How Swarmz Labs Ltd collects, uses, and protects your personal data.
01 Introduction
Last updated: May 31, 2026
Swarmz Labs Ltd (company number 17217227), registered office 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, UK ("Swarmz", "we", "us", "our") is the controller of personal data you provide when you use swarmz.net, the Swarmz application, and the authentication service at auth.swarmz.net.
This policy explains what we collect, why we collect it, how we use it, and the rights you have over it. It covers the marketing site, the signed-in app, and the auth subdomain together. It does not cover third-party services you connect to your account, which have their own privacy policies.
You can reach our privacy team at privacy@swarmz.net. For general or legal questions, write to legal@swarmz.net. Our registration with the UK Information Commissioner's Office is pending; the registration number will appear here once issued.
02 Information we collect
We collect the data you give us, the data we generate as you use the service, and a small amount of technical data your browser sends to any website. The categories below describe what we hold.
Account data. The email address you sign up with, the name you provide, and a salted hash of your password. We never see or store your password in plain text. If you sign in through a third-party identity provider, we receive your email, a stable identifier from that provider, and any profile fields you choose to share.
Profile and onboarding data. Your display name, avatar, locale, time zone, and answers to optional onboarding questions about how you plan to use Swarmz. You can edit or remove this information from your account settings at any time.
Workspace and project content. Names of workspaces and projects, code you write or generate, chat messages, AI prompts and responses, files you upload, and any other content you create inside the service. This is your content. We hold it so we can show it back to you, run the features you ask us to run, and back it up.
Billing data. If you subscribe to a paid plan we store your Stripe customer ID, the billing address you provide, your EU VAT number where applicable, and a record of invoices and payments. Card details go directly to Stripe and we never see or store them.
Telemetry, with your consent. If you accept analytics cookies we record page views, basic interaction events, performance metrics, and front-end errors. We use this to fix bugs and to understand which features people use. You can change your choice at any time from the cookie settings link in the footer, and we honour the Global Privacy Control signal.
Security data. Your IP address and user agent string. For waitlist and lead-form submissions we store only a hashed version. For active sessions we keep the raw values briefly so you can see where your account is signed in and revoke sessions you don't recognise.
Authentication data. Supabase session and refresh tokens, the second-factor methods you configure (such as TOTP), and encrypted access tokens for any third-party integrations you connect. Integration tokens are encrypted at rest and used only to carry out actions you initiate.
Communications. Emails you send to our support addresses, transactional email metadata (delivery status, bounces, opens where available), and any feedback you submit through the product.
03 How we use information
We use the data above for the following purposes, under the legal bases shown.
- To deliver the service. Authenticating you, saving your work, running the features you ask for, and showing you content you have access to. Legal basis: performance of our contract with you.
- To handle billing and meet our tax obligations. Processing payments through Stripe, issuing invoices, and keeping financial records as required by HMRC. Legal basis: performance of contract and compliance with a legal obligation.
- To keep accounts and the service secure. Detecting suspicious sign-ins, blocking abuse, preventing fraud, and investigating incidents. Legal basis: our legitimate interest in running a secure service, balanced against your privacy.
- To understand how the product is used, only with your consent. Product analytics and error monitoring are off until you accept them. Legal basis: consent, which you can withdraw at any time.
- To send transactional emails. Sign-in alerts, billing receipts, security notices, and changes to these documents. Legal basis: performance of contract and legitimate interest in keeping you informed about your account. We do not send marketing email without a separate opt-in.
05 Data retention
We keep data only as long as we need it to run the service or to meet a legal obligation. The table below covers the main categories.
- Active accounts. While your account is active.
- Deleted accounts. Erased within 30 days of deletion, except billing and tax records, which we are required to keep for 7 years under HMRC rules.
- Waitlist signups. Held until we launch and you convert to an account, up to a maximum of 36 months.
- Enterprise lead forms. 24 months from the last contact you have with us.
- Audit logs. Billing-related audit logs for 7 years. Other audit logs for 90 days.
- Analytics events. Up to 25 months, then aggregated or deleted.
- Error logs. 90 days.
- Transactional email metadata. 12 months.
- Backups. Encrypted, on a rolling 30-day retention.
When a retention period ends we delete the data or anonymise it so that it can no longer be linked to you.
06 Your rights and choices
Under UK GDPR you have the following rights over your personal data:
- Access a copy of the data we hold about you.
- Correct data that is inaccurate or incomplete.
- Ask us to erase your data, subject to the retention rules above and any legal obligation we have to keep it.
- Restrict how we process your data while a question about it is resolved.
- Object to processing we carry out under a legitimate interest.
- Receive a copy of the data you provided to us in a portable, machine-readable format.
- Withdraw any consent you have given.
- Object to a decision made solely by automated processing that has a legal or similarly significant effect on you. Swarmz does not currently make any such decisions about you.
To exercise any of these rights, email privacy@swarmz.net or use the account deletion option in your account settings. We respond within 30 days. The service is free, but if a request is manifestly unfounded or excessive we may charge a reasonable fee or refuse to act on it, as UK GDPR allows.
07 Security
We protect your data with the controls you would expect from a modern SaaS provider. All traffic between your browser and our servers uses TLS. Data is encrypted at rest wherever the underlying storage layer supports it. Access to production data is role-based, logged, and limited to the people who need it for their job.
You can turn on multi-factor authentication on your account. Tokens for third-party integrations are encrypted before they touch our database, and audit logs record sensitive actions.
If you find a security issue, please report it to security@swarmz.net. We treat reports seriously and will work with you to confirm and fix the issue.
No system is ever perfectly secure. We commit to protecting your data to a high standard, but we cannot guarantee that it will never be exposed to an unauthorised party.
08 International transfers
Your data may be processed in the United Kingdom, the European Economic Area, and the United States, depending on which of our sub-processors handles it.
Transfers outside the UK are protected by the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses combined with the UK Addendum, or another valid mechanism under Chapter V of the UK GDPR. We review the receiving country's legal framework and the technical and organisational measures of the recipient before we use them.
Specifics are set out in the Data Processing Addendum available to enterprise customers. Email legal@swarmz.net for a copy.
09 Children's privacy
Swarmz is not intended for children under 16. We do not knowingly collect personal data from children under 16, and we do not target our marketing at them.
If you are a parent or guardian and you believe we hold data about a child under 16, email privacy@swarmz.net and we will delete it.
10 Changes to this policy
We may update this policy as the service evolves or the law changes. The "Last updated" date at the top reflects when we last changed it.
If we make a material change to how we collect or use your data, we will give you at least 30 days' notice by email and through an in-app notice before the new version takes effect. If you keep using the service after that date, the new version applies to you.
You can also lodge a complaint with the UK Information Commissioner's Office at ico.org.uk if you believe we have mishandled your data. We would rather hear from you first at privacy@swarmz.net so we can put it right, but you do not need to come to us first.
Questions?
If you have questions about this document, contact us at accounts@swarmz.net.
Swarmz Labs Ltd
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ
United Kingdom