Privacy Policy — SmartSwap

SmartSwap is built on a simple principle: your health data belongs to you. We collect the minimum necessary to run the service, we never sell it to anyone, and you can permanently delete everything at any time.

1. Who we are

SmartSwap ("we", "us", "our") operates the website and web application at smartswap.site. We are a health and wellness education platform providing breathwork tools, meditation sessions, gut health tracking, mood logging, and science-based health content.

For privacy matters: privacy@smartswap.site

2. What data we collect

Account data. When you register, we collect your name, email address, and a securely hashed password. We never store your password in plain text — it is run through bcrypt before touching our database.

Health and practice data. When you use the app, we store the data you actively enter: breathing sessions, meditation sessions, mood logs (mood, stress, energy, focus scores and optional notes), gut health daily check-ins, breath hold records, and any session notes you choose to write. This data is stored exclusively to provide you with progress tracking, streaks, and personalised insights within the app.

Subscription and payment data. If you subscribe, payments are processed entirely by Stripe. We store your subscription plan, status, and renewal date. We never see, handle, or store your card number — Stripe is PCI-DSS Level 1 certified and manages all payment data under their own privacy policy.

Technical data. We log your last login date and your chosen timezone. We do not run advertising trackers, analytics pixels, heatmapping scripts, or session recording tools.

3. What we do not collect

Biometric data (heart rate, HRV, SpO2) — those stay on your wearable device
Location data beyond the timezone you set in Settings
Device contacts, camera, or microphone access
Advertising identifiers or cross-site tracking cookies
Google Analytics, Facebook Pixel, or any third-party tracking scripts

We do not sell, rent, trade, or share your personal data with third parties for marketing or advertising purposes, ever.

4. How we use your data

To run the service — authenticate you, save your sessions, display your progress dashboard and streaks
To process your subscription — manage billing events via Stripe webhooks
To send transactional emails — receipts, password reset links, and critical account notices. We will not send marketing emails without your explicit opt-in
To improve the product — we may analyse aggregate, anonymised usage patterns (e.g. "which breathing technique is used most") but we never inspect individual user sessions for this purpose

5. Legal basis for processing (GDPR)

If you are in the European Economic Area, our legal bases are:

Contract — processing necessary to provide the service you signed up for
Legitimate interests — security, fraud prevention, product improvement (aggregate data only)
Consent — any optional marketing communications (you can withdraw at any time)
Legal obligation — retaining financial records as required by applicable law

6. Data storage and security

Your data is stored on servers with EU-adequate protection. We apply industry-standard security measures including HTTPS encryption for all data in transit, bcrypt password hashing at cost factor 12, CSRF tokens on all forms, prepared SQL statements to prevent injection attacks, and HTTP-only SameSite session cookies.

No system is perfectly secure. If we ever become aware of a breach affecting your personal data, we will notify you within 72 hours.

7. Cookies

We use a single session cookie to keep you logged in. It is HTTP-only (inaccessible to JavaScript), SameSite=Lax, and expires after 30 days or when you log out. We do not use advertising cookies, third-party tracking cookies, or persistent identifiers beyond this one session token.

8. Third-party services

Stripe — payment processing. Card data goes directly to Stripe's servers under their PCI-DSS Level 1 environment and never passes through ours. See stripe.com/privacy.

Google Fonts — typography. Loading fonts from Google means your IP address is sent to Google's servers when the page loads. See policies.google.com/privacy. If you prefer, you can use the service with fonts blocked — it remains fully functional.

No other third parties receive your personal data.

9. Your rights

Depending on where you are located, you may have the following rights:

Access — request a copy of all personal data we hold about you
Correction — update your name, email, or timezone any time in Settings
Deletion — permanently delete your account and all associated data. Request via Settings → Danger zone, or email privacy@smartswap.site. We will complete deletion within 14 days
Portability — request a JSON or CSV export of your session history, mood logs, and health data
Restriction — ask us to stop processing your data while a dispute is resolved
Objection — object to processing based on legitimate interests
Withdraw consent — for any processing based on consent, withdraw at any time without affecting prior processing

Email privacy@smartswap.site to exercise any right. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Data retention

We retain your account and health data for as long as your account is active. If you delete your account, all personal data is permanently and irreversibly deleted within 14 days. The only exception is billing records (invoice amounts, dates, plan history) which we are required to retain for up to 7 years under applicable tax law — but this contains no health data.

11. Children

SmartSwap is not directed at anyone under 16. If you believe a child under 16 has registered an account, please contact privacy@smartswap.site and we will delete the account promptly.

12. Changes to this policy

If we make material changes to this policy, we will notify registered users by email at least 14 days before the changes take effect, and update the date at the top of this page. Continued use after the effective date constitutes acceptance. If you do not agree with a material change, you may delete your account before it takes effect.

13. Medical disclaimer

SmartSwap provides health and wellness education only. Nothing on this platform constitutes medical advice, diagnosis, or treatment. The breathing techniques, meditation practices, and health information are for general educational purposes. Always consult a qualified healthcare provider before making changes to your health routine, particularly if you have a pre-existing medical condition, are pregnant, or are taking medication.