Academic Privacy Policy
Last updated: 2 April 2026
1. Introduction
This Academic Privacy Policy applies to Dwixel services provided under institutional agreements with universities, colleges, and research institutions. It explains how we collect, use, and protect personal data in the context of educational use.
Dwixel Ltd is registered in England and Wales. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our supervisory authority is the Information Commissioner's Office (ICO).
2. Data Controller and Processor Roles
When Dwixel is used under an institutional agreement, your institution is the data controller and Dwixel Ltd acts as a data processor. We process personal data only on the documented instructions of your institution, as set out in our Data Processing Agreement (DPA).
For individual accounts not covered by an institutional agreement, Dwixel Ltd acts as the data controller.
3. Data We Collect
- Account data — name, email address, institutional role, department
- Content data — documents, comments, edits, presentations, whiteboard content
- Usage data — feature usage, session duration, collaboration activity (anonymised and aggregated for institutional analytics only)
- Technical data — IP address, browser type, device information (used for security and service delivery only)
- Authentication data — session identifiers and auth tokens (not stored beyond the session lifecycle)
4. How We Use Data
We process personal data exclusively for the following purposes:
- Providing the Dwixel collaborative editing and workspace service
- Authenticating users via email/password
- Enabling real-time collaboration features
- Generating aggregated analytics for institutional administrators
- Ensuring security, preventing fraud, and resolving technical issues
- Fulfilling our contractual obligations to the institution
5. What We Do NOT Do
- We do NOT sell student or staff personal data
- We do NOT use personal data for advertising, marketing, or profiling
- We do NOT share personal data across institutions
- We do NOT use personal data to train AI or machine learning models
- We do NOT disclose personal data to third parties except as listed in our sub-processor register
6. Lawful Basis for Processing
Under UK GDPR, our lawful bases for processing are:
- Contract (Article 6(1)(b)) — processing necessary to perform our contract with the institution
- Legitimate interests (Article 6(1)(f)) — security, fraud prevention, service improvement
- Legal obligation (Article 6(1)(c)) — where required by law
7. Data Retention
We retain personal data for the duration of the institutional agreement plus a grace period of 90 days. After this period, personal data is securely deleted unless the institution has requested a longer retention period.
Institutions can configure their own retention policies via the admin console. Content created by users is available for self-service export at any time.
8. Data Subject Rights
Under UK GDPR, individuals have the right to:
- Access their personal data
- Rectification of inaccurate data
- Erasure ("right to be forgotten") — honoured within 30 days
- Data portability — export in standard formats (PDF, DOCX, JSON)
- Restrict or object to processing
- Withdraw consent where consent is the lawful basis
For users covered by an institutional agreement, data subject requests should be directed to your institution's data protection officer. We will assist the institution in fulfilling these requests as set out in our DPA.
9. Sub-Processors
We use the following sub-processors to deliver the service:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database, authentication, file storage | EU (London) or as configured |
| TipTap / Hocuspocus | Real-time document collaboration | EU (Germany) |
| Anthropic | AI writing assistance (opt-in only) | US (adequate safeguards) |
| Brevo / SendGrid | Transactional email delivery | EU / US |
| Agora | Video calling infrastructure | Global CDN |
| Sapling AI | Grammar checking (opt-in only) | US (adequate safeguards) |
We will notify institutional data controllers before adding or changing sub-processors, providing an opportunity to object.
10. International Data Transfers
Where data is transferred outside the UK, we ensure adequate safeguards are in place as required by UK GDPR Chapter V. This includes UK International Data Transfer Agreements (IDTAs) or reliance on adequacy decisions.
Institutions can choose to store all data within the UK/EU by selecting the London (eu-west-2) data residency region in the admin console.
11. Security
We implement appropriate technical and organisational measures including:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Row-Level Security on all database tables
- Two-factor authentication support
- Rate limiting and DDoS protection
- Audit logging of all administrative actions
- Regular security reviews
For full details, see our Security page.
12. Data Breach Notification
In the event of a personal data breach, we will notify the affected institution within 72 hoursof becoming aware of the breach, in accordance with UK GDPR Article 33. The notification will include:
- Nature of the breach and categories of data affected
- Approximate number of individuals affected
- Likely consequences
- Measures taken or proposed to address the breach
13. Children's Data
Dwixel is designed for use by university and college students aged 16 and over. We do not knowingly collect personal data from children under the age of 16. Where an institution enrolls students between 13-16 (e.g., dual-enrollment programmes), the institution is responsible for obtaining appropriate parental consent.
14. Contact
For privacy enquiries related to institutional accounts:
- Email: privacy@dwixel.com
- Data Protection Officer: dpo@dwixel.com
- Postal: Dwixel Ltd, London, United Kingdom
You also have the right to lodge a complaint with the ICO:ico.org.uk/make-a-complaint