Privacy Policy

Last updated: 15 May 2026

Lateral Vision Pty Ltd (ABN 71 624 831 223) trading as Swyvl ("Swyvl", "we", "us", "our") operates the Swyvl platform at swyvl.io, hub.swyvl.io, and docs.swyvl.io. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information.

We are committed to complying with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Where we process personal data of individuals in the European Economic Area (EEA) or the United Kingdom, we also comply with the General Data Protection Regulation (GDPR).

This Privacy Policy describes how we handle your information. By creating an account, you acknowledge that you have read and understood this policy.

1. Information we collect

Account information

When you create a Swyvl account, we collect:

  • Full name
  • Email address
  • Organisation name and data region preference
  • Profile photo (if provided)

Swyvl is passwordless — you sign in with a magic link emailed to you, or with Google. We do not set, store, or transmit user passwords. If you sign up via Google SSO, we receive your name, email address, and profile photo from Google. We do not receive any Google credentials. We may add additional SSO providers in the future; this policy will be updated accordingly.

Spatial and project data

When you use Swyvl, you may upload spatial files (point clouds, imagery, 3D models, PDFs, and other file types). These files are stored in your selected data region. We also store metadata you provide, including site names, collection descriptions, and client details associated with share links.

Usage and activity data

We log activity events within the platform for security and audit purposes, including:

  • Actions performed (e.g. file uploads, share link creation, login events)
  • Timestamps
  • IP addresses
  • Approximate geolocation derived from IP address (city and country level only)
  • Browser user agent

Payment information

Payments are processed by Paddle, which acts as the Merchant of Record for transactions on the Swyvl platform. This means Paddle is the seller of record, handles billing, and is responsible for collecting and remitting applicable taxes (including GST, VAT, and sales tax) in jurisdictions where required. We do not store credit card numbers or bank account details on our servers. Paddle handles all payment data in accordance with PCI-DSS requirements. We retain your Paddle customer ID and subscription status.

Support interactions

If you contact us through our in-app support system, we collect the content of your messages, any attached files, and associated metadata.

Google user data

If you sign in to Swyvl using your Google account, we receive a limited set of data from Google via the OAuth 2.0 flow. This subsection describes how we handle that data, as required by the Google API Services User Data Policy, including the Limited Use requirements.

Data accessed. When you sign in with Google, we request the following from your Google account through OAuth 2.0:

  • Email address — used as your Swyvl account identifier
  • Name — used to populate your Swyvl profile
  • Profile photo (avatar URL) — used to populate your Swyvl profile picture

We request only the openid, email, and profile OAuth scopes. We do not request, receive, or store access to Gmail, Drive, Calendar, Contacts, or any other Google service or restricted scope. We never receive your Google password.

Data usage. The Google user data we receive is used solely to:

  • Create and authenticate your Swyvl account
  • Display your name and avatar within the Swyvl application and to other members of your organisation
  • Send you transactional emails relating to your Swyvl account (magic-link sign-in, share-link notifications, account alerts)

We do not use Google user data for advertising, profiling, or any purpose unrelated to providing the Swyvl service. We do not use Google user data to develop, improve, or train generalised AI/ML models. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data sharing. We do not sell Google user data. We do not share Google user data with third parties for advertising, marketing, or any unrelated purpose. We do share limited Google user data with the subprocessors listed in Section 4 (Supabase for authentication, Resend for transactional email delivery) strictly to operate the Swyvl service on our behalf. These providers are contractually bound to protect the data and use it only for the purposes we direct.

Data storage and protection. Google user data is stored in our Supabase database within the data region you selected at sign-up. It is protected by the security controls described in Section 8, including encryption in transit (TLS 1.2+), encryption at rest (AES-256), row-level security on all database tables, audit logging, and secrets managed via Google Secret Manager.

Data retention and deletion. We retain Google user data for as long as your Swyvl account is active. When you delete your Swyvl account, all associated Google user data is permanently removed from our systems within 30 days, except where retention is required by law (see Section 6). To request deletion at any time, email support@swyvl.io — we respond within 30 days.

Revoking Google access. You can revoke Swyvl's access to your Google account at any time at myaccount.google.com/permissions. Revoking access prevents further sign-in via Google SSO; your existing Swyvl account remains accessible via magic-link email sign-in.

2. How we use your information

We use personal information to:

  • Provide, maintain, and improve the Swyvl platform
  • Authenticate your identity and secure your account
  • Process file uploads, generate thumbnails, and extract metadata
  • Send transactional emails (e.g. verification, share notifications, delivery confirmations)
  • Provide customer support
  • Maintain audit logs for security and compliance
  • Process payments and manage subscriptions
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your spatial data to train AI models. AI processing (file classification) operates on filenames and metadata only, not on the content of your files.

