Privacy Policy
Last updated: 2026-05-07 · Version: 1.0
This Privacy Policy explains how StickerSwap ("we", "us", "our") collects, uses, shares, and protects personal data when you use our Service. We aim to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Brazilian Lei Geral de Proteção de Dados (LGPD), and other applicable privacy laws.
1. Who is the controller of your data
StickerSwap is operated by an individual developer as a non-commercial personal project. For the purposes of GDPR, UK GDPR, and LGPD, the operator is the data controller. You can contact the controller at legal@stickerswap.club.
We have not appointed a Data Protection Officer (DPO) because the scale of processing does not require one under applicable law. For privacy questions, please use the contact above.
2. The principle: we collect as little as possible
We have designed the Service to minimise the personal data we collect. We only collect what we need to operate the Service and to keep it safe.
3. What data we collect
| Category | Examples | Why we collect it | Legal basis (GDPR) |
|---|---|---|---|
| Account data | Email address, username, hashed password | To create and authenticate your account | Performance of a contract (Art. 6(1)(b)) |
| Profile data | Display name, avatar (optional), country/region (optional) | So other users can identify potential trade partners | Performance of a contract |
| Collection data | Albums you collect, stickers you have/want, photos you upload | Core function of the Service | Performance of a contract |
| Communications | Messages you send to other users, support emails | To enable user-to-user trade conversations and support | Performance of a contract |
| Technical data | IP address, browser/device info, language, timestamps, pages visited | Security, fraud prevention, service operation | Legitimate interests (Art. 6(1)(f)) |
| Cookies (essential only) | Session/auth cookies, CSRF token | Keeping you logged in, security | Strictly necessary (no consent required) |
| Consent records | Timestamp, version of Terms/Privacy accepted, IP at time of consent | Proof of consent under GDPR/LGPD | Legal obligation (Art. 6(1)(c)) |
We do not collect: phone numbers, government IDs, payment data, precise geolocation, biometric data, health data, or any other special-category data. We do not run third-party advertising trackers, behavioural-advertising pixels, or fingerprinting scripts.
4. How we use your data
We use your data to:
- Create, operate, and maintain your account.
- Match you with other collectors who might want to trade.
- Enable messaging between users.
- Keep the Service secure and prevent fraud, abuse, and rate-limit violations.
- Notify you of important changes (security, legal, account status). These are not marketing emails.
- Comply with our legal obligations and respond to lawful requests.
We do not sell your personal data, and we do not share it with advertisers. We do not use your data to train AI models.
5. With whom we share your data
We share data only with the following categories of recipients, each acting under a written agreement that protects your data:
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Vercel | Application hosting, analytics (privacy-friendly, no cookies) | United States, EU regions | Data Processing Agreement; Standard Contractual Clauses |
| Supabase | Database, authentication, file storage | EU / United States | Data Processing Agreement; Standard Contractual Clauses |
| Resend | Sending account-related emails (verification, password reset, important account notices) | United States / EU regions | Data Processing Agreement; Standard Contractual Clauses |
We may also disclose data: (a) to comply with a lawful legal request, (b) to protect the rights, property, or safety of users or the public, (c) to enforce these Terms, or (d) in connection with the discontinuation of the Service.
Other users can see the public parts of your profile (username, avatar, the albums you collect, items you mark for trade) and the messages you send them. Do not share information with another user that you do not want them to have.
6. International transfers
The Service uses providers located in the United States and the European Union. When personal data is transferred from the European Economic Area, the United Kingdom, or Brazil to a country that has not been recognised as providing an adequate level of protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the UK Information Commissioner's Office, or equivalent mechanisms under LGPD.
You may request a copy of the safeguards in place by contacting legal@stickerswap.club.
7. How long we keep your data
| Data | Retention |
|---|---|
| Account and profile data | While your account is active |
| Collection and trade data | While your account is active |
| Messages | While your account is active, or until you delete the conversation |
| Technical/security logs | Up to 12 months |
| Consent records | 5 years after the related processing ends, for legal-defence purposes |
| Backups | Up to 30 days after deletion from the live system |
When you delete your account, we delete or anonymise your personal data within 30 days, except where retention is required by law or for the establishment, exercise, or defence of legal claims.
8. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing in certain circumstances.
- Receive your data in a structured, commonly used, machine-readable format (data portability; we provide a JSON export).
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority.
For California residents (CCPA/CPRA): you also have the right to know what categories of personal information we collect, the right to opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioural advertising), the right to limit use of sensitive personal information (we do not collect any), and the right to non-discrimination for exercising your rights.
You can exercise most rights directly from your account settings:
- Export your data: Account → Export my data (delivers a JSON file).
- Delete your account: Account → Delete account (irreversible after a short grace period).
For any other requests, email legal@stickerswap.club with the subject "Privacy request". We will respond within 30 days.
9. Security
We use reasonable technical and organisational measures to protect your data, including encryption in transit (HTTPS), hashed passwords, row-level security on the database, rate limiting on authentication endpoints, and access controls. However, no method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours where required, and we will notify affected users without undue delay where required by law.
10. Cookies
We use only strictly necessary cookies (session/authentication and CSRF protection). These cookies do not require consent under EU and UK law. We do not use advertising, marketing, or third-party analytics cookies. For details, see our Cookie Policy.
11. Children
The Service is not intended for individuals under 18 years of age, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact legal@stickerswap.club and we will delete the data promptly.
12. Automated decision-making
We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significantly affects you.
13. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email or an in-app notice.
14. Contact
Questions or privacy requests: legal@stickerswap.club.