Privacy Policy

This Privacy Policy explains how Swopli LTDA ("Swopli", "we", "us", "our") collects, uses, shares, and protects personal data when you use the Swopli platform — our website, mobile application, and related services (collectively, the "Platform"). Swopli is a peer-to-peer barter marketplace that enables users to exchange products and services directly, without financial transactions between users.

This Policy is organized into a Global Baseline section that applies to all users worldwide, followed by jurisdiction-specific sections that provide additional rights, disclosures, and protections required by local law. If you reside in a jurisdiction covered by one of the specific sections below, that section supplements (and in case of conflict, prevails over) the Global Baseline.

Data Controller: Swopli LTDA CNPJ: 61.902.473/0001-79 Rua Alm Protogenes 289, Sala 122, Cond Office Jd Negocios C, Jardim, Santo Andre/SP, CEP 09090-760, Brazil

Data Protection Officer (DPO): Email: dpo@swopli.com

---

Global Baseline

This section applies to all Swopli users wherever Swopli makes the relevant service or feature available under the Feature Availability Schedule. We apply GDPR-first principles as our baseline standard, meaning all users benefit from high data protection standards regardless of local law requirements.

Data We Collect

Data You Provide

Category	When Collected	Examples
Identification	Registration	Full name, username, email, phone (E.164), date of birth
Profile	Onboarding	Photo, bio, city, preferred language
Address	Shipping enablement	Street, number, complement, postal code, city, state, country
Tax and verification identifiers	Product publishing, Swap Protection, KYC, fraud prevention, and single-account enforcement	CPF or equivalent tax identification number where required
Content	Platform use	Listed products, photos, descriptions, messages, reviews
Payment	VIP/Boost purchase	Payment data processed by RevenueCat (iOS/Android), Paddle (web), or Stripe (Swap Protection) — Swopli does not store card numbers

Data Collected Automatically

Category	How Collected	Purpose
Technical identifiers	Server logs	IP address, user agent, device identifier
Platform usage	In-app events	Pages visited, actions taken, timestamps
Approximate location	IP geolocation (automatic)	Cookie banner jurisdiction detection, fraud prevention
Precise location	Opt-in device permission	Search radius filters (~100m precision)
Functional cookies	Browser	Session, language preference, cookie consent
Analytics cookies	Browser, after consent	PostHog usage events (EU-hosted: eu.posthog.com)

Third-Party Data

When you sign up via Google, Apple, or Facebook, we receive from the provider: email, full name (if authorized), profile photo (if authorized), and a unique provider identifier. We do not receive your provider account password.

Purposes and Legal Bases

Purpose	Legal Basis	GDPR Reference
Account registration and operation	Performance of contract	Art. 6(1)(b)
Facilitating trades between users	Performance of contract	Art. 6(1)(b)
Processing VIP/Boost/shipping payments	Performance of contract	Art. 6(1)(b)
Transactional communications (trade notifications, messages)	Performance of contract	Art. 6(1)(b)
Tax and regulatory compliance	Legal obligation	Art. 6(1)(c)
Fraud prevention and platform security	Legitimate interest	Art. 6(1)(f)
Platform improvement via analytics (PostHog)	Consent	Art. 6(1)(a)
Dispute resolution between users	Performance of contract + Legitimate interest	Art. 6(1)(b) + Art. 6(1)(f)
Compliance with court orders or authority requests	Legal obligation	Art. 6(1)(c)

We do not use your personal data for: automated decision-making or profiling that produces legal effects (GDPR Art. 22), selling your data to third parties, or Swopli-operated targeted advertising based on your personal data. Optional Paddle/Meta checkout attribution is described in the Cookie Policy and is disabled when Marketing cookies, GPC, or Do Not Sell or Share settings opt out.

Sub-Processors

Swopli shares personal data with the following providers and sub-processors. Where the provider acts as Swopli's processor, the relationship is covered by a Data Processing Agreement (DPA) or equivalent contractual safeguards:

