Privacy Policy

1. Data Controller Identity and Scope

Until the incorporation of a dedicated legal entity, the entity responsible for the processing of your personal data (the “Data Controller”) is Emanuele Cresta (operating commercially under the brand name SWOOPP), with Spanish Tax Identification Number (NIE/NIF) Y8922606T and registered tax address at Calle La Placita 149, Chayofa, Santa Cruz de Tenerife, Spain.

SWOOPP is not legally required to appoint a Data Protection Officer (DPO). For any privacy-related inquiries, you can contact us at privacy@swooppapp.com.

Age Restriction: SWOOPP is not intended for individuals under the age of 18. We do not knowingly collect personal data from children.

2. Information We Collect

Certain personal data is required to provide our services. Failure to provide such data may prevent us from creating an account or delivering requested exchange quotations. We collect:

• Account and Registration Data: Full name, email address, password (hashed using industry-standard cryptographic algorithms), and profile preferences.
• Identity and Verification Data (B2B Users Only): For currency exchange offices registering on our platform, we collect official ID documents, corporate registration data, and biometric/video verification data (processed via partners like Sumsub) for mandatory KYC/KYB compliance.
• Geolocation Data: Real-time GPS location data is collected only while the application is in use and only after explicit consent via your device settings. It is processed in real time to identify nearby exchange offices and is not retained after the search unless required for security.
• Financial and Transactional Interest Data: Currencies searched, amounts queried, and interactions with exchange rates.
• Technical and Usage Data: IP address, device type, operating system, and app usage analytics.

3. Purposes of Processing

Your personal data is processed for the following specific purposes:

• To operate, maintain, and provide the core functionalities of the Swoopp application.
• To manage your user account and provide customer support.
• Market Analysis and Aggregation: Based on our legitimate interest, aggregated and anonymized statistical information may be used for market analysis and business intelligence. This data does not allow for user re-identification.
• Targeted Offers (Subject to Consent): Based on your explicit consent, we may share the requested currency pair, approximate location area, and requested amount with selected exchange partners solely for the purpose of obtaining quotes. Your name, email address, and other direct identifiers are not shared unless you expressly authorize such disclosure.
• Compliance: Where required by applicable law or where necessary to comply with the requirements of regulated financial partners.

4. Legal Basis for Processing (GDPR)

In accordance with Article 6 of the General Data Protection Regulation (GDPR), our processing is based on:

• Contractual Necessity: Processing is necessary to provide the services requested by you.
• Consent: Your explicit consent is required for GPS location tracking, targeted marketing, and non-essential analytics.
• Legal Obligation: Compliance with anti-money laundering (AML), know-your-customer (KYC), know-your-business (KYB), and other applicable regulatory requirements.
• Legitimate Interest: To detect fraud, secure our systems, prevent abuse, and improve the functionality and reliability of our services, as well as to conduct anonymized market analysis.

5. Data Sharing and Disclosure

We do not sell your personally identifiable information. We only share data with:

• Commercial Partners: Associated exchange offices (only where you have provided consent). Important: Exchange partners act as independent data controllers with respect to any personal data subsequently provided directly by users to such partners.
• Service Providers: Third-party vendors who assist us (e.g., AWS, Google Cloud, Firebase, and Sumsub). These providers may process limited technical or verification information on our behalf under strict Data Processing Agreements.
• Legal Authorities: When required by law, legal process, or to establish, exercise, or defend legal claims.

6. Automated Decision-Making

SWOOPP does not make decisions producing legal or similarly significant effects solely through automated processing or profiling.

7. Cookies and Analytics

Our platform utilizes tracking technologies and third-party SDKs (such as Google Analytics and Firebase) to monitor performance. Non-essential tracking is subject to your explicit consent via our consent management interface/settings within the app. For detailed information, refer to our separate Cookie Policy.

8. International Data Transfers

Your data is primarily stored on servers located within the European Economic Area (EEA). If we transfer data to service providers outside the EEA, we ensure adequate safeguards (e.g., Standard Contractual Clauses) are in place.

9. Data Retention and Account Deletion

We retain your personal data based on the following criteria:

• Active Account Data: Retained for the duration of your active relationship with us.
• Identity Verification Records (B2B): Retained for the period required by applicable legal and regulatory AML obligations (typically up to 10 years under European law).
• Support and Technical Logs: Retained for 12 to 24 months.
• Marketing Data: Retained until you withdraw your consent. When data is no longer needed, it is securely deleted or anonymized.

Account Deletion: Users may request account deletion at any time through the application settings or by contacting privacy@swooppapp.com. Upon deletion, personal data will be erased unless retention is required by law, regulatory obligations, fraud prevention requirements, or the establishment, exercise, or defense of legal claims.

10. Data Security Measures

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit, access controls, secure authentication mechanisms, and regular monitoring of our systems.

11. Your Data Protection Rights

Under the GDPR, you have the following rights:

• Access, Rectify, and Erase:You may request access to, correction, or deletion of your data (“Right to be forgotten”).
• Restrict or Object: You may restrict or object to certain processing activities.
• Data Portability: You have the right to receive your data in a structured format.
• Withdrawal of Consent: You may withdraw consent at any time through the application settings or by contacting privacy@swooppapp.com.
• Right to Complain: You have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD — Agencia Española de Protección de Datos) or with the supervisory authority in your country of residence.

To exercise any of these rights, please email privacy@swooppapp.com.

12. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy periodically. Significant changes will be communicated via the app or email.