Transparency is core to our mission. Below are the documents that describe our approach to data protection under GDPR, Quebec Law 25, PIPEDA, CASL, and the EU AI Act. The set has been rebuilt to a single canonical data model (Model Specification v1.0): Actors, the reasoning/intelligence firewall, sovereign profiles, and consent-gated group intelligence.
Status: This compliance set is a working draft under legal review (last updated June 4, 2026). Documents and statuses are labelled honestly below. Nothing is described as “approved,” “verified,” or “live” — items reach those states only when they genuinely have. Items marked Planned are pending real-world facts or testing and are available to regulators on request.
1. Privacy Policy v1.3: Primary commitment to data protection and user rights. Rebuilt to the Actor model, the reasoning/intelligence firewall, sovereign profiles, and the four-step consent sequence.
Version 1.3 | Draft — in review
2. Terms of Service v1.3: Agreement governing service use, Actors, group participation, and educational contexts. Acceptable-use mirrors Swomi’s own no-scrape commitment.
Version 1.3 | Draft — in review
3. Data Governance Charter v1.0: Internal roles, DPO responsibilities, model change-control, and escalation paths. Drafted as a template.
Template | Draft — names pending
Risk & Legal Basis
4. PIA / DPIA Summary v1.2: Risk assessment for the Actor model, the firewall, group contribution, and special-category inference.
Version 1.2 | Pending sign-off
5. Legitimate Interest Assessment (Security) v1.2: Justification for Zone A security profiling without consent; includes the confirmed-threat firewall note and Art. 22 path.
Ref: PP §9 | Draft — in review
6. AI Act Conformity Assessment v1.0: Mapping to EU AI Act Art. 5 (prohibitions), Art. 50 (transparency), and Art. 22 human review. Drafted.
EU focus | Draft — in review
7. Data Transfer Impact Assessment: Cross-border data-flow analysis (Canada / US / EU). Depends on the finalized Sub-Processor List (#10).
SCCs | Planned — pending #10
Operational Records
8. Record of Processing Activities (ROPA) v1.3: Master inventory of data flows and legal bases; adds reasoning-engine processor, groups/contribution, the Art. 9 store, and the world-graph.
Ref: PP §3 | Draft — in review
9. Data Architecture Diagram v1.0: One-page visual of the two levels, the firewall, the consent gate, Zone A/B, the walled Art. 9 store, and the anonymized world-graph. Drafted.
Technical | Draft — in review
10. Sub-Processor List & SCCs: Current vendors (cloud, vector store, reasoning provider) and the status of signed Standard Contractual Clauses.
Vendors | Planned — pending facts
11. Data Retention Schedule v1.0: Periods, basis, and deletion/anonymization method for every category. Drafted. Summary in Privacy Policy §8.
Ref: PP §8 | Draft — in review
Rights & Response
12. Rights Fulfillment Runbook v1.2: Steps for Access, Erasure, Rectification, Portability, Objection, and Withdrawal — per-Actor, with the Art. 9 store and contribution-retraction handling.
Internal | Draft — in review
13. Breach Notification Protocol v1.0: Detection, assessment, containment, and notification (GDPR 72h / Law 25 CAI / PIPEDA OPC). Drafted; tabletop test pending.
Ref: PP §14 | Draft — in review
14. Consent Management Log (Methodology) v1.0: How consent is recorded (append-only, per-Actor/per-group) and how it demonstrates Art. 7 validity. Drafted.
Ref: PP §5 | Draft — in review
15. Acceptable Use Policy v1.0: Prohibited use, Actor/agent rules, the data-harvesting ban, and educational contexts. Drafted.
Ref: ToS §6 | Draft — in review
Supporting & Technical Artifacts
Canonical Model Specification v1.0: The single source of truth every document is built against.
Internal | Locked
Compliance Database Schema v1.3: MySQL. Enforces consent, the walled Art. 9 store, and contribution retraction.
MySQL | Draft — verify in prod
Consent Flow Mapping v1.3: The four-step contextual consent sequence; basis for the swomi.com screen.
Design | Draft — in review
Master Compliance Matrix v1.3: UI-to-legal “sync proof” mapping every element to a clause and artifact.
Sync Proof | Draft — in review
Outstanding before any item can be marked “verified” or “approved”
Independent engineering verification: Zone A/B isolation; the reasoning/intelligence firewall de-identification stripping; and contribution blend-irreversibility. These are asserted by design and tested before being claimed.
Vendor facts (#10): the real Sub-Processor List and signed SCCs/DPAs — which in turn unblock the Data Transfer Impact Assessment (#7).
Sign-offs: DPO and CTO/CEO signatures on the PIA/DPIA (#4); named owners in the Data Governance Charter (#3).
Live consent flow: the swomi.com consent screen validates the Art. 7 conditions (freely-given, specific, informed, unambiguous, withdrawable).
Engine / intelligence specifications: propagation of the model into the internal engine documents.
Note: Internal documents are available in full to regulators on request; redacted summaries are provided here for transparency. Status labels reflect each document’s genuine current state and are updated only as drafts are finalised, signed off, and operational controls are independently verified. Swomi does not scrape, source, or cold-contact non-users, does not sell personal data, and does not use it for targeted advertising.