Subprocessors
1. Purpose
This document lists third-party service providers and subprocessors that Swopli LTDA (CNPJ 61.902.473/0001-79) uses to operate Swopli. Some providers act as Swopli processors under a DPA; others act as independent merchant-of-record, app-store, or self-hosted infrastructure/reference-data providers as noted below.
This list is maintained for transparency and to comply with data protection obligations under:
- Brazil's Lei Geral de Proteção de Dados (LGPD), Law 13.709/2018
- EU General Data Protection Regulation (GDPR), Regulation 2016/679
- Other applicable data protection laws in countries where Swopli makes services or features available under the Feature Availability Schedule
For full details on how Swopli processes personal data, see our Privacy Policy.
2. Update Notification
Swopli will provide 30 days' advance notice of any changes to this subprocessor list, including:
- Addition of a new subprocessor
- Removal of an existing subprocessor
- Material changes to a subprocessor's role or data processing activities
Notification will be sent via email to the address associated with your Swopli account. You may also subscribe to updates by visiting swopli.com/en/legal/subprocessors.
If you object to the addition of a new subprocessor, you may terminate your account within the 30-day notice period. For details on account termination, see our Terms of Service.
3. Current Subprocessors
The following table lists all current providers, the purpose for which they process or support data, the types of data involved, their location, and links to their data processing agreements (DPAs), privacy policies, or applicable reference materials.
| Subprocessor | Purpose | Data Processed | Location | DPA Link |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, storage | Account data, product listings, messages, trade records, images | Brazil (AWS sa-east-1) for primary storage; Supabase, Inc. is US-based | supabase.com/legal/dpa |
| Stripe, Inc. / Stripe Payments Brasil Serviços Financeiros Ltda. | Swap Protection checkout, refundable deposits, refunds, transfers, KYC Connect, and payment support where applicable | Payment methods, transaction data, billing address, bank account info, tax identification data where required, shipping address | Brazil / United States, depending on flow | stripe.com/legal/dpa |
| RevenueCat, Inc. | Cross-platform subscription orchestration (iOS/Android/Web via Paddle sync), Customer Center, VIP entitlement management | Purchase receipts, subscription status, user ID, device info | United States | revenuecat.com/dpa |
| Paddle.com Market Limited | Merchant of Record for web checkout (VIP/Boost), global tax collection, auto-currency conversion | Payment methods, transaction data, billing address, email, IP address | United Kingdom, United States | paddle.com/legal/dpa |
| Apple Inc. | In-app purchases (iOS) | Purchase receipts, Apple ID (hashed), device info | United States | apple.com/legal/privacy (Apple acts as merchant of record) |
| Google LLC | In-app purchases (Android) | Purchase receipts, Google account info, device info | United States | policies.google.com/privacy (Google acts as merchant of record) |
| Resend, Inc. | Transactional email delivery | Email address, name, email content (account confirmations, trade notifications, support responses) | United States (AWS us-east-1) | resend.com/legal/dpa |
| Cloudflare, Inc. | CDN, DDoS protection, edge computing | IP address, user agent, request metadata (logs for 24 hours) | United States (with global edge network) | cloudflare.com/cloudflare-customer-dpa |
| Sentry (Functional Software, Inc.) | Error monitoring, crash reporting | Error logs, stack traces, device info, user ID, IP address | United States | sentry.io/legal/dpa |
| PostHog, Inc. | Product analytics (opt-in for EU/EEA/UK/CH) | Event data, user ID, device info, feature usage, anonymized behavior | European Union (PostHog Cloud EU) | posthog.com/docs/privacy/dpa |
| Nominatim (self-hosted OpenStreetMap geocoding) | Reverse geocoding for location display | Coordinates, location search queries | European Union (self-hosted) | N/A for self-hosted instance; OpenStreetMap privacy reference |
| OpenAI OpCo, LLC / OpenAI Ireland Ltd. | Moderation API for automated trust & safety review before publication | Product listings, messages, profile text where moderated, moderation metadata | United States / Ireland (where applicable) | openai.com/policies/data-processing-addendum |
| Melhor Envio | Shipping label generation, tracking, reverse logistics (Brazil only) | Tracking codes, sender/recipient addresses, package dimensions, shipment status | Brazil | melhorenvio.com.br/termos-de-uso |
Paddle/Meta attribution note: Paddle may load Meta/Facebook attribution on consent-gated web checkout pages as described in the Cookie Policy. Swopli treats this as optional Marketing attribution and honors consent, GPC, and Do Not Sell or Share opt-outs. It is not part of the core Platform processing required to use Swopli.
4. Transfer Mechanisms
4.1 International Data Transfers
Some subprocessors are located outside the European Economic Area (EEA), Brazil, or your country of residence. Swopli ensures that all international data transfers are protected by appropriate safeguards, including:
- EU Standard Contractual Clauses (SCCs): For transfers from the EU/EEA to countries without an adequacy decision (e.g., United States, Brazil), Swopli and the subprocessor execute the EU Commission's Standard Contractual Clauses (Modules 2 and 3 as applicable).
- Transfer Impact Assessment (TIA): Swopli has conducted a Transfer Impact Assessment for all high-risk transfers to ensure that the SCCs provide effective protection in practice.
- Brazil (LGPD) SCCs: For transfers involving Brazilian user data, Swopli uses the LGPD-compliant Standard Contractual Clauses or relies on the user's explicit consent where required by Article 33 of the LGPD.
- Data Processing Addendum (DPA): All subprocessors have executed DPAs that incorporate the applicable SCCs and require the subprocessor to implement appropriate technical and organizational measures to protect personal data.
4.2 Sub-subprocessors
Some subprocessors listed above may engage their own subprocessors (e.g., cloud infrastructure providers). Where this occurs:
- The primary subprocessor remains fully liable to Swopli for the sub-subprocessor's compliance.
- Sub-subprocessor relationships are governed by the primary subprocessor's DPA and privacy policy (linked in the table above).
- Swopli audits primary subprocessors to ensure they flow down equivalent data protection obligations to sub-subprocessors.
4.3 Data Residency
- Brazil: User data for Brazilian residents is stored in AWS sa-east-1 (São Paulo) via Supabase, in compliance with LGPD data residency best practices.
- EU/EEA: PostHog data is stored in the EU via PostHog Cloud EU. Other subprocessors may store data in the United States or globally, subject to SCCs.
- Rest of World: Data storage location varies by subprocessor. See the "Location" column above.
5. Your Rights
Under applicable data protection laws, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data (subject to legal retention obligations)
- Object to processing based on legitimate interests
- Restrict processing in certain circumstances
- Receive your data in a structured, machine-readable format (data portability)
To exercise these rights, please visit swopli.com/privacy/data-request or email dpo@swopli.com.
For full details on your rights and how Swopli processes personal data, see our Privacy Policy.
6. Questions
If you have questions about this subprocessor list, data transfers, or our data protection practices:
- Data Protection Officer (DPO): dpo@swopli.com
- General inquiries: help@swopli.com
- Legal inquiries: legal@swopli.com
For EU/EEA users, you may also contact our GDPR representative (Article 27):
- EU Representative: Appointment in progress — contact dpo@swopli.com in the interim