What we collect, and why.
The plain-English version of how SwarmStack handles your personal data. The technical controls live on /security; the trust narrative lives on /trust.
Last updated: 2026-05-26 · Effective: 2026-05-26
Not to advertisers, not to data brokers, not in any form.
Your Session content is not used to train models — by us or by Anthropic (ZDR endpoint).
Erasure requests fulfilled within 30 days; audit chain preserved per GDPR.
The short version.
- We don't sell your data — ever, in any form.
- We don't use your Session content to train models.
- We collect the minimum needed to run the product, and we tell you what.
- You can export or delete your data on request — within 30 days.
- Anthropic processes your prompts under a Zero Data Retention contract.
- We notify you 30 days before adding a subprocessor that touches Session content.
Seven data classes. That's the whole list.
Each card tells you the fields we collect and the purpose we collect them for. If we ever expand a class, we update this page before we ship the change.
Identity & login
- Email address (from OAuth provider).
- Display name (from OAuth provider; editable).
- OAuth provider + subject ID (Google or GitHub).
- Marketing opt-in flag (default: off).
Why: Authenticate you, address you by name in the product, and deliver transactional email about Sessions you create or accept.
Briefs, Tasks, SwarmPlans, ADRs
- The Brief you drafted during Intake.
- Task contributions from every Participant (AI Personas and SMEs).
- The synthesized SwarmPlan, Glossary, and Decision Records.
- Round metadata, conflict history, approval state.
Why: Operate the planning Session: drive the Orchestrator, render the UI, deliver the artifact to you, and support your audit/export requests.
SME profile & payments
- SME display name, bio, expertise tags, per-session rate.
- Stripe Connect account ID (set up by Stripe; we don't store payout details).
- Healthcare/legal self-attestation flag.
- Payment intent IDs and payout records (no card data — see PCI scope on /trust).
Why: List approved SMEs in the marketplace, escrow Creator payments, release payouts to SMEs, and enforce the healthcare/legal vertical block.
Usage, funnels & telemetry
- Page and funnel events (pages viewed, sign-in, Session created, Task answered, etc.) via PostHog.
- A first-touch visitor id, first-touch UTM + referrer, and device context (viewport, timezone, language, platform).
- Aggregate request counts, response times, and error rates; browser-side error reports (no PII in stack traces).
Why: Understand how the product is used and keep it reliable. On sign-in we link your anonymous device timeline to your account — one PostHog person keyed by your user id — so funnels are coherent. We never send Session content (Briefs, messages, SwarmPlan text) to analytics, and we never sell it or use it for advertising.
Email & support
- Emails we send you (invite, accept, decline, timeout, payout, rating prompt, etc.).
- Support tickets and the contents of replies.
- Suppression-list entries if you unsubscribe.
Why: Operate Session lifecycle notifications, respond to support requests, and honor unsubscribe choices across the platform (suppression is global by email — see resolved decision C3).
Forensic record
- Every state mutation: who, when, what (one row per change in audit_events).
- Failed authentication and authorization attempts.
- Webhook deliveries and their outcomes.
Why: Maintain forensic chain-of-custody (NN-8), respond to your audit requests, and investigate incidents. Append-only; we cannot UPDATE or DELETE these rows.
Scout transcripts
- Each message you send to the Scout onboarding chat and the reply it gives you.
- Your anonymous visitor id (the same id used in product analytics).
- A keyed hash of the source IP — we do not store the raw IP — and the User-Agent string.
Why: Understand what new visitors actually ask, improve Scout's answers, and shape the onboarding flow. Purged after 30 days. Never used for advertising and never sold.
Six subprocessors. No advertising network. No data brokers.
We use a small set of named vendors to run the service. Each one processes a specific data class and is bound by a Data Processing Agreement. The full list — with what each touches and where — lives on /trust#subprocessors. We notify you at least 30 days before adding a new subprocessor that processes Session content. We do not share your data with advertising networks, analytics brokers, or any party not listed in the subprocessor table.
Retention windows, by class.
| Data class | Retention | Notes |
|---|---|---|
| Account (email, name) | Until deletion | On deletion request, fields are nulled on users; foreign keys preserved per GDPR Art 17(3)(e). |
| Session content | Until deletion | Brief, SwarmPlan, Glossary, Decision Records, Task contributions. Purged within 30 days of deletion request. |
| Payment records | 7 years | Required by US tax and Stripe Connect Express obligations. Retained even after account deletion. |
| Audit log | ≥ 1 year | Append-only. actor_user_id is preserved across user deletion to keep the forensic chain intact. |
| Email suppression list | Indefinite | Global by email address. Required to honor unsubscribe across tenants. |
| Product analytics | 13 months rolling | Operational metrics (aggregated) plus PostHog product-analytics events keyed to your user id after sign-in. Purged on account deletion; never retained beyond this window. |
| Scout transcripts | 30 days rolling | Onboarding chat messages and replies. Keyed by an anonymous visitor id and a hashed IP — never the raw IP. Purged after 30 days. |
| Backups | 30 days rolling | Encrypted at rest. Restored only for disaster recovery; never queried for analytics. |
Six rights, 30-day response window.
Access
Request a copy of all personal data we hold about you. We respond within 30 days.
Rectification
Correct any inaccurate information. Most fields are user-editable in-product.
Erasure
Request deletion of your account and Session content. Purged within 30 days; audit FK preserved.
Portability
Export your Session content as JSON, Markdown, or both. Available in-product or via support.
Restriction
Ask us to pause processing while a dispute or correction is resolved.
Objection
Object to processing based on legitimate interest. We will weigh and respond within 30 days.
Submit a request by emailing privacy@swarmstack.io. We will verify your identity (via the email tied to your account) before acting on the request. There is no charge for the first request in any 12-month period.
GDPR. CCPA. International transfers.
GDPR: EU & UK residents
We act as a data processor for Session content you create, and as a controller for your account and usage data. Our lawful bases are contract (operating the service) and legitimate interest (security, fraud prevention, product improvement). International transfers from the EU/UK to the US rely on Standard Contractual Clauses; ask privacy@swarmstack.io for our SCC pack. You can lodge a complaint with your local supervisory authority at any time.
CCPA: California residents
We do not sell or share personal information as those terms are defined in the CCPA/CPRA. You have the right to know, the right to delete, the right to correct, and the right to limit use of sensitive personal information. Exercise any right at privacy@swarmstack.io — we will not discriminate against you for doing so.
Necessary cookies only. Not built for under-16s.
- Cookies & local storage. We set the cookies required to keep you signed in and to remember your preferences. We also use PostHog for product analytics, which stores a visitor id and analytics state in your browser (localStorage plus a cookie) and, after you sign in, links your device's activity to your account so we can read product funnels. No advertising cookies, no data brokers, and no Session content is ever sent to analytics.
- Children. SwarmStack is not designed for, and should not be used by, anyone under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, email privacy@swarmstack.io and we will delete it.
- Healthcare and legal data. SwarmStack hard-blocks both verticals at signup, in the database, and in the manual approval queue. We are not a HIPAA Business Associate and will not sign a BAA. Do not use SwarmStack for protected health information or legal-privilege material.
- Changes to this policy. Material changes are announced in-product and emailed to account owners at least 30 days before they take effect. Non-material clarifications (typos, re-organization) are noted with an updated “Last updated” date at the top of this page.
Privacy question, request, or complaint?
Reach the privacy team directly. We respond within 5 business days; formal data-subject requests within 30 calendar days.