports) are encrypted using AES-256-GCM with per-user encryption keys before being stored in Replit's object storage system. Form photos and document scans are stored unencrypted. All files are isolated per-user to ensure your data cannot be accessed by other users. If object storage is unavailable, photos are stored as encrypted base64 data in the database as a fallback.

4. Data Security

We implement industry-standard security measures to protect your information:

Encryption: Sensitive personal data (customer addresses, phone numbers, government-issued ID photos) is encrypted using AES-256-GCM encryption. ID photos use per-user encryption keys for additional security.
Secure transmission: All data transmitted between your device and our servers uses HTTPS/TLS encryption
Authentication: Firebase authentication with secure token-based sessions
Data isolation: Per-user data isolation ensures your data is separated from other users
Audit logging: We maintain comprehensive audit logs of access to sensitive customer data
Access controls: Strict access controls limit who can view or modify data

Despite our security measures, no system is completely secure. We cannot guarantee absolute security of your data.

5. Data Retention

We retain your personal information for as long as necessary to:

Provide our services to you
Comply with legal obligations
Resolve disputes and enforce agreements

Active accounts: Data is retained while your account is active
Deleted accounts: Upon account deletion, we will delete or anonymize your personal data within 90 days, except where we are required to retain it by law

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

6.1 GDPR Rights (European Economic Area)

Access: Request access to your personal data
Rectification: Request correction of inaccurate data
Erasure: Request deletion of your data ("right to be forgotten")
Restriction: Request restriction of processing
Data portability: Request a copy of your data in a portable format
Object: Object to processing of your data
Withdraw consent: Withdraw consent at any time

6.2 CCPA Rights (California Residents)

Know what personal information we collect
Know whether we sell or share personal information
Access your personal information
Request deletion of your personal information
Opt-out of the sale of personal information (we do not sell personal information)
Non-discrimination for exercising your rights

6.3 How to Exercise Your Rights

To exercise any of these rights, please contact us using the information in the "Contact Us" section below. We will respond to your request within 30 days.

6.4 Account Deletion

You have the right to delete your account and all associated data at any time. Account deletion can be performed directly through the application:

Web App: Navigate to Settings > Account Management and click "Delete My Account Forever"
iOS App: Navigate to Settings > Account and tap "Delete Account"

What happens when you delete your account:

Your account is immediately deactivated and you are logged out
All forms, form templates, and form configurations are permanently deleted
All submissions, PDFs, and form responses are permanently deleted
All customer records, including names, addresses, phone numbers, and photos are permanently deleted
All photos stored in our system (customer ID photos, form photos) are permanently deleted
Your account settings, preferences, and user profile are permanently deleted
Any connected integrations (Dropbox, Firebase) are disconnected

Important notes:

Account deletion is permanent and cannot be undone
You will need to create a new account if you wish to use SwiftSheet again
If you have an active subscription, we recommend canceling it first through your subscription settings before deleting your account
Backup copies in third-party services (e.g., Dropbox) are not deleted and must be managed separately

7. Children's Privacy

SwiftSheet is not intended for children under 13 years of age (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately so we can delete it.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your jurisdiction.

When we transfer personal data from the EU/EEA, we ensure appropriate safeguards are in place, such as:

Standard Contractual Clauses approved by the European Commission
EU-U.S. Data Privacy Framework compliance (where applicable)
Other legally recognized transfer mechanisms

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

Posting the new Privacy Policy on this page
Updating the "Last Updated" date
Sending you an email notification (for significant changes)

Your continued use of SwiftSheet after changes become effective constitutes acceptance of the updated Privacy Policy.

10. Do Not Track

We do not currently respond to "Do Not Track" signals from browsers. We do not track users across third-party websites or services.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.

12. Your Choices

Account information: You can update your account information within the app
Dropbox integration: You can disconnect Dropbox at any time from your settings
Email communications: You can opt-out of promotional emails (service-related emails cannot be opted out of)
Delete data: You can delete forms, customers, and submissions at any time
Delete account: You can permanently delete your account and all associated data at any time through Settings > Account Management. Account deletion is immediate and cannot be undone

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Distex Ltd
Email: support@swiftsheet.co.uk
Website: https://www.swiftsheet.co.uk

For GDPR-related inquiries:
Data Protection Officer
Email: support@swiftsheet.co.uk

For legal requests:
Legal Department
Email: support@swiftsheet.co.uk

14. Supervisory Authority

If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws.