Privacy Policy

We collect only what we need. Collection happens progressively across the onboarding steps:

• Creator signup (step 1)Email (single-use sign-in code) or OAuth token (Discord), the public pseudonym you choose, preferred language, terms acceptance with timestamp and IP address. Goal: open your account, authenticate you. No password is stored; no fiscal or banking data at this stage.
• Creator fiscal and billing data (collected progressively during onboarding)Collected progressively during onboarding, and at the latest before your first payout: first and last name, date of birth, fiscal residence country, then place of birth, nationality, full address, phone, tax identification number (TIN / SIRET / foreign equivalent), VAT number if applicable, and bank details (IBAN/BIC or local equivalent). Goal: DAC7 fiscal reporting (Directive 2021/514), invoice generation (Article 242 nonies A of French Tax Code Annex II).
• Creator Stripe onboarding (step 3)Identity document (KYC collected and held directly by Stripe, not by Swiplay), selfie, full address, tax status. Goal: open your Stripe Connect Express account so we can pay you.
• Studio onboardingLegal name, commercial name, SIRET / registration number / VAT number, country, full address, billing email, legal representative (name, role, business contact details), which our team may complete from the official public registers. Goal: business verification against the official public registers, invoice generation.
• Technical dataIP address, user agent, session logs, consent timestamps, security events. Goal: account security, fraud prevention, proof of consent (article 7.1 GDPR).
• Social platform statistics (creators)When you link a social account, we collect the username you provide, the account's public identifier and its public statistics (followers, profile picture). Swiplay then reads the public statistics (views, likes, comments) of the videos you publish as part of campaigns, via the public APIs made available by the social platforms or via internal tracking tools. No private account data is consulted. See section 4 for the detail.
• Submitted campaign contentThe videos you submit to campaigns and their metadata (link, title, description, public statistics) along with a text transcription derived from the audio, generated by an internal tool to verify the brief is respected. Transcription takes place within the European Union. The text may then be machine-translated through a specialised translation service (see section 4).

• Operating the platform (account, authentication, campaign participation, earnings calculation): performance of contract (article 6.1.b GDPR).
• Payment processing and self-billing mandate: performance of contract + legal obligation (article 6.1.b and 6.1.c GDPR; Article 242 nonies A of French Tax Code Annex II).
• Mandatory tax reporting (DAC7, DAS2 and related VAT filings): legal obligation (Directive EU 2021/514, Articles 1649 ter A and 240 of the French Tax Code).
• Identity verification of Creators (performed by our payment provider), verification of partner studios and screening against international sanctions: performance of contract, legal obligation (EU sanctions regulations) and legitimate interest (articles 6.1.b, 6.1.c and 6.1.f GDPR).
• Fraud prevention and platform security: legitimate interest (article 6.1.f GDPR).
• Product newsletters and marketing emails: consent (article 6.1.a GDPR), opt-in only, revocable at any time from your settings.
• Verification and translation of submitted campaign content (transcription and analysis of the videos you submit, to check the brief is respected): performance of contract and legitimate interest (articles 6.1.b and 6.1.f GDPR).

Different categories have different retention rules:

• Fiscal / DAC7 data5 years from the reporting reference year (DAC7 obligation), even after account deletion. This retention overrides the right to erasure.
• Accounting / invoicing data10 years (Article L123-22 of French Commercial Code).
• Marketing dataYour marketing preference is an opt-in setting on your account: on opt-out, sending stops immediately. Email delivery events (delivered, opened, clicked) are kept for deliverability monitoring for the duration of the account.
• Logs and security eventsOperational logs: 90 days. Security events: 5 years (forensic reconstruction). Financial events: 6 to 10 years (statutory accounting and tax obligations).
• Consent ledgerKept for the duration of the contractual relationship, then for the applicable limitation period, as proof of consent (article 7.1 GDPR).

We only share data with carefully selected processors or public authorities:

• Stripe Technology Europe Limited (Ireland)Payment processing, safeguarding, KYC, creator payouts, and collection of Studio campaign funds by bank transfer. Ireland is an EU member state (RGPD applies directly). Part of the identity verification may be processed in the United States by Stripe Inc. under the EU-US Data Privacy Framework (DPF).
• Hosting (EU)Application and database hosting in the EU. The hosting provider is identified on the legal-notice page.
• File storage (EU)Storage of studio logos, campaign assets, billing documents (invoices and self-billing invoices) and GDPR export archives on infrastructure located in the EU and operated by Swiplay. No transfer outside the EU.
• Email delivery (EU region)Transactional email is handled by a specialised provider operating in the EU region.
• Discord Inc. (United States) : OAuth sign-in (creators)Alternative OAuth sign-in for creator accounts; when signing in with Discord, your account may be automatically added to the Swiplay community server. Internal operational alerts (no banking data or identity documents) also transit through the team’s Discord channels. United States; transfer basis: EU-US Data Privacy Framework with Standard Contractual Clauses as subsidiary safeguard.
• Public video statistics collectionSwiplay automatically retrieves the public statistics (views, likes, comments) of the videos you publish as part of campaigns, via the public APIs made available by the social platforms or via internal tracking tools. No private data from your account is consulted.
• Error monitoring (United States)Server- and client-side error monitoring by a specialised provider. United States; transfer basis: EU-US Data Privacy Framework and EU Standard Contractual Clauses. PII is scrubbed before any payload leaves the browser; no cookie is set.
• Accounting platform (France)French accounting platform used for studio invoices, self-billing mandates (« 2 du I de l'article 289 du CGI ») and ledger entries. Data transferred: business name, SIREN, invoice amounts, partial bank details. France is an EU member state: GDPR applies directly.
• Appointment booking tool (United States)Booking tool used for studio onboarding calls. United States; transfer basis: EU-US Data Privacy Framework. The provider only receives data once you click through to its website.
• Machine-translation service (United States)The text transcription of submitted videos, and texts you ask to translate in the interface, may be machine-translated by a specialised translation provider. No account identifier or financial data is transmitted with the text. United States; transfer basis: EU-US Data Privacy Framework.
• TikTok Technology Limited (Ireland) : connected creator accountWhen you connect your TikTok account by OAuth, TikTok provides Swiplay with your public profile (display name, handle, avatar, follower count) and the list of your public videos with their public statistics (views, likes, engagement), under the scopes user.info.basic, user.info.profile and video.list. This data source is used only to measure the performance of your campaign submissions. Ireland is an EU member state (GDPR applies directly); part of the processing may take place in the United States under EU Standard Contractual Clauses.
• Meta Platforms Ireland Ltd (Ireland) : connected Instagram accountWhen you connect your Instagram business or creator account by OAuth, Meta provides Swiplay with your public business profile and the public insights of your account, under the scopes instagram_business_basic and instagram_business_manage_insights. This data source is used only to measure the performance of your campaign submissions. Ireland is an EU member state (GDPR applies directly); transfer basis for any US processing: EU-US Data Privacy Framework with Standard Contractual Clauses as subsidiary safeguard.
• Google Ireland Ltd (Ireland) : connected YouTube channelWhen you connect your YouTube channel by OAuth, Google provides Swiplay with your channel information and the analytics of your own channel, under the scopes youtube.readonly and yt-analytics.readonly. This data source is used only to measure the performance of your campaign submissions. Ireland is an EU member state (GDPR applies directly); transfer basis for any US processing: EU-US Data Privacy Framework with Standard Contractual Clauses as subsidiary safeguard.
• French public authoritiesAnnual DAC7 report to the French tax administration. SIRET/SIREN validation during studio onboarding is performed against the official public registers.

Non-EU transfers: when we transfer personal data outside the EU we rely either on an adequacy decision (EU-US Data Privacy Framework) or on standard contractual clauses approved by the European Commission. The full list of processors with their transfer basis is available on request at contact@swiplay.com.