Sub-Processor	Purpose	Location	Transfer Mechanism
Supabase (AWS sa-east-1)	Database hosting, authentication, file storage	Brazil (AWS sa-east-1) — Supabase Inc. is US-based	Domestic for Brazilian users; SCCs Module 2 for international users
Stripe, Inc. / Stripe Payments Brasil Serviços Financeiros Ltda.	Swap Protection checkout, refundable deposits, refunds, transfers, KYC Connect, and shipping/payment support where applicable	Brazil / USA, depending on flow	Brazil domestic processing where handled by Brazilian entity; SCCs Module 2 + DPF where applicable
RevenueCat Inc	Cross-platform subscription orchestration (iOS/Android/Web), Customer Center, VIP entitlement management	USA	SCCs Module 2 + UK IDTA (International Data Transfer Addendum) — not DPF certified
Paddle.com Market Limited	Merchant of Record for web checkout (VIP/Boost), global tax collection, auto-currency conversion	UK + USA	UK adequacy decision (Commission Implementing Decision (EU) 2025/2574 amending Decision (EU) 2021/1772, valid until 2031-12-27); EU SCCs with UK Approved Addendum for UK→US
Apple Inc / Google LLC	Push notifications + In-App Purchase processing (merchant-of-record for iOS/Android)	USA	Platform DPAs; In-App Purchase (IAP) scope
Resend	Transactional email delivery	USA	SCCs Module 2 + TIA
Cloudflare	CDN, DDoS protection, IP geolocation for cookie banner	Global	SCCs Module 2 + TIA; global edge network; EU representative appointed
PostHog	Product analytics (consent-gated in EU/UK/CH)	EU (Frankfurt)	No transfer (EU-hosted)
Sentry	Error monitoring (PII minimized and scrubbed where configured)	USA	SCCs Module 2 + TIA
Nominatim (self-hosted OpenStreetMap geocoding)	Reverse geocoding for location display	EU (self-hosted)	No third-party transfer by Nominatim; hosting covered by infrastructure providers listed above
OpenAI OpCo, LLC / OpenAI Ireland Ltd.	Automated text/content moderation and trust & safety review	USA / Ireland (where applicable)	SCCs Module 2 + UK Addendum; OpenAI DPA
Melhor Envio	Shipping label generation and tracking (Brazil only)	Brazil	No transfer (domestic)

For the complete, versioned sub-processor list with changelog and 30-day update notifications, see our Subprocessors List.

Data Retention

Category	Retention Period	Reason
Active account data	While the account exists	Service operation
Messages between users	While the account exists; deleted upon account deletion	Trade context
Financial transaction records	5 years after the transaction	Tax obligation (Brazil: Art. 173 CTN; EU: varies by member state)
Server access logs	6 months	Security monitoring
Security audit logs	1 year	Legitimate security interest
Analytics data (PostHog)	12 months (anonymized identifiers)	Product improvement (consent-based)
Error reports (Sentry)	90 days	Bug resolution cycle
Anonymized/aggregated data	Indefinite	No longer personal data

After the applicable period, data is permanently deleted or irreversibly anonymized. We review retention periods annually.

Security Measures

We implement technical and organizational measures to protect your data:

• Encryption in transit: All connections use TLS 1.2+.
• Encryption at rest: Sensitive data encrypted by infrastructure providers (Supabase, Stripe).
• Access control: Row Level Security (RLS) in the database prevents cross-user data access.
• Authentication: OAuth-based authentication (Google, Apple) with secure session management via Supabase Auth.
• Error monitoring: Sentry for incident detection (PII minimized and scrubbed where configured).
• Audit logging: Sensitive actions are logged with actor, timestamp, and action type.
• Dependency management: Security updates applied regularly.

Despite these measures, no system is 100% secure. In case of a data breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law (72 hours for EU supervisory authorities per GDPR Art. 33; "reasonable time" for ANPD per LGPD Art. 48).

Age Restriction

Swopli is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. We verify age through the date of birth provided at registration. If we identify a minor's account, we will immediately deactivate it and delete the associated data.

If you are a parent or legal guardian and believe a minor has created an account, contact dpo@swopli.com for immediate removal.

Your Rights (Global)

All users, regardless of jurisdiction, may exercise the following rights:

Right	How to Exercise
Access	Settings > Privacy & Data > Export My Data (ZIP download), or email dpo@swopli.com
Rectification	Settings > Edit Profile, or email dpo@swopli.com
Erasure	Settings > Privacy & Data > Delete My Account (permanent hard delete within 24 hours)
Data Portability	Export delivers structured JSON files in a ZIP archive
Withdraw Consent	Settings > Email Notifications; /privacy/preferences for cookies
Object	Email dpo@swopli.com for processing based on legitimate interest
Complaint	Contact your local data protection authority (see jurisdiction sections below)

Response time: Up to 30 days (extendable by 60 days for complex requests, with notification). Exercising these rights is free.

Web form: Submit a data subject request at swopli.com/privacy/data-request or email dpo@swopli.com.

