Privacy Policy

Introduction

Ahava Labs LLC, operating as SwapFlow (together with our affiliates, the "Company," "we," "us," or "our") respects your privacy and is strongly committed to keeping secure any information we obtain from you or about you.

This Privacy Policy ("Policy") describes our practices with respect to, and the legal basis on which we handle, personal data which we collect from or about you when you use our AI-powered character swap and social media publishing platform, including its associated websites and applications (collectively, the "Services" or "Platform").

In this Policy, "you" or "your" refers to any person who accesses, uses, or purchases any of the Services. "Personal Data" refers to any information that can be used to identify you, either directly or in combination with other information.

By using the Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, disclosure, and processing of your Personal Data in accordance with this Policy.

1. Data We Collect

We collect different categories of information depending on how you interact with our Services:

1.1 Information You Provide

Registration Information

When you create an account using Google Sign-In, we collect:

• Your name and email address
• Google account identifier
• Profile picture (if provided)
• Language and locale preferences

User Content

When you use our AI-powered features, we process the media content you provide, including:

• Photos and videos uploaded for character swapping or transformation
• Reference images used for AI processing (e.g., faces for swapping)
• Processed output files and AI-generated content
• Audio files and music you upload or add to content
• Captions, descriptions, and metadata you create

Note: For character swapping features, our AI systems may analyze facial features, expressions, and biometric data solely for the purpose of providing the character swap functionality. This data is processed transiently and is not used to create facial recognition databases or identify individuals.

Financial Information

When you purchase a subscription, we collect billing information including:

• Name and billing address
• Payment method details (processed securely by Stripe)
• Transaction history and subscription status

Note: We do not store complete credit card numbers. Payment processing is handled by Stripe in accordance with PCI-DSS standards.

API Keys and Credentials

To enable third-party integrations, you may provide:

• AI service API keys (encrypted at rest)
• Social media OAuth tokens (encrypted at rest)
• Google Drive access tokens (encrypted at rest)

Communications

We collect information from your communications with us, including:

• Support requests and correspondence
• Survey responses and feedback
• Feature requests and bug reports

1.2 Information Collected Automatically

Device and Log Data

When you access our Services, we automatically collect:

• IP address and approximate geographic location (city/region level)
• Device type, operating system, and browser type
• Unique device identifiers
• Referring URLs and pages visited
• Date and time of access
• Error logs and crash reports

Usage Information

We collect information about how you use the Services:

• Features used and actions taken
• Processing jobs initiated and completed
• Session duration and frequency of use
• Content publishing history and schedules

Cookies and Similar Technologies

We use cookies and similar technologies to maintain sessions and remember your preferences. See Section 9 for more details.

2. How We Use Your Data

We use the data we collect for the following purposes:

2.1 Providing and Operating the Services

• Authenticating your identity and maintaining your account
• Processing your AI transformation and character swap requests
• Publishing content to your connected social media accounts
• Storing and managing your media in Google Drive
• Processing payments and managing subscriptions

2.2 Safety and Security

• Scanning content for harmful, illegal, or policy-violating material
• Detecting and preventing fraud, abuse, and unauthorized access
• Enforcing our Terms of Service and Community Guidelines
• Protecting the rights and safety of our users and third parties

2.3 Improvement and Development

• Analyzing usage patterns to improve user experience
• Developing new features and functionalities
• Conducting research and analytics
• Troubleshooting technical issues

2.4 Communication

• Sending service announcements and updates
• Responding to your inquiries and support requests
• Sending marketing communications (with your consent where required)

2.5 Legal Compliance

• Complying with applicable laws and regulations
• Responding to legal requests and court orders
• Establishing, exercising, or defending legal claims

3. Our Legal Basis for Processing Data

We process your Personal Data based on the following legal grounds:

3.1 Contractual Necessity

Processing is necessary to perform our contract with you (the Terms of Service) and to provide the Services you have requested.

3.2 Consent

Where we process data based on your consent (e.g., marketing communications), you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3.3 Legal Obligations

Processing is necessary to comply with legal obligations to which we are subject, such as tax laws, anti-money laundering regulations, and law enforcement requests.

3.4 Legitimate Interests

Processing is necessary for our legitimate business interests, provided such interests are not overridden by your rights and freedoms. Our legitimate interests include fraud prevention, network security, and service improvement.

4. Data Storage and Retention

4.1 Storage Location

Your data is stored on servers located in the United States, operated by our infrastructure provider Supabase. Media files you store are kept in your own Google Drive account.

4.2 Retention Periods

We retain your Personal Data for as long as necessary to fulfill the purposes for which it was collected:

• Account Information: Retained while your account is active and for up to 3 years after account deletion for legal and compliance purposes.
• User Content: Media files are stored in your Google Drive and remain under your control. Processing job metadata is retained for 1 year for troubleshooting purposes.
• Transaction Data: Retained for 7 years as required by financial regulations.
• Logs and Analytics: Retained for up to 2 years for security and service improvement purposes.

