Privacy Policy
Last updated: 5 April 2026
This Privacy Policy explains how Tactus Adaptive Group Ltd ("we", "us", "our"), trading as Swiftshot, collects, uses, and protects your personal data when you use the Swiftshot service at swiftshot.app ("the Service").
We are committed to protecting your privacy and complying with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Data Protection Act 2018, and the California Consumer Privacy Act (CCPA).
1. Data Controller
Tactus Adaptive Group Ltd is the data controller for the personal data processed through the Service. You can contact us at obsidlabs@gmail.com.
2. Data We Collect
Account data
When you create an account, we collect:
- Email address
- Name (if provided)
- Authentication data (managed by Clerk)
Meeting data
When you use the Service, we process:
- Meeting notes you submit
- Extracted action items (generated by AI)
- Meeting titles and timestamps
Team member data
You provide us with:
- Team member names and email addresses
- Slack workspace data (if you connect Slack)
Payment data
Payment processing is handled by Stripe. We store your Stripe customer ID but do not store card numbers or payment details. See Stripe's Privacy Policy.
Usage data
We collect error reports and performance data via Sentry to maintain and improve the Service. This may include IP addresses, browser type, and page interactions.
3. How We Use Your Data
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing the Service (extracting actions, sending notifications) | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (action notifications) | Contract performance (Art. 6(1)(b)) |
| Error monitoring and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. AI Processing
Meeting notes you submit are sent to Anthropic's Claude API for action extraction. Anthropic processes this data as a sub-processor under our instructions. Your meeting notes are not used to train AI models. See Anthropic's Privacy Policy.
5. Third-Party Processors
We use the following third-party services to operate Swiftshot:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication | US |
| Supabase | Database hosting | EU/US |
| Anthropic | AI action extraction | US |
| Resend | Email delivery | EU |
| Stripe | Payment processing | US |
| Vercel | Hosting | US |
| Sentry | Error monitoring | US |
| Slack | Action delivery (optional) | US |
Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent mechanisms recognised under applicable law.
6. Data Retention
- Meeting data: Retained while your account is active, subject to your plan's history limits
- Account data: Retained until you delete your account
- Payment records: Retained for 7 years as required by UK tax law
- Error logs: Retained for 90 days
7. Your Rights
UK and EEA residents
Under UK GDPR and EU GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing of your data
- Port your data to another service
- Object to processing based on legitimate interest
California residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Opt out of the sale or sharing of your personal information — we do not sell or share your data with third parties for advertising purposes
- Non-discrimination for exercising your privacy rights
We do not sell personal information as defined under the CCPA. We do not use your data for cross-context behavioural advertising.
All users
To exercise any of these rights, email obsidlabs@gmail.com. We will respond within 30 days (or 45 days for CCPA requests if an extension is needed).
8. Cookies
The Service uses essential cookies for authentication and session management. We do not use advertising or tracking cookies. Third-party services (Clerk, Stripe) may set their own cookies as described in their respective privacy policies.
9. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encrypted database connections, and role-based access controls. We use the Supabase service role key exclusively on the server side.
10. Children
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with your local data protection authority:
- UK: Information Commissioner's Office (ICO) at ico.org.uk
- EU: Your national Data Protection Authority — see EDPB member list
- California: The California Attorney General at oag.ca.gov/privacy
13. Contact
For questions about this Privacy Policy, contact us at obsidlabs@gmail.com.