Privacy Policy
Introduction
This Privacy Policy describes how the Swapli Platform collects, uses, retains, and shares your personal information. This Policy is an integral part of our Terms of Service and complies with the requirements of the General Data Protection Regulation of the European Union (GDPR — Regulation (EU) 2016/679) and the Israeli Privacy Law (5741-1981).
By using the Platform at swapli.net, you confirm that you have read and understood this Privacy Policy.
Definitions
"Swapli" or "we" — Swapli by Webguy BV, a company registered in the Netherlands, company registration number KVK 72381647, located at Rokin Business Center, Rokin 92, 1012 KZ Amsterdam, The Netherlands.
"Platform" — The website swapli.net, including all subdomains, applications, and related services operated by Swapli.
"Personal Information" — Any information relating to an identified or identifiable natural person, including name, email, phone number, address, photographs, payment details, and identity information.
"Data Subject" — A person whose personal information is processed by Swapli — a user classified as a "Visitor," "Registered User (Free)," or "Member" in accordance with our Terms of Service.
"Data Processor" — A third party that processes personal information on our behalf and under our instructions, such as Stripe, Supabase, Vercel, and others.
"Biometric Data" — Information relating to the physical characteristics of a person, such as facial recognition or liveness verification.
1. Swapli as Data Controller
Swapli is the Data Controller as defined in GDPR Article 4(7). This means we determine the purposes and means of processing your personal information.
2. What Information We Collect
2.1 Information You Provide Directly
During Registration:
- Full name (as it appears on your identification document)
- Email address
- Mobile phone number
- Password (encrypted using one-way hashing — bcrypt. Swapli does not retain the password itself)
- Referral code (if entered during registration)
When Creating a Profile:
- Profile photograph (Required)
- Personal description (Required)
When Listing a Property:
- Partial property address — country and city/town only
- Property description
- Property information: number of rooms, number of beds, amenities, pets, and more
- Up to 20 photographs of the property
When Conducting an Exchange:
- Requested dates
- Number of guests
- Notes and special requests
- Responses to checklist (optional)
During Communication:
- Messages between Members (text)
- Exchange requests and responses
- Support inquiries
2.2 Information Collected Automatically
Technical Details:
- IP address
- Browser type and operating system
- Device type
- Cookies
- Server logs (access times, pages viewed)
During Payment Processing:
- Payment details are processed by Stripe only — Swapli does not see or retain credit card numbers
- Payment history (amount, date, status)
- Invoices
- Automatic renewal status
2.3 Biometric Data — Identity Verification (KYC)
When you undergo identity verification through Didit or Stripe:
- Government-issued identification document photograph
- Selfie photograph (processed by third-party provider only)
- Biometric data — facial recognition and liveness verification (processed by third-party provider only)
What Swapli Retains from the Verification Process:
- Verification result (pass/fail)
- Name as it appears on the document
- Date of birth
- Document type (passport, identity card, etc.)
- Document number (partially encrypted)
- Issuing country
What Swapli Does Not Retain:
- Photographs of identity documents
- Selfie photographs
- Video recordings
- Raw biometric data
- Residential address — even if it appears on the identity document, Swapli does not retain it
3. Legal Basis for Processing Personal Information
In accordance with GDPR Article 6, all processing of personal information is based on one of the following legal bases:
| Purpose | Legal Basis | Relevant Information |
|---|---|---|
| Account creation and management | Contract performance (Article 6(1)(b)) | Name, email, phone, password |
| Identity verification (KYC) | Contract performance + Legitimate interest (Article 6(1)(b) + (f)) | Name, date of birth, document details |
| Biometric data processing | Explicit consent (Article 9(2)(a)) | Facial recognition data |
| Payment processing | Contract performance (Article 6(1)(b)) | Payment details via Stripe |
| Platform operation | Legitimate interest (Article 6(1)(f)) | IP, logs, technical data |
| Tax record retention | Legal obligation (Article 6(1)(c)) | Payment records |
| Newsletter and marketing emails | Explicit consent (Article 6(1)(a)) | Email, name, preferences |
| Use of photographs for marketing | Contract performance — license in Terms of Service (Article 6(1)(b)) | Property photographs |
4. Biometric Data — Special Category
In accordance with GDPR Article 9, biometric data is a special category of personal information requiring enhanced protection.