3. Data storage and regions

Swyvl stores your files in the data region you select at account creation. Available regions are:

  • Australia (Sydney)
  • US East (Virginia)
  • US West (Oregon)
  • United Kingdom (London)
  • Europe (Frankfurt)
  • Canada (Toronto)
  • Japan (Tokyo)
  • Singapore

Files are stored in Wasabi (S3-compatible object storage) in the selected region. Account data, metadata, and activity logs are stored in Supabase (PostgreSQL). Our application infrastructure runs on Google Cloud Platform.

Your data region is set at account creation and cannot be changed. This ensures your spatial data remains in your chosen jurisdiction for the lifetime of your account.

4. Data sharing and disclosure

We do not sell your personal information. We share data only in the following circumstances:

Service providers

We use trusted third-party services to operate the platform:

Provider | Purpose | Data shared
Supabase | Database, authentication | Account data, metadata
Wasabi | File storage | Uploaded files
Google Cloud | Application hosting | Transient request data
Paddle | Payment processing and Merchant of Record | Name, email, billing address, transaction details
Resend | Email delivery | Email addresses, email content
Anthropic | AI file classification | Filenames and metadata only

Share links

When you create a share link, the files and metadata you include become accessible to anyone with the link (or invited recipients, depending on your sharing settings). You control what is shared and with whom.

Legal requirements

We may disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.

5. Cookies and tracking

Swyvl uses a small number of tools to keep the platform working and understand how visitors find us:

  • Authentication session cookies on the application (hub.swyvl.io) — strictly necessary to keep you signed in.
  • Cloudflare Web Analytics on the application (hub.swyvl.io and share.swyvl.io) — anonymous, cookieless page-view and performance metrics. No cross-site tracking, no identifiers stored on your device.
  • Google Analytics 4 on the marketing site (swyvl.io and docs.swyvl.io) — anonymous traffic and source measurement. Loaded only after you accept via the consent banner; if you decline or do not respond, no GA cookies or scripts are loaded.

We do not use advertising or marketing cookies, social media tracking scripts, or cross-site tracking of any kind.

6. Data retention

We retain your data as follows:

  • Account data: retained while your account is active. If you delete your account, we remove your personal data within 30 days, except where retention is required by law.
  • Uploaded files: retained while your account is active. Deleted files are permanently removed from storage within 30 days of deletion.
  • Activity logs: retained for up to 2 years for security and compliance purposes.
  • Payment records: retained as required by Australian tax law (generally 7 years).
  • Support conversations: retained for 2 years after resolution.

7. Your rights

All users

Regardless of your location, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your account and associated data
  • Export your uploaded files at any time
  • Withdraw consent where processing is based on consent

To exercise any of these rights, email support@swyvl.io. We will respond within 30 days.

Australian users (APPs)

Under the Australian Privacy Principles, you have the right to access and correct your personal information. If you believe we have breached the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

EEA and UK users (GDPR)

If you are in the EEA or UK, you have additional rights under the GDPR:

  • Right to erasure: request deletion of your personal data
  • Right to restriction: request we limit processing of your data
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interests
  • Right to lodge a complaint: with your local data protection authority

Our lawful bases for processing under GDPR are: contractual necessity (to provide the service), legitimate interests (security, fraud prevention, platform improvement), and consent (where applicable).

8. Security

We take reasonable steps to protect your information, including:

  • Encryption in transit (TLS/HTTPS) for all connections
  • Encryption at rest for stored data
  • Row-level security (RLS) on all database tables
  • Pre-signed URLs with expiry for file access
  • Passwordless authentication — sign-in by magic-link OTP or Google SSO; no user passwords are set, stored, or transmitted
  • Optional two-factor authentication (TOTP)
  • Audit logging with IP and geolocation tracking
  • Secrets managed via Google Secret Manager

No system is perfectly secure. If you become aware of a security vulnerability, please contact us at support@swyvl.io.

9. Data breach notification

In the event of a data breach likely to result in serious harm to affected individuals, we will notify affected users and the relevant supervisory authorities as required by applicable law. For Australian users, this is governed by the Notifiable Data Breaches (NDB) scheme under the Privacy Act. For EEA and UK users, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required under GDPR Article 33, and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

10. Children's privacy

Swyvl is not directed at children under 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly. Note that account holders must be at least 18 years of age, as set out in our Terms of Service.

11. International data transfers

Australian users' account data is primarily processed in Australia, though some service providers may process transient request data in other jurisdictions (including the United States). Your spatial files remain in the data region you selected at account creation.

Where data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place, including standard contractual clauses or reliance on adequacy decisions where available.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The "Last updated" date at the top reflects the most recent revision.

13. Contact us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

  • Email: support@swyvl.io
  • Company: Lateral Vision Pty Ltd (ABN 71 624 831 223)
  • Location: Australia

For complaints regarding our handling of your personal information, you may also contact the Office of the Australian Information Commissioner.