Cookies

Swopli uses cookies and similar technologies on its website. For full details on which cookies we use, their purposes, retention periods, and how to manage them, see our Cookie Policy.

• EU/EEA/UK/CH: Consent banner on first visit; opt-in required for non-essential cookies.
• Other jurisdictions: Notice banner with opt-out for analytics; strictly necessary cookies always active.
• All users: Manage preferences at /privacy/preferences at any time.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements.

Material changes (affecting your rights, data categories, or processing purposes): at least 30 days' advance notice via email and/or in-app notification, with clear description of changes.

Non-material changes (clarifications, formatting): may take effect without prior notice. The "Last Updated" date always reflects the most recent revision.

---

Brazil (LGPD)

Applies to: Users residing in Brazil. Governing law: Lei Geral de Proteção de Dados (LGPD — Lei nº 13.709/2018).

Controller and DPO

Swopli LTDA is the controller (controlador) of your personal data under the LGPD.

Data Protection Officer (DPO): Email: dpo@swopli.com Postal address: Rua Alm Protogenes 289, Sala 122, Cond Office Jd Negocios C, Jardim, Santo Andre/SP, CEP 09090-760 (Designated as "Encarregado" under LGPD Art. 41)

The DPO is responsible for: accepting complaints and communications from data subjects; receiving communications from the ANPD; guiding employees and contractors on data protection practices; and performing duties assigned by the controller (Art. 41 LGPD).

Legal Bases Under LGPD

The LGPD provides specific legal bases for processing personal data (Art. 7). We rely on:

Purpose	Legal Basis	LGPD Article
Account creation and service delivery	Performance of contract	Art. 7, V
Tax and regulatory obligations	Legal obligation	Art. 7, II
Fraud prevention, platform security	Legitimate interest	Art. 7, IX
Analytics (PostHog)	Consent	Art. 7, I
Exercising rights in legal proceedings	Exercise of rights	Art. 7, VI
Credit protection (seller verification)	Credit protection	Art. 7, X

Your Rights Under LGPD (Art. 18)

In addition to the rights listed in the Global Baseline, Brazilian users have the following specific rights under Art. 18 of the LGPD:

1. Confirmation of processing — confirm whether we process your personal data.
2. Access — obtain a copy of your personal data.
3. Correction — correct incomplete, inaccurate, or outdated data.
4. Anonymization, blocking, or deletion — of unnecessary, excessive, or non-compliant data.
5. Portability — transfer your data to another service provider (Art. 18, V).
6. Deletion — of personal data processed with your consent, when consent is withdrawn.
7. Information about sharing — know which public and private entities your data has been shared with.
8. Information about consent — be informed about the possibility and consequences of not providing consent.
9. Withdrawal of consent — withdraw consent at any time (Art. 18, IX).

Data Localization

Your primary account data is stored in Brazil (Supabase AWS sa-east-1, São Paulo region). International transfers to sub-processors such as Stripe/Stripe Brasil, RevenueCat, Sentry, Resend, Cloudflare, and other providers listed above are covered by appropriate contractual safeguards, including Standard Contractual Clauses where applicable, and comply with LGPD Art. 33.

Language

This Privacy Policy is available in Portuguese (pt-BR) as required by Brazilian consumer protection law (CDC Art. 31). In case of conflict between the Portuguese and English versions, the Portuguese version prevails for Brazilian users.

Supervisory Authority

Autoridade Nacional de Proteção de Dados (ANPD) Website: https://www.gov.br/anpd Email: comunicacao@anpd.gov.br

---

EU/UK/CH (GDPR)

Applies to: Users residing in the European Economic Area (30 countries), the United Kingdom, and Switzerland. Governing law: General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), UK GDPR (UK Data Protection Act 2018), Swiss Federal Act on Data Protection (FADP/nDSG).

EU Representative (Art. 27 GDPR)

As Swopli LTDA is established outside the EU, we are in the process of appointing an EU representative pursuant to Art. 27 GDPR and a UK representative pursuant to UK GDPR Art. 27:

EU/UK Representative: Appointment in progress — details will be published here once finalized. Contact dpo@swopli.com in the interim.

The appointed representative will also act as our representative under Art. 13 of the Digital Services Act (DSA).

Legal Bases (Art. 6 GDPR)

We process your personal data based on the legal bases described in the Global Baseline section. Where we rely on legitimate interest (Art. 6(1)(f)), we have conducted balancing tests (Legitimate Interest Assessments) to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting dpo@swopli.com.

