DWIXEL

Academic Privacy Policy

Last updated: 2 April 2026

1. Introduction

This Academic Privacy Policy applies to Dwixel services provided under institutional agreements with universities, colleges, and research institutions. It explains how we collect, use, and protect personal data in the context of educational use.

Dwixel Ltd is registered in England and Wales. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our supervisory authority is the Information Commissioner's Office (ICO).

2. Data Controller and Processor Roles

When Dwixel is used under an institutional agreement, your institution is the data controller and Dwixel Ltd acts as a data processor. We process personal data only on the documented instructions of your institution, as set out in our Data Processing Agreement (DPA).

For individual accounts not covered by an institutional agreement, Dwixel Ltd acts as the data controller.

3. Data We Collect

  • Account data — name, email address, institutional role, department
  • Content data — documents, comments, edits, presentations, whiteboard content
  • Usage data — feature usage, session duration, collaboration activity (anonymised and aggregated for institutional analytics only)
  • Technical data — IP address, browser type, device information (used for security and service delivery only)
  • Authentication data — session identifiers and auth tokens (not stored beyond the session lifecycle)

4. How We Use Data

We process personal data exclusively for the following purposes:

  • Providing the Dwixel collaborative editing and workspace service
  • Authenticating users via email/password
  • Enabling real-time collaboration features
  • Generating aggregated analytics for institutional administrators
  • Ensuring security, preventing fraud, and resolving technical issues
  • Fulfilling our contractual obligations to the institution

5. What We Do NOT Do

  • We do NOT sell student or staff personal data
  • We do NOT use personal data for advertising, marketing, or profiling
  • We do NOT share personal data across institutions
  • We do NOT use personal data to train AI or machine learning models
  • We do NOT disclose personal data to third parties except as listed in our sub-processor register

6. Lawful Basis for Processing

Under UK GDPR, our lawful bases for processing are:

  • Contract (Article 6(1)(b)) — processing necessary to perform our contract with the institution
  • Legitimate interests (Article 6(1)(f)) — security, fraud prevention, service improvement
  • Legal obligation (Article 6(1)(c)) — where required by law

7. Data Retention

We retain personal data for the duration of the institutional agreement plus a grace period of 90 days. After this period, personal data is securely deleted unless the institution has requested a longer retention period.

Institutions can configure their own retention policies via the admin console. Content created by users is available for self-service export at any time.

8. Data Subject Rights

Under UK GDPR, individuals have the right to:

  • Access their personal data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten") — honoured within 30 days
  • Data portability — export in standard formats (PDF, DOCX, JSON)
  • Restrict or object to processing
  • Withdraw consent where consent is the lawful basis

For users covered by an institutional agreement, data subject requests should be directed to your institution's data protection officer. We will assist the institution in fulfilling these requests as set out in our DPA.

9. Sub-Processors

We use the following sub-processors to deliver the service:

Sub-ProcessorPurposeLocation
Supabase (AWS)Database, authentication, file storageEU (London) or as configured
TipTap / HocuspocusReal-time document collaborationEU (Germany)
AnthropicAI writing assistance (opt-in only)US (adequate safeguards)
Brevo / SendGridTransactional email deliveryEU / US
AgoraVideo calling infrastructureGlobal CDN
Sapling AIGrammar checking (opt-in only)US (adequate safeguards)

We will notify institutional data controllers before adding or changing sub-processors, providing an opportunity to object.

10. International Data Transfers

Where data is transferred outside the UK, we ensure adequate safeguards are in place as required by UK GDPR Chapter V. This includes UK International Data Transfer Agreements (IDTAs) or reliance on adequacy decisions.

Institutions can choose to store all data within the UK/EU by selecting the London (eu-west-2) data residency region in the admin console.

11. Security

We implement appropriate technical and organisational measures including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Row-Level Security on all database tables
  • Two-factor authentication support
  • Rate limiting and DDoS protection
  • Audit logging of all administrative actions
  • Regular security reviews

For full details, see our Security page.

12. Data Breach Notification

In the event of a personal data breach, we will notify the affected institution within 72 hoursof becoming aware of the breach, in accordance with UK GDPR Article 33. The notification will include:

  • Nature of the breach and categories of data affected
  • Approximate number of individuals affected
  • Likely consequences
  • Measures taken or proposed to address the breach

13. Children's Data

Dwixel is designed for use by university and college students aged 16 and over. We do not knowingly collect personal data from children under the age of 16. Where an institution enrolls students between 13-16 (e.g., dual-enrollment programmes), the institution is responsible for obtaining appropriate parental consent.

14. Contact

For privacy enquiries related to institutional accounts:

You also have the right to lodge a complaint with the ICO:ico.org.uk/make-a-complaint