Skip to content
Swiva wordmark

Legal

Privacy Policy

This privacy policy explains which personal data we process when you use the swiva.app website and the Swiva mobile app, on what legal basis, and which rights you have. It applies in addition to any product-specific notices within the app.

Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG) is:

Daniel Studera, Schröttergasse 41/4/5, 1100 Vienna, Austria

Email: daniel.studera@swiva.app

A data protection officer is not required by law and has not been appointed.

Scope

This policy applies to the swiva.app website and to the Swiva mobile app (iOS and Android). Points that apply only to the app are labelled accordingly.

Rights of data subjects

Under Articles 15 to 22 GDPR you have the right of access, rectification, erasure, restriction of processing, data portability and objection to processing based on Art. 6(1)(f) GDPR. You may withdraw any consent you have given at any time with effect for the future.

Requests can be submitted informally by email to daniel.studera@swiva.app. We usually acknowledge receipt within a few days and respond no later than one month. We may ask for additional information if necessary to verify your identity.

Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority. The competent authority is in particular the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna (dsb.gv.at). Users in Germany can contact the state data protection authority of their place of residence; users in Switzerland can contact the Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch).

Website hosting (Cloudflare Pages)

The website is served as a static site through Cloudflare Pages, operated by Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. When the site is accessed, technically necessary server log data is processed (IP address, date and time, requested resource, transferred data volume, browser type and version, operating system, referrer, status code, security events).

The legal basis is Art. 6(1)(f) GDPR. The legitimate interest is the secure, stable and abuse-free delivery of the website. Cloudflare may also process data in the USA; according to its own statements, Cloudflare relies on EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR for such transfers.

For shared content (e.g. profile links at swiva.app/u/<username> as well as list and activity share links), the website additionally runs server-side functions at Cloudflare. These process the requested path and link parameters (e.g. the profile username, the share token or the list identifier of the shared content) as well as the browser's language preference (Accept-Language) and retrieve the publicly visible preview data server-side from the Swiva API in order to generate link previews. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in functional link previews).

Cloudflare Web Analytics

The website may use Cloudflare Web Analytics to collect aggregated usage and performance statistics (page views, Web Vitals, referrers, approximate country-level location). According to Cloudflare, the product does not use cookies or fingerprinting mechanisms, is not intended to track visitors across sites, and does not identify individuals.

The legal basis is Art. 6(1)(f) GDPR; the legitimate interest is the data-minimising measurement of reach and technical quality.

Language preference (local storage)

The language you select is stored only locally in your browser (LocalStorage) so that the choice is re-applied on a subsequent visit. This is a technically required value with no tracking purpose. The legal basis is Art. 6(1)(f) GDPR and § 165(3) of the Austrian Telecommunications Act 2021 (storage strictly necessary for the requested service).

Account and authentication (app)

Using the app requires a personal account. Depending on the chosen method, we process your email address, password (stored only as a hash), display name, language preference and technical session tokens during registration. Profile attributes such as age range, gender and region are optional and voluntary.

Alternatively, you can sign in via third-party providers (Sign in with Apple or Sign in with Google). These providers transmit a pseudonymous identifier and, where available, your name and email address to Swiva. The exact scope depends on the settings you have configured with the respective provider.

To secure and manage your session, we also process a randomly generated device identifier, user-agent information, login timestamps, token versions and session status. Sessions are issued as signed tokens with a limited lifetime that you can revoke in the device settings. The legal basis is Art. 6(1)(b) GDPR (performance of a contract and pre-contractual measures).

Profile, avatars and uploads (app)

You can upload an avatar image or choose a pre-built avatar preset. Uploaded images are re-encoded server-side to reduce metadata – EXIF data is removed in the process – and stored in the backend provider's object storage. Avatar images are accessible via a pseudonymised URL.

Public profiles may show your username, display name, profile picture, pronouns, short bio and the profile interest you selected.

The legal basis is Art. 6(1)(b) GDPR.

Activities, lists and sharing (app)

The app's core feature is creating and organising activities and lists. We process the content you enter (title, description, categories, tags, stored links), timestamps, visibility status (private or public) and, where applicable, editing rights shared with other accounts.

If you make lists publicly available, the items in the list as well as public profile details such as your username, display name, profile picture, pronouns and profile interest are visible to other users. The legal basis is Art. 6(1)(b) GDPR.

If you share an individual activity by link, its title may be visible in a link preview (for example in messaging apps), even if the associated list is private. Signed-in persons with that link can view the individual activity, including its contents, as well as the name and category of the associated private list in the app; the link does not provide access to the remaining contents of the private list. The legal basis is Art. 6(1)(b) GDPR.

Profile links and public profile view

Every profile can be reached via a public profile link (swiva.app/u/<username>). Anyone with this link – including people without a Swiva account – can see the public profile details: username, display name, profile picture, pronouns, short bio, profile interest and the number of your publicly visible lists and activities. Pronouns and the short bio are voluntary details that you can change or remove in your profile at any time. Your email address and other account data are not accessible via the profile link.

Profile links can be shared by you, but also by other users. In link previews (for example in messaging apps), your display name, username and short bio may become visible; messaging and platform providers may cache these previews according to their own rules, which is beyond our control.

As safeguards, profile pages are marked noindex for search engines, the underlying lookup is rate-limited, and accounts pending deletion or suspended accounts cannot be retrieved. The legal basis is Art. 6(1)(b) GDPR (provision of the profile and sharing features) and – for displaying the preview to persons who are not signed in – Art. 6(1)(f) GDPR (legitimate interest in functional shared links).

Link import / Smart Import (app)

If you share content from other apps (e.g. TikTok, Instagram, browsers, maps) into Swiva, we temporarily process the transmitted URL or shared text in order to create the activity. Raw shared content is stored in a staging area (Pending Share) and automatically deleted after 15 minutes unless you confirm it and save it into a list before then.

The legal basis is Art. 6(1)(b) GDPR.

Link enrichment (oEmbed and OpenGraph)

To display previews, Swiva retrieves the shared URLs server-side, evaluates publicly available OpenGraph or oEmbed metadata (title, description, preview image, possibly author) and stores this metadata to display in the context of the activity. At the time of retrieval, the original URL is shared with the third party it points to (e.g. Instagram, TikTok, YouTube). We have no influence on their processing.

The legal basis is Art. 6(1)(b) GDPR.

Google Maps and map short links (app)

Shared Google Maps or map short links are resolved server-side to display the linked location as a title. The current implementation does not use the Google Places API; only publicly available metadata of the target URL is processed. Any future integration of additional map APIs will only take place after this privacy policy has been updated accordingly.

AI-assisted suggestions (app)

During Smart Import, shared texts, descriptions and metadata may be passed to AI models in order to generate structured activity drafts. We use Google Gemini (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) and – where available – Apple Intelligence (Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland).

To our knowledge, the data passed to these providers is not used to train generic models where the respective enterprise or API mode prohibits this. Swiva does not persist the submitted inputs or the raw model responses; only the activity draft you confirm is stored. The legal basis is Art. 6(1)(b) GDPR.

Product analytics (PostHog, opt-in)

If you consent to product analytics, we process usage events (e.g. screens viewed, actions triggered, errors), technical event parameters and a pseudonymous user identifier via PostHog. The provider is PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA.

Processing only takes place upon your explicit consent via the in-app banner. The legal basis is Art. 6(1)(a) GDPR. You may withdraw your consent at any time in the privacy settings of the app. The lawfulness of processing prior to withdrawal remains unaffected.

Feedback (website and app)

You can send us feedback via the feedback form on the website and the feedback feature in the app. We process the category, message and platform as well as – voluntarily – your email address for follow-up questions; for feedback sent from the app, additionally your username and the app version.

The submission is handled by a server-side function at Cloudflare; the feedback is stored in a database at Notion (Notion Labs, Inc., 2300 Harrison Street, San Francisco, CA 94110, USA). Notion may process data in the USA; the transfer is based on the EU-US Data Privacy Framework or Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in improving the product and handling feedback) or Art. 6(1)(b) GDPR where your feedback concerns a support request relating to your account. Feedback entries are deleted once they have been handled and are no longer required.

Push notifications

If you enable push notifications, we process device information (device identifier, platform, app version, language, permission status, project identifier and a push token issued by the platform operator) as well as the content, delivery status and delivery timestamp of the notifications.

Delivery takes place via Expo Push (Expo, USA), the Apple Push Notification Service (Apple Inc.) and Firebase Cloud Messaging (Google Ireland Limited). The legal basis is Art. 6(1)(a) GDPR (consent via the operating system dialog).

Backend infrastructure

App data is processed in a MongoDB database, a Redis cache and an object storage service for media files, operated through Railway Corp., 539 W Commerce St #1413, Dallas, TX 75208, USA. All resources are deployed in a Railway EU region, so processing of content data takes place within the EU. To the extent that administrative access or support is provided by Railway from the United States, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR apply.

Logs and security

For security reasons, technical events and errors are logged server-side, in particular request IDs, timestamps, status codes, error codes and technical context data. We additionally apply standard measures such as HTTP security headers (Helmet), CORS, rate limiting and audit logs for security-relevant operations. Logs are routinely deleted no later than 30 days after creation, unless there are specific indications of misuse, security incidents or legal claims.

The legal basis is Art. 6(1)(f) GDPR (protecting the platform from abuse).

Recipients and third-country transfers

Your data is transmitted only to the extent necessary for the respective purpose. Recipients may include in particular: Cloudflare (hosting / CDN / analytics), Apple and Google (OAuth and push), Expo (push), Microsoft (transactional email delivery), Google Gemini and Apple Intelligence (AI), PostHog (analytics, opt-in), Notion (feedback), Railway, MongoDB and object storage (backend infrastructure).

Where recipients process personal data outside the EU/EEA, transfers are based on adequacy decisions (e.g. the EU-US Data Privacy Framework, where the recipient is certified) or on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, supplemented by additional safeguards where necessary.

Retention periods

Personal data is stored only for as long as required for the relevant purposes or as required by statutory retention obligations. The following periods apply in particular:

Pending Shares: 15 minutes. Swipe history: 180 days. Transactional emails: usually 3 to 14 days. In-app notifications and delivery records: usually 30 days. Server logs: usually 30 days. Sessions: until expiry or revocation.

Account, profile, list, activity, report and block data is generally stored until account deletion or until the relevant purpose has been fulfilled. After account deletion, directly attributable account, profile, list and activity data is removed from active systems. Individual security, moderation, abuse-prevention and delivery records may be stored for longer where this is necessary for platform security, processing reports or establishing, exercising or defending legal claims. Technical backup copies are overwritten as part of the applicable backup rotation.

Account deletion and grace period

You can delete your account at any time in the app settings. Once deletion is initiated, a grace period of 7 days begins during which you can reverse the deletion by signing in again. After the period expires the account is permanently deleted; your own lists and activities are removed. Content that other users previously added to their own lists remains there as their independent content.

No automated decisions with legal effect

No automated decision-making within the meaning of Art. 22 GDPR takes place. AI-assisted suggestions are drafts that are only stored after you confirm them.

Changes to this privacy policy

We update this policy when features, providers or the legal framework change. The current version is always available at swiva.app/datenschutz.

Last updated: 2 July 2026.

Swiva wordmark

Collect ideas. Swipe. Just go.

PrivacyTermsImprintDelete data
InstagramTikTok

© 2026 Swiva.