Privacy Policy
Last updated June 2026
This policy is maintained by the Swaption team. It describes what data we collect and what you can do about it. We are the data controller for the information processed through this app.
1. What we collect
- Account: email, password hash, display name, username, optional avatar, bio, location.
- Listings & content: photos, titles, descriptions, prices, categories, and the messages you send.
- Transactions: orders, offers, fees, tracking numbers, shipping addresses, dispute records.
- Device & usage: IP address, browser, OS, pages visited, approximate location derived from IP.
- Optional: precise location only if you explicitly grant browser permission for a meet-up search.
2. Why we use it (lawful basis)
- Contract: to operate your account and process orders you make.
- Legitimate interest: to keep the marketplace safe (fraud, abuse, moderation), to debug, and to improve features.
- Consent: analytics and marketing cookies (see cookie policy); marketing emails when you opt in.
- Legal obligation: to keep tax/payment records and to respond to lawful requests.
3. Subprocessors we use
We rely on the following companies to run Swaption. Each one only sees what's needed for its job and is bound by its own data-processing agreement.
- Supabase (Lovable Cloud) — database, authentication, file storage. Servers in the EU.
- Lovable AI Gateway — automated content moderation of listing images and text.
- Mailgun (via Lovable Emails) — sending transactional and authentication emails.
- Google Maps Platform — map tiles for meet-up locations.
- Cloudflare — CDN and DDoS protection.
4. Sharing
We do not sell your personal data. Other members see your public profile (display name, avatar, bio, location string, listings, reviews). Email addresses and shipping addresses are only shared with the counterparty of an active order. Aggregated, anonymized usage statistics may be shared with investors and partners.
5. Retention
- Account & profile: while your account exists.
- Listings: while published, plus 12 months in a soft-deleted state for fraud review.
- Messages: 24 months after the conversation goes idle.
- Orders, payments, invoices: 7 years for tax compliance.
- Dispute records: 5 years.
- Backups: rolling 30-day window, then purged.
6. Your rights
Where the GDPR or equivalent laws apply, you have the right to access, correct, export, restrict, and erase your personal data, and to object to processing based on legitimate interest. Most of these are self-serve:
- Access & export — "Download my data" on your profile.
- Correction — edit your profile.
- Erasure — "Delete account" on your profile. Some records are kept where law requires.
- Other requests: privacy@swaption.app.
7. Children
Swaption is not for users under 16. If we discover we are processing the data of a child, we delete the account.
8. International transfers
Some subprocessors operate in the United States. Where personal data of EU/UK residents is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses.
9. Security
We use TLS in transit, encryption at rest, row-level security on user-owned tables, and least-privilege roles for our staff. No system is perfectly secure; report suspected vulnerabilities to security@swaption.app.
10. Changes
We will email you and post an in-app notice at least 14 days before material changes take effect.