Where we rely on consent (Art. 6(1)(a)), you may withdraw consent at any time via Settings > Privacy & Data or /privacy/preferences. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

Your GDPR Rights (Art. 15-22)

In addition to the rights in the Global Baseline, EU/UK/CH users have the following specific rights:

• Right of Access (Art. 15): Obtain confirmation of processing and a copy of your data, including information about purposes, categories, recipients, retention periods, and safeguards for international transfers.
• Right to Rectification (Art. 16): Have inaccurate data corrected and incomplete data completed.
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). Account deletion via Settings is permanent (hard delete within 24 hours). Exceptions: legal obligations, defense of legal claims, public interest.
• Right to Restriction of Processing (Art. 18): Restrict processing when you contest accuracy, processing is unlawful, we no longer need the data, or you have objected pending verification.
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON in ZIP).
• Right to Object (Art. 21): Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right Not to Be Subject to Automated Decisions (Art. 22): Swopli does not make decisions based solely on automated processing that produce legal effects concerning you.

International Transfers (Chapter V)

Transfers of personal data outside the EEA/UK/CH comply with GDPR Chapter V through the following mechanisms:

• EU→Brazil (Supabase): Standard Contractual Clauses (SCCs) Module 2 (controller-to-processor), adopted by European Commission Decision 2021/914, supplemented by Transfer Impact Assessment (TIA).
• EU→USA (Stripe): SCCs Module 2 + EU-U.S. Data Privacy Framework (DPF) where applicable.
• EU→USA (RevenueCat): SCCs Module 2 + UK IDTA (International Data Transfer Addendum). RevenueCat is not DPF certified.
• EU→UK (Paddle): UK adequacy decision (Commission Implementing Decision (EU) 2025/2574 of 19 December 2025, amending Decision (EU) 2021/1772, valid until 2031-12-27). UK→USA sub-processors covered by EU SCCs with UK Approved Addendum.
• EU→USA/global (Sentry, Resend, Cloudflare): SCCs Module 2 (controller-to-processor) + TIA for Swopli's direct processor relationships. Onward subprocessor transfers are governed by the provider's DPA and applicable SCCs or equivalent safeguards.
• EU→EU (PostHog): No transfer required — hosted in Frankfurt.

You may request a copy of the applicable SCCs and TIAs by contacting dpo@swopli.com.

Cookie Consent (ePrivacy Directive)

Non-essential cookies (analytics, marketing) require your prior opt-in consent in EU/EEA/UK/CH jurisdictions. Our cookie banner is displayed on first visit and allows you to accept all, reject non-essential, or customize by category. See our Cookie Policy for details.

DSA Compliance

Swopli complies with the Digital Services Act (Regulation (EU) 2022/2065) as a hosting service. Our content moderation practices, notice-and-action procedures, and transparency obligations are detailed in our Content Moderation & Takedown Policy.

Supervisory Authorities

You have the right to lodge a complaint with the supervisory authority of your country of residence:

• Complete list of EEA authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en
• UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/
• Swiss Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/

---

United States

Applies to: Users residing in the United States. Governing law: California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA); Virginia Consumer Data Protection Act (VCDPA); Colorado Privacy Act (CPA); and other applicable state privacy laws.

Swopli applies the CCPA/CPRA as a US-wide baseline, providing all US users with California-level protections regardless of their state of residence.

Categories of Personal Information (CCPA Disclosure)

Under CCPA section 1798.100 and 1798.110, we disclose the categories of personal information collected in the preceding 12 months:

CCPA Category	Collected	Examples	Business Purpose
A. Identifiers	Yes	Name, email, username, IP address, device ID, OAuth ID	Account operations, communications
B. Cal. Civ. Code 1798.80(e)	Yes	Name, address (when provided for shipping)	Platform services, shipping
C. Protected classifications	Yes	Date of birth (age verification only)	Eligibility verification
D. Commercial information	Yes	Products listed, trade history, VIP/Boost purchases	Platform services, analytics
F. Internet activity	Yes	Browsing history on Platform, interactions, analytics events	Analytics, improvement, fraud prevention
G. Geolocation	Yes	Approximate (IP); precise only with consent (search radius)	Search, fraud prevention
K. Inferences	Yes	Product interest categories, engagement patterns	Platform improvement

Categories E, H, I, J, L: Not collected.

