Swopli logo

Cookie Policy

Version: v1.0.1
Preliminary version — subject to legal review
Nesta página

    1. What Are Cookies

    Cookies are small text files that are placed on your device (computer, smartphone, or tablet) when you visit a website or use a web application. They are widely used to make websites work more efficiently, to provide information to website operators, and to enable certain features.

    Our use of cookies is governed by:

    • The ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC), which requires prior informed consent before placing non-essential cookies on a user's device.
    • The General Data Protection Regulation (GDPR), specifically Article 6(1)(a) (consent) for non-essential cookies, and Article 6(1)(f) (legitimate interest) for strictly necessary cookies.
    • Applicable national implementations of the ePrivacy Directive in your country of residence.
    • Brazil LGPD (Law 13.709/2018), Article 7, I (consent for cookies that are not strictly necessary).
    • CCPA/CPRA (California Consumer Privacy Act) requirements for disclosure and opt-out.

    1.2 Types of Technologies We Use

    • Cookies: Small text files stored in your browser.
    • Local Storage: Browser-based storage (HTML5 localStorage) used for session management and user preferences.
    • Session Tokens: Authentication tokens managed by our backend (Supabase Auth).
    • Device Identifiers: Mobile app identifiers (not browser cookies) used for authentication and analytics.

    We organize the cookies and similar technologies we use into the following categories:

    2.1 Strictly Necessary

    These cookies are essential for the operation of Swopli. They cannot be disabled without breaking core functionality. No consent is required for these cookies under the ePrivacy Directive Article 5(3) exception ("service explicitly requested by the subscriber").

    Cookie / Storage Key Purpose Duration Provider
    swopli_cookie_consent Stores your cookie consent preferences (which categories you accepted or rejected) 12 months Swopli (first-party)
    sb-*-auth-token Supabase authentication session token Session / 7 days (persistent if "Remember me") Supabase (first-party)
    sb-*-auth-token-code-verifier PKCE code verifier for OAuth flows (Google, Apple, Facebook login) Session Supabase (first-party)
    $RCAnonymousID RevenueCat anonymous device identifier. Set only when user views subscription paywall or initiates a purchase. Pseudonymous device-level ID until Purchases.logIn links it to account. Required for subscription entitlement sync across platforms. Persistent (indefinite until app uninstall OR user logs in with account, whichever comes first) RevenueCat (revenuecat.com)
    Paddle iframe checkout cookies (__paddle_*, paddle_session) Third-party: Payment basket and checkout state during active web purchase (VIP/Boost via Paddle as Merchant of Record). These cookies are set by the Paddle iframe (buy.paddle.com) during checkout only. Automatically cleared after checkout completes. Session (cleared after checkout completes) Paddle (buy.paddle.com / paddle.com iframe)

    Legal basis: GDPR Article 6(1)(f) -- legitimate interest (essential for service operation). Exempt from consent requirement under ePrivacy Directive Article 5(3) as they are strictly necessary to provide the service the user has explicitly requested (authentication, checkout, subscription management).

    RevenueCat and Paddle cookies are classified as Strictly Necessary because they are required to complete a transaction the user has initiated (purchasing a subscription or boost). Under ePrivacy jurisprudence (e.g., Planet49, CJEU C-673/17), cookies that are "essential to provide a service explicitly requested" are exempt from consent. Here, the user's act of clicking "Subscribe" or "Buy Boost" is an explicit request for the transaction, and these cookies are essential to complete it.

    2.2 Functional

    These cookies enable enhanced functionality and personalization. They are not essential but improve user experience.

    Cookie / Storage Key Purpose Duration Provider
    swopli_locale Stores your selected language preference 12 months Swopli (first-party)

    Legal basis: GDPR Article 6(1)(a) -- consent (requested via cookie banner).

    In jurisdictions where consent is required (EU/EEA/UK/CH/BR): These cookies are only set after you accept "Functional" cookies in the cookie banner.

    In jurisdictions where consent is not required or is presumed (e.g., US outside California): These cookies are set by default, but you can opt out at /privacy/preferences.

    2.3 Analytics

    These cookies help us understand how users interact with Swopli so we can improve the platform. They are only set after you provide consent via the cookie banner.

