Privacy Policy

1. Who we are

Fipera (“we”, “us”) operates Sticker Swap (the “Service”) and is the controller of personal data processed in connection with it.

2. What data we collect

• Account data: email address, nickname, country and city of residence, account role, account status, age confirmation timestamp.
• Listings: the stickers you mark as Available or Wanted, your duplicate counts, and the timestamps of those changes.
• Swap data:swap requests you send or receive, their status, your acknowledgements (including the “Mark as completed” confirmation), and trust score updates.
• Messages: the text content of messages you exchange inside a swap, the sender, the swap they belong to, and timestamps; an automated flag if our content filter detects a payment pattern.
• Reports and moderation actions: reports you file or receive, moderator notes, warnings, suspensions and bans.
• Technical data: authentication session, browser/device user-agent, IP address (transient, used for security and abuse prevention).
• Notification preferences: whether you opted in to email alerts, the address used for notifications (which may differ from your sign-in email), and timestamps of preference changes.

We do not collect images, audio, video, payment information, biometric data, or precise geolocation. We do not use third-party analytics or advertising trackers.

3. Legal bases (PDPL / GDPR principles)

• Performance of a contract (these Terms) for delivering the Service.
• Legitimate interests in keeping the Service safe and abuse-free (moderation, retention, automated filtering, suspension).
• Consent for the chat terms acknowledgement and the age-confirmation gate.
• Consent for optional notification emails (swap alerts, match digests, listing reminders, and completion reminders). You may withdraw consent anytime via Profile settings or the unsubscribe link in each email.
• Legal obligation for responding to lawful requests by competent authorities.

4. How we use your data

• To operate the Service: authenticate you, show your listings, match you with collectors, deliver and store your messages, update trust scores.
• To keep the Service safe: review reported or auto-flagged content, suspend abusive accounts, comply with our Terms.
• To respond to your requests: support, privacy rights requests, dispute review.
• To send service-related emails you opted into: swap request and acceptance notices, match digests, listing alerts, and swap completion reminders. We do not send marketing or promotional email.
• To comply with the law.

We do not use your data for behavioural advertising or sell it to anyone.

5. Sharing

We share personal data only with:

• Supabase Inc., our hosting and database processor, under a written data processing agreement. Data may be stored on Supabase's EU or US infrastructure; appropriate cross-border safeguards apply.
• Vercel Inc., our application hosting provider, on the same basis.
• Resend (resend.com), our email delivery provider. Resend processes your notification email address and message content solely to deliver emails on our behalf under their data processing terms.
• Competent authorities when legally required to do so.

We do not share personal data with marketing, advertising, or data-broker third parties.

6. International transfers

Where data is transferred outside the country of your residence (for example, to Supabase or Vercel infrastructure in the EU or US), we rely on the processors' contractual safeguards (standard contractual clauses or equivalent) and do not transfer data to jurisdictions without an adequate level of protection.

7. Retention

• Messages: ninety (90) days from creation; one hundred eighty (180) days when associated with a report or automated safety flag; longer when under explicit legal hold.
• Account, listings, swaps, reports: for as long as your account is active. After account deletion, identifying data is removed within thirty (30) days, except where we must retain it for a legal obligation or to defend a legal claim.
• Email send logs: recipient user id, template type, and sent-at timestamp retained for ninety (90) days for abuse prevention and deliverability debugging.

8. Your rights

Subject to applicable law (UAE PDPL, KSA PDPL, GDPR where relevant), you have the right to:

• (a) access the personal data we hold about you;
• (b) request correction of inaccurate data;
• (c) request deletion of your data;
• (d) request a portable copy of your data;
• (e) object to or restrict certain processing;
• (f) withdraw consent (where processing is based on consent);
• (g) lodge a complaint with the supervisory authority in your country.

To exercise these rights, email hello@fipera.com. You may also turn off notification emails from Profile settings or use the unsubscribe link in any notification email. We will respond within thirty (30) days. Identity verification may be required.

9. Security

We protect your data with industry-standard measures, including TLS encryption in transit, encryption at rest, row-level access policies, the principle of least privilege for our staff, and audit logging of administrative actions. We do not provide end-to-end encryption for messages — this is intentional, so that we can moderate and respond to legitimate safety and legal requests. You should not transmit information you wish to keep private from the Service operator.

10. Children

The Service is for users aged eighteen (18) and over. We do not knowingly collect personal data from children. If you believe a child has provided data, please contact us and we will delete it promptly.

11. Cookies

We use only essential cookies required to keep you signed in. We do not use analytics, advertising, or tracking cookies.

12. Changes

We may update this Privacy Policy. Material changes will be notified in-app at least seven (7) days before they take effect.

13. Contact

hello@fipera.com. Please put “Privacy” in the subject line for faster routing.