HomePricingDocsBlog
Get the app
Log in
Log in
Legal

Privacy Policy

Last updated: 25 June 2026

Contents

  1. 1. Introduction
  2. 2. Definitions
  3. 3. Data We Collect
  4. 4. Data Sharing
  5. 5. Sub-processors
  6. 6. Data Retention
  7. 7. Int'l Transfers
  8. 8. Your Rights
  9. 9. Cookies
  10. 10. Security
  11. 11. Policy Changes
  12. 12. Contact
Contents
  1. 1. Introduction
  2. 2. Definitions
  3. 3. Data We Collect
  4. 4. Data Sharing
  5. 5. Sub-processors
  6. 6. Data Retention
  7. 7. Int'l Transfers
  8. 8. Your Rights
  9. 9. Cookies
  10. 10. Security
  11. 11. Policy Changes
  12. 12. Contact
Terms & Conditions

1. Introduction

Welcome to Sway. This Privacy Policy explains how Sway ("we", "our", or "us") collects, uses, discloses, and protects your personal data when you use our mobile application, website, and related services (collectively, the "Platform"). By accessing or using Sway, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our Platform.

Sway SRL is a company based in Belgium, under enterprise number BE1037531992, Clos des Colombes 23, 1342 Limelette, Belgium.

2. Definitions

Term Definition
Personal Data Any information relating to an identified or identifiable natural person.
User Any individual who accesses or uses the Platform, including event attendees, page holders, Artists, and Venues.
Page holder Any natural or legal person using the Platform to organize an Event and sell Tickets, or to manage a page.
Client / Attendee Any natural person purchasing a Ticket on the Platform for private, non-professional purposes.
Platform The Sway mobile application, website, and any related services.
Account The personalized digital environment provided by Sway to registered Users.
Legal Basis The basis on which we process personal data under the GDPR (consent, contract performance, legal obligation, or legitimate interest).
Data Processor A third-party company processing personal data on behalf of Sway.

3. Data We Collect and How We Process It

3.1 Types of data we collect

We may collect and process the following categories of personal data:

  • Account information: name, email address, date of birth, username, profile picture, biography, contact details provided during registration.
  • Event data: events browsed, attended, or organized; ticket purchase history; event preferences; interest and attendance status.
  • Payment data: payment method details (processed by Stripe), billing information, transaction history. We never store card numbers.
  • Usage data: IP address, device information, browser type, session data, browsing behavior on the Platform, collected via cookies and similar technologies.
  • Location data (GPS / shared location): approximate device location collected only when you explicitly grant permission via your device settings (iOS or Android), to enable the interactive map and proximity search. If you turn on location sharing, an approximate location point (and its source) is stored server-side so that nearby and social features can show your approximate area to other Users. You can disable location sharing at any time via the in-app toggle ("ghost mode"), which stops sharing and removes the stored point. See section 3.3.
  • Location data (IP): we derive your approximate country and city from your IP address via ipinfo.io, in order to display nearby events and venues and personalize the interface. This data is stored server-side for a rolling period of 30 days, then automatically deleted. See section 3.3 for the legal basis.
  • Chat data: content of private, group, and community messages; sender and recipient identity; timestamps.
  • Content uploaded: images, visuals, and other media uploaded by Users to their profile or pages, which are screened for inappropriate content via SightEngine.
  • AI feature data (page holders only): when a page holder uses the AI-powered page analytics feature, selected page data is transmitted to the Google Gemini API for processing. See section 3.5 for details.
  • Social-boundary relationships: when a User blocks, restricts, hides, or mutes another User, we store that relationship to enforce the chosen boundary.
  • Privacy and visibility settings: your account privacy mode (public or private), the audience chosen for each profile section (profile, statistics, attended and upcoming events, followed artists/venues/promoters/genres, followers list, XP league), your who-can-message preference, follow requests and message requests, and your leaderboard / attendee-list opt-outs.
  • Gamification data: experience points (XP) derived from your activity, your level and league, streaks and check-ins, used to operate leaderboards and engagement features.
  • Personalization data: in-app activity (events browsed, pages followed, attendance) used to tailor event, artist, and venue recommendations.
  • Support data: any information you provide when contacting our support team.

