Privacy Policy

Swap-Pam ("we", "our", "us") operates a gadget exchange marketplace. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website or use our platform.

We are committed to protecting your privacy in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable, the California Consumer Privacy Act (CCPA), and other relevant regulations.

By using Swap-Pam, you consent to the practices described in this Privacy Policy.

We collect the following categories of personal data:

Account Information

• Full name, username, and email address
• Password (stored as a bcrypt hash — never in plain text)
• Phone number and location (optional, provided by you)
• Profile bio and avatar colour preference

Transaction Data

• Gadgets you list, including photos, descriptions, and estimated value
• Swap requests sent and received
• Messages exchanged with other users
• Swap completion history

Technical Data

• IP address and approximate geographic location
• Browser type, operating system, and device type
• Pages visited, time on site, and referring URLs
• Session tokens and authentication data

Store Account Data (if applicable)

• Business name, description, and address
• KYC/identity verification documents (stored securely)
• Store approval status and audit history

Communications

• Support messages and contact form submissions
• Notification preferences and read status

We use your personal data for the following purposes:

• Account management — Creating and maintaining your account, verifying your identity, and authenticating logins.
• Platform operation — Facilitating gadget listings, swap requests, and user-to-user messaging.
• Security — Detecting fraud, abuse, and unauthorised access. Logging security events to protect you and the platform.
• Communications — Sending transactional emails (password resets, swap notifications, verification links) and important platform updates.
• Customer support — Responding to your enquiries and resolving disputes.
• Legal compliance — Meeting obligations under applicable laws, including record-keeping and responding to lawful requests from authorities.
• Analytics — Understanding how users interact with the platform to improve features and performance (using anonymised or aggregated data where possible).

We rely on the following legal bases for processing (GDPR Art. 6): contract performance, legitimate interests, legal obligation, and consent (where explicitly given).

We do not sell, rent, or trade your personal data. We may share data in the following limited circumstances:

• With other users — Your public profile (username, avatar, rating, listings) is visible to other users. Private messages are visible only to sender and recipient.
• Service providers — We may share data with trusted third-party vendors who help us operate the platform (e.g., email delivery, hosting, analytics). These providers are contractually bound to protect your data.
• Legal requirements — We may disclose your data if required by law, court order, or to protect the rights, property, or safety of Swap-Pam, our users, or the public.
• Business transfers — In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you via email and/or a prominent notice on our platform.

Swap-Pam uses cookies and similar tracking technologies to operate the platform and improve your experience.

Types of cookies we use:

• Essential cookies — Required for the platform to function (session management, CSRF protection, login state). Cannot be disabled.
• Preference cookies — Store your settings such as dark/light theme preference.
• Analytics cookies — Help us understand site usage patterns (anonymised). You may opt out.

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain platform features.

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

• Active accounts — Data retained for the duration of your account.
• Closed accounts — Data anonymised or deleted within 90 days of account closure, except where retention is required by law.
• Security logs — Retained for up to 12 months to investigate incidents.
• Legal holds — Data subject to legal proceedings may be retained until resolution.

KYC and identity documents are retained for the minimum period required by applicable law, after which they are securely deleted.

We implement industry-standard security measures to protect your personal data, including:

• TLS/HTTPS encryption for all data in transit.
• bcrypt hashing for all stored passwords.
• CSRF token protection on all forms.
• Rate limiting on authentication and sensitive endpoints.
• Prepared statements (PDO) to prevent SQL injection.
• Regular security audits and access controls.
• Session management with IP binding and token rotation.

Despite these measures, no system is 100% secure. If you believe your account has been compromised, contact us immediately at malum.herman@gmail.com.

Depending on your location, you may have the following rights regarding your personal data:

• Access — Request a copy of the personal data we hold about you.
• Rectification — Request correction of inaccurate or incomplete data.
• Erasure — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Restriction — Request that we restrict processing of your data in certain circumstances.
• Portability — Receive your data in a structured, commonly used, machine-readable format.
• Objection — Object to processing based on legitimate interests or direct marketing.
• Withdraw consent — Where processing is based on consent, withdraw it at any time without affecting prior processing.
• Opt out of sale (CCPA) — California residents may opt out of the sale of personal information. We do not sell personal information.

To exercise any of these rights, contact us at malum.herman@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Swap-Pam is not directed at, and we do not knowingly collect personal data from, individuals under the age of 18.

If we become aware that we have collected personal data from a child under 18 without verifiable parental consent, we will take steps to delete that data promptly.

If you believe a child has provided us with personal data, please contact us at malum.herman@gmail.com and we will investigate immediately.

If you are accessing Swap-Pam from outside the country where our servers are located, your data may be transferred internationally.

Where we transfer data outside the European Economic Area (EEA) or other regions with data protection laws, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Transfers to countries with an adequacy decision.
• Other legally approved transfer mechanisms.

The Platform may contain links to third-party websites, services, or resources. This Privacy Policy applies only to Swap-Pam and we are not responsible for the privacy practices of any third-party sites.

We encourage you to review the privacy policies of any third-party services you access through our platform.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Send an email notification to registered users for significant changes.
• Display a notice in the platform dashboard.

Your continued use of Swap-Pam after any changes constitutes your acceptance of the updated Privacy Policy. We recommend reviewing this page periodically.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK, or the CNIL in France).