Legal Basis: Your explicit consent (Article 9(2)(a)). You will be asked to provide clear and explicit consent before beginning the identity verification process. Without consent — no processing occurs.
Processing by Third Party: Biometric data is processed by Didit or Stripe only, in accordance with their privacy policies. Swapli does not retain raw biometric data — only the verification result.
Your Rights:
- You may withdraw your consent at any time (see Section 7). Note that withdrawal of consent will not affect the legality of processing that occurred before the withdrawal, but may affect your ability to use services requiring identity verification.
- You may request access to retained data (see Section 7).
- You may request deletion, subject to legal retention obligations (see Section 7).
5. How We Use Your Information
5.1 Essential Purposes (Do Not Require Separate Consent)
- Account and Profile Management: Creating, retaining, and managing your account, authentication, password reset.
- Platform Operation: Server maintenance, performance improvement, technical troubleshooting.
- Payment Processing: Collecting membership fees, managing automatic renewal, issuing invoices.
- Identity Verification: Verification according to KYC requirements, strengthening community trust.
- Exchange Management: Matching between Members, communication, managing requests and agreements.
- Security and Fraud Prevention: Detecting suspicious activity, preventing misuse.
- Legal Compliance: Tax record retention, reporting to authorities as required.
5.2 Purposes Requiring Consent
- Newsletter and Marketing Emails: News, tips, offers, special promotions (via FluentCRM).
- Targeted Advertising: In the future, if advertising tools are added (Meta Pixel, Google Ads) — their use will require explicit consent.
6. Sharing Personal Information with Third-Party Service Providers
Swapli shares personal information with external service providers only insofar as required to operate the Platform or when you have consented to such sharing. We do not sell personal information and do not share it with any parties not listed in the table below.
Table of Service Providers (Data Processors)
| Service | Function | Data Transferred | Server Location | Legal Protection | DPA Signed |
|---|---|---|---|---|---|
| Supabase | Primary database | All personal data (account, profile, property, messages, exchanges, photographs) | EU (Frankfurt) | GDPR DPA | Yes |
| Vercel | Website hosting and delivery | IP address, logs, cookies | EU (Paris + Frankfurt) | GDPR DPA | Yes |
| Stripe | Payment processing | Payment tokens (not card numbers), payment history, invoices | US (with EU processing) | EU-US DPF, PCI-DSS | Yes |
| Stripe Identity (optional) | KYC identity verification | Identification document, selfie, verification details | US | EU-US DPF, SCCs | Yes |
| Didit (optional) | KYC identity verification | Identification document, selfie, biometric data | Under review | Explicit consent + DPA | Required |
| Resend | System emails | Email address, name, message content | US | EU-US DPF | Yes |
| Twilio | SMS authentication (OTP) | Phone number | US | EU-US DPF | Yes |
| FluentCRM (WordPress) | Customer relationship management and newsletter | Name, email, preferences | EU | GDPR DPA | Yes |
Important Notes
- Credit card numbers do not pass through Swapli servers — Stripe handles them directly.
- Your password is encrypted on the server and no third-party provider can see it.
- Service providers in the US are protected by the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs).
- We do not share information with any parties not listed in this table.
7. International Data Transfers
Swapli operates from the Netherlands. Most data is stored within the European Union:
Within the European Union:
- Supabase — Frankfurt, Germany
- Vercel — Paris, France + Frankfurt, Germany
- FluentCRM — Europe
Transfer to the United States:
- Stripe, Resend, Twilio — United States
- Legal Basis: EU-US Data Privacy Framework (DPF)
- If Necessary: Standard Contractual Clauses (SCCs)
Under Review:
- Didit — Server location under review. Swapli will confirm appropriate protection arrangements (DPF or SCCs) before data transfer.