RevenueCat receives Category A (identifiers) and Category D (purchase data). Paddle receives Category A, Category D, and last 4 digits of card. Where Marketing cookies are accepted on web checkout pages, Paddle/Meta attribution may receive cookie identifiers, IP address, user agent, and checkout event metadata for attribution. These activities do not introduce additional CCPA categories beyond those disclosed above.

Sale and Sharing Choices

Swopli does NOT sell personal information as defined by CCPA section 1798.140(ad). Swopli does not use personal information for cross-context behavioral advertising as part of the core Platform.

Optional Paddle/Meta attribution on web checkout pages may be treated as "sharing" under CPRA when Marketing cookies are accepted. This attribution is disabled if you reject Marketing cookies, exercise the Do Not Sell or Share preference, or send a valid Global Privacy Control signal. A Do Not Sell or Share link is available in our website footer.

Your CCPA/CPRA Rights

All US users may exercise these rights:

• Right to Know (§1798.100): Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third-party recipients.
• Right to Delete (§1798.105): Request deletion of personal information. Via Settings > Privacy & Data > Delete My Account, or email dpo@swopli.com.
• Right to Correct (CPRA): Request correction of inaccurate personal information. Via Settings > Edit Profile.
• Right to Opt-Out of Sale/Sharing (§1798.120): We do not sell personal information. You may opt out of optional Marketing-cookie attribution that may be treated as "sharing" under CPRA.
• Right to Limit Sensitive PI (§1798.121): We only collect date of birth as sensitive PI, used solely for age verification. No additional uses.
• Right to Non-Discrimination (§1798.125): We will not discriminate against you for exercising any CCPA right.

Exercising Your Rights

• In-app: Settings > Privacy & Data (export, delete, correct)
• Web form: swopli.com/privacy/data-request
• Email: dpo@swopli.com

We will acknowledge receipt within 10 business days and respond substantively within 45 calendar days (extendable by 45 days with notice). We verify your identity before fulfilling requests. Authorized agents must provide signed written authorization.

Global Privacy Control (GPC)

Swopli honors the Global Privacy Control (GPC) browser signal as required by CCPA regulations. When a GPC signal is detected, we treat it as a valid opt-out of sale/sharing request.

Supervisory Authorities

• California Attorney General: https://oag.ca.gov/privacy — (916) 210-6276
• Federal Trade Commission: https://www.ftc.gov/complaint

---

Canada (PIPEDA)

Applies to: Users residing in Canada. Governing law: Personal Information Protection and Electronic Documents Act (PIPEDA); Quebec Act Respecting the Protection of Personal Information in the Private Sector (Law 25).

PIPEDA Principles

Swopli adheres to the 10 fair information principles under Schedule 1 of PIPEDA:

1. Accountability: Swopli LTDA is responsible for personal information under its control. Our Data Protection Officer (dpo@swopli.com) oversees compliance.
2. Identifying Purposes: We identify the purposes for collection at or before the time of collection (see Global Baseline — Purposes and Legal Bases).
3. Consent: We obtain meaningful consent for collection, use, and disclosure. Consent may be express (account creation, analytics) or implied (necessary platform operations).
4. Limiting Collection: We collect only information necessary for identified purposes.
5. Limiting Use, Disclosure, and Retention: Personal information is used and disclosed only for the purposes for which it was collected, and retained only as long as necessary.
6. Accuracy: We take reasonable steps to ensure personal information is accurate, complete, and up-to-date. You can correct your information via Settings > Edit Profile.
7. Safeguards: We protect personal information through security measures proportionate to the sensitivity of the data (see Global Baseline — Security Measures).
8. Openness: This Privacy Policy details our policies and practices regarding personal information management.
9. Individual Access: You may request access to your personal information and challenge its accuracy (see Global Baseline — Your Rights).
10. Challenging Compliance: You may challenge our compliance with these principles by contacting dpo@swopli.com. If we cannot resolve your concern, you may file a complaint with the Office of the Privacy Commissioner.

Quebec Law 25

For users residing in Quebec, the following additional provisions apply:

• Privacy Impact Assessment (PIA): We conduct PIAs for cross-border transfers involving personal information of Quebec residents, as required by Law 25.
• Privacy Officer: Our DPO (dpo@swopli.com) serves as the designated privacy officer for Quebec Law 25 compliance.
• French Language: This Privacy Policy is available in French for Quebec users.
• Consent: Express consent is required for collection and use of sensitive personal information, including biometric data (Swopli does not collect biometric data) and precise geolocation (opt-in only).

