Privacy Policy

1. Introduction

SwiftCase ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at www.swiftcase.co.uk or use our workflow automation platform and related services (collectively, the "Services").

We are registered in England and Wales. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller responsible for your personal data.

Please read this policy carefully. By using our Services, you acknowledge that you have read and understood this Privacy Policy. This policy should be read alongside our Terms of Service and Cookie Policy.

2. Information We Collect

2.1 Information You Provide

We collect personal information that you voluntarily provide when you:

• Register for an account or request a demo
• Subscribe to our newsletter or marketing communications
• Complete forms on our website
• Contact us via email, phone, or other channels
• Participate in surveys, promotions, or events
• Apply for employment opportunities

This information may include:

• Name and job title
• Email address and phone number
• Company name and business address
• Account credentials (username and password)
• Billing and payment information
• Any other information you choose to provide

2.2 Information Collected Automatically

When you access our Services, we automatically collect certain technical information, including:

• IP address and approximate geographic location
• Browser type and version
• Operating system and device information
• Pages visited, time spent, and navigation paths
• Referring website or source
• Date and time of access

2.3 Information from Your Use of the Platform

If you use our workflow automation platform, we also collect:

• Workflow configurations and automation rules you create
• Usage data and feature interactions
• Integration settings and API usage
• Error logs and performance data
• Data you input or process through workflows (as a data processor)

3. Legal Basis for Processing

Under UK GDPR, we must have a valid legal basis for processing your personal data. We rely on the following legal bases:

• Contract: Processing necessary to perform our contract with you or take steps at your request before entering a contract (e.g., providing the Services, managing your account).
• Legitimate Interests: Processing necessary for our legitimate business interests, provided these are not overridden by your rights (e.g., improving our Services, fraud prevention, marketing to existing customers).
• Consent: Where you have given clear consent for us to process your data for a specific purpose (e.g., marketing communications to non-customers).
• Legal Obligation: Processing necessary to comply with our legal obligations (e.g., tax records, responding to lawful requests from authorities).

4. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Services
• Process transactions and send related information
• Create and manage your account
• Respond to your enquiries and provide customer support
• Send technical notices, updates, and security alerts
• Send marketing communications (where permitted)
• Monitor and analyse usage trends and preferences
• Detect, investigate, and prevent fraudulent or illegal activities
• Comply with legal obligations and enforce our terms
• Personalise your experience and provide tailored content

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information in the following circumstances:

Service Providers

We engage trusted third-party companies to perform services on our behalf, such as hosting, payment processing, analytics, email delivery, and customer support. These providers are contractually bound to protect your data and may only use it for the specified purposes.

Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of SwiftCase, our users, or others.

With Your Consent

We may share your information for other purposes with your explicit consent.

6. International Data Transfers

Your data is primarily stored and processed in the United Kingdom using UK-based data centres. Where we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the UK ICO
• Transfers to countries with adequate data protection laws
• Other legally recognised transfer mechanisms

7. Data Security

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Regular security assessments and penetration testing
• Access controls and role-based permissions
• Multi-factor authentication options
• Regular backups and disaster recovery procedures
• Employee security training and awareness programmes
• Cyber Essentials certification

While we strive to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security but will notify you of any breach affecting your personal data as required by law.

8. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including:

• Active accounts: For the duration of your account plus a reasonable period after closure
• Marketing contacts: Until you unsubscribe or withdraw consent
• Financial records: 7 years as required by UK tax law
• Legal claims: For the applicable limitation period

When data is no longer required, we securely delete or anonymise it.

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your data in certain circumstances ("right to be forgotten").
• Right to Restriction: Request that we limit how we use your data.
• Right to Data Portability:Request your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Rights Related to Automated Decisions:Not be subject to decisions based solely on automated processing.
• Right to Withdraw Consent:Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact us using the details below. We will respond to your request within one month, though we may extend this period for complex requests.

