
Data Privacy Policy
1. Controller Identity and Contact Details
- Controller: SWAPTO GmbH, Fulerumer Strasse 164, 45149 Essen, Germany, HRB 31422 (Essen), VAT ID: DE334583088.
- General privacy contact: legal@swapto.tech; operational contact: info@swapto.tech.
- Data Protection Officer (DPO): Roland Ballus, roland.ballus@swapto.tech.

2. Scope and Application
- This Privacy Policy explains how SWAPTO processes personal data in connection with:
  - Provision and operation of our real-time tele‑translation services and related support.
  - Our websites, customer portals, integrations, and communication channels.
  - Business development and marketing to corporate clients and contacts in a B2B context.
- Separate Data Processing Agreements (DPAs) apply when SWAPTO acts as a processor to customers; this Privacy Policy primarily covers SWAPTO’s controller activities and transparency obligations.

3. Categories of Personal Data We Process
Depending on your interactions with us and the services you use, we may process:
- Identification and contact data: name, business email, business phone, employer, job title, postal address.
- Account and authentication data: login credentials, role assignments, audit logs related to account access.
- Communication and call metadata: call records (date/time/duration), language selections, numbers connected, session identifiers; user‑generated support communications.
- Service content data: speech/voice data or transcriptions if technically necessary for service delivery and only under contractual instructions (processor context).
- Usage and device data: IP address, device type/OS, browser type, pages viewed, events, performance telemetry; approximate location when enabled.
- Billing and transaction data: invoicing details, bank/payment references, tax/VAT information.
- Marketing and preferences: consents, subscription status, communication preferences.

4. Sources of Personal Data
- Directly from you or your employer (account setup, service use, support requests).
- Automatically through our services (metadata, device/usage data).
- From third‑party providers acting on our behalf (e.g., hosting, telecommunications carriers) or from publicly available business sources in a B2B context.

5. Purposes and Lawful Bases for Processing
We process personal data for the following purposes under the lawful bases set out in Article 6 GDPR:
- Service provision and operation: to provide, administer, secure, and monitor our tele‑translation services, troubleshoot issues, and fulfil contractual obligations to customers. Lawful basis: performance of a contract or steps prior to entering into a contract (Article 6(1)(b)); for non-essential operations, legitimate interests (Article 6(1)(f)) in ensuring service quality and security.
- Account management and customer communications: creating and managing user accounts; sending service notices, updates, and support responses. Lawful basis: contract necessity (Article 6(1)(b)); legitimate interests (Article 6(1)(f)) in effective customer engagement and support.
- Security, fraud prevention, and compliance: protecting systems, investigating misuse, ensuring compliance with legal obligations. Lawful basis: legitimate interests (Article 6(1)(f)); legal obligation (Article 6(1)(c)) where applicable.
- Billing and finance: invoicing, payment processing, financial/accounting records, tax compliance. Lawful basis: contract necessity (Article 6(1)(b)); legal obligation (Article 6(1)(c)) for accounting/tax.
- Business development and B2B marketing: informing corporate contacts about SWAPTO services, events, and updates, consistent with EU/national rules. Lawful basis: consent (Article 6(1)(a)) where required; legitimate interests (Article 6(1)(f)) for B2B outreach to existing customers/contacts subject to opt‑out.
- Analytics and service improvement: understanding usage to improve performance and user experience, using aggregated/pseudonymized data where possible. Lawful basis: legitimate interests (Article 6(1)(f)) with data minimization and opt‑out mechanisms for non‑essential analytics; consent for non‑essential cookies/SDKs under TTDSG/ePrivacy.
- Legal claims and defense: establishment, exercise, or defense of legal claims. Lawful basis: legitimate interests (Article 6(1)(f)).

6. Special Categories of Data and Prohibited Content
- SWAPTO does not seek to process special categories of personal data under Article 9 GDPR (e.g., health, biometrics for identification, religious beliefs).
- In line with our contractual terms, we prohibit processing data classified as hate speech, sexually explicit content, illegal activities, or otherwise not permitted by EU law. If processing of special categories becomes necessary, we will require explicit written instructions and appropriate safeguards.

7. Recipients and Disclosure
We may share personal data with:
- Service providers and subprocessors supporting our services (e.g., telecommunications carriers, cloud hosting, support tooling, payment processors).
- Professional advisors (legal, accounting), insurers, and auditors.
- Public authorities and courts where required by law.
- In corporate transactions (merger, acquisition, asset sale), subject to appropriate safeguards.

8. International Data Transfers
- Where personal data is transferred outside the EEA (or EU) and the destination does not have an adequacy decision, we will implement appropriate safeguards, typically the European Commission’s Standard Contractual Clauses (SCCs), and, where required, supplementary technical/organizational measures following a transfer impact assessment.
- Information on locations and transfer mechanisms is available on request via legal@swapto.tech.

9. Retention Periods
We retain personal data only as long as necessary for the purposes described or as required to meet legal obligations:
- Account and service data: for the duration of the contract and a reasonable period thereafter to manage deprovisioning and support (typically 24 months post‑termination unless legal holds apply).
- Call metadata and logs: for operational and security purposes (typically 12–24 months), unless a longer period is necessary for legal obligations or incident investigations.
- Billing and financial records: per statutory requirements (typically 6–10 years under applicable tax/commercial laws).
- Marketing contact data: until you withdraw consent or opt‑out; we periodically refresh marketing lists and honour preferences.

10. Your Rights Under GDPR
Subject to conditions and applicable law, you have:
- Right to access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), data portability (Article 20), and objection (Article 21).
- Right to withdraw consent at any time (Article 7(3)) where processing is based on consent.
- Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Article 22), unless permitted by law and subject to safeguards.
- Right to lodge a complaint with a supervisory authority. Our lead authority in Germany is typically the competent Landesdatenschutzbehörde; you may also contact your local authority.
How to exercise rights: contact legal@swapto.tech, specifying your request and providing sufficient information to verify identity. We will respond within one month (extendable by two months for complex requests) and explain any denial with reasons.

11. Security Measures
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, proportionate to risks:
- Access management and role‑based access; multi‑factor authentication for privileged accounts.
- Encryption in transit; encryption at rest where applicable.
- Network segmentation, logging/monitoring, and incident response procedures.
- Vulnerability management and periodic penetration testing.
- Staff confidentiality commitments and privacy/security training.
- Business continuity and disaster recovery with defined RTO/RPO.
While no system can guarantee absolute security, we continually improve our controls and review supplier assurances.

12. Cookies, SDKs, and TTDSG/ePrivacy
- Our websites and services may use cookies and similar technologies. We obtain consent for non‑essential cookies/SDKs as required by the German Telecommunications‑Telemedia Data Protection Act (TTDSG) and ePrivacy rules.
- You can manage preferences via our consent banner and browser/device settings. Strictly necessary cookies do not require consent. Analytics/marketing cookies are opt‑in and can be withdrawn at any time.

13. Children’s Privacy
- Our services are intended for business users and not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact legal@swapto.tech and we will delete such data.

14. Processor Role and Customer Instructions
- For customer data processed within our services under a DPA, SWAPTO acts as a processor and processes personal data only on documented instructions from the customer.
- We ensure processor obligations under Article 28 GDPR, including confidentiality, security measures, subprocessor controls, assistance with rights and DPIAs, breach notification without undue delay, and deletion/return at end of services per the contract.

15. Changes to This Privacy Policy
- We may update this Privacy Policy to reflect changes in law or our practices. We will post updates on our website and, where material, provide notice via email or service notifications.
- The “Effective Date” will be updated with each revision.

16. Effective Date
Effective Date: 15.11.2025