Privacy Policy

1. Introduction

SWAY ("we," "us," or "our") operates the SWAY platform (sway.app). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service. We are committed to protecting your privacy and handling your data transparently.

2. Information We Collect

2.1 Information You Provide

• Account information: Email address, password (hashed — we never store plaintext passwords), and display name.
• Profile information: Name, date of birth, gender, bio, and photos you upload.
• Preferences: Character preferences (gender, age range, ethnicity, personality type), interests, and what you're looking for.
• Conversation content: Messages you send to AI characters.
• Payment information: Processed securely by Stripe. We do not store your credit card number, CVC, or full card details on our servers.

2.2 Information Collected Automatically

• Usage data: Pages visited, features used, conversation activity, timestamps.
• Device data: Browser type, operating system, screen resolution, and timezone.
• Cookies: Essential cookies for authentication and session management. See our Cookie Policy.

2.3 AI-Extracted Memories

For paid subscribers, our AI may extract and store "memories" — key facts and preferences you share in conversations (e.g., "likes hiking," "has a dog named Max"). These memories improve conversation continuity across sessions. You can request deletion of all memories at any time.

3. How We Use Your Information

• To provide the Service: Power AI conversations, maintain conversation history, and personalize your experience.
• To process payments: Manage subscriptions and billing through Stripe.
• To improve the Service: Analyze usage patterns (in aggregate) to improve features and fix issues.
• To communicate with you: Send service-related emails (account verification, password resets, subscription updates, re-engagement nudges).
• To ensure safety: Detect and prevent abuse, fraud, and violations of our Terms of Service.

4. How We Share Your Information

We do not sell your personal information. We share data only with:

• OpenAI: Your messages are sent to OpenAI's API to generate AI responses. OpenAI processes this data under their API data usage policy, which states that API inputs are not used to train their models.
• Stripe: Payment processing. Stripe handles your payment data under their own privacy policy.
• Supabase: Database and authentication hosting. Data is stored on Supabase's infrastructure.
• Resend: Transactional email delivery (account verification, password resets, notifications).
• Vercel: Web application hosting.
• Law enforcement: Only when required by law, subpoena, or court order.

5. Data Retention

• Active accounts: We retain your data for as long as your account is active.
• Deleted accounts: When you delete your account, we permanently delete your profile, conversations, messages, memories, swipes, and stored files. This process is immediate and irreversible.
• Stripe records: Payment records may be retained by Stripe per their retention policy and legal requirements.
• Backups: Deleted data may persist in encrypted database backups for up to 30 days before being purged.

6. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data. You can export your data from Settings.
• Correction: Update your profile information at any time through your account settings.
• Deletion: Delete your account and all associated data from Settings > Danger Zone.
• Portability: Export your data in a machine-readable format (JSON) from Settings.
• Objection: Opt out of non-essential communications (nudge emails) via the unsubscribe link in any email.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, visit your account settings or contact us at privacy@sway.app.

7. Data Security

• All data is transmitted over HTTPS/TLS encryption.
• Passwords are hashed using bcrypt — we never store plaintext passwords.
• Database access is restricted through Row Level Security (RLS) policies — users can only access their own data.
• API endpoints require authentication and verify resource ownership.
• Payment data is handled entirely by Stripe (PCI DSS compliant) and never touches our servers.

While we implement industry-standard security measures, no system is 100% secure. If you discover a security vulnerability, please report it to security@sway.app.

8. Children's Privacy

SWAY is not intended for anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a person under 18, we will delete it immediately.

9. International Data Transfers

Your data may be processed in the United States, where our servers and service providers are located. By using SWAY, you consent to the transfer of your data to the United States. We ensure that our service providers maintain appropriate data protection standards.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top reflects the most recent revision.

11. Contact Us

For privacy-related questions or to exercise your data rights, contact us at:

• Email: privacy@sway.app
• General: support@sway.app