Privacy Policy
Effective 8 May 2026 · Version 2026-05-08
1. Who is the data controller?
The controller of your personal data is Marquee Co. N.V., a Curaçao company. Contact: hello@swapmark.io. Privacy contact: markolf@marquee-co.com.
We do not currently have an EU representative under GDPR Article 27. If our EU user base grows past the relevant threshold or we engage a Dutch distribution partner, we will appoint one and update this Policy.
2. What we collect and why
| Data | Source | Lawful basis (GDPR Art. 6) | Why |
|---|---|---|---|
| Email, name, password hash | You at signup (or your Google account) | Contract (Art. 6(1)(b)) | To create and authenticate your account |
| Brand, swapmark, variant data and uploaded files | You as you use the Service | Contract | To provide the core Service |
| AI generation prompts and outputs | You + our AI provider | Contract | To run the AI variation feature |
| Billing-related correspondence | You via email | Contract | To process upgrades and add-ons during the manual phase |
| Server logs (IP, user-agent, request path, timestamp) | Automatic | Legitimate interest (Art. 6(1)(f)) | Security, abuse prevention, debugging. Retained ≤ 30 days unless investigating an incident. |
| Rate-limit counters keyed on IP / user | Automatic | Legitimate interest — abuse prevention | To stop credential-stuffing and request-flood attacks |
| Audit log of admin actions | Automatic | Legitimate interest — accountability | So we can reconstruct who did what to which account |
| Record of which Terms version you accepted and when | At signup | Legal obligation + legitimate interest | To prove valid consent / contract formation |
We do not sell or rent personal data, and we do not run advertising or analytics cookies.
3. Special category data (GDPR Art. 9)
We do not knowingly collect special-category personal data (health, biometric, ethnicity, etc.). Please do not upload special-category data through Swapmark — our Service is not designed to process it.
4. Children
Swapmark is not for users under 16. If we discover an account is held by someone younger, we will close it and delete the data.
5. Sub-processors
We use the following third parties to run the Service. Each has its own privacy policy and data-processing terms.
| Sub-processor | Purpose | Region | Policy |
|---|---|---|---|
| Supabase, Inc. | Authentication, PostgreSQL database, file storage (bucket variants) | US (us-east-2) | supabase.com/privacy |
| Vercel Inc. | Application hosting, edge network, serverless functions, CDN at cdn.swapmark.io | Global edge (primarily US) | vercel.com/legal/privacy-policy |
| OpenAI, L.L.C. | AI image-variation generation | US | openai.com/policies/privacy-policy |
| Google LLC | Optional Sign-In with Google; Workspace SMTP for transactional email from hello@swapmark.io | Global | policies.google.com/privacy |
| GoDaddy | DNS management for swapmark.io | US | godaddy.com/legal/agreements/privacy-policy |
When you use AI generation, your prompt and any input image are transmitted to OpenAI under their data-handling commitments. OpenAI does not train on API requests by default. If we add other AI providers we will update this list and, where relevant, ask you to re-accept.
6. International transfers
If you live in the EEA or UK, your data is transferred outside the EEA when we use the sub-processors above. We rely on (i) the European Commission's standard contractual clauses, (ii) the EU-US Data Privacy Framework where the recipient is certified, and/or (iii) other lawful transfer mechanisms made available by each sub-processor. Copies of the relevant transfer mechanisms are available on request.
7. How long we keep data
- Account data: while your account is active.
- After you close your account: content and personal data deleted within 30 days, except for (a) anonymised aggregated metrics, (b) backups (purged within 90 days from the close date), and (c) data we are legally required to retain (e.g. tax invoices — 7 years).
- Server logs: ≤ 30 days unless retained for an active investigation.
- Audit log of admin actions: retained indefinitely for accountability; you may request anonymisation of your personal identifiers in it.
- Terms-acceptance record: retained as long as your account exists, plus 6 years after closure to evidence contract formation.
8. Your rights (GDPR / equivalent)
If you live in the EEA, UK, or another jurisdiction with similar law, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate data;
- erase your personal data (“right to be forgotten”);
- restrict or object to processing;
- portability — receive your data in a structured, common, machine-readable format;
- withdraw consent where processing is based on consent (this does not affect prior processing);
- lodge a complaint with a data-protection authority. EU residents may complain to their local DPA; UK residents to the ICO (ico.org.uk).
To exercise any of these, email hello@swapmark.io. We will respond within 30 days. We may need to verify your identity before acting.
9. Cookies and similar technologies
We use only strictly necessary cookies to keep you logged in:
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
| sb-* | Supabase | Maintain your authenticated session | Session / refresh-token TTL |
Because these are strictly necessary for a service you have requested, no consent banner is required under GDPR / ePrivacy. We do not run analytics, advertising, or social-tracking cookies.
10. Security
We use Supabase Row-Level Security to prevent cross-tenant access, rate-limiting on sensitive endpoints, an audit log of admin actions, and HTTPS everywhere. If we learn of a personal-data breach affecting you, we will notify you and, where required, the competent DPA within 72 hours of becoming aware.
11. Curaçao law
Outside the EEA/UK, our processing is also governed by the Curaçao Landsverordening bescherming persoonsgegevens. The same rights of access, rectification, and deletion are available to data subjects under that ordinance via the same email address above.
12. Changes to this Policy
We will notify you of material changes by email and/or in-app prompt. The effective date at the top reflects the latest version.
See also: Terms of Service · Acceptable Use Policy · DMCA Policy.