3.2 Purposes and legal bases for processing

# Processing Purpose Legal Basis
1 Account creation and management Create and maintain your Account Performance of the contract (art. 6(1)(b))
2 User authentication Identify Users when they log in Performance of the contract (art. 6(1)(b))
3 Ticketing and payment processing Process ticket purchases, issue tickets, manage orders Performance of the contract (art. 6(1)(b))
4 Sharing attendee data with page holders Enable access control, event management, and, with your consent, page holder marketing Contract performance + joint controllership (art. 26 GDPR)
5 IP-based location personalization Derive approximate country and city from IP to display nearby events and personalize the interface Legitimate interest (art. 6(1)(f))
6 GPS-based location Enable interactive map and proximity search Consent (art. 6(1)(a))
7 Product analytics (PostHog) Analyze Platform usage to improve features and user experience Consent (art. 6(1)(a))
8 Error monitoring (Sentry) Detect and resolve technical bugs Legitimate interest (art. 6(1)(f))
9 Content moderation (SightEngine) Automatically detect illegal or inappropriate images upon upload Legal obligation / Legitimate interest (art. 6(1)(f))
10 Chat and messaging Enable private, group, and community messaging between Users Performance of the contract (art. 6(1)(b))
11 AI page analytics (Google Gemini) Enable page holders to query their page data through a conversational AI interface Explicit consent of the page holder (art. 6(1)(a))
12 Sway marketing communications Send updates, newsletters, and promotional content about the Platform Consent (art. 6(1)(a))
13 Accounting and tax compliance Fulfill accounting and tax obligations; archive transaction records Legal obligation (art. 6(1)(c))
14 Fraud prevention Detect and prevent fraudulent use of the Platform Legitimate interest (art. 6(1)(f))
15 Social boundaries (block, restrict, hide, mute) Enforce the social boundaries a User chooses against another User Legitimate interest (art. 6(1)(f))
16 Platform security Protect the Platform against unauthorized access and attacks Legitimate interest (art. 6(1)(f))
17 Legal defense Organize Sway's defense in case of litigation or pre-litigation Legitimate interest (art. 6(1)(f))
18 Personalized recommendations Tailor event, artist, and venue recommendations to your in-app activity Consent (art. 6(1)(a))
19 Gamification and engagement Award XP and operate leagues, leaderboards, streaks, and check-ins Legitimate interest (art. 6(1)(f))
20 Privacy and visibility controls Apply your account privacy mode, per-section visibility, messaging, and leaderboard preferences Performance of the contract (art. 6(1)(b)) + consent where applicable

3.3 Location data — details

GPS / shared location (consent-based):
When you use the map or proximity search features, Sway may request access to your GPS location via your device's permission system. This access is entirely optional and subject to your explicit authorization. You can withdraw this permission at any time in your device settings. Separately, if you turn on location sharing in the app, Sway stores an approximate location point (and its source) server-side so that nearby and social features can display your approximate area to other Users. You can disable location sharing at any time using the in-app toggle ("ghost mode"); disabling it stops further sharing and removes the stored point. Read access to these location fields is restricted server-side. Legal basis: consent (art. 6(1)(a)).

IP-based location (automatic):
We use your IP address to derive an approximate country and city via our service provider ipinfo.io. This allows us to display nearby events and venues and adapt the interface language and content. IP-based geolocation data is stored server-side for a rolling period of 30 days, then automatically deleted. It is never used for advertising purposes and is not shared with third parties beyond the processing necessary for this purpose. You may object to this processing at any time by contacting [email protected]. Legal basis: legitimate interest (art. 6(1)(f) GDPR) for service personalization and fraud prevention.

