1. Introduction
Welcome to Sway. This Privacy Policy explains how Sway ("we", "our", or "us") collects, uses, discloses, and protects your personal data when you use our mobile application, website, and related services (collectively, the "Platform"). By accessing or using Sway, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our Platform.
Sway SRL is a company based in Belgium, with enterprise number BE1037531992, located at Clos des Colombes 23, 1342 Limelette, Belgium.
2. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. |
| User | Any individual who accesses or uses the Platform, including event attendees, Organizers, Artists, and Venues. |
| Organizer | Any natural or legal person using the Platform to organize an Event and sell Tickets. |
| Client / Attendee | Any natural person purchasing a Ticket on the Platform for private, non-professional purposes. |
| Platform | The Sway mobile application, website, and any related services. |
| Account | The personalized digital environment provided by Sway to registered Users. |
| Legal Basis | The basis on which we process personal data under the GDPR (consent, contract performance, legal obligation, or legitimate interest). |
| Data Processor | A third-party company processing personal data on behalf of Sway. |
3. Data We Collect and How We Process It
3.1 Types of data we collect
We may collect and process the following categories of personal data:
- Account information: name, email address, date of birth, username, profile picture, biography, and contact details provided during registration.
- Event data: events browsed, attended, or organized; ticket purchase history; event preferences; interest and attendance status.
- Payment data: payment method details (processed by Stripe), billing information, transaction history. We never store card numbers.
- Usage data: IP address, device information, browser type, session data, browsing behavior on the Platform, collected via cookies and similar technologies.
- Location data (GPS): approximate device location collected only when you explicitly grant permission via your device settings (iOS or Android), to enable the interactive map and proximity search. This data is not stored server-side.
- Location data (IP): we derive your approximate country and city from your IP address via ipinfo.io, in order to display nearby events and venues and personalize the interface. This data is stored server-side for a limited period (see section 6). See section 3.2 for the legal basis.
- Chat data: content of private, group, and community messages; sender and recipient identity; timestamps.
- Content uploaded: images, visuals, and other media uploaded by Users to their profile or pages, which are screened for inappropriate content via SightEngine.
- AI feature data (Organizers only): when an Organizer uses the AI-powered page analytics feature, selected page data is transmitted to the Google Gemini API for processing. See section 3.2 for details.
- Blocking relationships: when a User blocks another User, we store that relationship to enforce the block.
- Support data: any information you provide when contacting our support team.
3.2 Purposes and legal bases for processing
| # | Processing | Purpose | Legal Basis |
|---|---|---|---|
| 1 | Account creation and management | Create and maintain your Account | Performance of the contract (art. 6(1)(b)) |
| 2 | User authentication | Identify Users when they log in | Performance of the contract (art. 6(1)(b)) |
| 3 | Ticketing and payment processing | Process ticket purchases, issue tickets, manage orders | Performance of the contract (art. 6(1)(b)) |
| 4 | Sharing attendee data with Organizers | Enable access control, event management, and, with your consent, Organizer marketing | Contract performance + joint controllership (art. 26 GDPR) |
| 5 | IP-based location personalization | Derive approximate country and city from IP to display nearby events and personalize the interface | Legitimate interest (art. 6(1)(f)) |
| 6 | GPS-based location | Enable interactive map and proximity search | Consent (art. 6(1)(a)) |
| 7 | Product analytics (PostHog) | Analyze Platform usage to improve features and user experience | Legitimate interest (art. 6(1)(f)) |
| 8 | Error monitoring (Sentry) | Detect and resolve technical bugs | Legitimate interest (art. 6(1)(f)) |
| 9 | Content moderation (SightEngine) | Automatically detect illegal or inappropriate images upon upload | Legal obligation / Legitimate interest (art. 6(1)(f)) |
| 10 | Chat and messaging | Enable private, group, and community messaging between Users | Performance of the contract (art. 6(1)(b)) |
| 11 | AI page analytics (Google Gemini) | Enable Organizers to query their page data through a conversational AI interface | Explicit consent of the Organizer (art. 6(1)(a)) |
| 12 | Sway marketing communications | Send updates, newsletters, and promotional content about the Platform | Consent (art. 6(1)(a)) |
| 13 | Accounting and tax compliance | Fulfill accounting and tax obligations; archive transaction records | Legal obligation (art. 6(1)(c)) |
| 14 | Fraud prevention | Detect and prevent fraudulent use of the Platform | Legitimate interest (art. 6(1)(f)) |
| 15 | User blocking | Enforce blocking relationships between Users | Legitimate interest (art. 6(1)(f)) |
| 16 | Platform security | Protect the Platform against unauthorized access and attacks | Legitimate interest (art. 6(1)(f)) |
| 17 | Legal defense | Organize Sway's defense in case of litigation or pre-litigation | Legitimate interest (art. 6(1)(f)) |
3.3 Location data — details
GPS location (consent-based):
When you use the map or proximity search features, Sway may request access to your GPS location via your device's permission system. This access is entirely optional and subject to your explicit authorization. You can withdraw this permission at any time in your device settings. GPS data is not stored server-side.
