Privacy Policy

SwaftyFlow Privacy Policy and Data Protection Information

Last updated: November 2025

1. Who we are

SwaftyFlow ("SwaftyFlow", "we", "our" or "us") is a product of Epigos Ltd (also known as Epigos AI), a company registered in England and Wales with its registered office at 20–22 Wenlock Road, London, England, N1 7GU.

Epigos Ltd is the data controller for personal data processed in connection with:

  • the SwaftyFlow marketing website, and
  • customer accounts created to use the SwaftyFlow platform,

except where we act as a data processor on behalf of our business customers when processing WhatsApp conversations between them and their end users (see section 3.2).

This Privacy Policy explains how we collect, use, disclose and protect personal data when you:

  • visit or interact with the SwaftyFlow website,
  • create an account or otherwise engage with us as a customer or prospective customer, or
  • use SwaftyFlow to connect AI support agents to your WhatsApp Business number.

2. The services we provide

SwaftyFlow is an AI-powered automation platform that enables businesses to:

  • create and configure AI customer-support agents, and
  • connect those agents to their WhatsApp Business numbers and other channels (where supported),

to automate and improve customer support operations.

We process personal data both about:

  • our customers and website visitors ("Customer Data"), and
  • end users of our customers who interact with SwaftyFlow-powered agents via WhatsApp or other channels ("End-User Data").

Unless stated otherwise, this Privacy Policy applies to both categories of data.

3. What personal data we collect

3.1 Data we collect about customers and website visitors

We may collect the following categories of personal data when you visit our website, contact us, or create and use a SwaftyFlow account:

  • Account and contact details: name, job title, company name, email address, phone number, password and authentication data.
  • Business information: company size, industry, and any information you choose to share about your use case.
  • Billing and payment information: billing name, address, VAT or tax details, subscription details and payment method information (processed via secure payment providers).
  • Support and communications: messages you send to us (e.g. support tickets, emails, chat messages, call notes), feedback and survey responses.
  • Website and product usage data: pages visited, features used, links clicked, referring URLs, timestamps, session duration, crash/diagnostic logs and similar analytics data.
  • Device and technical data: IP address, browser type and version, operating system, device identifiers and similar technical information.

3.2 Data we process about end users (WhatsApp and other channels)

When our business customers connect their WhatsApp Business number or other channels to SwaftyFlow, we process personal data about their end users on their behalf. This may include:

  • Identification data: WhatsApp profile name, phone number, display picture, and other identifiers made available through the WhatsApp Business API.
  • Message content: text messages, images, videos, audio, documents and other media sent or received through the integrated channel.
  • Conversation metadata: message timestamps, delivery and read status, channel identifiers, conversation IDs and routing information.
  • Support context: information about orders, tickets or cases where our customer chooses to pass such data into SwaftyFlow (e.g. order ID, customer ID, account status).

For this End-User Data, our customers are typically the data controllers, and SwaftyFlow (Epigos Ltd) acts as a data processor under the GDPR and similar laws. We process such data strictly in accordance with our customers' instructions and our contractual terms.

3.3 Special category and sensitive data

Our services are not designed to intentionally collect special categories of personal data (such as data about health, religion, political opinions, or similar). We ask our customers not to intentionally use SwaftyFlow to process such data unless:

  • this is clearly necessary for their use case, and
  • they have a lawful basis and appropriate safeguards in place.

If you believe we are processing special category data inappropriately, please contact us (see section 12).

3.4 Children

Our website and services are not intended for children under 13, and we do not knowingly collect personal data from children under 13. If we learn that we have collected such data, we will take reasonable steps to delete it.

4. How we use personal data and legal bases (GDPR)

We process personal data only where we have a lawful basis under the UK GDPR / EU GDPR. Depending on the context, we may process personal data on the following bases:

  • Contract: to perform a contract with you or take steps at your request before entering into a contract (e.g. creating and managing your SwaftyFlow account, providing the service, processing payments).
  • Legitimate interests: to operate, secure and improve our services, communicate with you about our services and protect our business, provided that our interests are not overridden by your rights and interests.
  • Consent: for certain marketing activities (e.g. email newsletters), where required by law, and for cookies or similar technologies where applicable.
  • Legal obligation: where processing is necessary to comply with legal or regulatory obligations (e.g. tax, accounting, law-enforcement requests).

We use personal data for the following purposes:

4.1 Providing and operating the SwaftyFlow service

  • Creating and administering accounts.
  • Authenticating users and securing access to the platform.
  • Configuring, deploying and running AI agents for customer support.
  • Processing WhatsApp and other channel messages to generate automated responses.
  • Providing customer support and resolving technical issues.

Legal basis: performance of a contract; legitimate interests (to provide a reliable and secure service).

4.2 Improving, securing and developing our services

  • Monitoring performance, usage and reliability.
  • Debugging, troubleshooting and preventing abuse or security incidents.
  • Developing new features, models and capabilities (including training and evaluating AI systems using appropriate safeguards such as aggregation, pseudonymisation or anonymisation where possible).

Legal basis: legitimate interests (to improve and secure our services).

4.3 Marketing and communication

  • Sending service-related announcements (e.g. changes to terms, security or privacy updates).
  • Sending product updates, newsletters and marketing communications, where permitted.
  • Responding to your enquiries and requests.

Legal basis: legitimate interests (to grow and develop our business); consent where required by law. You can opt out of marketing at any time (see section 10).

4.4 Compliance and protection

  • Complying with legal, regulatory and tax obligations.
  • Responding to lawful requests from public authorities.
  • Enforcing our agreements and protecting our rights, property and safety, and those of our users, customers and others.

Legal basis: legal obligation; legitimate interests (to protect our business and users).

