Privacy Policy
Last updated: July 2026 (v23.0)
8.1 Introduction
This Privacy Policy explains how Hybytes Ltd ("Hybytes", "we", "us", "our") — a company registered in England and Wales, company number 13562774, registered office 251 Grays Inn Road, London WC1X 8QT — collects, uses, shares and protects personal data when you visit swiip.com, create a Swiip account, use the Swiip service, interact with a published Swiip, apply to work with us, or otherwise deal with us. It also explains your rights and how to exercise them. We are committed to processing personal data lawfully, fairly and transparently under the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR, US state privacy laws, and the Australian Privacy Act 1988 (Cth).
EU representative (Article 27 GDPR): As Hybytes Ltd is established outside the EU, we have appointed Prighter EU Rep GmbH (Schellinggasse 3/10, 1010 Vienna, Austria) as our representative in the European Union and your point of contact on data-protection matters. To exercise your privacy rights or to contact our representative, please visit app.prighter.com/portal/swiip.
powered by
Prighter
8.2 Definitions
"Personal data" (also called personally identifiable information, or PII) means any information that identifies, or could identify, a living individual — on its own or combined with other information. It includes, for example: a person's name; their email address, telephone number, or postal or home address; a signature, whether handwritten or electronic; a photograph or image of a person; identification, account or reference numbers; payment or bank details; a job title together with the employer; login credentials; and IP or device identifiers. "Processing" means anything done with personal data, from collection to deletion. "Controller" means the organisation that decides why and how personal data is processed; "processor" means an organisation processing it on a controller's behalf. "Swiip" or "Wrap" means interactive content created and published with our service; "Creator" means the customer who publishes it; "Audience" means the people who view or interact with it.
8.3 Our roles: when we are controller and when we are processor
We are the controller for: visitors to swiip.com; people who create and hold Swiip accounts; people who contact us or receive our marketing; and job applicants (see the separate Job Applicant Privacy Notice).
We are a processor for: personal data that Creators include in their Swiips or collect from their Audiences (for example names, email addresses, form responses and engagement data of the Creator's own contacts and end users). For that data, the Creator is the controller and our Data Processing Agreement governs our processing. If you are an Audience member with a question or request about a Swiip you interacted with, please contact the Creator first; we will assist them in responding, and if you cannot reach the Creator, contact us and we will help route your request.
8.4 Personal data we collect
- Identity and contact data: name, email address, and where you provide it, organisation, job title, telephone number.
- Account data: username, hashed password, plan, preferences, workspace membership and role.
- Billing data: billing address, VAT or tax ID, transaction history. Full card numbers are collected and held by our payment processor, not by us; we see only card brand, last four digits and expiry.
- Content data: the Swiips you create and anything you choose to include in them.
- Audience interaction data (as processor): responses, form submissions and engagement events (views, swipes, taps) on published Swiips.
- Usage data: features used, pages visited, actions taken in the application, referral source.
- Technical data: IP address, device and browser type, operating system, language, time zone, and identifiers set by cookies or similar technologies (see our Cookie Policy).
- Communications data: support requests, emails, chat messages, survey responses, and call or meeting notes.
- Marketing data: your preferences and consent records for receiving marketing from us.
We do not intentionally collect special category data (such as health, religion, or political opinions) and ask that you do not include it in support requests. Creators are responsible for lawfulness where their Swiips collect any such data from their Audiences.
8.5 How we collect personal data
Directly from you (when you sign up, create content, contact us, or subscribe); automatically (through the service, cookies and server logs when you use swiip.com or interact with a published Swiip); and from third parties (our payment processor confirming transactions, analytics and security providers, publicly available business information, and people who invite you to a workspace or share a Swiip with you).
8.6 Purposes and lawful bases
- Providing and operating the service, including account creation, hosting and publishing Swiips, workspace collaboration and support — lawful basis: performance of a contract.
- Billing, invoicing, tax and accounting — lawful bases: performance of a contract; legal obligation.
- Securing the service: authentication, fraud and abuse prevention, logging, monitoring, enforcing our Acceptable Use Policy — lawful basis: legitimate interests (keeping the service and its users safe).
- Improving the service: analytics, diagnostics, feature development and testing — lawful basis: legitimate interests (understanding and improving how the service performs). Where we use aggregated or de-identified data, it is no longer personal data.
- Communicating with you: service messages, renewal reminders, changes to terms — lawful bases: performance of a contract; legal obligation.
- Marketing our own services to you, where you have opted in or where we may lawfully rely on the soft opt-in for existing customers, always with an unsubscribe — lawful bases: consent; legitimate interests.
- Establishing, exercising or defending legal claims, and complying with law enforcement or regulatory requests we are legally required to answer — lawful bases: legitimate interests; legal obligation.
- Website analytics via Google Analytics — lawful basis: consent (Article 6(1)(a)), withdrawable at any time via Cookie Settings.
Where we rely on legitimate interests we balance them against your rights, and you may object (Section 8.12).
8.7 Cookies and similar technologies
Our use of cookies is described in the Cookie Policy at swiip.com/legal/cookies, including the strictly necessary storage used on the website, essential sign-in and session storage in the application, and engagement measurement on published Swiips carried out for Creators under the DPA. You can manage preferences through the cookie banner and your browser.
8.8 Who we share personal data with
- Sub-processors and service providers who host and support the service (cloud infrastructure, email delivery, CRM, payments) under written contracts — the current list is published at swiip.com/legal/subprocessors with 30 days notice of changes.
- Professional advisers (accountants, auditors, lawyers, insurers) under confidentiality, where needed.
- Authorities, regulators and law enforcement where we are legally required, applying the minimisation approach in Section 8.21.
- A buyer or successor in a merger, acquisition or asset sale, under confidentiality and with notice to you where required.