IP-based location (automatic):
We use your IP address to derive an approximate country and city via our service provider ipinfo.io. This allows us to display nearby events and venues and adapt the interface language and content. This derived location is stored server-side for a limited period. It is never used for advertising purposes and is not shared with third parties beyond the processing necessary for this purpose. You may object to this processing at any time by contacting [email protected]. Legal basis: legitimate interest (art. 6(1)(f) GDPR).
3.4 Chat and messaging — details
Sway offers messaging features between Users (private messages, group chats, and community discussions around pages and events). Data processed includes: message content, timestamps, and the identity of the sender and recipient(s). This data is hosted on our own infrastructure (Hetzner, Germany). Sway does not access the content of private messages except when required by law or in response to a validated report. See section 6 for retention periods.
3.5 AI-powered page analytics — details
Sway offers Organizers a conversational analytics feature powered by the Google Gemini AI model (accessed via the Vercel AI SDK). When an Organizer uses this feature, selected page data (sales statistics, audience data, event performance) is transmitted to the Google Gemini API for processing. Google processes this data solely to generate the response and does not use it to train its models under the API terms. The data is not retained by Google beyond the processing of the request. This feature is available on Studio tier and above. Organizers provide explicit consent at first use and may disable the feature at any time in their settings. Transfers to Google and Vercel servers located outside the EEA are governed by standard contractual clauses (see section 7).
3.6 Content moderation — details
When a User uploads an image (profile picture, event visual, page content), it is automatically submitted to SightEngine, a content moderation service, which returns a content safety score. SightEngine does not retain the image after analysis. This processing is necessary to comply with our obligations under the Digital Services Act and to protect Users from illegal or inappropriate content. Transfers to SightEngine servers located in the United States are governed by standard contractual clauses (see section 7).
3.7 Sharing attendee data with Organizers — joint controllership
When you purchase a ticket, Sway shares the following information with the Organizer of the event: your email address, order status, and — if you have given your consent — your marketing opt-in for that Organizer's communications.
Sway and the Organizer act as joint controllers within the meaning of article 26 GDPR for these processing operations. The Organizer undertakes contractually to use this data solely for event management and, where applicable, marketing communications, and not to transfer it to any third party.
Stripe acts as a data processor for both Sway and the Organizer for payment data. Sway does not store any payment card data.
4. Data Sharing, Transfers, and Processors
We do not sell your personal data to third parties.
We share your personal data only with the following categories of recipients:
- Data Processors acting on our behalf (see section 5 for the full list)
- The Organizer of an event you purchased a ticket for (see section 3.7)
- Legal authorities when required by law or necessary to protect our rights
- Acquirer or successor entity in the event of a merger, acquisition, or asset transfer, provided Users are informed in advance
5. Sub-processors and Third-party Service Providers
The following sub-processors may process personal data on behalf of Sway. All transfers outside the European Economic Area (EEA) are governed by standard contractual clauses (SCC) adopted by the European Commission.
| Provider | Role | Data Concerned | Location | EEA Transfer Safeguard |
|---|---|---|---|---|
| Supabase | Database, authentication | All user data | EU (Frankfurt) | N/A |
| Hetzner | VPS hosting (website, self-hosted apps) | All hosted data | EU (Germany) | N/A |
| Cloudflare | CDN, reverse proxy, DDoS protection | IP addresses, HTTP requests | US / EU | SCC |
| Cloudflare R2 | File storage, media CDN | Uploaded images and assets | EU (per bucket) | N/A |
| Stripe | Subscription billing (Starter, Studio, Roster plans) | Billing data, payment method, invoicing | US / EU | SCC |
| Stripe Connect | Ticketing payment processing | Transaction data, Organizer KYC | US / EU | SCC |
| PostHog | Product analytics | User behavior, events | EU or US (per config) | SCC if US |
| Sentry | Error monitoring | Technical logs, session traces | US | SCC |
| SightEngine | Image content moderation | User-uploaded images | US | SCC |
| ipinfo.io | IP geolocation | IP address, derived country and city | US | SCC |
| Google (Gemini API) | AI page analytics | Page data submitted by Organizers | US / EU | SCC |
| Vercel | AI SDK (Gemini API proxy) | AI requests and submitted data | US | SCC |
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Beyond the applicable period, data is either anonymized or permanently deleted.