4.3 Data Deletion

You may request deletion of your account and associated data at any time through your account settings or by contacting support. Some data may be retained as required by law or for legitimate business purposes.

5. Data Security and Protection

5.1 Security Measures

We implement appropriate technical and organizational measures to protect your Personal Data, including:

• Encryption of sensitive data (API keys, OAuth tokens, passwords) at rest using industry-standard algorithms
• HTTPS/TLS encryption for all data transmitted between your device and our servers
• Secure authentication through Google OAuth 2.0
• Regular security assessments and vulnerability testing
• Access controls limiting employee access to personal data on a need-to-know basis
• Logging and monitoring of system access

5.2 Limitations

While we strive to protect your Personal Data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and API keys.

5.3 Breach Notification

In the event of a data breach that affects your Personal Data, we will notify you in accordance with applicable data protection laws.

6. To Whom We May Share Your Data

6.1 Service Providers

We share data with third-party service providers who perform services on our behalf:

• AI Processing Services: Receive your media content for AI transformation. Processing is performed according to their privacy policies.
• Google: For authentication (Google Sign-In) and cloud storage (Google Drive).
• Supabase: Provides our database and authentication infrastructure.
• Stripe: Processes payment transactions securely.
• Social Media Platforms: Receive content you choose to publish through our Services.

6.2 Affiliates

We may share data with our corporate affiliates and subsidiaries for the purposes described in this Policy.

6.3 Legal and Regulatory

We may disclose your data when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your Personal Data may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your data.

6.5 With Your Consent

We may share your data with other third parties when you have given us your explicit consent to do so.

7. International Data Transfers

7.1 Your Personal Data may be transferred to, stored, and processed in countries other than your country of residence, including the United States, where our servers are located. These countries may have data protection laws that differ from those in your jurisdiction.

7.2 When we transfer Personal Data across borders, we implement appropriate safeguards to ensure your data remains protected, including:

• Standard Contractual Clauses (SCCs) approved by relevant regulatory authorities
• Data processing agreements with our service providers
• Other lawful transfer mechanisms as required by applicable law

7.3 By using our Services, you acknowledge and consent to the transfer of your Personal Data to countries outside your country of residence.

8. Your Rights Relating to Your Data

Depending on your jurisdiction, you may have the following rights regarding your Personal Data:

8.1 Access

You have the right to request access to the Personal Data we hold about you.

8.2 Rectification

You have the right to request correction of inaccurate or incomplete Personal Data.

8.3 Erasure

You have the right to request deletion of your Personal Data, subject to legal retention requirements.

8.4 Restriction

You have the right to request that we restrict processing of your Personal Data in certain circumstances.

8.5 Portability

You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller.

8.6 Objection

You have the right to object to certain processing activities, including direct marketing.

8.7 Withdrawal of Consent

Where processing is based on consent, you have the right to withdraw your consent at any time.

8.8 Exercising Your Rights

To exercise any of these rights, please contact us at support@swapflow.top. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

9. Cookies and Similar Technologies

9.1 What Are Cookies

Cookies are small text files placed on your device when you visit our website. They help us recognize your device and remember your preferences.

9.2 Types of Cookies We Use

• Essential Cookies: Required for the Services to function properly, including authentication and security cookies.
• Preference Cookies: Remember your settings and preferences (language, theme).
• Analytics Cookies: Help us understand how users interact with the Services to improve functionality.

9.3 Third-Party Cookies

We do not use third-party advertising or tracking cookies. Some of our service providers (such as authentication providers) may set their own cookies.

9.4 Managing Cookies

Most web browsers allow you to manage cookie preferences. You can set your browser to refuse cookies or alert you when cookies are being sent. Note that disabling essential cookies may affect the functionality of the Services.

10. Third-Party Applications and Links

10.1 Our Services may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access.

10.2 We are not responsible for the privacy practices or content of third-party services. Your interactions with third-party services are governed by their terms and privacy policies.

11. Changes to This Policy

11.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

11.2 We will notify you of material changes by posting the updated Policy on our website and updating the "Last Updated" date at the top of this page. For significant changes, we may also notify you via email or through the Services.

11.3 Your continued use of the Services after any changes to this Policy constitutes your acceptance of the updated Policy.

12. Parental and Guardian Consent

12.1 The Services are not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect Personal Data from children under this age.

12.2 If you are between 13 and 18 years of age, you may only use the Services with the consent and supervision of a parent or legal guardian.

12.3 If we learn that we have collected Personal Data from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe we have collected such information, please contact us immediately at support@swapflow.top.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: support@swapflow.top

Website: https://www.swapflow.top

We aim to respond to all inquiries within 30 days.

14. Jurisdiction-Specific Terms

If you are located in one of the following jurisdictions, additional terms and disclosures may apply to you: