Legal

Privacy Policy

Last updated: 18 April 2026

Your privacy matters

SwayQ ApS ("SwayQ", "we", "us") operates swayq.com. This policy explains what data we collect, why, and your rights under the EU General Data Protection Regulation (GDPR).

Who we are

SwayQ ApS (CVR 46300661), Copenhagen, Denmark. Data Protection contact: Janusch Häring, privacy@swayq.com.

Registered office: Sundkaj 11, 2150 Copenhagen, Denmark.

What we collect

Account signup

When you create an account, we collect your display name, email address, role (creator or brand), and — for creators — themes, primary platform, and audience size. These fields are required to set up your account.

Cookies and consent

We use strictly necessary cookies at all times: a language preference cookie (swayq_locale) and authentication session cookies managed by our auth provider. Optional analytics cookies load only if you accept them in our cookie banner — see the "Third-party processors" section for details. We do not run advertising cookies.

Bot protection

We use Cloudflare Turnstile to protect forms from automated abuse. Turnstile may process your IP address and browser metadata. See Cloudflare's privacy policy for details.

Authentication and email verification

Authentication is handled by Better Auth running on our own servers, backed by Neon Auth. When you sign up with email and password we store a one-way hash of your password (never the password itself) and send a verification email. Session state is held in a secure, HTTP-only cookie. We also send transactional emails — verification, password reset, and account notifications — through Resend. We do not send marketing emails today; if that changes we will ask for consent first.

Social login and creator profiles

When you sign in or connect an account through a social login provider (Google, Microsoft, TikTok, Instagram, LinkedIn, Snapchat), we receive your display name, profile picture URL, provider user ID, and — where the provider shares it — your email address. For creator accounts we may also fetch public profile metrics such as follower count to help with matching. Some providers do not share an email address; in those cases we generate an internal placeholder so the account can still be managed. We link to the provider's image URL directly; we do not copy or cache OAuth profile images on our servers.

Profile images and media

If you upload a profile image or other media, we store the file in Cloudflare R2 in the EU and associate it with your account. When you connect a social account we link to the provider's profile image URL directly; we do not copy OAuth profile images to our own storage.

Technical logs

We collect error logs and performance telemetry (via BetterStack Logtail) to keep the service running. We intentionally avoid putting personal data into log messages. Server logs may include truncated IP addresses and request metadata for security and debugging.

Legal basis

We process your data based on: consent (cookie banner choices, optional fields you fill in), contract performance (operating your account and any campaign you participate in), legitimate interest (service security, fraud prevention, and service improvement), and legal obligation (tax, accounting, and record-keeping where required).

Third-party processors

Your data is processed on our behalf by the following providers. Each has a data processing agreement (DPA) in place and transfers outside the EEA rely on EU Standard Contractual Clauses where applicable:

  • Cloudflare — hosting, CDN, Workers, R2 object storage, and security (DPA in place)
  • Neon — Postgres database hosting in the EU (Frankfurt), SOC 2 compliant, DPA in place
  • HubSpot — when enabled and with your consent, we use HubSpot for support and CRM workflows.
  • Stripe — payment facilitation and fund custody for campaign transactions (rolls out with campaign payments)
  • Google — social login
  • Microsoft — social login
  • ByteDance (TikTok) — social login and creator profile verification
  • Meta (Instagram Business Login) — social login and creator profile verification
  • LinkedIn (Microsoft) — social login
  • Snap Inc. (Snapchat) — social login
  • Resend — transactional email delivery (verification, password reset, account notifications)
  • Cloudflare R2 — object storage for profile images you upload and, in future, presentation videos
  • BetterStack (Logtail) — error logs and uptime monitoring. We avoid writing personal data into log messages.

Links to each provider's privacy policy are available on their websites.

Data retention

Financial and transactional records are kept for five years, as required by Danish bookkeeping law. Other personal data is retained only as long as your account is active and is deleted on request.

Social profile data is retained until you disconnect your account or request deletion. You can remove a social connection at any time from your account settings, or request full data deletion by contacting privacy@swayq.com.

Your rights

Under GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Receive your data in a portable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time

To exercise any of these rights, email privacy@swayq.com. We will respond within 30 days.

Complaints

If you believe your data protection rights have been violated, you may lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.

Changes to this policy

We may update this policy as our services evolve. Significant changes will be communicated via email or a notice on our website.