1. Introduction
Swarm ("we," "us," or "our") provides an AI-powered user experience testing platform for product teams. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at useswarm.co and any associated services (the "Service").
By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address
- Profile image (if provided or obtained through OAuth)
- Hashed password (for email/password authentication)
- Email verification status
2.2 Organization Information
If you create or join an organization, we collect:
- Organization name and slug
- Organization logo (if provided)
- Membership role and permissions
- Plan type and seat limits
2.3 Session & Authentication Data
When you log in, we collect session data to maintain your authentication state:
- Session token and expiry
- IP address and user agent string
- OAuth provider tokens (if using third-party login)
- Active organization context
2.4 Test & Experiment Data
When you run tests through our platform, we process:
- Target URLs and page configurations you submit for testing
- Persona configurations and test parameters
- Screenshots captured during automated browser sessions
- Test results, reports, and aggregated analytics
- Duration and status of test runs
2.5 Authentication Configurations
If your tests require authenticated access to your application, you may provide login credentials or session cookies. These are encrypted using AES-256-GCM before storage and are only decrypted during active test execution. We never store your credentials in plaintext.
2.6 Usage & Analytics Data
We collect anonymized usage data to improve our product:
- Page views and feature usage patterns (via PostHog, identified users only)
- Error reports and performance metrics (via Sentry)
- Browser type and device information
2.7 Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or full payment details on our servers. We retain only a reference to your Stripe customer ID and subscription status.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity and manage your account
- Execute automated browser tests on your behalf
- Generate test reports, insights, and recommendations
- Process payments and manage your subscription
- Send transactional emails (verification, password resets, invitations)
- Monitor and improve platform reliability and performance
- Detect and prevent fraud or abuse
- Comply with legal obligations
4. We Do Not Use Your Data for AI Training
We do not use your test data, screenshots, application content, authentication credentials, or any other customer data to train artificial intelligence or machine learning models. Your data is used solely to provide you with the Service. The AI models that power Swarm are provided by third-party model providers and are not trained or fine-tuned on customer data.
5. Data Storage & Security
5.1 Infrastructure
Your data is stored and processed using the following infrastructure:
- PostgreSQL database for account, organization, and test metadata
- Amazon S3 for screenshot and asset storage
- Amazon SQS for secure job queue processing
- All data is encrypted in transit (TLS) and at rest
5.2 Encryption
Sensitive data, including authentication configurations provided for testing, is encrypted using AES-256-GCM with a dedicated encryption key. Session tokens and passwords are hashed using industry-standard algorithms.
5.3 Access Controls
We implement role-based access controls at both the platform and organization level. Your data is scoped to your organization and is not accessible by other customers. Internal access to production data is restricted and logged.
6. Third-Party Services
We integrate with the following third-party services, each with its own privacy policy:
- Stripe — Payment processing and subscription management
- Resend — Transactional email delivery (verification, invitations, password resets)
- PostHog — Product analytics (identified users only, no anonymous tracking)
- Sentry — Error monitoring and performance tracking
- Browserbase — Secure browser automation infrastructure for test execution
- Amazon Web Services — Cloud infrastructure (S3, SQS)
We do not sell your data to any third parties. Data shared with third-party services is limited to what is necessary for the functionality they provide.
7. Cookies & Tracking
We use cookies and similar technologies for:
- Session management — essential cookies to keep you logged in
- Analytics — PostHog cookies to understand product usage (identified users only)
- Error tracking — Sentry cookies for performance monitoring
We do not use advertising cookies or share cookie data with ad networks.
8. Data Retention
We retain your data as follows:
- Account data is retained for the duration of your account and deleted upon request
- Test screenshots and results are retained for the duration of your subscription
- Session data is automatically expired and purged based on token expiry
- Authentication configurations are encrypted and retained only for the duration of the associated test run
- Payment records are retained as required by applicable financial regulations
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and associated data
- Portability — request your data in a machine-readable format
- Objection — object to certain processing of your data
- Withdrawal of consent — withdraw consent where processing is based on consent
To exercise any of these rights, contact us at privacy@useswarm.co.
10. GDPR Compliance
For users in the European Economic Area (EEA), we process personal data under the following legal bases:
- Contract — processing necessary to provide the Service you requested
- Legitimate interest — analytics and security monitoring
- Consent — where required (e.g., optional analytics)
- Legal obligation — compliance with applicable laws
11. Children's Privacy
Swarm is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at: