Legal

Privacy Policy

Last updated: 20 February 2026

Dwixel Ltd (“we”, “us”, or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use the Dwixel platform at dwixel.com (the “Service”).

This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using Dwixel, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller

The data controller responsible for your personal data is Dwixel Ltd, a private limited company registered in England and Wales (Company No. 16994994), with its registered office at Flat 41 Halley House, 32 Westmoreland Road, London, NW9 9DR, England.

If you have any questions about this Privacy Policy or our data practices, you can contact us at:

Email: support@dwixel.com
Business enquiries: business@dwixel.com

2. Information We Collect

We collect the following categories of personal data:

2.1 Account Information

Email address — provided during registration or via OAuth (Google or GitHub).
Full name — provided during registration or obtained from your OAuth provider profile.
Authentication data — securely managed by Supabase Auth, including hashed passwords for email/password accounts.

2.2 User Content

Documents and files — any content you create, upload, or collaborate on within the Service.
Comments, annotations, and messages — content you contribute during collaboration sessions.

2.3 Usage Data

Analytics data — information about how you interact with the Service, including pages visited, features used, and session duration.
Device and browser information — browser type, operating system, and screen resolution.
IP address — collected for security purposes and fraud prevention.

2.4 Payment Information

If and when paid plans are introduced, payment processing will be handled by Stripe. We do not store your full card details on our servers. Stripe may collect payment card numbers, billing addresses, and transaction history in accordance with their own privacy policy.

3. How We Use Your Information

We process your personal data on the following lawful bases under the UK GDPR:

Performance of a contract (Article 6(1)(b)) — to provide and maintain your account, deliver the Service, and enable collaboration features.
Legitimate interests (Article 6(1)(f)) — to improve the Service, analyse usage patterns, prevent abuse, and ensure platform security.
Consent (Article 6(1)(a)) — where you have opted in to receive marketing communications or non-essential features.
Legal obligation (Article 6(1)(c)) — to comply with applicable laws, regulations, or lawful requests.

Specifically, we use your data to:

Create and manage your account.
Provide real-time document collaboration.
Send transactional emails (e.g. account verification, password resets, team invitations, and task notifications).
Provide grammar-checking and document conversion features.
Analyse and improve the Service.
Detect and prevent fraud, abuse, and security incidents.
Respond to your enquiries and provide support.

4. Third-Party Services

We use the following third-party service providers to operate and improve the Service. Each processes data in accordance with their own privacy policies:

Supabase — authentication, database hosting, and backend infrastructure. Data is stored in PostgreSQL databases hosted on AWS (EU-West region).
TipTap Cloud — powers real-time collaborative editing. Document content may be temporarily processed by their servers during active editing sessions.
Brevo (formerly Sendinblue) — sends transactional emails such as verification links, password resets, and notifications.
Sapling — provides grammar and writing suggestions. Text excerpts may be sent to their API for analysis.
Google Cloud — document conversion services (e.g. exporting documents to different formats).
Stripe — payment processing (if and when paid plans are introduced). Stripe is PCI DSS Level 1 certified.
Netlify — web hosting and deployment.

We ensure that all third-party processors provide adequate safeguards for personal data. Where data is transferred outside the UK, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses or adequacy decisions.

5. Data Storage and Security

Your data is stored in Supabase-managed PostgreSQL databases hosted on Amazon Web Services (AWS) in the EU-West region. We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit (TLS/HTTPS) and at rest.
Row-level security (RLS) policies in our database to ensure users can only access their own data.
Secure authentication via Supabase Auth with hashed passwords and OAuth token management.
Regular security reviews and updates.

Whilst we take all reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.

6. Data Retention

We retain your personal data for as long as your account remains active and as necessary to provide you with the Service. Specifically:

Account data — retained whilst your account is active. Upon account deletion, your personal data will be permanently removed within 30 days.
Document content — retained whilst your account is active or as long as the document exists within a shared workspace. Deleted documents are permanently removed within 30 days.
Usage analytics — retained in aggregated, anonymised form and may be kept indefinitely for service improvement purposes.
Transactional records — retained as required by applicable law (typically up to 6 years for financial records).

7. Cookies

Dwixel uses only essential and functional cookies that are strictly necessary for the operation of the Service. These include:

Authentication cookies — set by Supabase Auth to manage your login session and keep you signed in.
Preference cookies — to remember your settings such as theme preference (light/dark mode).

We do not use advertising or tracking cookies. We do not use any third-party cookies for marketing purposes.

8. Your Rights Under UK GDPR

Under the UK GDPR, you have the following rights regarding your personal data:

Right of access — you can request a copy of the personal data we hold about you.
Right to rectification — you can request that we correct any inaccurate or incomplete personal data.
Right to erasure — you can request the deletion of your personal data (the “right to be forgotten”).
Right to data portability — you can request that we provide your data in a structured, commonly used, and machine-readable format.
Right to object — you can object to processing based on legitimate interests or for direct marketing purposes.
Right to restrict processing — you can request that we limit the way we use your data.
Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at support@dwixel.com. We will respond to your request within one month, as required by law.

9. Data Sharing

We do not sell your personal data. We will never sell, rent, or trade your personal information to third parties for their marketing purposes.

We may share your data only in the following limited circumstances:

Service providers — with the third-party services listed in Section 4, solely for the purpose of operating and improving the Service.
Collaboration — your name and email may be visible to other users within shared workspaces or documents that you participate in.
Legal requirements — if required by law, regulation, legal process, or governmental request.
Safety and security — to protect the rights, property, or safety of Dwixel Ltd, our users, or the public.
Business transfers — in connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy.

10. International Data Transfers

Our primary data storage is within the European Economic Area (AWS EU-West region). However, some of our third-party service providers may process data outside the UK and EEA. Where this occurs, we ensure that appropriate safeguards are in place, including:

UK adequacy decisions for the receiving country.
Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office.
Other appropriate safeguards as required under the UK GDPR.

11. Age Requirements

Dwixel is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe that a child under 16 has provided us with personal data, please contact us at support@dwixel.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of any material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we may also notify you via email.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.

If you have any questions about this Privacy Policy, please contact us at support@dwixel.com.