Product Privacy Notice
Education Bot, Inc. (operating as swivl) · Effective Date: January 10, 2026
This notice is addressed to operators and organizations ("Customers") who use swivlStudio to manage customer and tenant communications across their locations. It explains how swivl processes personal information through the platform on your behalf, and what obligations you, as the data controller, are responsible for with respect to your own customers, tenants, and end users.
1. Understanding the Roles: Controller and Processor
When you use swivl to handle calls, texts, and web chat on behalf of your locations, two distinct roles exist under data protection law.
Data Controller
You determine why personal information is collected from your customers and tenants and how it will be used. You own the direct relationship with the individuals whose data is processed. This makes you the Controller under CCPA, PIPEDA, and GDPR.
Data Processor
swivl processes personal information strictly on your instructions, through swivlStudio and the services you configure. We do not use your customer or tenant data for our own commercial purposes. This makes swivl the Processor (or "Service Provider" under CCPA).
Because you are the Controller, your customers' and tenants' privacy rights run to you first. When an end user asks who recorded their call, or requests deletion of their data, they are exercising rights against your organization. swivl supports you in fulfilling those obligations, but the primary legal responsibility is yours.
2. What swivl Processes on Your Behalf
Through swivlStudio, swivl may process the following categories of personal information belonging to your customers, tenants, leads, and prospects, depending on the features you have enabled:
| Category | Examples | Features Involved |
|---|---|---|
| Contact identifiers | Name, email, phone, address | All channels |
| Account and unit data | Balance, payment status, unit number, gate code | Support Agent, Billing Agent, FMS integrations |
| Voice recordings | Inbound/outbound call recordings and transcriptions | Voice AI (Disruptor), Contact Center |
| Written communications | SMS content, web chat transcripts, email | SMS, chat, email channels |
| Behavioral data | Reservation intent, collections response, review status | Agents, Sequences |
| Device and session data | IP address, browser type, local storage identifiers | Web chat widget |
How swivl Retrieves Account Data: FMS Integration
Much of the account and tenant data swivl processes is retrieved in real time through a secure API connection to your Facility Management Software ("FMS"), such as SiteLink, StorEdge, QuikStor, or SSM Cloud. When an end user contacts your location via voice, SMS, or web chat, swivl queries your FMS to look up account details, unit information, gate codes, or payment status needed to fulfill the interaction.
A few important points on this:
- Your FMS vendors are not swivl's subprocessors. They are your own systems of record, operating under your separate agreements with those vendors. swivl queries them on your behalf but does not control or process data within those systems.
- Data accuracy depends on your FMS. swivl can only surface information that exists and is accurate in your FMS. If a record is incomplete or outdated, the data swivl retrieves will reflect that.
- FMS API credentials are provided by you. You are responsible for ensuring swivl's API access is properly authorized and that access is revoked upon termination of your swivl subscription.
3. Your Obligations as the Data Controller
Because you are the Controller, applicable privacy laws place specific obligations on your organization when you engage a vendor like swivl to process data on your behalf.
- Update your privacy policy. Your privacy policy must disclose that you use third-party AI communications technology to process customer and tenant interactions, including voice calls, SMS, and web chat. Identify swivl by name or by category. See Section 4 for sample language.
- Establish a lawful basis for processing. For most operators, this will be contract performance and legitimate interests. In jurisdictions requiring affirmative consent (Quebec, GDPR-covered locations), you are responsible for obtaining and documenting that consent.
- Obtain consent for outbound AI communications. If you use swivl's outbound voice AI, SMS sequences, or collections outreach, you are responsible for ensuring you have required consents under TCPA, CASL, and any other applicable law.
- Respond to data subject requests. When a customer or tenant exercises a privacy right, that request is directed to you. swivl will assist you in fulfilling such requests as described in our DPA. You are responsible for responding within applicable legal timeframes.
- Notify end users of voice recording. Many US states and Canadian provinces require notice before recording a call. You are responsible for ensuring your locations comply. swivl's platform supports configurable AMD disclosures and scripted openings to help.
- Honor opt-outs and suppression lists. swivl's platform honors opt-out statuses imported from your FMS. You are responsible for keeping those records accurate and current.
swivl's compliance infrastructure is built to support your compliance program. It does not replace it. The obligation to comply with applicable privacy and communications laws is yours as the operator.
4. Updating Your Own Privacy Policy
At a minimum, your privacy policy or customer-facing disclosures should include:
- Types of personal information collected through customer and tenant interactions
- Purposes for which that information is used
- Disclosure that you use third-party AI communication technology (swivl) to handle certain interactions, including voice calls, SMS, and web chat
- How customers and tenants can exercise their privacy rights
- Contact information for privacy inquiries
We strongly recommend consulting with legal counsel in your jurisdiction to ensure your privacy disclosures are complete and compliant.
5. Jurisdiction-Specific Requirements
The following is a non-exhaustive summary of key compliance considerations by geography. This is not legal advice. Consult qualified counsel in each jurisdiction where you operate.
United States
California residents have rights to know, delete, correct, and opt out. TCPA governs SMS and voice outreach consent. Many states have call recording laws requiring all-party consent.
Canada
PIPEDA requires consent for collection and use. CASL requires express or implied consent for commercial electronic messages. Quebec Law 25 adds enhanced disclosure and portability rights.
European Union
GDPR applies based on data subject location. If your locations are accessed by EU or UK residents, stricter requirements apply. Contact swivl to discuss GDPR-compliant DPA terms.
If you use swivl's outbound SMS or email sequences to contact Canadian residents, you must have either express or implied consent under CASL before initiating those messages. Express consent must be affirmatively obtained and documented. We recommend maintaining your own consent records in your FMS or CRM.
6. Sample Disclosure Language
The following is sample language you may adapt for inclusion in your customer-facing privacy policy or notice. Review with your own legal counsel before use.
"We use swivl, an AI-powered communications platform operated by Education Bot, Inc., to handle certain customer interactions at our locations, including inbound and outbound phone calls, text messages, and web chat. swivl processes personal information such as your name, phone number, email address, and account information on our behalf. swivl does not use your personal information for its own commercial purposes. For more information, visit tryswivl.com/legal/privacy."
"Calls to and from our locations may be recorded and transcribed using AI technology for quality assurance and operational purposes. By calling us, you consent to the recording and transcription of your call. If you do not consent, please inform our staff at the start of the call."
"By providing your mobile phone number, you agree to receive automated text messages from [Business Name] regarding your account, including account reminders, payment notices, and service information. Message and data rates may apply. Reply STOP to opt out at any time."
"If you have a past-due balance on your account, you may receive automated calls or text messages from our AI communications system regarding your account status. These communications are made on behalf of [Business Name]. To speak with a staff member, reply HELP or call us directly at [phone number]."
7. A Note on GDPR
swivl is a US-based company and our standard agreements are designed for US and Canadian compliance. GDPR applies based on where the data subject is located, not where your business operates. If your locations are accessed by EU or UK residents, GDPR obligations may apply to you.
swivl's standard DPA covers US and Canadian legal requirements. If you require GDPR-compliant processing terms, including Standard Contractual Clauses for cross-border data transfers, please contact us before deploying swivl to process EU resident data. We will work with you to put appropriate supplemental terms in place.
8. Questions
5900 Balcones Drive, Suite 4000 · Austin, TX 78731 · Attention: Compliance
Education Bot, Inc. (operating as swivl) · tryswivl.com · swivl.studio · info@tryswivl.com
This Product Privacy Notice was last updated on January 10, 2026.