SwarmHawk s.r.o., Czech Republic, is the data controller for all personal data processed through the platform.
We process data based on contract performance, legitimate interests, legal obligation, and consent as appropriate.
Security and data minimisation are built into our architecture: we collect only what is strictly necessary.
In case of a data breach, we notify the supervisory authority within 72 hours and affected users promptly.
SwarmHawk is headquartered in the Czech Republic, an EU member state, and the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies directly to our operations. We take GDPR compliance seriously as both a legal obligation and a core business value.
This page provides a structured overview of how SwarmHawk complies with GDPR requirements, both as a data controller (when processing user account data) and as a data processor (when scanning domains on behalf of business customers).
SwarmHawk is built to help your organisation achieve GDPR compliance: we monitor domains for exposed personal data, misconfigured email authentication (which enables GDPR-violating phishing), and more. See Section 8 for details.
When you create an account and use our platform, SwarmHawk acts as the data controller for the personal data you provide (email, name, organisation). We determine the purposes and means of processing that data.
When your organisation uses SwarmHawk to scan your own domains and those domains may involve personal data (e.g. employee subdomains, email addresses in WHOIS records), SwarmHawk acts as your data processor. In this capacity:
Enterprise customers can request a Data Processing Agreement (DPA) by contacting hello@swarmhawk.com. The DPA covers all Art. 28 GDPR requirements and includes our standard contractual clauses for sub-processors.
| Data Category | Examples | Legal Basis (Art. 6) | Retention |
|---|---|---|---|
| Account data | Email, name, password hash | Art. 6(1)(b) – Contract | Account lifetime + 30 days |
| Scan data | Domain names, scan results | Art. 6(1)(b) – Contract | 12 months |
| Technical logs | IP address, request logs | Art. 6(1)(f) – Legitimate interests (security) | 90 days |
| Audit logs | Login events, API calls | Art. 6(1)(c) – Legal obligation (NIS2) | 36 months |
| Billing records | Invoice amount, VAT ID | Art. 6(1)(c) – Legal obligation (accounting law) | 10 years |
| Marketing emails | Name, email, preferences | Art. 6(1)(a) – Consent | Until consent withdrawn |
We apply data minimisation: only data necessary for the stated purpose is collected. Fields marked optional in forms are genuinely optional and not required to receive the core service.
As a data subject under GDPR, you have the following rights. We respond to all requests within 30 days (extendable by 2 months for complex requests, with notice):
- Right of access (Art. 15): request a copy of all personal data we hold about you, including the purposes and recipients.
- Right to rectification (Art. 16): ask us to correct or complete inaccurate or incomplete personal data.
- Right to erasure (Art. 17): request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction of processing (Art. 18): ask us to pause processing your data while you contest its accuracy or our legal basis.
- Right to data portability (Art. 20): receive your account data in a structured, machine-readable JSON format (available in account settings).
- Right to object (Art. 21): object to processing based on legitimate interests (e.g. analytics); we will stop that processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Automated decision-making (Art. 22): we do not make legally significant automated decisions about individuals. AI risk scores apply to domain names, not people.
- Right to withdraw consent (Art. 7(3)): revoke marketing consent at any time via the unsubscribe link in emails or in account settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any right, use the form in Section 9 or email hello@swarmhawk.com. If you are unsatisfied with our response, you have the right to lodge a complaint with the Czech Office for Personal Data Protection (ÚOOÚ):

Úřad pro ochranu osobních údajů (ÚOOÚ)
Address: Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Website: www.uoou.cz
Email: posta@uoou.cz
We use the following sub-processors to deliver the Service. All are bound by data processing agreements and appropriate transfer safeguards:
| Sub-processor | Role | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database hosting (PostgreSQL) | EU (Frankfurt) | Adequacy / SCCs |
| Render Inc. | Application server hosting | US (Oregon) | SCCs (2021/914) |
| Anthropic PBC | AI text generation (domain risk summaries) | US | SCCs + DPA |
| Portkey AI | LLM gateway / observability | US | SCCs |
| Stripe Inc. | Payment processing | US / EU | SCCs + Adequacy |
| Cloudflare Inc. | CDN & DDoS protection | Global edge | SCCs |
We will notify affected customers at least 30 days before adding a new sub-processor that processes personal data, giving customers the opportunity to object.
Some sub-processors are based in the United States, a country that does not benefit from a blanket EU adequacy decision. We protect these transfers using:
Copies of our SCCs are available on request at hello@swarmhawk.com.
Our incident response procedure for data breaches complies with GDPR Art. 33–34:
To report a suspected security issue, contact security@swarmhawk.com. For responsible disclosure, we offer a coordinated disclosure programme.
Beyond our own compliance, SwarmHawk helps your organisation meet GDPR obligations by monitoring domains under your control:
For a GDPR-focused integration guide, see our API Documentation.
Use the form below or email hello@swarmhawk.com to exercise your GDPR rights. We will verify your identity and respond within 30 days.
SwarmHawk has appointed a Data Protection Officer (DPO) who can be reached for any GDPR-related query:
Data Protection Officer
Email: hello@swarmhawk.com
For Data Processing Agreement requests: hello@swarmhawk.com
Security / breach reports: security@swarmhawk.com
SwarmHawk s.r.o. · Czech Republic · www.swarmhawk.com