Privacy Policy
1. Who We Are
This Privacy Policy describes how Swipy ("we", "us", "our"), the operator of the website-building platform available at swipy.org (the "Service"), collects, uses, and protects personal data.
Swipy is operated by a private individual based in Ukraine (the "Operator"). The Operator's full legal name and address are provided on written request to [email protected].
Data Controller contact details:
Email: [email protected]
Data protection contact: [email protected]
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or its UK equivalent applies to our processing of your personal data. If you are a California resident, the California Consumer Privacy Act as amended by the CPRA ("CCPA") applies — see Section 12.
2. Our Roles: Controller and Processor
Swipy is a website-builder platform. This creates distinct data relationships, and it is important to understand which one applies to you:
(a) Swipy as Data Controller. When you create a Swipy account and use the Service, we are the controller of your personal data (such as your email address). This Privacy Policy governs that relationship.
(b) Swipy as Data Processor. When you build and publish a website using Swipy, your site may collect personal data from its visitors — for example, through contact forms, scheduling/booking features, or similar submissions. For that site-visitor data, you (the site owner) are the controller, and Swipy is a processor acting on your instructions. That relationship is governed by our Data Processing Agreement (DPA), available at swipy.org/dpa, not by this Privacy Policy.
(c) Platform security (visitor technical data). Independently of (b), Swipy processes limited technical data of visitors to customer-built websites — IP address, request metadata, and timestamps — as a controller, solely for the security, integrity, and abuse prevention of the platform itself (for example, rate limiting, denial-of-service protection, and blocking malicious traffic). The legal basis is our legitimate interest in keeping the Service secure and operational (Art. 6(1)(f) GDPR). This data is not used for advertising, profiling, or any other purpose, and is retained as described in Section 8.
If you are a visitor to a website built with Swipy: the owner of that website is responsible for how the data you submit is collected and used. Please consult that website's own privacy policy. Swipy stores and processes such submitted data only on the site owner's behalf and does not use it for its own purposes.
3. Personal Data We Collect (as Controller)
We practice data minimization. We currently collect:
(a) Account data
Email address — required to create and authenticate your account.
(b) Technical and security data
IP address, browser type, device information, and access timestamps, collected automatically in server logs when you use the Service. We use this data only to operate, secure, and debug the Service (e.g., abuse prevention, rate limiting, incident investigation).
(c) Payment and billing data (when paid plans are available)
Payments are processed by Stripe (see Section 6). Swipy does not store full payment card numbers. We retain limited billing metadata such as transaction identifiers, plan type, billing country, and payment status, as needed for billing administration, accounting, and tax compliance.
(d) Communications
If you contact us (e.g., support requests), we process the contents of that communication and your contact details to respond.
We do not collect special categories of personal data (Art. 9 GDPR), and we ask that you do not submit such data to us.
4. Purposes and Legal Bases for Processing
| Purpose | Data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account creation, authentication, providing the Service | Email address | Art. 6(1)(b) — performance of a contract |
| Service security, abuse prevention, debugging | Technical/log data (including visitor technical data per Section 2(c)) | Art. 6(1)(f) — legitimate interests (keeping the Service secure and operational) |
| Processing payments and managing subscriptions | Billing metadata | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligations (accounting, tax) |
| Responding to support requests | Communications | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interests |
| Service announcements (e.g., security notices, material changes) | Email address | Art. 6(1)(f) — legitimate interests; Art. 6(1)(c) where legally required |
| Marketing emails (if introduced) | Email address | Art. 6(1)(a) — consent; you may withdraw at any time |
| Establishing, exercising, or defending legal claims | Relevant records | Art. 6(1)(f) — legitimate interests |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may object at any time (Section 10).
We do not use your personal data for automated decision-making producing legal or similarly significant effects (Art. 22 GDPR), and we do not sell your personal data.
5. Data Processed Through Customer-Built Sites (as Processor)
When site visitors submit data through websites built on Swipy (form submissions, scheduling requests, and similar features):
- We process that data solely on the documented instructions of the site owner and only to provide the Service.