    Cookie / Storage Key Purpose Duration Provider
    ph_* (PostHog prefix) Analytics session tracking, feature usage events, anonymized behavioral data 12 months PostHog (eu.posthog.com)
    ph_phc_*_posthog PostHog distinct ID for session continuity and cross-device attribution (pseudonymous) 12 months PostHog (first-party domain, data stored in EU)

    Legal basis: GDPR Article 6(1)(a) -- consent. Requires explicit opt-in in EU/EEA/UK/CH/BR jurisdictions before any analytics cookies are set.

    Data processing: PostHog is hosted in the European Union (eu.posthog.com, Frankfurt data center). Analytics data is pseudonymized and aggregated. No personal identifiers (name, email, phone) are transmitted to PostHog. IP addresses are anonymized (last octet masked) before storage.

    Opt-out: You can withdraw consent at any time at /privacy/preferences. Existing cookies will be deleted and no new analytics data will be collected.

    2.4 Marketing (Third-Party)

    Swopli uses one optional third-party marketing cookie via Paddle.js on web checkout pages (/vip and /boost only). It is gated by Marketing consent in the cookie banner and by CCPA/CPRA opt-out controls.

    Cookie / Storage Key Purpose Duration Provider
    Paddle.js _fbp (Facebook Pixel) Ad attribution tracking for Paddle web checkout conversions. Enables Paddle (as Merchant of Record) to measure ad campaign effectiveness via Meta/Facebook Conversion API. 90 days Paddle.js (loads Meta/Facebook pixel on Paddle's behalf)

    Legal basis: GDPR Article 6(1)(a) -- consent. For California users, optional Paddle/Meta attribution may be treated as "sharing" under CPRA when Marketing cookies are accepted. It is disabled when Marketing consent is rejected, when a valid Global Privacy Control signal is present, or when you exercise the Do Not Sell or Share preference.

    How it works:

    • The Paddle.js script loads ONLY on /vip and /boost pages (where users initiate web purchases).
    • The script loads ONLY if the user has accepted "Marketing" cookies in the banner.
    • If Marketing consent is denied, Paddle.js loads in pTracking: false no-tracking mode and the _fbp cookie is NOT set.
    • Paddle controls the checkout attribution integration. Swopli does not receive personal data from Facebook/Meta, but Swopli treats the cookie as optional Marketing attribution and honors consent, GPC, and Do Not Sell or Share opt-outs.

    Granular control: You can revoke Marketing consent at any time at /privacy/preferences or use /privacy/do-not-sell. The _fbp cookie will be deleted on your next visit, and Paddle.js will load in no-tracking mode on future checkout pages.

    3. How We Use Cookies

    3.1 Essential Functions (Strictly Necessary)

    • Authentication: Keep you logged in across pages and sessions.
    • Security: Protect against CSRF attacks and unauthorized access.
    • Checkout: Complete subscription and boost purchases (RevenueCat, Paddle).
    • Consent management: Remember your cookie preferences so we don't re-prompt unnecessarily.

    3.2 Personalization (Functional)

    • Language: Display Swopli in your preferred language (33 supported locales).

    3.3 Analytics and Improvement

    • Usage patterns: Understand which features are most used, where users get stuck, and what improvements to prioritize.
    • Performance monitoring: Detect slow pages, error rates, and infrastructure issues.
    • A/B testing: Test different UI variants to optimize user experience (PostHog Feature Flags).

    3.4 Marketing Attribution (Third-Party)

    • Ad effectiveness: Paddle may use the Facebook Pixel to measure which ad campaigns drive conversions when Marketing consent is active. This optional attribution is disabled when Marketing cookies are rejected, GPC is present, or a Do Not Sell or Share preference is active.

    4. Managing Cookies

    You have full control over the cookies placed on your device. Here is how you can manage them:

    When you first visit Swopli from any country, a cookie banner is displayed. The banner allows you to:

    • Accept all cookies (Strictly Necessary + Functional + Analytics + Marketing).
    • Reject non-essential cookies (only Strictly Necessary cookies are set).
    • Customize your preferences by category (toggle Functional, Analytics, Marketing individually).

    Your choice is stored in the swopli_cookie_consent cookie (12-month expiry) and respected across sessions.

    Why universal consent? While cookie-consent requirements vary by jurisdiction, Swopli extends consent choice globally wherever the website or app is available to provide consistent privacy control.