Cross-Border Transfers

Transfers of personal information outside Canada are disclosed in the Sub-Processors table (Global Baseline). We ensure all transfers comply with PIPEDA s. 5(3) and that receiving organizations provide comparable levels of protection.

Supervisory Authority

Office of the Privacy Commissioner of Canada (OPC) Website: https://www.priv.gc.ca Toll-free: 1-800-282-1376

Commission d'accès à l'information du Québec (CAI) (for Quebec residents) Website: https://www.cai.gouv.qc.ca

---

Latin America

Applies to: Users residing in Mexico, Argentina, Chile, Colombia, Peru, Uruguay, Costa Rica, Guatemala, Honduras, and Nicaragua.

Data protection laws in Latin America generally follow the ARCO rights framework (Acceso, Rectificación, Cancelación, Oposición). Swopli respects these rights for all Latin American users.

Your ARCO Rights

Right	Description	How to Exercise
Acceso (Access)	Know what personal data we hold about you	Settings > Privacy & Data > Export My Data
Rectificación (Rectification)	Correct inaccurate or incomplete data	Settings > Edit Profile
Cancelación (Cancellation/Deletion)	Request deletion of your personal data	Settings > Privacy & Data > Delete My Account
Oposición (Objection)	Object to processing of your data for specific purposes	Email dpo@swopli.com

Response time: Up to 20 business days (varies by country).

Country-Specific Notes

Mexico (LFPDPPP): Swopli's privacy notice (aviso de privacidad) is this Privacy Policy. We process your data based on consent obtained at registration. You may revoke consent at any time by contacting dpo@swopli.com. Transfers to third parties are disclosed in the Sub-Processors table.

Argentina (Ley 25.326): You have the right to access your personal data free of charge at intervals of no less than 6 months (Art. 14). The Dirección Nacional de Protección de Datos Personales (DNPDP) is the supervisory authority: https://www.argentina.gob.ar/aaip/datospersonales

Colombia (Ley 1581 de 2012): We process your data based on your authorization (autorización) obtained at registration. You have rights of access, correction, deletion, and revocation of authorization. Superintendencia de Industria y Comercio (SIC): https://www.sic.gov.co

Chile (Ley 19.628): You have rights of access, rectification, cancellation, and objection. The new data protection framework strengthens these rights. Consejo para la Transparencia: https://www.consejotransparencia.cl

Peru (Ley 29733): Your personal data is processed based on your consent. You may exercise ARCO rights by contacting dpo@swopli.com. Autoridad Nacional de Protección de Datos Personales: https://www.gob.pe/anpd

Uruguay (Ley 18.331): Uruguay has an EU adequacy decision, providing a high level of data protection. Unidad Reguladora y de Control de Datos Personales (URCDP): https://www.gub.uy/unidad-reguladora-control-datos-personales

Costa Rica, Guatemala, Honduras, Nicaragua: We apply GDPR-first principles as a baseline for countries where data protection frameworks are still developing.

Cross-Border Transfers

International transfers of personal data for Latin American users are covered by the mechanisms described in the Global Baseline Sub-Processors table. We ensure transfers comply with applicable local requirements, including consent-based transfers where required.

---

India (DPDPA)

Applies to: Users residing in India. Governing law: Digital Personal Data Protection Act, 2023 (DPDPA).

Data Fiduciary

Swopli LTDA acts as a Data Fiduciary under the DPDPA with respect to personal data of Indian users.

Consent as Primary Basis

Under the DPDPA, consent is the primary legal basis for processing personal data. Unlike the GDPR, the DPDPA does not recognize "legitimate interest" as an independent legal basis.

We obtain your consent for processing at the time of account registration. Your consent covers all purposes listed in the Global Baseline section, including fraud prevention and platform security. Your consent is:

• Free: Not conditioned on additional services.
• Informed: This Privacy Policy serves as your notice (Section 5 DPDPA).
• Specific: Consent is obtained for each identified purpose.
• Unconditional: Not tied to unrelated conditions.

You may withdraw consent at any time via Settings > Privacy & Data or by emailing dpo@swopli.com. Withdrawal may affect your ability to use certain Platform features.

Your Rights Under DPDPA

Right	Description
Right to Access	Obtain a summary of your personal data and processing activities (Section 11)
Right to Correction and Erasure	Request correction of inaccurate data and erasure of personal data (Section 12)
Right to Grievance Redressal	Submit grievances to our Grievance Officer (Section 13)
Right to Nominate	Nominate another individual to exercise your rights in case of death or incapacity (Section 14)

Grievance Officer

Grievance Officer: dpo@swopli.com Response time: Within 72 hours of receipt, with resolution within 30 days.