Security of your data (article 32 GDPR): we apply technical and organisational measures appropriate to the risk, including TLS encryption of data in transit, encryption at rest of the most sensitive data (in particular your bank details used for payouts), strict access controls, and an immutable audit log of sensitive operations.

Under the GDPR you have the following rights, exercisable at contact@swiplay.com:

• Access: a copy of the data we hold about you.
• Rectification: correction of inaccurate data.
• Erasure: deletion of your account and the data we still hold. A deletion request is confirmed by a one-time code sent to your email, then opens a 14-day grace period during which any remaining balance is automatically paid out (provided an active payment account allows the transfer) before the account is closed; the request can be cancelled during this period. Erasure is limited by the DAC7 and accounting retention obligations listed in section 3 (we keep the legally required minimum for the legally required duration).
• Portability: a structured export of the data you provided.
• Objection: to processing based on our legitimate interest.
• Restriction: temporary freeze of processing while a dispute is resolved.
• Complaint: you may file a complaint with the French data protection authority (CNIL, www.cnil.fr) or the supervisory authority of your country of residence.

We respond to rights requests within one month, extendable once by two months for complex requests (article 12.3 GDPR).

The site uses only the minimum cookies strictly required for the service to function: authentication session cookie, CSRF protection, locale preference. No advertising, analytics, or tracking cookies are set.

Cookies and tracking

Essential cookies (no consent required): authentication session, CSRF token, locale preference (swiplay-locale). Multi-account switcher: `swiplay_wallet` stores the list of accounts you have previously signed into on this browser so you can switch quickly, and one `sp_sess_<userId>` cookie per account holds the encrypted session for that account (7-day lifetime, aligned with the session). If you arrive via a campaign invite link, a `swiplay_campaign_invite` cookie stores the invite reference for 7 days so it can be applied automatically to your account when you sign in. These cookies are strictly necessary for the service to operate and cannot be disabled.

No analytics or tracking cookie is set. Error monitoring (see section 4) runs on legitimate-interest grounds without dropping any cookie in your browser, so no consent banner is required.

No consent banner is shown because only strictly necessary cookies are set; you can clear these cookies from your browser at any time.

• What we accessWhen you connect a social account by OAuth, Swiplay accesses, with your consent, your public profile (display name, handle, avatar, follower count), the list of the videos you have published and their statistics (views, likes, engagement), and the aggregated, anonymized audience demographics your platform makes available to you about your own account and your own videos (audience age ranges, gender and geography). These demographics are aggregated viewer statistics; they never identify individual viewers. By platform: on TikTok, your basic profile, profile details and the list of your public videos with their public statistics (scopes user.info.basic, user.info.profile, video.list); on Instagram, your business or creator profile, its insights and your account-level audience demographics (scopes instagram_business_basic, instagram_business_manage_insights); on YouTube, your channel information and your channel and per-video analytics including viewer demographics (scopes youtube.readonly, yt-analytics.readonly). We never access private messages or private account data.
• Why we access itThis data is used solely to measure the performance of your campaign submissions and to display your statistics. It is never sold, never used for advertising, and never shared except with the studio of a campaign you joined (aggregate performance only) and our processors listed in section 4.
• Legal basisPerformance of the creator contract (article 6.1.b GDPR) and your consent (article 6.1.a GDPR): you explicitly connect each account and can disconnect it at any time from your settings.
• Retention and deletionThe access tokens and stored statistics are kept encrypted only while the connection is active. They are deleted when you disconnect the platform or when you delete your account (see the account-deletion flow described in section 5); for the connection itself, deletion is immediate. For Instagram and other Meta products, you can also trigger removal of your data through the data-deletion request mechanism Meta provides, which Swiplay honours via a dedicated data-deletion callback.
• Google API Services User Data Policy (Limited Use)Swiplay's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. When using YouTube API Services, you are also subject to the YouTube Terms of Service (https://www.youtube.com/t/terms) and the Google Privacy Policy (https://policies.google.com/privacy).

We may update this Privacy Policy. Any material change will be notified to you and is subject to a new explicit acceptance before you continue using the service.