3.4 Chat and messaging — details

Sway offers messaging features between Users (private messages, group chats, and community discussions around pages and events). Data processed includes: message content, timestamps, and the identity of the sender and recipient(s). This data is hosted on our own infrastructure (Hetzner, Germany). Sway does not access the content of private messages except when required by law or in response to a validated report. Chat messages are retained for the lifetime of the conversation. When a user deletes a conversation, all related messages are permanently deleted within 30 days. You control who can message you (everyone, people you follow, or nobody); messages from senders you have not approved are quarantined as message requests until you accept them. See section 6 for retention periods.

3.5 AI-powered page analytics — details

Sway offers page holders a conversational analytics feature powered by the Google Gemini AI model (accessed via the Vercel AI SDK). When a page holder uses this feature, selected page data (sales statistics, audience data, event performance) is transmitted to the Google Gemini API for processing. Google processes this data solely to generate the response and does not use it to train its models under the API terms. The data is not retained by Google beyond the processing of the request. This feature is available on Studio tier and above. Page holders provide explicit consent at first use and may disable the feature at any time in their settings. Transfers to Google and Vercel servers located outside the EEA are governed by standard contractual clauses (see section 7).

3.6 Content moderation — details

When a User uploads an image (profile picture, event visual, page content), it is automatically submitted to SightEngine, a content moderation service, which returns a content safety score. SightEngine does not retain the image after analysis. This processing is necessary to comply with our obligations under the Digital Services Act and to protect Users from illegal or inappropriate content. Transfers to SightEngine servers located in the United States are governed by standard contractual clauses (see section 7).

3.7 Sharing attendee data with page holders — joint controllership

When you purchase a ticket, Sway shares the following information with the page holder of the event: your email address, order status, and, if you have given your consent, your marketing opt-in for that page holder's communications.

Sway and the page holder act as joint controllers within the meaning of article 26 GDPR for these processing operations. The page holder undertakes contractually to use this data solely for event management and, where applicable, marketing communications, and not to transfer it to any third party.

Stripe acts as a data processor for both Sway and the page holder for payment data. Sway does not store any payment card data.

3.8 Tracking pixels configured by organizers — joint controllership

Pages hosted on Sway may include third-party tracking pixels (Meta Pixel, Google Analytics 4, TikTok Pixel) configured by their respective page holders. These pixels send data to the page holder's own accounts on those platforms.

For the processing performed via these pixels on Sway, the page holder and Sway act as joint controllers within the meaning of article 26 GDPR. The respective responsibilities are as follows:

  • Sway: provides the technical means for pixel integration, manages user consent via its cookie consent platform (CMP), ensures that pixels are not triggered without consent
  • Page holder: configures the pixels with their own credentials, declares this processing in their own privacy policy, ensures the lawfulness of the data collected, responds to data subject requests concerning data sent to their accounts

The page holder is responsible for declaring these processing operations in their own privacy notice and for the lawfulness of the data collected via their pixels. User consent for page holder-configured pixels is managed through Sway's cookie consent platform. Users can refuse or withdraw their consent at any time via the cookie preferences interface.

3.9 Your privacy controls

Sway gives you granular control over your visibility and interactions:

  • Private account: you can switch your account to private, so that following you requires your approval via follow requests.
  • Per-section visibility: you can choose the audience (everyone / followers / nobody) for each section of your profile — profile details, statistics, attended and upcoming events, followed artists, venues, promoters and genres, your followers list, and your XP league.
  • Messaging controls: you can choose who may message you (everyone / people you follow / nobody). Messages from senders you have not approved are placed in a separate message-requests area.
  • Leaderboards and lists: you can opt out of appearing on public leaderboards and on event attendee lists.
  • Social boundaries: you can block, restrict, hide, or mute other Users (see section 3.1).

3.10 Gamification — XP, leagues, and leaderboards

Your engagement on the Platform (such as attending events, check-ins, and streaks) generates experience points (XP), which determine your level and league and may appear on public leaderboards. This processing supports the Platform's engagement features. Legal basis: legitimate interest (art. 6(1)(f)). You can opt out of public leaderboards and hide your XP league at any time in your settings.