- We do not use site-visitor data for advertising, profiling, or any independent purpose.
- The site owner is responsible for providing a privacy notice to their visitors, establishing a legal basis for collection, and honoring visitor rights requests.
- We support site owners in fulfilling data subject rights requests (access, deletion, etc.) concerning visitor data, as set out in the DPA.
- Upon termination of a customer account, site-visitor data is deleted or returned in accordance with the DPA and Section 8.
Site owners who are subject to the GDPR and use Swipy to collect personal data from visitors should execute our DPA, available at swipy.org/dpa.
6. Service Providers and Third Parties
We share personal data only with the following categories of recipients:
(a) DigitalOcean, LLC — hosting and managed database services. Our application data, including account data, is stored in DigitalOcean Managed Databases and hosted in Frankfurt (FRA1) or Amsterdam (AMS3), within the EEA. DigitalOcean acts as our processor under a data processing agreement incorporating the European Commission's 2021 Standard Contractual Clauses; for any incidental access from the United States by DigitalOcean's US parent, the SCCs apply, with DigitalOcean's certification under the EU–US Data Privacy Framework available as a secondary safeguard.
(b) Stripe, Inc. — payment processing. When you make a payment, your payment details are collected and processed directly by Stripe. Stripe acts in different data protection capacities depending on the activity: it is our processor when processing a payment on our instructions, and an independent controller for its own purposes such as fraud prevention, regulatory and anti-money-laundering compliance, and identity verification. Stripe's handling of your data is governed by its own privacy policy (stripe.com/privacy). Swipy never stores your full card details.
(c) Mailgun (Sinch) — delivery of authentication and service emails. Mailgun processes recipient email addresses and message content to deliver authentication and service emails on our behalf, using its EU sending region. Any incidental processing in the United States is covered by the European Commission's 2021 Standard Contractual Clauses incorporated into our agreement with Mailgun, with any applicable Data Privacy Framework certification as a secondary safeguard.
(d) Professional advisers and authorities. We may disclose personal data to lawyers, accountants, auditors, or public authorities where required by law or necessary to establish, exercise, or defend legal claims.
We maintain a current list of sub-processors (in respect of data we process on customers' behalf) at swipy.org/subprocessors and will notify account holders of changes as described in the DPA.
We do not sell or share personal data for cross-context behavioral advertising.
7. International Data Transfers
We are EU-focused, and we recommend and use EU-region data hosting where possible. However, some of our service providers (including DigitalOcean and Stripe) are headquartered in the United States, and some processing may involve transfers outside the EEA/UK.
Where personal data is transferred outside the EEA, the UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission in 2021 (Implementing Decision (EU) 2021/914), together with a transfer impact assessment and supplementary measures where appropriate — our primary transfer mechanism; and
- The EU–US Data Privacy Framework (DPF), where the recipient holds an active DPF certification — as a secondary mechanism.
As of the Last Updated date above, the European Commission's DPF adequacy decision remains valid and in force. Because its long-term status remains subject to ongoing legal proceedings, we maintain the SCCs as our primary safeguard so that lawful transfers can continue regardless of the outcome.
You may request a copy of the relevant safeguards by contacting us at [email protected].
8. Data Retention
| Data | Retention period |
|---|---|
| Account data (email) | For the life of your account, plus 90 days after deletion to allow for accidental-deletion recovery, then permanently deleted |
| Server logs / technical data (including visitor technical data per Section 2(c)) | 12 months, then deleted or anonymized |
| Billing records | Retained for as long as required by applicable accounting and tax law, then deleted |
| Support communications | 24 months after resolution |
| Site-visitor data processed on behalf of customers | Per the site owner's instructions and the DPA; deleted or returned upon account termination |
When retention periods expire, data is deleted or irreversibly anonymized. Backups containing deleted data are overwritten on a rolling basis within ninety (90) days, and remain protected by this policy until overwritten.
