Privacy Policy

1. Introduction

ByteSlice, LLC. ("Company," "we," "us," or "our") operates the Swirls platform ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This Privacy Policy describes how we collect, use, and share your information. Our legal basis for processing varies by jurisdiction and purpose, as described in Sections 10 and 11.

2. Information We Collect

Information you provide directly

• Account Information: When you create an account, we collect your name, email address, and authentication credentials (or tokens from third-party authentication providers such as Google or GitHub).
• Billing Information: If you subscribe to a paid plan, we collect payment information (such as credit card details) through our third-party payment processor. We do not store full payment card numbers on our servers.
• User Content: Data, workflows, graphs, configurations, secrets, and other content you create, upload, or store through the Service.
• Communications: When you contact us for support, send feedback, or otherwise communicate with us, we collect the content of those communications.

Information collected automatically

• Usage Data: We collect information about how you interact with the Service, including pages visited, features used, graph executions, API calls, timestamps, and frequency of use.
• Device and Browser Information: We collect information about the device and browser you use to access the Service, including IP address, browser type and version, operating system, device identifiers, and screen resolution.
• Log Data: Our servers automatically record information when you access the Service, including your IP address, request timestamps, referral URLs, and error logs.
• Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain your session, remember your preferences, and collect analytics data. See Section 7 for more details.

CLI telemetry

When you use the Swirls CLI, it transmits authentication data, usage metrics (such as command invocations and execution counts), and error reports to our servers. The CLI does not transmit the contents of your workflow data except as necessary to execute cloud-hosted operations you initiate.

Data processed on behalf of users

When third parties submit data to your workflows through forms, webhooks, or document uploads, we process that data on your behalf as a data processor. This data may include personal information. You are the data controller for such data and are responsible for ensuring lawful collection and processing.

Document processing

If you use document processing nodes, uploaded documents are processed in memory during workflow execution. Document contents are encrypted at rest using per-node encryption contexts. We support specific file types and sizes as documented in the product.

Scrape node data

If you use scrape nodes in your workflows, data collected from third-party websites during execution may include personal data. You are responsible for ensuring that your use of scrape nodes complies with applicable privacy laws and the terms of service of the websites you access.

Information from third parties

• Authentication Providers: If you sign in using a third-party provider (e.g., Google, GitHub), we receive your name, email address, and profile information as permitted by your account settings with that provider.
• Analytics Providers: We may receive aggregated or anonymized analytics data from third-party analytics services.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service;
• Process transactions and manage your account, including billing and subscription management;
• Enforce usage limits, detect abuse, and ensure fair use of the Service;
• Communicate with you, including sending service-related notices, updates, security alerts, and support messages;
• Improve, personalize, and develop new features for the Service;
• Monitor and analyze usage patterns and trends to improve the Service's performance and user experience;
• Detect, investigate, and prevent fraudulent, unauthorized, or illegal activity;
• Comply with legal obligations and enforce our Terms of Service;
• Respond to your inquiries, comments, and support requests.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

• Service Providers: We share information with third-party vendors who perform services on our behalf, including cloud hosting, payment processing, analytics, email delivery, and customer support. These providers are contractually obligated to use your information only as necessary to provide their services to us.
• LLM Providers: You configure which LLM providers are used in your workflow definitions. When you use AI-powered features, your input data (prompts, context) is sent only to the providers you specify. Secrets are scoped per-node and are not shared across nodes or providers. These providers process data in accordance with their own terms and privacy policies.
• Sub-processors: A current list of sub-processors is available upon request. Contact [email protected] for details.
• Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
• Business Transfers: In connection with any merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your personal information.
• With Your Consent: We may share your information for any other purpose with your explicit consent.

We do not use customer workflow data to train any machine learning model.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you the Service. We may also retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Upon account termination, we will delete or anonymize your personal information within 30 days, unless retention is required by law or for legitimate business purposes.

Financial records may be retained longer as required by applicable law (for example, U.S. tax law requires 7-year retention of certain records). Audit logs may be retained for up to 2 years to support compliance objectives.

User Content (graphs, workflows, stored data) and derived key material will be deleted within 30 days of account termination. You may request an export of your User Content during this 30-day period.

6. Data Security

We implement technically rigorous security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• AES-256-GCM encryption with per-node encryption contexts. Data encrypted by one node cannot be decrypted by another.
• HKDF-SHA512 key derivation. Key material is derived on demand and discarded after use. Keys are not persisted.
• HMAC-SHA256 cryptographically chained authorization tokens enforcing least-privilege access at the workspace, deployment, execution, node, and tool levels.
• SHA-512 tamper-evident audit trail on append-only, immutable storage.
• Secrets encrypted at rest using AES-256-GCM with per-node scoping.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security.

7. Cookies and Tracking Technologies

We use the following types of cookies:

• Essential Cookies: Required for the Service to function, including session management and authentication. These cannot be disabled.
• Analytics Cookies: Help us understand how users interact with the Service so we can improve it. These collect aggregated, anonymized usage data.
• Preference Cookies: Remember your settings and preferences (such as theme or layout choices) to provide a personalized experience.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service.

We will ask for your consent before setting non-essential cookies. You can manage your cookie preferences at any time through your browser settings or through the cookie consent mechanism provided on our website.

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

• Access: You may request a copy of the personal information we hold about you.
• Correction: You may request that we correct inaccurate or incomplete personal information.
• Deletion: You may request that we delete your personal information, subject to certain exceptions (such as legal obligations or fraud prevention).
• Portability: You may request a copy of your personal information in a structured, commonly used, machine-readable format.
• Objection: You may object to the processing of your personal information for certain purposes, such as direct marketing.
• Restriction: You may request that we restrict the processing of your personal information under certain circumstances.
• Withdrawal of Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at byteslice.co/contact. We will respond to your request within 30 days (or sooner if required by applicable law).

9. International Data Transfers

The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) as applicable. We take appropriate measures to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Correction: You may request that we correct inaccurate personal information we hold about you.
• Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of your sensitive personal information to purposes necessary to provide the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
• No Sale of Personal Information: We do not sell your personal information as defined by the CCPA.

To exercise your California privacy rights, contact us at byteslice.co/contact. We may need to verify your identity before processing your request.

For more information about your California privacy rights, you may also contact the California Privacy Protection Agency at cppa.ca.gov.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal Basis for Processing: We process your personal data based on: (a) your consent; (b) the necessity to perform our contract with you (the Terms of Service); (c) our legitimate interests (such as improving the Service, preventing fraud, and ensuring security); or (d) compliance with legal obligations.
• Legal Basis Mapping: We process personal data on the following bases: consent (analytics cookies and non-essential tracking), contract (service delivery and account management), legitimate interests (security monitoring, fraud prevention, and service improvement), and legal obligation (tax and financial record-keeping).
• Privacy Contact: You may contact us regarding data protection matters at byteslice.co/contact.
• Supervisory Authority: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe we have violated your data protection rights.
• Automated Decision-Making: Workflows using AI or LLM nodes may constitute automated processing under Article 22 of the GDPR. If you process personal data of EEA residents through such workflows, you are responsible for ensuring compliance with Article 22 requirements, including providing meaningful information about the logic involved and ensuring appropriate safeguards.

12. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child under 18, please contact us at byteslice.co/contact.

13. Third-Party Links and Services

The Service may contain links to or integrate with third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices of third parties, and we encourage you to review the privacy policies of any third-party services you access through the Service.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least thirty (30) days before the changes take effect. The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at byteslice.co/contact.

For privacy and data protection inquiries, including GDPR and CCPA rights requests, contact [email protected].

For security inquiries and vulnerability reports, contact [email protected].