3.11 Personalized recommendations

When personalization is enabled, Sway uses your in-app activity (events you browse, pages you follow, events you attend) to tailor the event, artist, and venue recommendations shown to you. Personalization is enabled by default and recorded as a per-user preference. Legal basis: consent (art. 6(1)(a)).

4. Data Sharing, Transfers, and Processors

We do not sell your personal data to third parties.

We share your personal data only with the following categories of recipients:

  • Data Processors acting on our behalf (see section 5 for the full list)
  • The page holder of an event you purchased a ticket for (see section 3.7)
  • Legal authorities when required by law or necessary to protect our rights
  • Acquirer or successor entity in the event of a merger, acquisition, or asset transfer, provided Users are informed in advance

5. Sub-processors and Third-party Service Providers

The following sub-processors may process personal data on behalf of Sway. All transfers outside the European Economic Area (EEA) are governed by standard contractual clauses (SCC) adopted by the European Commission.

Provider Role Data Concerned Location EEA Transfer Safeguard
Supabase Database, authentication All user data EU (Frankfurt) N/A
Hetzner VPS hosting (website, self-hosted apps) All hosted data EU (Germany) N/A
Cloudflare CDN, reverse proxy, DDoS protection IP addresses, HTTP requests US / EU SCC
Cloudflare R2 File storage, media CDN Uploaded images and assets EU (per bucket) N/A
Stripe Subscription billing (Starter, Studio, Roster plans) Billing data, payment method, invoicing US / EU SCC
Stripe Connect Ticketing payment processing Transaction data, page holder KYC US / EU SCC
RevenueCat In-app purchase management (iOS/Android) Purchase data, user identifier US SCC
PostHog Product analytics User behavior, events EU or US (per config) SCC if US
Sentry Error monitoring Technical logs, session traces US SCC
SightEngine Image content moderation User-uploaded images US SCC
ipinfo.io IP geolocation IP address, derived country and city US SCC
Google (Gemini API) AI page analytics Page data submitted by page holders US / EU SCC
Vercel AI SDK (Gemini API proxy) AI requests and submitted data US SCC

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Beyond the applicable period, data is either anonymized or permanently deleted.

Category Retention Period Justification
Account data (profile, email, preferences) Duration of account + 2 years of inactivity Contract performance
Order data (tickets, purchases) Duration of account + 3 years after last purchase Legal obligation
Accounting and tax records 10 years (pseudonymized after account deletion) Art. III.86 Belgian Companies Code
IP-based location (country/city) 30 days rolling period, then automatically deleted Legitimate interest
GPS location (device permission) Session only (not stored server-side) Consent
Shared location point Stored while location sharing is on; deleted when sharing is turned off (ghost mode) or account deleted Consent
Chat messages Retained for the lifetime of the conversation; deleted within 30 days after conversation deletion Contract performance
Sentry error logs 90 days Legitimate interest
Analytics data (PostHog) 13 months Consent
Images analyzed by SightEngine Not retained by SightEngine after analysis SightEngine contract
Data submitted to AI (Gemini) Not used for training by Google under API terms Google API contract
Social-boundary relationships (block, restrict, hide, mute) Until removed or account deleted Legitimate interest
Gamification data (XP, leagues, streaks, check-ins) Duration of account Legitimate interest
Personalization activity Duration of account, or until personalization is disabled Consent
Privacy and visibility settings Duration of account Contract performance
Marketing preferences (opt-in/out) Until consent withdrawn Consent
Fraud prevention data (IP, user-agent) 5 years after case resolution Legitimate interest

Account deletion: when you delete your Sway account, all personal data linked to your profile (follows, preferences, images, etc.) is permanently erased. However, European and Belgian accounting law (Code des Sociétés et des Associations, art. III.86 §1) requires us to retain transactional records for 10 years. To comply with both this obligation and article 17 §3(b) GDPR, we retain order records but pseudonymize all personal identifiers (your user ID and email are replaced with an irreversible hash). These records cannot be linked back to you.