We do not sell personal data, and we do not share it with third parties for their own advertising.
8.9 International transfers
We are UK-based and host the service in the EU (London) region (eu-west-2). Where personal data is transferred outside the UK or EEA (for example to a sub-processor operating globally), we rely on: adequacy regulations or decisions where they exist; the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses for transfers from the UK; and the EU Standard Contractual Clauses for transfers from the EEA — in each case with transfer risk assessments and supplementary measures where appropriate. Details are available on request.
8.10 Security
We protect personal data with technical and organisational measures including encryption in transit and at rest, least-privilege access with multi-factor authentication, environment separation, backups with tested restores, logging and monitoring, vulnerability management, staff training, and a documented incident response process. Product-level detail appears in the Swiip Security Overview and DPA Annex II. No system is perfectly secure; if a breach affects your data and risks your rights, we will notify you and the regulator as required by law.
8.11 How long we keep personal data
- Account and content data: for the life of the account; deleted or anonymised within 90 days of closure (Creators can export Content for 30 days after termination). Inactive free accounts may be deleted earlier, on notice, as described in Terms Section 2.6.
- Audience data processed for Creators: for as long as the Creator instructs, and deleted or returned at the end of their service per the DPA.
- Billing and tax records: 6 years plus the current year, as UK law requires.
- Support communications: 24 months after closure of the matter.
- Server and security logs: 12 months, longer where an investigation requires.
- Marketing consents and suppression lists: until you withdraw consent, plus a suppression record so we do not contact you again.
- Acceptance records for our terms: life of the account plus 6 years.
8.12 Your rights (UK and EU)
You have the right to: access your personal data and receive a copy; rectify inaccurate or incomplete data; erasure ("right to be forgotten") where there is no overriding reason to keep it; restrict processing while a dispute or objection is resolved; data portability of data you provided, in a structured, commonly used, machine-readable format; object to processing based on legitimate interests, and to direct marketing at any time (absolute right); and withdraw consent at any time where processing is based on consent, without affecting prior processing.
To exercise any right, email [email protected]. We may need to verify your identity. We respond within one month; for complex or numerous requests we may extend by up to two further months and will tell you why. Exercising rights is free unless a request is manifestly unfounded or excessive. If you are unhappy, our Data Protection Complaints Procedure explains next steps; you may also complain to the Information Commissioner's Office (ico.org.uk) or, in the EU, your local supervisory authority.
8.13 Automated decision-making and profiling
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. Analytics and personalisation involve profiling only to deliver the service you or the Creator have chosen.
8.14 Children
The service is not directed at children under 16 and we do not knowingly collect their personal data as controller. If you believe a child has provided personal data to us, contact [email protected] and we will delete it. Creators are responsible for ensuring their published Swiips comply with laws applying to children's data in their audiences (for example COPPA where directed at under-13s in the US).
8.15 Additional information for US residents
Categories collected
In the last 12 months we have collected the categories described in Section 8.4: identifiers (name, email, IP address, account IDs); commercial information (transactions, plan history); internet or network activity (usage and technical data); professional information (organisation, job title where provided); and inferences limited to service preferences. Sources: you, your devices, our service providers (Section 8.5). Purposes: as in Section 8.6. Disclosure: to the service providers and other recipients in Section 8.8, for business purposes only.
Sale and sharing
We do not sell personal information, and we do not share it for cross-context behavioural advertising, as those terms are defined in the California Consumer Privacy Act (as amended). We have not done so in the preceding 12 months. We do not knowingly sell or share personal information of consumers under 16.
Your rights
Depending on your state, you may have the right to know and access the personal information we hold, correct it, delete it, receive it in a portable format, opt out of sale, sharing or targeted advertising, limit use of sensitive personal information (we do not use sensitive personal information for purposes requiring such a limit), and not be discriminated against for exercising rights. Submit requests to [email protected]; we verify requests against account information. You may use an authorised agent with written permission and identity verification. We honour opt-out preference signals such as Global Privacy Control where required. If we decline a request we will explain why and you may appeal by replying to our decision; appeal outcomes include the contact details of your state attorney general.
8.16 Additional information for Australian residents
We handle personal information consistently with the Privacy Act 1988 (Cth) and the Australian Privacy Principles, including APP 8 for overseas disclosures (see Section 8.9). You may request access to and correction of your personal information at [email protected]. If you have a complaint, contact us first and we will respond within 30 days; if unresolved, you may complain to the Office of the Australian Information Commissioner (oaic.gov.au). Eligible data breaches are handled under the Notifiable Data Breaches scheme.
8.17 Third-party links
The website and published Swiips may link to third-party sites and services we do not control; their privacy practices are their own, and we encourage you to read their notices.
8.18 Marketing preferences
Every marketing email includes an unsubscribe link, and you can update preferences from your account or by emailing [email protected]. Opting out of marketing does not stop service messages (billing, security, changes to terms), which we must still send.
8.19 Changes to this policy
We may update this policy from time to time. Material changes are notified by email or in-app notice before they take effect, and previous versions remain available in our policy archive. The "last updated" date at the top shows the current version.
8.20 Contact us
Privacy questions, requests and complaints: [email protected], or by post: Data Protection, Hybytes Ltd, 251 Grays Inn Road, London WC1X 8QT, United Kingdom. Security reports: see our Vulnerability Disclosure Policy. Content complaints: see our Copyright and Content Complaints Policy.
8.21 Requests from third parties and authorities
Where we receive a request for personal data from any third party or public authority, we disclose only what we are legally obliged to provide, we limit disclosure to the minimum necessary, and — where we are lawfully able to — we notify the affected customer first. For personal data that customers include in their Swiips or collect from their audiences, we act only as a processor and will not disclose it except on the customer's documented instructions or where required by law.