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India once constituted.

Children's Data

For users under 18 in India, the DPDPA requires verifiable parental consent before processing personal data. Since Swopli requires all users to be 18+, this provision is satisfied by our age gate.

Cross-Border Transfers

The DPDPA permits cross-border transfers except to countries specifically restricted by the Central Government. As of the date of this Policy, no restrictions have been notified. Transfers are disclosed in the Sub-Processors table (Global Baseline).

Business Purpose Restriction

We process personal data of Indian users only for the specific purposes disclosed in this Privacy Policy. Processing beyond these purposes requires fresh consent.

---

Asia-Pacific

Applies to: Users residing in Indonesia, Malaysia, Philippines, Singapore, Thailand, Vietnam, Japan, South Korea, Taiwan, and Hong Kong.

Data protection laws across the Asia-Pacific region vary significantly. This section addresses the key requirements for each jurisdiction.

Japan (APPI)

The Act on the Protection of Personal Information (APPI) governs data processing in Japan.

• Foreign Transfer Disclosure: We disclose that your personal data is transferred to countries listed in the Sub-Processors table (Global Baseline). Japan has an EU adequacy decision, facilitating transfers.
• Sensitive Information: Swopli does not collect special care-required personal information (要配慮個人情報) as defined by APPI Art. 2(3). If we ever need to collect such data, we will obtain your prior opt-in consent.
• Opt-Out of Third-Party Provision: You may opt out of third-party data provision by contacting dpo@swopli.com.
• Personal Information Protection Commission (PPC): https://www.ppc.go.jp/en/

South Korea (PIPA)

The Personal Information Protection Act (PIPA) provides comprehensive data protection rights.

• Consent: We obtain your consent for collection, use, and cross-border transfer at registration. Consent for cross-border transfers specifically discloses: the recipients, the countries, the purposes, and the types of data transferred.
• Cross-Border Transfer: Transfers are disclosed in the Sub-Processors table. We comply with PIPA Art. 17 and Art. 28-2 regarding overseas transfers.
• Rights: Access, correction, deletion, and suspension of processing. Via Settings or dpo@swopli.com.
• Personal Information Protection Commission (PIPC): https://www.pipc.go.kr/eng/

Singapore (PDPA)

The Personal Data Protection Act 2012 (PDPA) governs data processing in Singapore.

• Data Protection Officer: dpo@swopli.com serves as our designated DPO for PDPA compliance.
• Consent: We collect and use personal data based on consent obtained at registration, or deemed consent where reasonably expected (PDPA s. 15).
• Transfer: We ensure recipients provide comparable protection as required by PDPA s. 26.
• Do Not Call Registry: Swopli does not conduct telemarketing.
• Personal Data Protection Commission (PDPC): https://www.pdpc.gov.sg/

Thailand (PDPA)

The Personal Data Protection Act B.E. 2562 (2019) is in effect. Implementing regulations are still being finalized.

• Status: MONITOR — Zero enforcement actions against foreign platforms as of this Policy's date. We apply GDPR-first principles as a baseline.
• Rights: Access, correction, deletion, restriction, portability, and objection — all available via Settings or dpo@swopli.com.
• Office of the Personal Data Protection Committee (PDPC): https://www.pdpc.or.th/

Vietnam (PDP Decree)

Decree 13/2023/ND-CP on personal data protection is in force.

• Status: MONITOR — The mandatory filing portal for cross-border transfers (MPS) has not yet launched. We will file when the portal becomes operational.
• Consent: We obtain consent for processing and cross-border transfers at registration.
• Data Protection Impact Assessment (DPIA): We maintain DPIA templates ready to file when the MPS portal opens.

Indonesia (PDP Law)

Law No. 27 of 2022 on Personal Data Protection is in effect. Implementing regulations are pending.

• Status: MONITOR — Implementing regulations not yet issued. We apply GDPR-first principles.
• Consent: We obtain consent for processing at registration.
• Rights: Access, correction, deletion, and restriction.

Malaysia (PDPA 2010)

• Consent: Obtained at registration. We comply with the Personal Data Protection Act 2010.
• Rights: Access, correction, and withdrawal of consent.
• Department of Personal Data Protection: https://www.pdp.gov.my/

Philippines (DPA 2012)

• Consent: Obtained at registration. We comply with Republic Act No. 10173.
• Rights: Access, correction, erasure, objection, and portability.
• National Privacy Commission (NPC): https://www.privacy.gov.ph/

Taiwan (PDPA)

• Consent: Obtained at registration. We comply with the Personal Data Protection Act.
• Rights: Access, correction, deletion, and cessation of processing.

