1. Data Controller
SwiftRMS (“we”, “our”, or “us”) is the data controller for personal data processed through our platform. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- Company: SwiftRMS Ltd (Company No. 16716937)
- Registered Address: Crawley Business Quarter, Fleming Way, Crawley, RH10 9QL
- ICO Registration: C1878685
- Contact Email: privacy@swiftrms.co.uk
- Website: swiftrms.co.uk
2. Information We Collect
We collect information that you provide directly to us when you create an account, upload media for analysis, or generate documentation. This includes:
- Account Data: Name, email address, job title, and organization details.
- Content Data: Project descriptions, site locations, risk assessments, and method statements.
- Media Data: Images and videos uploaded for AI hazard detection (processed temporarily and deleted within 24 hours).
- Usage Data: Page views and feature usage collected through analytics tools (consent-dependent).
- Technical Data: Browser information and error reports collected through Sentry for service reliability.
3. Lawful Basis for Processing
We process your personal data under the following legal bases:
| Data Category | Lawful Basis | Purpose |
|---|---|---|
| Account & profile data | Contract (Art. 6(1)(b)) | Provide the SwiftRMS service |
| RAMS & content data | Contract (Art. 6(1)(b)) | Generate and manage safety documents |
| Payment data | Contract (Art. 6(1)(b)) | Process subscription payments |
| Error & performance data | Legitimate Interest (Art. 6(1)(f)) | Maintain service reliability and fix bugs |
| Product analytics | Consent (Art. 6(1)(a)) | Improve user experience and product features |
| Transactional emails | Contract (Art. 6(1)(b)) | Account notifications, invitations, billing alerts |
4. AI Processing
SwiftRMS uses Google Gemini AI to process text descriptions and uploaded media to generate risk assessments and method statements. When you use our AI features:
- Text prompts and media are sent to Google's Gemini API for processing.
- Uploaded videos are stored temporarily (max 24 hours) and automatically deleted.
- AI-generated content is stored in your organization's workspace.
- Google does not use your data to train its models when it is processed through the API.
5. Sub-Processors
We share data with the following trusted service providers who process data on our behalf. All sub-processors have appropriate data processing agreements in place.
| Service | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication & storage | EU (Frankfurt) | EU hosting, SOC 2 |
| Google Gemini | AI content generation | US / EU | EU-US Data Privacy Framework |
| Stripe | Payment processing | US / EU | PCI DSS Level 1, EU-US DPF |
| Resend | Transactional email | US | EU-US Data Privacy Framework |
| Loops | Onboarding & lifecycle email | US | EU-US Data Privacy Framework, SOC 2 |
| Upstash | Rate limiting (IP address processing) | EU (Ireland) | EU hosting, SOC 2 |
| PostHog | Product analytics | EU (Frankfurt) | EU hosting, consent-gated |
| Sentry | Error monitoring | US | EU-US Data Privacy Framework |
| Inngest | Background jobs | US | SOC 2, no PII processed |
| Vercel | Hosting & CDN | Global (Edge) | EU-US DPF, SOC 2 |
6. International Transfers
Some of our sub-processors operate outside the UK/EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:
- EU-US Data Privacy Framework certification
- Standard Contractual Clauses (SCCs) where applicable
- UK adequacy decisions
Our primary database (Supabase) and analytics (PostHog) are hosted in the EU (Frankfurt, Germany).
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account & profile data | Until account deletion |
| RAMS documents | Until account deletion (may be anonymized per CDM 2015) |
| Uploaded media (videos/images) | 24 hours (automatically deleted) |
| Audit logs | 2 years (automatically purged) |
| Payment records | 7 years (legal obligation under UK tax law) |
| Analytics data | Managed by PostHog per their retention policy |
8. Cookies
We use the following types of cookies:
- Essential cookies: Required for authentication and security. These cannot be disabled.
- Analytics cookies (consent-required): PostHog analytics cookies are only set after you explicitly accept cookies via our cookie banner. You can change your preference at any time in Settings > Privacy & Data.
9. Marketing Communications
We may contact business professionals by email to introduce SwiftRMS where we believe our service is relevant to their role. Our lawful basis for this is legitimate interest (UK GDPR Art. 6(1)(f)) in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR), Regulation 22A, which permits direct marketing to corporate subscribers without prior consent provided that:
- The communication is sent to a business email address (not a personal address).
- The content is relevant to the recipient’s professional role.
- The sender is clearly identified as SwiftRMS Ltd.
- Every message includes a simple way to opt out of future communications.
Where we get your contact details
Business contact information used for marketing is sourced from publicly available professional profiles (such as LinkedIn) and reputable B2B data providers. We do not purchase personal email addresses or contact sole traders or partnerships without consent.
How to opt out
Every marketing email includes an unsubscribe link. You can also email info@swiftrms.co.uk at any time to request removal from our marketing lists. We will action opt-out requests within 48 hours.
Legitimate interest assessment
We have conducted a legitimate interest assessment (LIA) and concluded that the limited privacy impact of receiving a relevant B2B email (with easy opt-out) is proportionate to our legitimate interest in reaching professionals who may benefit from our health and safety documentation platform. We do not contact individuals in consumer or personal capacities for marketing purposes.
10. Your Rights (GDPR)
Under UK GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of your personal data. Use the “Export My Data” feature in Settings > Privacy & Data.
- Right to Rectification (Art. 16): Update your personal information in Settings > Profile.
- Right to Erasure (Art. 17): Delete your account and data. Use the “Delete Account” feature in Settings > Privacy & Data. Note: safety documents may be anonymized rather than deleted per CDM 2015 regulatory requirements.
- Right to Data Portability (Art. 20): Export your data in a machine-readable JSON format via the self-service export tool.
- Right to Object (Art. 21): Object to processing based on legitimate interest by contacting us.
- Right to Withdraw Consent (Art. 7): Withdraw analytics consent at any time via the cookie banner or privacy settings.
To exercise any of these rights, use the self-service tools in your account settings or contact us at privacy@swiftrms.co.uk. We will respond within 30 days.
11. Security
We implement industry-standard security measures to protect your data, including:
- Encryption at rest and in transit (TLS 1.2+)
- Row Level Security (RLS) ensuring data isolation between organizations
- Role-based access control with hierarchical permissions
- Comprehensive audit logging of all data access and modifications
- Regular automated cleanup of temporary files
- Secure authentication via Supabase Auth with password hashing (bcrypt)
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our platform. Your continued use of SwiftRMS after changes are posted constitutes your acceptance of the updated policy.