Privacy Policy
How we collect, use, and protect your personal information
Effective Date: November 3, 2025
Our Commitment to Privacy
At SWIP, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, and safeguard your data.
1. Information We Collect
Account Information
When you create an account:
- Name: Optional display name
- Email Address: For authentication and notifications
- User ID: Unique identifier (automatically generated)
Biometric Data (via API)
When you submit wellness sessions through our API:
- Heart Rate (HR): Array of heart rate measurements
- RR Intervals: Time between heartbeats
- HRV Metrics: SDNN and RMSSD values
- Emotional State: Self-reported emotion
- Session Duration: Time spent in wellness activity
- Device Info: Wearable type and OS (optional)
Automatically Collected
- IP Address: For rate limiting and security
- User Agent: Browser/device information
- Timestamps: When you access the service
- API Usage: Endpoint calls and request patterns
Cookies
We use minimal cookies for:
- Authentication: Session management
- Preferences: UI settings
- Analytics: Anonymized usage statistics
2. How We Use Your Information
Primary Uses
✅ Service Delivery: Calculate SWIP scores and provide analytics
✅ Leaderboards: Display app rankings (anonymized)
✅ Developer Portal: Manage apps and API keys
✅ Performance: Monitor and improve service quality
We Do NOT:
❌ Sell your data to third parties
❌ Use your data for advertising
❌ Share identifiable info without consent
❌ Track you across other websites
3. Data Sharing & Disclosure
We Never Sell Your Data
Your personal information is never sold, rented, or traded.
Limited Sharing
We may share data only in these cases:
Service Providers:
- Database hosting (Vercel/PostgreSQL)
- Authentication services (Better Auth)
- Email delivery (if applicable)
Legal Requirements:
- Court orders or subpoenas
- Law enforcement requests
- Protection of legal rights
Business Transfers:
- Mergers or acquisitions (with 30 days' notice)
Aggregated Data:
- Anonymized analytics for research
- Industry reports (no personal info)
4. Data Security
Security Measures
🔒 Encryption:
- TLS 1.3 for data in transit
- AES-256 for data at rest
- Bcrypt hashing for API keys
🛡️ Access Controls:
- Role-based permissions
- Multi-factor authentication (where available)
- Regular security audits
⚙️ Infrastructure:
- Secure cloud hosting
- Regular backups
- DDoS protection
Breach Notification
In case of a data breach:
- Affected users notified within 72 hours
- Authorities notified as required by law
- Immediate remediation steps taken
5. Your Rights
Data Access & Control
You have the right to:
Access 📥
Request a copy of all your personal data
Rectification ✏️
Correct inaccurate information
Deletion 🗑️
Request deletion of your account and data
Portability 📤
Export data in JSON format
Restriction ⏸️
Limit how we process your data
Objection 🚫
Object to certain data processing
How to Exercise Rights
- Log in to your account
- Go to Profile Settings
- Use data export/deletion tools
- Or contact: privacy@swip.synheart.io
6. Data Retention
Retention Periods
| Data Type | Retention Period |
|---|---|
| Account Information | While account is active |
| Session Data | Until account deletion |
| API Logs | 90 days |
| Security Logs | 1 year |
| Backups | 30 days |
After Account Deletion
- Immediate: Account access disabled
- 7 days: Data marked for deletion
- 30 days: Permanent deletion from live systems
- 90 days: Deletion from backups
7. Compliance
Regulatory Compliance
We comply with:
🇪🇺 GDPR (General Data Protection Regulation)
- Right to be forgotten
- Data portability
- Privacy by design
🇺🇸 CCPA (California Consumer Privacy Act)
- Do not sell personal info
- Right to deletion
- Transparency in data use
🏥 HIPAA Considerations
- Biometric data handled securely
- De-identification where appropriate
- Not a covered entity (consult your compliance)
8. International Transfers
Data Location
Data may be processed in:
- United States (primary)
- European Union (if applicable)
- Other regions with adequate protection
Safeguards
- Standard Contractual Clauses (SCCs)
- Privacy Shield frameworks
- Encryption in transit and at rest
9. Children's Privacy
🚸 Age Requirement: 18+ only
We do not:
- Knowingly collect data from children under 13
- Target children with our services
- Allow account creation by minors
If we learn a child has provided data, we delete it immediately.
10. Third-Party Services
Authentication Providers
We use:
- Google OAuth: For sign-in (governed by Google's privacy policy)
- GitHub OAuth: For sign-in (governed by GitHub's privacy policy)
Data Processors
- Vercel: Hosting and deployment
- PostgreSQL: Database storage
- Redis: Caching (optional)
Each processor has appropriate data protection agreements.
11. Your Choices
Communication Preferences
- Email notifications: Opt-in/opt-out in settings
- Product updates: Unsubscribe anytime
- Security alerts: Cannot opt out (critical)
Cookie Management
- Essential cookies: Required for service
- Analytics cookies: Optional (disable in browser)
- Third-party cookies: Minimal (auth providers)
Data Deletion
Delete your data by:
- Account Settings → Delete Account
- Email: privacy@swip.synheart.io
- Automatic after 2 years of inactivity
12. Updates to This Policy
Change Notification
We notify you of material changes via:
- ✉️ Email to registered address
- 📢 Dashboard banner notification
- 📄 Updated policy with change log
Effective Date
Changes take effect 30 days after notification. Continued use constitutes acceptance.
13. Contact Us
Privacy Questions
📧 Email: privacy@swip.synheart.io
🌐 Website: https://swip.synheart.io/privacy
📍 Mail: SWIP Privacy Team, 123 Wellness St, San Francisco, CA 94105
Data Protection Officer
For GDPR inquiries: dpo@swip.synheart.io
14. Transparency Report
We publish annual transparency reports detailing:
- Government data requests
- Data breach incidents
- Policy changes
- User rights requests
Last Updated: November 3, 2025
Version: 1.0
Next Review: February 3, 2026