    4.2 Privacy Preferences Page

    You can change your cookie preferences at any time by visiting:

    https://swopli.com/privacy/preferences

    This page allows you to:

    • View which cookie categories are currently active.
    • Toggle each category on or off.
    • Clear all non-essential cookies immediately.
    • View a list of all cookies set by Swopli and their purposes.

    Changes take effect immediately. Previously set cookies are deleted within 24 hours.

    4.3 Browser Settings

    Most web browsers allow you to control cookies through their settings. You can typically:

    • View which cookies are stored on your device.
    • Delete specific cookies or all cookies.
    • Block cookies from specific websites or all websites.
    • Set notifications when a cookie is being set.

    Common browsers:

    • Chrome: Settings > Privacy and security > Cookies and other site data
    • Safari: Preferences > Privacy > Manage Website Data
    • Firefox: Settings > Privacy & Security > Cookies and Site Data
    • Edge: Settings > Cookies and site permissions

    Warning: Blocking Strictly Necessary cookies will prevent Swopli from functioning correctly (e.g., you may not be able to log in, complete purchases, or save preferences).

    4.4 Do Not Track (DNT)

    Swopli respects the "Do Not Track" (DNT) browser signal. If your browser sends a DNT signal (DNT: 1 HTTP header), we will:

    • Not set Analytics or Marketing cookies, regardless of your cookie banner selection.
    • Still set Strictly Necessary cookies (authentication, checkout) as these are essential for service operation.

    DNT support is honored in addition to GPC (see below).

    4.5 Global Privacy Control (GPC)

    Swopli recognizes the Global Privacy Control (GPC) signal as a valid opt-out for:

    • Sale of personal information (CCPA/CPRA "Do Not Sell or Share" right).
    • Targeted advertising.
    • Analytics cookies.
    • Marketing cookies.

    If your browser sends a GPC signal (Sec-GPC: 1 HTTP header), we will:

    • Not set Analytics or Marketing cookies.
    • Not share your data with third parties for advertising purposes.
    • Treat the signal as a binding opt-out under CCPA/CPRA §§ 1798.135(b)(2).

    You can enable GPC in browsers that support it (e.g., Brave, Firefox with Privacy Badger, DuckDuckGo).

    4.6 Mobile App (iOS/Android)

    The native mobile app (iOS and Android) does not use browser cookies. Instead, it uses:

    • Secure local storage: For authentication tokens (Supabase session).
    • Device identifiers: For analytics (PostHog) and subscription management (RevenueCat).
    • App-level permissions: You control location, notifications, camera, photo library via iOS/Android system permissions.

    Managing mobile app tracking:

    • iOS: Settings > Privacy & Security > Tracking. You can disable "Allow Apps to Request to Track" globally or deny tracking for Swopli specifically. Swopli respects Apple's App Tracking Transparency (ATT) framework and does not track across apps/websites owned by other companies.
    • Android: Settings > Privacy > Ads. You can opt out of personalized ads via "Opt out of Ads Personalization."
    • In-app: Swopli Settings > Privacy & Data > Analytics Opt-Out (toggles PostHog tracking).

    5. Third-Party Cookies

    Swopli uses minimal third-party cookies. Third-party cookies are set by domains other than swopli.com.

    5.1 Current Third-Party Cookies

    Provider Cookie Name Purpose Category Set On Duration
    Paddle __paddle_*, paddle_session Checkout session state (Merchant of Record iframe) Strictly Necessary /vip, /boost web checkout only Session
    Facebook (via Paddle.js) _fbp Ad attribution tracking (Paddle's conversion pixel) Marketing /vip, /boost web checkout only (if Marketing consent granted) 90 days

    5.2 Why So Few?

    Swopli minimizes third-party cookies to:

    • Reduce privacy risk.
    • Comply with ePrivacy Directive Article 5(3) and GDPR data minimization (Article 5(1)(c)).
    • Improve page load performance.
    • Reduce dependence on third-party tracking infrastructure (which is increasingly blocked by browsers).

    What we don't use:

    • Google Analytics (we use PostHog instead, which is EU-hosted and more privacy-friendly).
    • Swopli-operated Facebook Pixel (optional Paddle/Meta checkout attribution is described above and controlled by Marketing consent and privacy opt-outs).
    • Google Ads remarketing.
    • Third-party advertising networks.
    • Social media tracking pixels (except Paddle's opt-in Facebook Pixel as described above).

