Swiplay

Privacy Policy

How Swiplay collects, uses, shares, and protects your personal data, under the EU General Data Protection Regulation (GDPR) and the French Data Protection Act.

Data controller: SWIPLAY, a French simplified joint-stock company (SAS) with a share capital of €1,000, registered with the Paris Trade and Companies Register under number 105 120 455, registered office 138 avenue Victor Hugo, 75016 Paris (France), represented by its President Mohamed Hamdouni.

Data Protection contact: contact@swiplay.com

1. Data we collect

We collect only what we need. Collection happens progressively across the onboarding steps:

  • Creator signup (step 1): Email, password or OAuth token (Discord), preferred language, terms acceptance with timestamp and IP address. Goal: open your account, authenticate you. No fiscal or banking data at this stage.
  • Creator DAC7 data (step 2, on first earning): First and last name, date of birth, place of birth, nationality, fiscal residence country, full address, phone, tax identification number (TIN / SIRET / foreign equivalent), VAT number if applicable, IBAN. Goal: DAC7 fiscal reporting (Directive 2021/514), invoice generation (Article 242 nonies A of French Tax Code Annex II).
  • Creator Stripe onboarding (step 3): Identity document (KYC collected and held directly by Stripe, not by Swiplay), selfie, full address, tax status. Goal: open your Stripe Connect Express account so we can pay you.
  • Studio onboarding: Legal name, commercial name, SIRET / registration number / VAT number, country, full address, website, legal representative (name, role, email, phone, LinkedIn). Goal: KYB verification via SIRENE and VIES, compliance with Anti-Money Laundering Directive (AMLD), invoice generation.
  • Technical data: IP address, user agent, session logs, consent timestamps, security events. Goal: account security, fraud prevention, proof of consent (article 7.1 GDPR).
  • Social platform statistics (creators): Swiplay reads the public statistics (views, likes, comments) of the videos you publish as part of campaigns, via the public APIs made available by the social platforms or via internal tracking tools. No private account data is consulted. See section 4 for the detail.

2. Why we process your data (purposes and legal basis)

  • Operating the platform (account, authentication, campaign participation, earnings calculation): performance of contract (article 6.1.b GDPR).
  • Payment processing and self-billing mandate: performance of contract + legal obligation (article 6.1.b and 6.1.c GDPR; Article 242 nonies A of French Tax Code Annex II).
  • DAC7 fiscal reporting: legal obligation (Directive EU 2021/514, Article 1649 ter A of French Tax Code).
  • Anti-money laundering (KYC / KYB verification, suspicious transaction monitoring): legal obligation (Directive EU 2015/849 AMLD).
  • Fraud prevention and platform security: legitimate interest (article 6.1.f GDPR).
  • Product newsletters and marketing emails: consent (article 6.1.a GDPR), opt-in only, revocable at any time from your settings.

3. Retention

Different categories have different retention rules:

  • Fiscal / DAC7 data: 5 years from the reporting reference year (DAC7 obligation), even after account deletion. This retention overrides the right to erasure.
  • Accounting / invoicing data: 10 years (Article L123-22 of French Commercial Code).
  • Marketing data: 3 years from the last interaction (opening, click, login) if you have opted in; erased immediately on opt-out.
  • Logs and security events: 1 year.
  • Consent ledger: Kept for 3 years after the last consent event, to demonstrate compliance with article 7.1 GDPR.

4. Who we share your data with

We only share data with carefully selected processors or public authorities:

