How SWIM by PhiloX handles personal information.

1. Who we are

SWIM is operated by Philoi Ltd, trading as PhiloX. For personal information collected through the SWIM website, launch access flow, and related website interactions, Philoi Ltd acts as the data controller.

As the SWIM platform develops, Philoi Ltd may also act as the controller for platform account, administration, security, and service operation data. Where SWIM handles project, organisational, or partner data on behalf of a customer, NGO, certifier, or other third party, Philoi Ltd may act as a processor and process that data in accordance with the relevant instructions or contract.

This Privacy Policy is intended to align with the UK GDPR, EU GDPR, and other applicable privacy laws, including the Australian Privacy Act 1988 (Cth) where relevant. For privacy-related enquiries, requests, or complaints, you may contact us at [email protected] or write to Philoi Ltd at 2nd Floor, 55 Ludgate Hill, London, EC4M 7JW, United Kingdom.

2. Information we collect

We collect the following categories of information:

• Identity and contact details, such as your work email address and any name, company, role, or other details you choose to provide.
• Inquiry, waitlist, launch access, and demo request information you submit through the website or in communications with us.
• Device, browser, and usage information, such as IP address, browser type, referring pages, pages viewed, approximate usage timing, and technical logs.
• Communications you send to us, including requests, feedback, and follow-up correspondence.
• If and when the SWIM platform is used, account, project, organisational, verification, and collaboration data submitted through the platform.

3. How we collect information

We collect personal information directly from you when you:

• submit a form through the website;
• request launch access or a product demo;
• communicate with us about SWIM or PhiloX; or
• interact with the website, including through standard web server logs and similar technical means.

4. Why we use information

We use personal information to:

• operate, maintain, and improve the website;
• review launch access requests and respond to inquiries;
• communicate with you about SWIM, PhiloX, launch access, demo requests, and related product updates;
• operate platform functionality, including account administration, matching, mapping, verification, collaboration, and reporting where applicable;
• monitor performance, security, and misuse of the website; and
• comply with legal obligations and enforce our website terms.

5. Legal basis for processing

Where the UK GDPR, EU GDPR, or similar laws apply, we rely on one or more of the following legal bases for processing personal information:

• Consent, including where you request marketing communications, join a waitlist, submit a demo request, or accept non-essential cookies where consent is required.
• Legitimate interests, including operating, securing, supporting, analysing, and improving SWIM, responding to business enquiries, and preventing misuse.
• Legal obligation, including compliance with applicable laws, lawful requests, regulatory expectations, dispute handling, and enforcement of our terms and policies.

6. Disclosure of personal information and platform sharing

We disclose personal information to:

• service providers that help us host, operate, secure, deliver, support, or improve the website and platform;
• professional advisers, auditors, insurers, and corporate counterparties where reasonably necessary;
• regulators, courts, law enforcement, or government authorities when required or permitted by law; and
• a purchaser or successor in connection with a merger, acquisition, restructure, or sale of assets.

Where users submit project or organisational information to the SWIM platform, that information may be made visible to other platform participants, including corporates, NGOs, certifiers, and implementation partners, in accordance with the platform's functionality, contractual arrangements, and user settings. Depending on the relevant workflow, submitted information may be public, restricted to an organisation, or shared with selected participants for matching, diligence, mapping, verification, collaboration, or reporting.

We do not sell personal information for money. If our practices change materially, we will update this Privacy Policy.

7. Cookies, analytics, and third-party tools

We use cookies, local storage, and similar technologies to operate the website, remember preferences, support security, and understand how the website is used. Our third-party providers may include, without limitation, hosting and infrastructure providers, email delivery providers, form and waitlist providers, identity and access providers, and analytics or CRM providers where those tools are deployed.

Current website operations may involve providers such as Cloudflare for website delivery and hosting, Clerk for waitlist handling, and Resend for email delivery. Where required by law, we rely on consent before placing or enabling non-essential cookies or analytics, and we will provide cookie controls through our cookie banner or equivalent consent tools when those technologies are in use. You can also manage cookies through your browser settings, although disabling certain technologies may affect website functionality.

8. International data handling

We and our service providers may process or store personal information in the United Kingdom, Australia, and other countries where our infrastructure or providers operate. Those locations may have privacy laws that differ from the laws in your jurisdiction.

Where we transfer personal information outside the UK or European Economic Area, we rely on lawful transfer mechanisms and safeguards where required. These may include adequacy decisions, the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement or UK Addendum, or other equivalent safeguards permitted by applicable law.

9. Data retention

We retain personal information for only as long as reasonably necessary for the purposes described in this Privacy Policy, including to respond to your request, maintain business records, resolve disputes, enforce agreements, and meet legal obligations. Retention periods vary depending on the type of data and the reason we hold it.

• Waitlist and launch access data is generally retained until onboarding, withdrawal, opt-out, or up to 24 months after your last meaningful interaction, unless a longer period is needed for recordkeeping or legal reasons.
• Inquiry and demo request data is generally retained for up to 12 months after the last substantive interaction, unless ongoing discussions or legal requirements justify longer retention.
• Website logs and security records are generally retained for up to 12 months, except where a longer period is needed for security investigations, dispute resolution, or legal compliance.
• Analytics or cookie-level data, where used, is retained in accordance with provider settings and then deleted, aggregated, de-identified, or anonymised after up to 26 months unless a shorter period applies.

10. Security measures

We use technical and organisational measures designed to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These measures include encryption in transit using TLS, access controls and least-privilege permissions, vendor due diligence and contractual safeguards, and monitoring for unauthorised access or misuse. We also apply additional safeguards where appropriate based on the sensitivity of the data and the relevant service.

No method of transmission over the internet or electronic storage is completely secure, so we cannot guarantee absolute security.

11. Your privacy rights

Subject to applicable law, you may have the right to:

• access personal information we hold about you;
• request correction or rectification of inaccurate or incomplete information;
• request erasure of personal information in certain circumstances;
• request restriction of processing in certain circumstances;
• receive a copy of certain personal information in a portable format;
• object to processing based on legitimate interests, including direct marketing;
• withdraw consent at any time where we rely on consent; and
• lodge a complaint with a regulator, including the UK Information Commissioner's Office, an EU or EEA supervisory authority, or another competent privacy regulator in your jurisdiction.

To exercise these rights, contact us using the details above. We may need to verify your identity before acting on a request. We will review and respond within a reasonable time and in accordance with applicable law.

12. Automated decision-making and AI

SWIM uses and may continue to develop algorithmic and AI-assisted functionality to help match projects, surface opportunities, organise information, and support mapping, verification, and workflow recommendations. These tools are intended to assist our team and platform users.

We do not currently make solely automated decisions that produce legal effects or similarly significant effects about individuals without meaningful human involvement. Where applicable law requires, we will provide additional information about relevant logic, significance, and available safeguards.

13. Children

The website is intended for business and professional audiences. It is not directed to children under 16, and we do not knowingly collect personal information directly from children through the website.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated version on this page and update the effective date above.