8. Data Retention Periods
Swapli retains data only for as long as necessary to achieve the purpose for which it was collected:
| Type of Information | Retention Period | Reason |
|---|---|---|
| Account details (name, email, phone) | While account is active + 30-day grace period | Service provision + account recovery |
| Password (encrypted) | While account is active + 30-day grace period | Security + account recovery |
| Profile photograph and description | While account is active + 30-day grace period | Profile display + account recovery |
| Property photographs | While account is active + 30-day grace period | Property profile display + account recovery |
| Messages between Members | Account deletion + 90 days | Documentation in case of disputes |
| Payment records | 7 years from payment date | Dutch tax law requirement |
| Identity verification results (KYC) | One year | Statutory limitation period + legal protection |
| Identity document photographs, selfies, biometric data | Not retained by Swapli | Processed and retained by third-party provider only |
| IP addresses and technical logs | 90 days | Security and monitoring |
| Cookies | Up to 12 months | Preferences and functionality |
Following account deletion and completion of the grace period (30 days), all information is permanently deleted — except information required by law to be retained (payment records) or for legal protection purposes (identity verification results).
9. Your Rights Under GDPR
As a Data Subject, you have the following rights:
9.1 Right of Access (Article 15)
You are entitled to request a copy of all personal information retained about you. Swapli will provide this information within 30 days of receiving your request. Contact privacy@swapli.net.
9.2 Right of Rectification (Article 16)
If personal information retained about you is inaccurate or incomplete, you are entitled to request correction. You may update most details directly through your account settings.
9.3 Right of Erasure — "Right to be Forgotten" (Article 17)
You are entitled to request deletion of all your information. Deletion will occur after a grace period of 30 days. Note: Certain information is retained even after deletion where required by law — payment records are retained for 7 years under Dutch tax law, and identity verification results are retained as detailed in Section 8.
9.4 Right to Restrict Processing (Article 18)
You are entitled to request that we limit the processing of your information — for example while we verify its accuracy or while you contest a decision.
9.5 Right to Data Portability (Article 20)
You are entitled to request that we transfer your information in a structured, commonly-used, and machine-readable format (such as CSV or JSON) to you or to another service.
9.6 Right to Object (Article 21)
You are entitled to object to the processing of information based on legitimate interest, and in particular to processing for direct marketing purposes.
9.7 Right to Withdraw Consent (Article 7(3))
You may withdraw your consent at any time — particularly regarding biometric data, newsletter, and marketing emails. Withdrawal of consent will not affect the legality of processing that occurred before withdrawal.
9.8 Right Regarding Automated Decisions (Article 22)
If a decision that affects you was made automatically — for example, failure of identity verification or content removal — you have the right to request that a member of the Swapli team review the decision. Contact us at support@swapli.net and we will review the case within 14 business days.
9.9 How to Exercise Your Rights
For any request relating to your rights, contact privacy@swapli.net or dpo@swapli.net. We will respond within 30 days. If we cannot fulfill your request, we will explain why.
10. Your Rights Under Israeli Privacy Law
Swapli is a Dutch company and is directly subject to GDPR. The Israeli Privacy Law (5741-1981) does not formally apply to us. However, because the Platform is directed at Israeli families and processes information of Israeli residents, we voluntarily respect the rights granted under Israeli law:
- Right of Inspection: You are entitled to inspect information retained about you.
- Right of Rectification: You are entitled to request correction of inaccurate information.
- Right of Erasure: You are entitled to request deletion of information in accordance with law.
- Right to Object: You are entitled to object to the use of information for marketing purposes.
For requests: privacy@swapli.net
11. Cookies
11.1 Essential Cookies
- session_id — Maintaining login status (deleted after inactivity period)
- csrf_token — Protection against CSRF attacks
- auth_token — User authentication
11.2 Preference Cookies
- theme_preference — Display preference (light/dark)
- language_preference — Preferred language
- timezone — Time zone
11.3 Third-Party Cookies
As of the date of this Policy update, Swapli does not use third-party cookies (Google Analytics, Meta Pixel, or similar tools). If analytics or advertising tools are added in the future, we will provide advance notice and require your consent.
