Swapp Privacy Policy

Effective as of January 5, 2025

Swapp, a French limited liability company (SARL) registered with the Versailles Trade and Companies Register under number 904 693 264, whose head office is located at 64 route de Versailles, 78430 Louveciennes (“Swapp”), is committed to protecting and respecting the privacy and personal data (“Data”) of the users (“Users”) of its website www.swapp.fr and its mobile application “Swapp” (the “Application”).

This Privacy Policy aims to provide transparent information about:

• The types of Data collected,

• The purposes and legal bases for processing such Data,

• The duration of Data retention and how Data is shared,

• The rights of Users,

• The security measures adopted by Swapp to protect this Data.

For any questions regarding this Policy, Users may contact Swapp:

• By email: team@swapp.fr

• By post: 64 route de Versailles, 78430 Louveciennes, France

• Data Protection Officer (DPO): Arthur FEINGOLD – arthur@swapp.fr

1. Data Collected

1.1 Data Collected When Creating an Account

When registering for the Application, Swapp collects the following information:

• Last Name (required)

• First Name (required)

• Email Address or Phone Number, depending on the chosen authentication method (required)

• Profile Picture (required)

• Connection details via third-party services (Google, Apple, LinkedIn), if applicable

Legal basis: Performance of contract (Terms of Use) — these details are necessary for providing Swapp’s services.

1.2 Data Collected When Creating and Exchanging Digital Business Cards

When a User creates a digital business card, they may freely choose the information to include, such as:

• Professional or personal contact details (phone number, email, postal address)

• Links to social network profiles

• Images, videos, files, and documents (optional)

• Titles, texts, and any other links

When two Users exchange cards, Swapp may collect location, date, and time of the exchange, used to show the event on the map at the time of exchange.

These details are not stored permanently and are only used to enrich the user experience during the exchange.

Legal basis: Performance of contract (facilitating connection and card sharing).

1.3 Sensitive Data

Swapp does not intentionally collect sensitive data as defined by the GDPR. However, Users are solely responsible for any information (including sensitive information) they choose to add or share.

2. Purposes and Legal Basis for Processing

Swapp uses the Data collected for the following purposes:

1. Creation and management of User accounts: Performance of contract (necessary for providing account-based services).

2. Creation and sharing of digital business cards: Performance of contract (enabling card exchange between Users).

3. Statistical analysis and improvement of the Application:

   • Swapp uses Firebase Analytics and Crashlytics to collect usage data and diagnose crashes.

   • The data processed by these tools is generally pseudonymized or anonymized.

   • Legal basis: Swapp’s legitimate interest in ensuring the stability, security, and improvement of the Application.

1. Technical support and assistance: Performance of contract (handling support requests).

Swapp does not carry out commercial prospecting or marketing profiling without the explicit consent of Users.

3. Cookies and Other Trackers

Swapp does not use marketing cookies or advertising tracking technologies. The website and Application are limited to using Firebase Analytics and Crashlytics for statistical and stability improvement purposes:

• Firebase Analytics: measures overall audience and usage of the App/website.

• Firebase Crashlytics: automatically collects certain information (device type, OS version, etc.) to diagnose crash causes.

The data collected is primarily pseudonymized and does not directly identify individual Users.

4. Data Retention Period

Swapp retains Data only for as long as is necessary to fulfill the purposes for which it was collected:

• Account Data (first name, last name, email/phone, etc.): retained while the User’s account is active.

• In the event of prolonged inactivity (3 years), Swapp will automatically delete the account’s Data.

• If a User voluntarily deletes their account, the Data will be deleted immediately, unless there is a legal requirement to retain it.

• Exchange Data (location, date, time) is not permanently stored.

• Technical logs (including Crashlytics) are kept for the time strictly necessary for troubleshooting and diagnosing crashes, typically a few weeks to a few months (the default period in Firebase).

5. Data Sharing

5.1 Sharing with Third Parties

Swapp relies on Firebase (Google Cloud Platform) for hosting and technical services. Google Cloud acts as a data processor, in compliance with EU data protection and security standards.

5.2 Data Location

Data is hosted on Google Cloud servers in the European Union (Europe region). If transfers outside the EU become necessary (for specific technical operations), Swapp will ensure appropriate safeguards (e.g., Standard Contractual Clauses approved by the European Commission) are in place to ensure an adequate level of protection.

6. Users’ Rights

In accordance with the GDPR, Users have the following rights:

• Right of Access: to obtain confirmation as to whether their Data is being processed, and if so, a copy of that Data.

• Right to Rectification: to request correction of inaccurate or incomplete Data.

• Right to Erasure (“Right to be Forgotten”): to request the deletion of their Data, subject to legal obligations to retain certain information.

• Right to Object: to object, on legitimate grounds, to the processing of their Data.

• Right to Data Portability: to receive their Data in a structured, commonly used format, and to transmit it to another controller.

• Right to Restriction of Processing: to request a temporary suspension of Data processing.

To exercise these rights, Users may contact Swapp:

• By email: team@swapp.fr

• By indicating “DPO” in the subject line to reach Arthur FEINGOLD (Data Protection Officer) directly if needed.

Swapp may request proof of identity in order to process certain requests. In compliance with the GDPR, Swapp commits to responding within one month (extendable by two months in the case of complex requests).

In case of complaints, Users can contact the CNIL (French Data Protection Authority) or seek a remedy in the competent courts.

7. Data Security

Swapp implements appropriate technical and organizational measures to ensure the security and confidentiality of Data:

• Encryption in transit (HTTPS): all communications between the Application/website and Swapp’s servers are secured using TLS/SSL.

• Secure Hosting: Google Cloud servers in Europe comply with recognized security standards (ISO 27001, etc.).

• Access Controls: Data access is restricted to authorized Swapp personnel only.

• Monitoring and Logging: Access logs are maintained to detect and prevent malicious activities.

Users are responsible for keeping their login credentials (passwords, etc.) confidential.

8. Notification of Data Breach

In the event of a personal data breach, Swapp undertakes to:

• Notify the CNIL without undue delay and, where feasible, within 72 hours of becoming aware of the breach, when required by law.

• Inform the affected Users if the breach is likely to result in a high risk to their rights and freedoms (e.g., identity theft).

9. Minors

Swapp is not intended for individuals under 15 years of age. If a minor creates an account without parental authorization, the account will be deleted as soon as Swapp becomes aware of it.

10. Changes to This Policy

Swapp reserves the right to modify this Privacy Policy at any time. In the event of any significant changes, Users will be notified via a notification within the Application or by any other appropriate means (email, update on the website, etc.).

11. Contact

For any questions regarding this Policy or to exercise their rights, Users can contact Swapp:

• By email: team@swapp.fr

• By post: 64 route de Versailles, 78430 Louveciennes, France

• Data Protection Officer (DPO): Arthur FEINGOLD – arthur@swapp.fr

Last updated: January 5, 2025