Privacy Policy
Last updated: 20 April 2026
This Privacy Policy explains how CSXII LTD (trading as Swizero), company number 17156821, registered office 128 City Road, London EC1V 2NX, United Kingdom (“CSXII”, “Swizero”, “we”, “us”, “our”) collects, uses, and protects your personal information when you visit swizero.com or join our waitlist.
We are committed to protecting your privacy and handling your data transparently in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
1. Who We Are (Data Controller)
The data controller for personal information collected through this website is:
CSXII LTD
Company number: 17156821
Registered office: 128 City Road, London EC1V 2NX, United Kingdom
Trading as: Swizero
Data protection enquiries: via our contact form (select “Privacy & data rights”)
General enquiries: hello@swizero.com
We are incorporated in England and Wales. As a UK-established controller, we do not require a European Union Article 27 representative.
We are not required to appoint a Data Protection Officer at our current scale, but we take our data protection obligations seriously. All enquiries should be directed to the contact details above.
2. Information We Collect
We collect the following categories of personal data:
- Email address: provided by you when you join our waitlist. This is the primary personal identifier we hold.
- Referral code and referral count: a unique code generated for each waitlist member and a count of successful referrals attributed to your code.
- Usage and analytics data: page views, session duration, navigation paths, click events, and similar behavioural signals collected via our analytics provider (see Section 7).
- Session recording data: where enabled, we record anonymised interaction replays for product improvement purposes. Input fields are masked by default and we do not record the content of text inputs.
- Technical data: IP address (anonymised where possible), browser type and version, operating system, referring URL, and request timestamps. Collected automatically as part of normal web server and analytics operations.
We do not collect payment card data, government identifiers, or special-category data as defined in UK GDPR Article 9. We do not knowingly collect data from children under 13 (see Section 10).
3. How We Use Your Information and Our Legal Basis
We process your personal data only where we have a lawful basis to do so under UK GDPR Article 6. The table below sets out each purpose, the data used, and the applicable legal basis.
| Purpose | Data used | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Sending waitlist confirmation and position updates | Email address | Art. 6(1)(b): performance of a contract (steps at your request before joining the waitlist) |
| Sending product launch and pre-launch update emails | Email address | Art. 6(1)(a): consent (given at sign-up; you may withdraw at any time) |
| Operating the referral programme (tracking referrals, awarding perks) | Email address, referral code, referral count | Art. 6(1)(b): performance of a contract |
| Understanding how visitors use our website (analytics) | Usage data, technical data, session recordings | Art. 6(1)(f): legitimate interests (improving our product and user experience; we have assessed this does not override your interests) |
| Detecting and preventing fraud and abuse of the referral system | Email address, referral data, technical data | Art. 6(1)(f): legitimate interests (protecting the integrity of our systems and other users) |
| Complying with legal obligations (e.g. responding to data subject requests) | As relevant to the request | Art. 6(1)(c): legal obligation |
Where we rely on legitimate interests (Art. 6(1)(f)), you may object to that processing at any time (see Section 9). We will then cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
4. Categories of Recipients
We share your personal data with the following categories of third-party processors, each under a data processing agreement or equivalent contractual safeguard, and only to the extent necessary for the purposes described above:
| Category | Purpose |
|---|---|
| Cloud hosting and edge delivery provider | Website hosting and global content delivery |
| Cloud database provider | Storage of waitlist sign-ups and referral data |
| Transactional email delivery provider | Sending waitlist confirmations and product updates |
| Privacy-focused product analytics provider | Understanding aggregate site usage and session replays (input-masked) |
We do not sell, rent, or disclose your personal data to any other third party for marketing purposes.
5. International Transfers
Some of our processors are based outside the United Kingdom. Where this is the case, we ensure a similar degree of protection for your personal data by relying on approved transfer mechanisms, including the UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses with the UK Addendum, or the EU-US Data Privacy Framework where applicable.
You may contact us via our contact form if you want further information on the specific mechanism used for any transfer.