7. International Data Transfers

Personal data processed by Sway is primarily hosted within the European Economic Area (EEA) on Supabase (Frankfurt) and Hetzner (Germany) infrastructure.

Certain sub-processors (Stripe, Cloudflare, PostHog, Sentry, SightEngine, ipinfo.io, Google Gemini, Vercel, RevenueCat) may process data on servers located in the United States or other countries outside the EEA. In each case, transfers are governed by standard contractual clauses (SCC) adopted by the European Commission under article 46(2)(c) GDPR, ensuring an adequate level of protection.

You may obtain more information about these transfer mechanisms by contacting us at [email protected].

8. Your Rights

Under applicable data protection law, you have the following rights regarding your personal data:

Right Description
Access Request a copy of the personal data we hold about you.
Rectification Request correction of inaccurate or incomplete data.
Erasure Request deletion of your personal data, subject to legal retention obligations.
Restriction Request limitation of processing under certain conditions.
Data portability Receive your data in a structured, commonly used, machine-readable format.
Objection Object to processing based on legitimate interest, including IP geolocation.
Withdrawal of consent Withdraw consent at any time for consent-based processing (GPS location, AI feature, marketing, organizer pixels). Withdrawal does not affect the lawfulness of prior processing.
Complaint Lodge a complaint with the Belgian Data Protection Authority (APD/GBA): www.dataprotectionauthority.be.

To exercise any of these rights, contact us at: [email protected]

We will respond within 30 days. We may ask you to verify your identity before processing your request.

Self-service tools: You can exercise some of these rights directly in the app. "Download my data" lets you export your personal data in a structured, machine-readable format (data portability), and "Deactivate account" temporarily disables your account and hides your profile. Deactivation is reversible — signing in again reactivates the account. Permanent account deletion is immediate (see section 6).

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website and application.

Strictly necessary cookies (no consent required)

These cookies are essential for the Platform to function and cannot be disabled:

  • Session cookies: maintain your authenticated session.
  • Preference cookies: remember your language and display preferences.
  • Cookie consent cookies: store your cookie preferences.

Analytics and performance cookies

On the website, these cookies are placed in accordance with your choice in the cookie banner. In the mobile app, product analytics and personalization are enabled by default and can be turned off at any time in your privacy settings. The website cookie banner and the in-app analytics setting are separate, independent mechanisms and are not linked: changing one does not change the other.

  • PostHog: product analytics — tracks usage patterns and feature interactions to help us improve the Platform. Data is retained for 13 months.
  • Plausible: privacy-respecting website analytics — no personal data, no cross-site tracking, no cookies in the traditional sense.

Advertising and tracking pixels (consent required)

These pixels are only active if you have given your consent:

  • Meta Pixel: conversion tracking for advertising campaigns on Meta platforms.
  • Google Analytics 4 (GA4): audience analytics and campaign performance measurement.
  • TikTok Pixel: conversion tracking for advertising campaigns on TikTok.

You can manage your cookie preferences at any time via the cookie banner on the Platform or through your browser settings. Disabling certain cookies may affect your experience.

10. Security

We implement appropriate technical, organizational, and physical measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encrypted connections (HTTPS/TLS) for all data in transit.
  • Access controls and authentication for all systems containing personal data.
  • Infrastructure hosted within the European Union (Supabase, Hetzner).
  • Regular security monitoring via Sentry.
  • Automatic image moderation via SightEngine to prevent illegal content.

Despite these measures, no method of transmission over the Internet is completely secure. We cannot guarantee absolute security. In the event of a personal data breach, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. If material changes are made, we will notify you via the Platform or by email at least 15 days before the changes take effect.

The current version is always available at: sway.events/privacy

12. Contact

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

Sway SRL
Enterprise number: BE1037531992
Clos des Colombes 23, 1342 Limelette, Belgium
[email protected]

Sway

Discover events, follow artists, and buy tickets — all in one place.

Explore

HomepageCustomer StoriesGet the AppAdminSupportStatus

Download

Download on the App StoreGet it on Google Play

Language

© 2026 Sway. All rights reserved.

PrivacyTerms