9. Security
We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS), encryption at rest for our managed databases, access controls and least-privilege administration, and logging and monitoring of production systems.
No system is perfectly secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by GDPR Art. 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will inform affected individuals without undue delay (Art. 34). Where we act as a processor, we will notify the affected site owner without undue delay.
10. Your Rights (GDPR)
If you are in the EEA, the UK, or Switzerland, you have the right to:
- Access — obtain a copy of the personal data we hold about you, including the specific recipients to whom it has been disclosed (Art. 15)
- Rectification — correct inaccurate or incomplete data (Art. 16)
- Erasure — request deletion of your data ("right to be forgotten") (Art. 17)
- Restriction — restrict processing in certain circumstances (Art. 18)
- Portability — receive your data in a structured, commonly used, machine-readable format (Art. 20)
- Objection — object to processing based on legitimate interests, and to direct marketing at any time (Art. 21)
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing (Art. 7(3))
To exercise these rights, email [email protected]. We will respond without undue delay and in any event within one month of receipt (extendable by two further months for complex or numerous requests, in which case we will inform you within the first month). We may need to verify your identity before fulfilling a request. Exercising these rights is free of charge, except for manifestly unfounded or excessive requests.
Complaints: You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of an alleged infringement (Art. 77). A list of EU supervisory authorities is available at edpb.europa.eu.
Note: if your request concerns data submitted through a website built by one of our customers, we will refer your request to that site owner (the controller) and assist them in responding, per Section 5.
11. Cookies and Similar Technologies
The Service uses only strictly necessary cookies required for authentication and session management (e.g., keeping you logged in) and security (e.g., CSRF protection). Under Article 5(3) of the ePrivacy Directive these are exempt from the consent requirement because they are strictly necessary to provide the service you have requested.
We do not currently use analytics, advertising, or tracking cookies on swipy.org. If this changes, we will update this policy and obtain your prior consent before setting any non-essential cookies.
Websites built by our customers may set their own cookies; those are governed by the respective site owner's policies.
12. California Privacy Rights (CCPA/CPRA)
This section applies to California residents.
Categories of personal information collected (in the preceding 12 months): identifiers (email address, IP address), internet/network activity (log data), and commercial information (billing metadata, once payments launch). Sources: directly from you, and automatically from your use of the Service. Purposes: as described in Section 4.
We do not sell personal information and do not share personal information for cross-context behavioral advertising. We have not done so in the preceding 12 months. We do not use or disclose sensitive personal information for purposes that would give rise to a right to limit.
California residents have the right to:
- Know/Access — the categories and specific pieces of personal information we have collected
- Delete — request deletion of personal information, subject to legal exceptions
- Correct — request correction of inaccurate personal information
- Limit — limit the use and disclosure of sensitive personal information (to the extent any is ever collected)
- Non-discrimination — not receive discriminatory treatment for exercising these rights
To exercise these rights, email [email protected] with the subject "California Privacy Request." We will verify your identity (typically by confirming control of the account email) and respond within 45 days, extendable by a further 45 days with notice. You may designate an authorized agent to act on your behalf; we will require proof of authorization.
Because we do not sell or share personal information, and we state that fact here, we are not required to and do not provide a "Do Not Sell or Share My Personal Information" link. We nonetheless honor Global Privacy Control (GPC) browser signals as opt-out requests.
13. Children's Privacy
The Service is not directed to children. We do not knowingly collect personal data from anyone under the applicable age of digital consent. Under GDPR Art. 8 the default age is 16, though individual EU member states may set a lower threshold of no less than 13; in the United States, COPPA applies to children under 13. If you believe a child has provided us personal data, contact [email protected] and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify account holders by email and/or a prominent notice in the Service at least 30 days before the changes take effect. The "Last Updated" date at the top reflects the latest revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy, except where the law requires fresh consent.
15. Contact
Questions, concerns, or rights requests:
- Rights requests and privacy questions: [email protected]
- Legal and data protection matters (including DPA, transfer safeguards, and Operator identity requests): [email protected]