5. How we process WhatsApp and Meta data

Our platform integrates with the WhatsApp Business API, which is provided by Meta Platforms and/or its affiliates. When you or your customers use WhatsApp with SwaftyFlow:

  • Message content and related metadata are exchanged between WhatsApp and SwaftyFlow in order to deliver, process and respond to messages.
  • Meta and WhatsApp act as independent controllers for data they process through WhatsApp; their processing is governed by their own terms and privacy policies. We encourage you and your end users to review WhatsApp's and Meta's privacy documentation.
  • We process WhatsApp data only:
    • to route and deliver messages,
    • to generate AI responses and provide automation services,
    • to provide analytics and dashboards to our customers, and
    • to ensure security, fraud prevention and abuse detection.

We do not sell End-User Data and we do not use End-User WhatsApp messages for our own independent marketing to those end users.

Where we use conversation data to improve our AI models or services, we do so in accordance with our contracts with customers and with appropriate safeguards (for example, aggregation, pseudonymisation or anonymisation where feasible).

6. Data sharing and disclosure

We do not sell personal data. We may share personal data in the following circumstances:

6.1 Service providers (processors)

We use trusted third-party service providers to help us run SwaftyFlow, such as:

  • cloud hosting and infrastructure providers,
  • database, logging and monitoring providers,
  • payment processors and billing platforms,
  • customer support and communication tools,
  • analytics and error monitoring services.

These providers process personal data only on our instructions, under written contracts, and must implement appropriate security measures.

6.2 Business customers

For End-User Data, we share conversation data with our relevant business customer (the controller) so that they can view and manage their customer interactions, including through dashboards, exports and integrations they configure.

6.3 Legal and compliance

We may disclose personal data where necessary to:

  • comply with applicable laws or legal processes,
  • respond to legitimate requests from public authorities,
  • enforce our agreements or protect our rights, property or safety, or
  • protect our users, customers or others from harm or fraud.

6.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganisation, or sale of all or part of our business, personal data may be transferred as part of that transaction, subject to appropriate safeguards and continuity of protections.

7. International data transfers

Epigos Ltd is based in the United Kingdom, but we may use service providers and infrastructure located in other countries, including outside the UK and European Economic Area (EEA).

Where personal data is transferred outside the UK or EEA, we will ensure that appropriate safeguards are in place, such as:

  • adequacy decisions issued by the European Commission or UK government,
  • standard contractual clauses approved by the European Commission and/or UK government, or
  • other lawful transfer mechanisms recognised under applicable data protection laws.

You can contact us for more information about these safeguards.

8. Data security

We implement technical and organisational measures designed to protect personal data, including:

  • encryption of data in transit (and at rest where appropriate),
  • access controls and authentication mechanisms,
  • regular backups and resilience measures,
  • logging and monitoring for suspicious activity,
  • internal policies and staff training on information security and privacy.

However, no system can be completely secure; we cannot guarantee absolute security of your data. If we become aware of a data breach affecting your personal data, we will notify you and/or the relevant authorities in accordance with applicable law.

9. Data retention

We retain personal data only for as long as necessary for the purposes described in this Policy, and to comply with our legal, regulatory and contractual obligations.

In general:

  • Customer account data is kept for the duration of the contract and for a reasonable period afterwards (for example, to deal with queries or disputes), unless a longer retention period is required by law.
  • Billing and transaction data is kept for the period required by tax and accounting laws.
  • End-User conversation data (e.g. WhatsApp chats) is retained according to settings agreed with our customers and as necessary to provide the service; customers may be able to configure or request shorter retention periods where supported.
  • Analytics and log data is retained for a limited period to support troubleshooting, security and service improvement.

When data is no longer required, we will delete it or anonymise it so that it can no longer be linked to an identifiable individual.

10. Your rights under data protection laws

Depending on where you are located and subject to applicable law, you may have the following rights in relation to your personal data:

  • Right of access: to obtain confirmation of whether we process your personal data and, if so, a copy of that data.
  • Right to rectification: to request correction of inaccurate or incomplete personal data.
  • Right to erasure: to request deletion of your personal data in certain circumstances (e.g. where it is no longer needed or you withdraw consent).
  • Right to restriction: to request that we restrict processing of your data in specific situations.
  • Right to data portability: to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.
  • Right to object: to object to processing based on our legitimate interests, and to object at any time to processing for direct marketing.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal.

If we act as a processor for our business customers (for example, for End-User Data processed via WhatsApp), we may need to refer your request to the relevant customer (the controller), who is ultimately responsible for handling it.

To exercise any of your rights, please contact us using the details in section 12.

You also have the right to lodge a complaint with a supervisory authority, in particular in the UK (the Information Commissioner's Office) or in the EU member state where you live or work, or where you believe a breach has occurred.

11. Cookies and tracking technologies

Like many websites and online services, we may use cookies and similar technologies (such as pixels and local storage) to:

  • remember your preferences and settings,
  • keep you signed in to your account,
  • understand how our website and product are used, and
  • improve the performance and user experience of our services.

Where required by law, we will ask for your consent before placing non-essential cookies and will provide you with options to manage your preferences. You can also control cookies through your browser settings, although disabling cookies may affect how our website and services function.

12. Contact details

If you have any questions about this Privacy Policy or how we handle personal data, or if you wish to exercise your rights, please contact us:

  • Email (support): hello@epigos.ai
  • Postal address: Epigos Ltd, 20–22 Wenlock Road, London, England, N1 7GU

When you contact us, we may ask for information to help verify your identity before we act on your request.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our services, legal requirements or industry practices. When we make material changes, we will take appropriate steps to inform you (such as by email or a notice on our website) and will update the "Last updated" date at the top of this Policy.

By using SwaftyFlow's website or services after an update, you acknowledge that you have read and understood the updated Privacy Policy.