  • Stripe Technology Europe Limited (Ireland): Payment processing, safeguarding, KYC. Ireland is an EU member state (GDPR applies directly). Part of the identity verification may be processed in the United States by Stripe Inc. under the EU-US Data Privacy Framework (DPF).
  • Hosting, Netcup GmbH (Germany): Application and database hosting in the EU.
  • Media storage, MinIO (self-hosted, Germany): Object storage (S3-compatible) for studio logos, campaign assets, video thumbnails, GDPR export archives. Self-hosted on Netcup GmbH infrastructure (Germany). No transfer outside the EU; no third-party processor: operated internally by Swiplay.
  • Email delivery, Resend (EU region) and Discord Inc. (United States): Resend handles transactional email in the EU region. Discord (OAuth) transfers data to the United States under the EU-US Data Privacy Framework.
  • Discord Inc. (United States), OAuth sign-in (creators, studios, admins): Discord OAuth is offered as an alternative sign-in method for all account types (creators, studios, admins). Data transferred: Discord user ID, email address, avatar URL, verified-email flag. Transfer basis: EU-US Data Privacy Framework (DPF) with Standard Contractual Clauses (Commission Implementing Decision 2021/914 of 4 June 2021) as subsidiary safeguard. DPA: Discord Developer Terms of Service.
  • Public video statistics collection: Swiplay automatically retrieves the public statistics (views, likes, comments) of the videos you publish as part of campaigns, via the public APIs made available by the social platforms or via internal tracking tools. No private data from your account is consulted.
  • Functional Software Inc. / Sentry (United States), error monitoring: Browser error monitoring (opt-in only via consent banner). Server-side monitoring runs on legitimate interest (Art. 6.1.f GDPR). May capture stack traces and browser environment data; PII scrubbing is enabled. Transfer basis: Standard Contractual Clauses (EU 2021/914) + supplementary measures. DPA: sentry.io/legal.
  • Pennylane SAS (France), accounting: Accounting platform used for studio invoices, self-billing mandates (« 2 du I de l'article 289 du CGI »), and ledger entries. Data transferred: business name, SIREN, invoice amounts, partial bank details. Transfer basis: France is an EU member state, so GDPR applies directly. DPA: art. 28 DPA signed.
  • Calendly LLC (United States), studio onboarding booking widget: Calendly's inline widget is embedded on the studio waiting page (/studio/pending) to allow pending studios to book an onboarding call. The studio's email address is pre-filled in the widget. Data transferred: email address, booking slot data, browser/timezone metadata. Transfer basis: EU-US Data Privacy Framework (DPF); Calendly is certified. DPA: available at calendly.com/pages/dpa, must be signed before go-live.
  • French public authorities: Annual DAC7 XML (DPI format) report to impots.gouv.fr by 31 January each year. SIRET/SIREN validation during studio onboarding is performed via the INSEE/SIRENE public API (recherche-entreprises.api.gouv.fr). This is a French government public API; no art. 28 DPA is required, but SIRET constitutes personal data for sole traders (auto-entrepreneurs).

Non-EU transfers: when we transfer personal data outside the EU we rely either on an adequacy decision (EU-US Data Privacy Framework) or on standard contractual clauses approved by the European Commission. The full list of processors with their transfer basis is available on request at contact@swiplay.com.

5. Your rights

Under the GDPR you have the following rights, exercisable at contact@swiplay.com:

  • Access: a copy of the data we hold about you.
  • Rectification: correction of inaccurate data.
  • Erasure: deletion of your account and the data we still hold; limited by the DAC7 and accounting retention obligations listed in section 3 (we keep the legally required minimum for the legally required duration).
  • Portability: a structured export of the data you provided.
  • Objection: to processing based on our legitimate interest.
  • Restriction: temporary freeze of processing while a dispute is resolved.
  • Complaint: you may file a complaint with the French data protection authority (CNIL, www.cnil.fr) or the supervisory authority of your country of residence.

We respond to rights requests within one month, extendable once by two months for complex requests (article 12.3 GDPR).

6. Cookies

The site uses only the minimum cookies strictly required for the service to function: authentication session cookie (NextAuth), CSRF protection, locale preference. No advertising, analytics, or tracking cookies are set.

Cookies and tracking

Essential cookies (no consent required): authentication session, CSRF token, locale preference. These cookies are necessary for the service to operate and cannot be disabled.

Analytics cookies (Sentry, opt-in): when you accept on the consent banner, Sentry captures uncaught browser errors so we can fix bugs faster. Server-side error monitoring runs unconditionally on legitimate-interest grounds (Art. 6.1.f GDPR) because it monitors the platform, not the visitor.

You can change your decision at any time by clearing the swiplay-cookie-consent cookie or contacting contact@swiplay.com.

7. Changes

We may update this Privacy Policy. Any material change is announced by email and requires fresh consent on your next login.