    6. Cookies by Jurisdiction

    Different jurisdictions have different cookie laws. Here's how Swopli complies:

    6.1 European Union / EEA / United Kingdom / Switzerland

    Law: ePrivacy Directive (2002/58/EC), GDPR, UK GDPR, Swiss FADP.

    Requirements:

    • Prior informed consent required for all non-essential cookies (Functional, Analytics, Marketing).
    • Granular choice (ability to accept/reject by category).
    • Easy withdrawal of consent (via /privacy/preferences).
    • No cookie walls (service remains accessible if you reject non-essential cookies).
    • Clear information about cookie purposes, durations, and third parties.

    How Swopli complies:

    • Cookie banner shown on first visit with granular controls.
    • Strictly Necessary cookies set immediately (ePrivacy Article 5(3) exemption).
    • Non-essential cookies set only after explicit consent.
    • Privacy Preferences page available 24/7 for consent withdrawal.

    6.2 Brazil

    Law: LGPD (Law 13.709/2018), Article 7, I (consent for personal data processing) + Article 11, II (explicit consent for sensitive personal data).

    Requirements:

    • Consent required for cookies that process personal data beyond what is strictly necessary for service delivery.
    • Clear information about purposes, recipients, and retention.
    • Right to withdraw consent at any time.

    How Swopli complies:

    • Cookie banner shown to all Brazilian users.
    • Consent collected before setting Analytics or Marketing cookies.
    • Privacy Preferences page available in Portuguese (pt-BR).

    6.3 United States (California)

    Law: CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act), effective 2023.

    Requirements:

    • Disclosure of cookies that collect personal information.
    • Opt-out of sale/sharing of personal information.
    • GPC signal recognition (CPRA § 1798.135(b)(2)).
    • No prior consent required for cookies (unless they constitute a "sale" under CCPA).

    How Swopli complies:

    • Cookie Policy (this document) provides detailed disclosure.
    • "Do Not Sell or Share My Personal Information" link in footer (routes to /privacy/do-not-sell).
    • GPC signal respected (see Section 4.5).
    • Paddle's Facebook Pixel is gated by Marketing consent and disabled by GPC or Do Not Sell or Share preferences. Swopli treats this optional attribution conservatively as potential CPRA "sharing."

    6.4 Canada

    Law: PIPEDA (Personal Information Protection and Electronic Documents Act), Quebec Law 25.

    Requirements:

    • Meaningful consent for personal information collection.
    • Clear disclosure of purposes.
    • Opt-out mechanism.

    How Swopli complies:

    • Cookie banner provides meaningful consent choice.
    • Privacy Preferences page available in English and French (for Quebec users).

    6.5 Other Countries

    For users in other countries (Latin America, Asia-Pacific, Middle East, Africa), Swopli applies the highest common denominator approach:

    • Universal cookie banner (consent requested even if not legally required).
    • Granular controls (by category).
    • Easy opt-out (Privacy Preferences page).
    • Transparency (full cookie list in this policy).

    This ensures Swopli is compliant as new cookie laws are adopted (e.g., India DPDPA, Thailand PDPA, Vietnam PDP Decree 13/2023/ND-CP) without requiring emergency changes.

    7. Changes to This Policy

    We may update this Cookie Policy from time to time to reflect changes in:

    • The cookies we use.
    • Our practices.
    • Legal requirements.
    • Third-party integrations (new processors, new technologies).

    When we make material changes -- such as adding new cookie categories, introducing new third-party cookies, or changing how we process cookie data -- we will:

    • Update this document and change the "Last Updated" date.
    • Notify you via the cookie banner (a new consent prompt will appear on your next visit).
    • If new cookie categories are introduced, we will request your consent again before setting cookies in those new categories.

    Non-material changes (corrections, clarifications, formatting) may be made without re-prompting for consent. We will note these in the version history.

    Version history:

    • v1.0.1 (2026-05-04): Clarified that universal cookie consent applies globally where Swopli is available, and aligned Paddle/Meta attribution with consent, GPC, and Do Not Sell or Share controls.
    • v1.0 (2026-04-30): Initial version covering RevenueCat, Paddle, PostHog, and Supabase cookies. Universal consent banner for all supported visitors.

    8. Questions and Contact

    Questions about cookies?

    Complaints or concerns:

    If you believe our use of cookies violates your rights, you can:

    Related documents: