What We Collect
Information You Provide
- Email address and name
- Password (encrypted)
- Company name (optional)
- Checklists and client data you create
- Files uploaded through the service (including files shared via the file exchange feature; if you enable a supported cloud storage connection, files may also be transmitted to that customer-directed provider)
- Client portal access and security records needed to operate protected portal sessions
- Electronic-signature evidence, including signature image, timestamp, signer name/email as provided by the sending firm, IP address, user agent, consent version, and document hashes
- Payment request metadata and Stripe identifiers (Stripe processes card data directly)
- Support messages
Information Collected Automatically
- Usage data (features used, time spent)
- Device information (browser, OS, IP address)
- Analytics data (aggregated and anonymized)
- Cookie and consent preferences
Free Tools
We offer free tools (such as the Client Document Checklist Builder, Onboarding Time Calculator, Invoice Generator, Payroll Calculator, Business Health Check, and Business Name Generator) that can be used without creating an account. Here is how data is handled for these tools:
What We Do NOT Collect or Store
- We do not store or log the inputs you enter into free tools
- We do not store the outputs generated by free tools
- Downloaded files (e.g., .txt checklists, invoices) are generated in your browser and are not uploaded to our servers
AI-Powered Free Tools
Some free tools use third-party AI services (currently Groq) to generate results. When you use these tools:
- Business Health Check: Anonymized summary metrics you enter (e.g., revenue ranges, client counts, efficiency scores) are sent to Groq to generate recommendations. No personally identifiable information is included.
- Business Name Generator: Inputs such as industry, style preferences, keywords, location, and optional founder names are sent to Groq to generate name suggestions.
- Swift Coworker: Messages you send to the AI coworker are processed by Groq to generate responses and may be stored in your workspace conversation history for up to 180 days after last activity unless you delete them earlier. Confirmed actions store only safe action summaries and audit evidence needed to operate and secure the feature.
- Data sent to AI providers is used solely to generate your result. Free tool prompts and outputs are not stored by SwiftChecklist; authenticated Swift Coworker conversations follow the workspace retention period described above.
- Third-party AI providers may process this data according to their own privacy policies and data retention practices
- Do not enter confidential, privileged, highly sensitive, special-category, or regulated data into AI-powered free tools unless you have confirmed the processing is lawful and appropriate
Standard Automatic Collection on Tool Pages
When you visit free tool pages, standard automatic data collection still applies (as described above): browser type, device information, and analytics data may be collected. Cookies used on these pages follow our Cookie Policy.
How We Use Your Information
To provide the service:
- Create and manage your account
- Store your checklists and client data
- Send magic links to your clients
- Process client submissions
- Send essential emails (login, password reset, notifications)
- Power AI features via third-party AI inference providers, currently Groq where enabled
To improve the service:
- Fix bugs and improve features
- Understand how people use the app
- Develop new capabilities
We never:
- Sell your data
- Share it with advertisers
- Use it for unrelated purposes
Where Your Data Is Stored
We use secure, industry-standard services:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | USA |
| Vercel | Application hosting | USA |
| Resend | Email delivery | USA |
| Stripe | Payment processing | USA |
| Groq | AI content generation, OCR, and document processing where enabled | USA |
| Sentry | Error tracking, monitoring, and consent-gated diagnostic replay | USA |
| PostHog | Product analytics — anonymous cookieless mode for all users; full identified mode requires analytics consent. No client data. | EU |
| Upstash | Security rate limiting and short-lived operational cache metadata | USA / global infrastructure |
We use vendors that maintain contractual and technical safeguards appropriate to their role. More detailed enterprise privacy and transfer terms are available on request.
If you enable a Google integration, our use and transfer of Google API data is limited to providing or improving the user-facing integration, troubleshooting, security, or legal compliance. We do not use Google API data for advertising.
Client Data (Important)
When you collect information from your clients:
You are the data controller - You decide what to collect and how to use it
We are the data processor - We store and process data on your behalf
Your responsibilities:
- Get appropriate consent from clients
- Tell clients how their data will be used
- Comply with privacy laws in your jurisdiction
- Respond to client data requests
Security
We protect your data with:
- Encryption in transit and at rest
- Cookie-based authenticated sessions, optional MFA, and role-based access controls
- Monitoring, backups, and operational safeguards
- Security updates and incident response procedures
While we implement strong security measures, no system is completely secure.
Data Breaches
If a breach occurs, we will:
- Notify affected customers without undue delay when required by law or contract
- Explain the nature of the incident and the data affected, where known
- Describe the steps we're taking to address it
- Support customer notification obligations where applicable
Your Rights
You can:
- Access your data anytime through your account
- Correct information in your settings
- Export all your data (JSON format)
- Delete your account — deletion is permanent and irreversible, so export your data first; afterward we retain only audit logs and legally-required records as described below
- Opt out of non-essential emails
For EU Users (GDPR)
You also have rights to:
- Restrict or object to processing
- Data portability
- Lodge a complaint with supervisory authority
For California Users (CCPA)
You have rights to:
- Know what data we collect
- Delete your data
- Opt-out of data sale (we don't sell data)
- Use an authorized agent where permitted, subject to verification of identity and authorization
We do not sell personal information for money. We do not use or disclose sensitive personal information for purposes that require a separate right to limit under the CCPA/CPRA. If future analytics or advertising practices constitute "sharing" under California law, we will provide a clear opt-out mechanism before engaging in that practice.
To exercise your rights: Email privacy@swiftchecklist.com
Data Retention
Active accounts: Data retained as long as your account exists
Deleted accounts: Account and workspace deletion is permanent and irreversible. You are responsible for exporting any data you wish to keep before deleting — export tools are available in your account. This includes your signed documents: we keep only cryptographic signing evidence (hashes, signer identity, timestamps, consent), not the documents or signature images themselves, and they cannot be regenerated, so export any you may need to produce later first.
- On deletion, all of your content — client records, documents, files, and signed documents (including signature images) — is permanently deleted from our active systems and cannot be recovered
- We retain only electronic-signature evidence and compliance audit logs (document hashes, signer identity, timestamps, IP/user-agent, and consent records) for up to 7 years where required for legal claims, fraud prevention, and compliance, as described in the audit-log lifecycle below
- Residual copies may remain in encrypted provider backups for a short period (currently up to 30 days) until those backups rotate out, and we retain transaction records where required by tax or accounting law
Client-specific deletion requests: When an authorized account holder requests deletion of a client's data, we delete active client records and files where technically available, subject to legal holds, signed-document evidence, audit logs, payment records, backups, and asynchronous storage cleanup where applicable.
International Users
Our servers are in the United States. If you're outside the US:
- Data may be transferred and stored in the US
- Depending on the vendor and relationship, transfer mechanisms may include the EU-US Data Privacy Framework, Standard Contractual Clauses, or the UK Addendum where applicable
- You retain all privacy rights under your local laws
Legal Requests
We may preserve or disclose information when required by law, legal process, court order, regulator, or government request, or when we believe disclosure is necessary to protect rights, safety, fraud prevention, or service security. We review requests for validity and scope and may notify affected customers unless prohibited by law or where notice would create safety, fraud, or security risks. Legal requests can be sent to legal@swiftchecklist.com.
Children's Privacy
This service is intended for business and professional use and is not intended for anyone under 18 years old. We do not knowingly collect information from children.
Changes to This Policy
We may update this policy as we add features. Changes will be posted here with an updated date. For significant changes, we'll email you.
Continued use after changes means you accept the updated policy.
Contact
For privacy questions: privacy@swiftchecklist.com
For general support: support@swiftchecklist.com
We respect your privacy. We collect only what's necessary and protect it carefully.