Full Cookie Policy available at: swapli.net/legal/cookie-policy
12. Children's Privacy
Swapli is intended for persons 18 years of age and older. We do not knowingly collect personal information from minors. If we discover that information of a person under 18 has been collected, we will delete it immediately.
13. Information Security
13.1 Our Measures
Swapli implements technical and organizational security measures to protect your information:
- Communication Encryption: All communication with the Platform is encrypted using HTTPS/TLS.
- Password Encryption: Passwords are encrypted using bcrypt (one-way hashing). Even we cannot see your password.
- Access Control: Only authorized staff members can access personal information, and only to the extent required for their role.
- Encrypted Backups: Database backups are encrypted and stored securely.
- Monitoring: We monitor our systems to detect suspicious activity.
13.2 Your Role
You are also a partner in securing your account:
- Choose a strong password (at least 12 characters, combining letters, numbers, and symbols).
- Do not share your password or OTP codes with anyone.
- Be cautious when connecting through unsecured public Wi-Fi networks.
- Keep your browser updated.
If you suspect unauthorized access to your account, report it immediately to security@swapli.net.
14. Data Breach Notification
In accordance with GDPR Articles 33-34:
14.1 Our Obligations
If a data breach is discovered that may harm your rights:
- We will report to the Dutch supervisory authority (Autoriteit Persoonsgegevens) within 72 hours.
- We will notify you within a reasonable time, typically within 5 business days.
- The notice will include: the nature of the breach, what data was affected, what we are doing about it, and how you can protect yourself.
14.2 Methods of Notification
We will notify you via: email to the address registered on your account, notification within the Platform, and in serious cases — also through public announcement.
15. Marketing Communications
15.1 Consent
Marketing emails and newsletters are sent only based on your explicit consent. Consent is obtained during registration or through your account settings.
15.2 Withdrawal of Consent
You may unsubscribe from marketing communications at any time — via the "unsubscribe" link at the bottom of each marketing email, or through your account settings.
15.3 Non-Marketing Emails
Emails related to service operation (registration confirmations, exchange notifications, renewal reminders) do not require consent and will be sent as long as your account is active.
16. Changes to This Policy
Swapli may update this Privacy Policy from time to time. Material changes will:
- Be published on the website at least 30 days before taking effect.
- Be communicated by email to all registered Members.
Upon your next login to the Platform following an update, you will be prompted to approve the updated Policy. You cannot continue using the Platform without providing your approval. Once approved, the updated Policy takes effect immediately.
If you do not agree with changes, you may cancel your membership and close your account.
17. Filing Complaints
In the Netherlands:
- Autoriteit Persoonsgegevens (AP) — Dutch Data Protection Authority
- Website: www.autoriteitpersoonsgegevens.nl
In Israel:
- The Privacy Protection Authority — Ministry of Justice
- Website: www.gov.il/he/departments/the_privacy_protection_authority
18. Prevailing Language
This Privacy Policy is available in Hebrew and in English. In the event of any conflict or inconsistency between the versions, the Hebrew version shall prevail.
19. Contact
Data Protection Officer (DPO): Daniel, Founder of Swapli
Email: dpo@swapli.net
- Privacy questions: privacy@swapli.net
- Security reports: security@swapli.net
- Legal questions: legal@swapli.net
- General support: support@swapli.net
Swapli by Webguy BV
Rokin Business Center, Rokin 92, 1012 KZ Amsterdam, The Netherlands
Registration Number: KVK (COC) 72381647
© 2026 Swapli by Webguy BV. All rights reserved.
What's new in this version
Partial address only (country+city), KYC retention 1 year, section 9.8 rewrite (automated decisions), Swapli does not retain residential address from ID