6. How Long We Keep Your Data
We retain personal data only for as long as necessary for the purpose for which it was collected:
| Data category | Retention period |
|---|---|
| Waitlist email address | Until product launch or 24 months from sign-up, whichever is sooner, unless you request deletion earlier |
| Referral code and referral count | Until your deletion request is fulfilled, or until 90 days after product launch (to allow perk fulfilment), whichever is sooner |
| Analytics and usage data | 26 months from collection, after which it is deleted or anonymised in line with our analytics provider’s default data retention settings |
| Session recordings | Up to 26 months; input fields are masked and not stored |
| Technical server logs | Up to 90 days, in line with our hosting providers’ default log retention |
When the retention period expires, we securely delete or anonymise the data. If you request earlier deletion, we will act on your request within 30 days (see Section 9).
7. Cookies and Similar Technologies
We use a small number of cookies and similar technologies on our website. We do not use advertising cookies or cross-site tracking cookies.
| Category | Purpose | Legal basis |
|---|---|---|
| Functional / strictly necessary | A/B test assignment and session consistency | Art. 6(1)(f) legitimate interests; no prior consent required for functional cookies |
| Analytics | Measuring aggregate site usage and powering session replays | Art. 6(1)(f) legitimate interests; you may opt out (see below) |
Opt-out: To opt out of analytics cookies, you can configure your browser to block or delete cookies, or contact us via our contact form and we will configure a server-side opt-out for your session.
8. Your Rights Under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. Most requests will be fulfilled within one calendar month; complex requests may take up to three months (we will notify you if this applies).
- Right of access (Art. 15): You may request a copy of the personal data we hold about you and information about how we use it.
- Right to rectification (Art. 16): You may ask us to correct inaccurate or incomplete personal data.
- Right to erasure / “right to be forgotten” (Art. 17): You may ask us to delete your personal data. This right applies in certain circumstances; we will confirm whether it applies to your request.
- Right to restriction of processing (Art. 18): You may ask us to restrict how we process your data in certain circumstances, for example while a dispute about accuracy is resolved.
- Right to data portability (Art. 20): Where processing is based on consent or contract and carried out by automated means, you may ask for your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interests (Art. 6(1)(f)) at any time. We will stop processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7): Where processing is based on your consent (e.g. marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing. Use the unsubscribe link in any email we send, or contact us directly.
- Right not to be subject to solely automated decisions (Art. 22): We do not currently make automated decisions that produce legal or similarly significant effects on individuals. If this changes, we will update this policy and provide the required safeguards.
To exercise any of these rights, contact us via our contact form (select “Privacy & data rights”) or write to us at our registered office. We will respond within one month and may need to verify your identity before acting on a request.
Right to lodge a complaint: If you are not satisfied with how we handle your data or your request, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office (ICO), at ico.org.uk, or by calling 0303 123 1113.
9. Children
Our website and waitlist are intended for use by individuals aged 13 and over. We do not knowingly collect personal data from children under the age of 13. If you believe a child under 13 has provided us with personal data, please contact us via our contact form and we will delete that data promptly.
10. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. Specific measures include:
- TLS encryption for all data in transit between your browser and our servers.
- Database-level encryption at rest and encrypted connections at our data layer.
- Access controls limiting who within CSXII LTD can access personal data.
- Regular review of sub-processor security posture.
No method of transmission over the internet or electronic storage is 100% secure. If you become aware of a security issue affecting your data, please contact us immediately via our contact form.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify waitlist members by email at least 14 days before those changes take effect, with a clear description of what has changed. The updated policy will also be posted on this page with a revised “last updated” date.
Non-material changes (for example, corrections of typographical errors or clarifications that do not alter your rights) may be published on this page without prior email notice.
If you object to any change, you may request deletion of your data at any time (see Section 9).
12. Contact
For any questions about this Privacy Policy, to exercise your rights, or for any data protection matter, please contact us:
Contact form (preferred): swizero.com/contact — select “Privacy & data rights” for any GDPR request.
By email (general enquiries): hello@swizero.com
By post: CSXII LTD, 128 City Road, London EC1V 2NX, United Kingdom
We aim to respond to all privacy enquiries within five working days and to fulfil rights requests within one calendar month of receiving a verified request.