10. Marketing Communications

We may send you marketing communications about our products, services, and events if you have:

• Requested information from us or purchased our services
• Provided consent to receive marketing
• Not opted out of receiving such communications

You can opt out of marketing communications at any time by clicking the "unsubscribe" link in any email, updating your account preferences, or contacting us directly.

11. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately and we will take steps to delete such information.

12. Third-Party Links

Our website may contain links to third-party websites and services. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.

13. Google User Data and Gmail Integration

If you connect a Google account to SwiftCase (for example, to enable email automation workflows that read or send email on your behalf), SwiftCase accesses your Google account data through Google's OAuth 2.0 authorisation flow. This section explains, in line with the Google API Services User Data Policy (including its Limited Use requirements), what we access, why we access it, and how we handle that data.

13.1 OAuth Scopes We Request

When you connect a Google account to enable Gmail-based workflows, SwiftCase requests the following OAuth scopes:

• https://www.googleapis.com/auth/gmail.readonly — to list and retrieve messages (and their attachments) from the connected mailbox so that workflow rules can ingest them as cases or trigger automations. This scope is read-only; it does not permit modifying, labelling, archiving, trashing, or deleting any mail.
• https://www.googleapis.com/auth/gmail.send — to send email messages on your behalf as part of workflows, case correspondence, and campaigns you have configured. This scope only permits sending; it does not grant access to read mail.

The exact scopes requested are displayed by Google on the consent screen at the point of connection. You can review or revoke SwiftCase's access at any time from your Google Account permissions page.

13.2 How We Use Google User Data

We use Google user data solely to provide the user-facing features you have enabled, namely:

• Reading inbound messages from the connected mailbox so that workflow rules can trigger on incoming email and create or update cases.
• Extracting structured data from those messages (sender, recipient, subject, plain-text and HTML body, attachments, received timestamp, Gmail message ID) and storing it within SwiftCase against the relevant case or record.
• Sending email on your behalf as part of workflows, case correspondence, and email campaigns you have authorised.

Technically, SwiftCase calls the Gmail API in three ways only: listing messages in the mailbox (users.messages.list), fetching the content of an individual message (users.messages.get), and sending a new message (users.messages.send). SwiftCase does not call modify, trash, delete, label, or draft endpoints.

13.3 Limited Use of Google User Data

SwiftCase's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

• We do not use Google user data for serving advertising, including retargeting, personalised, or interest-based advertising.
• We do not sell Google user data or transfer it to third parties for purposes unrelated to the user-facing features you have requested.
• We do not allow humans to read Google user data, except: (a) with your explicit consent for specific messages; (b) where strictly necessary for security purposes, such as investigating abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymised for internal operations.
• We do not use Google user data to develop, improve, or train generalised or third-party AI or machine learning models. Any AI features we offer that process your email content operate only on the data necessary to perform the specific user-facing task you have triggered.

13.4 Storage, Retention and Deletion

Google user data is processed and stored using the security controls described in Section 7, with data primarily held on UK-based infrastructure. We retain Google user data only for as long as needed to provide the features you have enabled, or as required by law.

You may at any time:

• Disconnect your Google account from within SwiftCase, which revokes our stored OAuth tokens and stops further processing.
• Revoke SwiftCase's access directly via Google at myaccount.google.com/permissions.
• Request deletion of any Google user data we have stored by contacting privacy@swiftcase.co.uk.

13.5 Sharing of Google User Data

We do not share Google user data with third parties except: (a) with sub-processors strictly necessary to deliver the Services (such as our hosting providers), under contractual obligations consistent with this policy and Google's requirements; (b) where required by law, regulation, or valid legal process; or (c) with your explicit consent.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. For significant changes, we may also notify you by email. We encourage you to review this policy periodically.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your data, please contact us:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection, if you believe your rights have been violated. You can contact the ICO at ico.org.uk or by calling 0303 123 1113.