Swarlipi Privacy Policy

Swarlipi is a global service. For privacy laws such as the GDPR/UK GDPR, Swarlipi generally acts as the data controller for personal information processed to provide the Service.

We collect information in three ways: (a) you provide it, (b) we collect it automatically, and (c) we receive it from third parties you use to access the Service.

A. Information You Provide

Account and profile

• email address, display name/username, profile photo (if provided), language preference;
• authentication data necessary to sign in (via Google sign-in or email sign-in).

User Content

• notations and related content you create/upload (titles, tags, descriptions);
• comments and interactions you post.

Social and sharing

• followers/subscriptions, invitations you send/accept, sharing settings and permissions.

Support and communications

• information you provide to support, feedback, and any attachments.

Payments (Marketplace, if enabled)

If Swarlipi enables selling, Swarlipi may collect information required to process transactions and payouts (for example, payment processor tokens, transaction records, and tax or identity information where required by law). Swarlipi aims to minimize what it stores and rely on payment processors where possible.

B. Information We Collect Automatically

Device and usage

• device type/model, OS version, app version, IP address, time zone, language;
• usage events (views/plays/searches/follows/shares), session duration, feature usage.

Diagnostics

• crash reports, performance logs, and error logs.

Safety and integrity

• logs used to prevent abuse, spam, fraud, and to enforce the Terms of Service and Community Rules.

C. Information from Third Parties

• authentication providers (for example, Google) for sign-in;
• service providers that help operate the Service (for example, hosting, analytics, crash reporting, email delivery, and payment processors if enabled);
• advertising and marketing partners if Swarlipi introduces advertising or targeted marketing features (see Section 12).

Under the Australian Privacy Act 1988 (Cth), personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. This is commonly referred to as PII.

Sensitive information (also under the Privacy Act) includes information about an individual's health, biometric information/biometric templates, genetic information, race or ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation or practices, trade union membership, and criminal record.

Swarlipi is designed to minimise collection and exposure of personal information and to reduce the chance that sensitive information is collected at all.

A) Privacy by Design and Default

• Data minimisation: collect only what is needed to provide the Service (account creation, storing notations, sharing controls, security, and support).
• Default privacy controls: provide visibility settings (Public, Unlisted/Link-Only, Subscribers/Followers, Invited/Private) so users can limit exposure.
• Separation of public vs private data: keep account/contact information (for example, your email) separate from public profile information wherever possible.
• Least privilege access: restrict internal access to personal information to what is required for a role and task.

B) Controls Applied to Personal Information

• Role-based access controls (RBAC): limit access for staff/contractors to authorised roles; access is granted on a need-to-know basis.
• Authentication and logging: administrative access is authenticated and logged; Swarlipi uses monitoring to detect suspicious activity.
• Encryption in transit: Swarlipi uses TLS to protect data as it moves between your device and Swarlipi services.
• Encryption at rest: Swarlipi uses encryption at rest where provided by hosting providers and security architecture.
• Vendor due diligence: Swarlipi uses service providers under confidentiality and security obligations and limits their processing to what is needed for the Service.

C) Public Sharing and PII in User Content

If you publish content as Public, your display name/username and any information you include in public profiles, notation titles/descriptions/notes, comments, or other public fields becomes visible globally.

You must not upload or share sensitive information (or personal information you are not authorised to share) in public or shared fields. Swarlipi may remove such content and take enforcement action under the Terms of Service and Community Rules.

D) Data Breaches and Incident Response

Swarlipi maintains incident response processes designed to assess, contain, remediate, and learn from security incidents. Where the Australian Notifiable Data Breaches (NDB) scheme or other laws apply, Swarlipi will notify affected users and regulators where required.

Swarlipi uses personal information to:

1. provide the Service (accounts, saving content, playback, sharing, social features, search/discovery);
2. personalise and improve your experience (language settings, usability);
3. maintain safety, security, and integrity (abuse prevention, enforcement, incident response);
4. respond to support requests and communicate service/policy updates;
5. comply with legal obligations and handle disputes (including copyright notices).

Depending on your location, Swarlipi processes personal information under:

• contract (to provide the Service you request);
• legitimate interests (security, abuse prevention, and service improvement);
• consent (where required for certain analytics/marketing or optional features);
• legal obligation (compliance and lawful requests).

Swarlipi may disclose personal information as follows:

A. With Other Users (Public Sharing)

If you publish content as Public, your profile information (display name/username, profile photo if provided) and User Content may be visible globally and discoverable through search within the Service. You control sharing settings for your content.

B. With Service Providers

Swarlipi uses service providers for hosting, authentication, analytics, crash reporting, email delivery, and (if enabled) payment processing and advertising measurement. Providers process information under confidentiality and security obligations, and only as needed to provide their services to Swarlipi.

C. Legal and Safety

Swarlipi may disclose information where necessary to:

• comply with law or lawful requests;
• enforce the Terms of Service and protect rights, safety, and security; and
• respond to copyright notices and disputes.

D. Business Transfers

If Swarlipi undergoes a merger, acquisition, or asset sale, personal information may be transferred as part of that transaction, subject to appropriate safeguards.

If you submit a copyright report, Swarlipi may share the notice contents (including your contact details and statements) with the uploader and relevant parties to process the claim and enable dispute resolution/counter-notice where applicable.

Personal information may be processed in countries other than where you live. Where required, Swarlipi uses appropriate safeguards (such as contractual protections) to support lawful transfers.

Swarlipi retains personal information only as long as necessary for the purposes described above.

Account data: retained while your account is active.

User Content: retained until you delete it or delete your account, subject to the exceptions below.

Deleted content: removed from active systems within a reasonable period (typically within 30 days), then removed from backups on a rolling schedule (typically within 90 days), unless retention is required for legal compliance, disputes, copyright enforcement, fraud/abuse investigations, security, or operational continuity.

Logs and security records: retained for security, abuse prevention, and auditing typically up to 12 months, unless a longer period is necessary for an ongoing investigation or a legal requirement.

Support records: typically retained up to 24 months to maintain continuity and improve support, unless you request deletion and Swarlipi is not required to retain them.

Where local laws require different retention periods, those laws apply.

Swarlipi applies reasonable technical and organisational measures designed to protect personal information, including encryption in transit (TLS), access controls, least privilege, logging/monitoring, and secure development practices. No system is perfectly secure.

Depending on your location, you may have rights to access, correct, delete, or export your information, and to object or restrict certain processing. You can adjust privacy/sharing settings in the app.

To request privacy action, contact privacy@swarlipi.com (subject line: "Privacy Request - Swarlipi"). Swarlipi may verify your identity.

Swarlipi is not intended for children under 13 (or the minimum age required by local law). If Swarlipi learns it collected personal information unlawfully from a child, Swarlipi will delete it.

Swarlipi may introduce advertising or targeted marketing features, which may involve the use of advertising identifiers, cookies (web), SDKs (mobile), and sharing certain information with advertising/marketing partners for measurement, personalization, and fraud prevention.

When these features are used, Swarlipi will:

• provide appropriate notices and choices required by applicable law (including consent where required in the EU/UK);
• provide opt-outs where required (including for California residents under the CCPA/CPRA); and
• publish and maintain the Swarlipi Cookie Notice (website) and Do Not Sell or Share My Personal Information page (California notice), and honour valid requests.

Swarlipi may update this policy. If changes are material, Swarlipi will provide notice within the Service or by other reasonable means.

Privacy: privacy@swarlipi.com

Macloud Labs Pty Ltd

19 Adam Avenue, Wheelers Hill, VIC 3150, Australia