Hong Kong (PDPO)

• Consent: We comply with the Personal Data (Privacy) Ordinance (Cap. 486).
• Data Protection Principles: Our practices align with the six DPPs.
• Office of the Privacy Commissioner for Personal Data: https://www.pcpd.org.hk/

---

Rest of World

Applies to: Users residing in Australia, New Zealand, South Africa, United Arab Emirates, Bahrain, Egypt, Israel, Jordan, Kuwait, Oman, Qatar, Lebanon, Moldova, Ukraine, Azerbaijan, and Pakistan.

For countries in this section, we apply GDPR-first principles as a worldwide baseline. Where local law provides additional specific rights or requirements, we address them below.

Australia (Privacy Act 1988)

The Australian Privacy Principles (APPs) govern data handling.

• APP 1 (Openness): This Privacy Policy serves as our APP-compliant privacy policy.
• APP 5 (Notification): We notify you at or before the time of collection of the matters required by APP 5.
• APP 8 (Cross-Border Disclosure): We disclose overseas transfers in the Sub-Processors table and take reasonable steps to ensure recipients comply with the APPs.
• APP 12 (Access): You may access your personal information via Settings or dpo@swopli.com.
• APP 13 (Correction): You may correct your personal information via Settings > Edit Profile.
• Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/

New Zealand (Privacy Act 2020)

• Information Privacy Principles (IPPs): Our practices comply with the 13 IPPs.
• Cross-Border Transfer: We ensure transferees are subject to comparable privacy protections.
• Office of the Privacy Commissioner: https://www.privacy.org.nz/

South Africa (POPIA)

The Protection of Personal Information Act 4 of 2013 (POPIA) is in effect.

• Responsible Party: Swopli LTDA is the responsible party for personal information processing.
• Conditions for Lawful Processing: We comply with the 8 conditions under POPIA Chapter 3.
• Cross-Border Transfer: Transfers comply with POPIA s. 72 (adequate protection or consent or contractual necessity).
• Rights: Access, correction, deletion, objection. Via Settings or dpo@swopli.com.
• Information Regulator: https://inforegulator.org.za/

Middle East (UAE, Bahrain, Egypt, Israel, Jordan, Kuwait, Oman, Qatar, Lebanon)

Data protection frameworks in the Middle East region are evolving. We apply GDPR-first principles as a baseline and comply with specific requirements where applicable:

• UAE (Federal Decree-Law No. 45 of 2021): We process data based on consent and contractual necessity. Data Protection Office: https://tdra.gov.ae/
• Israel (Protection of Privacy Law 5741-1981): Israel has an EU adequacy decision. We comply with the Israeli Privacy Protection Authority requirements. https://www.gov.il/en/departments/the_privacy_protection_authority
• Bahrain (PDPL 2018): We obtain consent for processing and cross-border transfers.
• Egypt: MONITOR — The Data Protection Center (DPC) has not yet become operational. We will comply with operational requirements when the DPC launches.
• Qatar (Law No. 13 of 2016): We process data based on consent and comply with the National Data Privacy Office requirements.

Eastern Europe (Moldova, Ukraine, Azerbaijan)

• Ukraine (Law on Personal Data Protection No. 2297-VI): We process data based on consent and comply with data protection requirements. Given the ongoing situation, we take additional care with data security for Ukrainian users.
• Moldova: We apply EU-aligned data protection principles.
• Azerbaijan: We apply GDPR-first principles as a baseline.

Pakistan

Pakistan's data protection framework is developing. We apply GDPR-first principles and will comply with specific requirements when legislation is enacted and enforced.

General Contact for Rest of World

For users in any Rest of World country, exercise your data rights by:

• In-app: Settings > Privacy & Data
• Email: dpo@swopli.com
• Web form: swopli.com/privacy/data-request

---

Questions about this Privacy Policy? Contact our Data Protection Officer at dpo@swopli.com or write to: Swopli LTDA, Rua Alm Protogenes 289, Sala 122, Santo Andre/SP, CEP 09090-760, Brazil.

For details on our cookies, see our Cookie Policy. For details on our sub-processors, see our Subprocessors List. For data subject requests, visit /privacy/data-request.