| Category | Retention Period | Justification |
|---|---|---|
| Account data (profile, email, preferences) | Duration of account + 2 years of inactivity | Contract performance |
| Order data (tickets, purchases) | Duration of account + 3 years after last purchase | Legal obligation |
| Accounting and tax records | 10 years (pseudonymized after account deletion) | Art. III.86 Belgian Companies Code |
| IP-based location (country/city) | Limited rolling period | Legitimate interest |
| GPS location | Session only (not stored server-side) | Consent |
| Chat messages | Duration of account | Contract performance |
| Sentry error logs | 90 days | Legitimate interest |
| Analytics data (PostHog) | 13 months | Legitimate interest |
| Images analyzed by SightEngine | Not retained by SightEngine after analysis | SightEngine contract |
| Data submitted to AI (Gemini) | Not used for training by Google under API terms | Google API contract |
| Blocking relationships | Until unblocked or account deleted | Legitimate interest |
| Marketing preferences (opt-in/out) | Until consent withdrawn | Consent |
| Fraud prevention data (IP, user-agent) | 5 years after case resolution | Legitimate interest |
Account deletion: when you delete your Sway account, all personal data linked to your profile (follows, preferences, images, etc.) is permanently erased. However, European and Belgian accounting law (Code des Sociétés et des Associations, art. III.86 §1) requires us to retain transactional records for 10 years. To comply with both this obligation and article 17 §3(b) GDPR, we retain order records but pseudonymize all personal identifiers (your user ID and email are replaced with an irreversible hash). These records cannot be linked back to you.
7. International Data Transfers
Personal data processed by Sway is primarily hosted within the European Economic Area (EEA) on Supabase (Frankfurt) and Hetzner (Germany) infrastructure.
Certain sub-processors (Stripe, Cloudflare, PostHog, Sentry, SightEngine, ipinfo.io, Google Gemini, Vercel) may process data on servers located in the United States or other countries outside the EEA. In each case, transfers are governed by standard contractual clauses (SCC) adopted by the European Commission under article 46(2)(c) GDPR, ensuring an adequate level of protection.
You may obtain more information about these transfer mechanisms by contacting us at [email protected].
8. Your Rights
Under applicable data protection law, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion of your personal data, subject to legal retention obligations. |
| Restriction | Request limitation of processing under certain conditions. |
| Data portability | Receive your data in a structured, commonly used, machine-readable format. |
| Objection | Object to processing based on legitimate interest, including IP geolocation. |
| Withdrawal of consent | Withdraw consent at any time for consent-based processing (GPS location, AI feature, marketing). Withdrawal does not affect the lawfulness of prior processing. |
| Complaint | Lodge a complaint with the Belgian Data Protection Authority (APD/GBA): www.dataprotectionauthority.be. |
To exercise any of these rights, contact us at: [email protected]
We will respond within 30 days. We may ask you to verify your identity before processing your request.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website and application.
Strictly necessary cookies (no consent required)
These cookies are essential for the Platform to function and cannot be disabled:
- Session cookies: maintain your authenticated session.
- Preference cookies: remember your language and display preferences.
- Cookie consent cookies: store your cookie preferences.
Analytics and performance cookies (consent required)
These cookies are only placed if you have given your consent:
- PostHog: product analytics — tracks usage patterns and feature interactions to help us improve the Platform. Data is retained for 13 months.
- Plausible: privacy-respecting website analytics — no personal data, no cross-site tracking, no cookies in the traditional sense.
Advertising and tracking pixels (consent required)
These pixels are only active if you have given your consent:
- Meta Pixel: conversion tracking for advertising campaigns on Meta platforms.
- Google Analytics 4 (GA4): audience analytics and campaign performance measurement.
- TikTok Pixel: conversion tracking for advertising campaigns on TikTok.
You can manage your cookie preferences at any time via the cookie banner on the Platform or through your browser settings. Disabling certain cookies may affect your experience.
10. Security
We implement appropriate technical, organizational, and physical measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encrypted connections (HTTPS/TLS) for all data in transit.
- Access controls and authentication for all systems containing personal data.
- Infrastructure hosted within the European Union (Supabase, Hetzner).
- Regular security monitoring via Sentry.
- Automatic image moderation via SightEngine to prevent illegal content.
Despite these measures, no method of transmission over the Internet is completely secure. We cannot guarantee absolute security. In the event of a personal data breach, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. If material changes are made, we will notify you via the Platform or by email at least 15 days before the changes take effect.
The current version is always available at: sway.events/privacy
12. Contact
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
Sway SRL
Enterprise number: BE1037531992
Clos des Colombes 23, 1342 Limelette, Belgium
[email protected]