Privacy Policy
Last updated: April 2, 2026
Quick Privacy Summary
Your privacy is not a formality for us — it is a core principle of how SwiftIn is built. Here are the key facts:
- ✓ No data selling. We never sell, rent, or trade your personal data to third parties or data brokers.
- ✓ No text storage. Your translation text is processed in real time and immediately discarded — we never store the content of your translations on our servers (unless you explicitly enable server-side history on Pro/Team).
- ✓ Minimal data collection. We collect only what is necessary: email, character usage, and standard technical data to maintain and improve the Service.
- ✓ AI processing. When you translate, the text you submit is sent over an encrypted connection to Google's servers (Gemini API) for processing. Google processes the text solely to return a translation and is contractually prohibited from using your data to train their models. See Google's API Terms for details.
- ✓ Extension stays local. All browser extension settings, local translation history, and preferences are stored entirely on your device and are never transmitted to our servers or any third party.
- ✓ Account & data deletion. You can request deletion of your account and all associated data at any time by contacting support@swiftin.dev. Deletion is completed within 30 days.
1. Introduction & Data Controller
SwiftIn ("we," "our," or "us") operates the SwiftIn browser extension and the website located at swiftin.dev (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, and share information when you use our Service. By using SwiftIn you agree to the practices described in this policy.
The data controller responsible for data processing pursuant to the General Data Protection Regulation (GDPR) and other applicable data protection laws is:
SwiftIn
Email: support@swiftin.dev
Privacy inquiries: legal@swiftin.dev
Jurisdiction: Georgia (country)
"Personal data" means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
2. Information We Collect
2.1 Account Information
When you create an account we collect your email address and name (optional). Your password is hashed with bcrypt before storage and is never stored in plain text.
2.2 Translation Data
When you use the translation feature we process the source text you submit and the translated result. This includes text from selected text, input fields, and chat messages on supported platforms (e.g., Discord). For users on paid plans (Pro and Team), translation history — including original text, translated text, source and target languages, translation style, and character count — may be stored on our servers if the "Save history to server" option is enabled. Free plan users' translation history is stored exclusively within the browser extension's local storage and is never sent to our servers.
2.3 Usage Data
We track the number of characters translated per billing period to enforce plan usage limits. We also log the number of translation requests for rate-limiting and abuse-prevention purposes. We do not read or analyze the content of your translations for advertising, profiling, or any purpose other than providing the translation.
2.4 Payment Information
Payments are processed by third-party providers: Paddle (card payments) and NOWPayments (cryptocurrency payments). We do not directly store your full payment card numbers. Our payment providers handle all sensitive financial data in accordance with their own privacy policies and PCI DSS requirements. We store only the transaction identifiers and subscription status necessary to manage your account.
2.5 Extension Settings
Your extension preferences — such as target language, translation style, excluded sites, hotkey configuration, and interface language — are stored locally in your browser via the browser's built-in synchronized storage. These settings are not transmitted to our servers.
In addition, the extension stores certain per-component preferences in your browser's localStorage. These include independently selected target languages for the text-selection popup and the input-field translation button, the user's preferred UI theme (light/dark), and temporary snooze or disable states for individual translation components. This data remains on your device, is not transmitted to our servers or any third party, and can be cleared at any time by clearing your browser's site data or uninstalling the extension.
2.6 Account Recovery & Security Data
When you request a password reset, we send a single-use, time-limited recovery link to your registered email address. The recovery process involves short-lived authentication tokens that are exchanged securely on our servers and are not stored beyond the duration of the reset session. We do not log or retain the content of your new password — it is hashed before storage. Email verification codes during registration are also single-use and expire shortly after issuance.
2.7 AI-Generated Content
When you use the translation or text-to-speech features, your source text is sent to third-party AI providers (currently Google AI) for processing. This applies to all translation sources — selected text, input fields, and chat messages from supported platforms. These providers process your text in real time to generate translations or audio and do not retain your content beyond the duration of the request. SwiftIn does not control the behavior, output quality, or accuracy of third-party AI models. AI-generated translations and audio are provided "as is" — see our Terms of Service for full disclaimers regarding AI output.
2.8 What We Do NOT Collect
We believe in radical transparency. Here is what we explicitly do not collect:
- ✕ Your general browsing activity or keystrokes — we only process the specific text you intentionally send for translation
- ✕ Passwords in plain text — all passwords are hashed with bcrypt before storage
- ✕ Financial information beyond what is required for payment processing (handled by Paddle/NOWPayments)
- ✕ Location data, GPS coordinates, or geolocation
- ✕ Contacts, photos, files, or any data from other apps on your device
- ✕ Browsing history or behavior across other websites (except the specific page content you select for translation)
- ✕ Any data from minors under 13
We collect only the minimum information necessary to provide and improve the Service.
3. How We Use Your Information
- Providing the Service: processing translations, generating text-to-speech audio, authenticating your account, and managing your subscription.
- Usage Enforcement: tracking character usage to apply plan limits and prevent abuse.
- Service Improvement: aggregated, anonymous metrics (e.g., total translations per day, popular language pairs) to improve performance and reliability.
- Communication: sending transactional emails related to your account (e.g., password resets, billing receipts).
- Marketing (opt-in only): if you explicitly consent, we may send promotional emails about product updates, tips, and offers. You can withdraw marketing consent at any time via Dashboard → Settings → Privacy & Cookies or by clicking "Unsubscribe" in any marketing email.
4. Third-Party Services
To deliver the Service we share limited data with the following third-party providers:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database & authentication | Account info, usage data, translation history (if enabled) |
| Google AI (Gemini API) | Machine translation & text-to-speech | Source text for translation, translated text for audio generation. API requests are sent to Google's Generative Language API; request logs (including submitted text) may be visible in the Google AI Studio console and may be retained by Google in accordance with their API Terms. |
| Paddle | Card payments | Email, subscription metadata |
| NOWPayments | Crypto payments | Order amount, plan metadata |
| Resend | Transactional email delivery | Email address (for account verification, password resets, team invites) |
| PostHog | Product analytics (consent-based) | Anonymized usage events, page views (only after cookie consent) |
Each provider processes data in accordance with their own privacy policy. We encourage you to review those policies independently.
AI-Powered Translation & Audio: Text you submit for translation is sent to Google's Generative Language API for processing. The AI model may apply content safety filters that alter, omit, or refuse to process certain types of content (including profanity, sensitive, or explicit material). We do not control these filters and cannot guarantee the accuracy, completeness, or fidelity of any AI-generated translation or text-to-speech output. You are solely responsible for verifying the suitability of any output before use. Please refer to our Terms of Service for full disclaimer details.
5. Lawful Basis for Processing
We process your personal data under the following legal bases as defined by the GDPR:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account registration & authentication | Contract performance | Art. 6(1)(b) |
| Translation processing & delivery | Contract performance | Art. 6(1)(b) |
| Subscription billing & payments | Contract performance | Art. 6(1)(b) |
| Usage tracking & plan limit enforcement | Contract performance | Art. 6(1)(b) |
| Rate-limiting & abuse prevention | Legitimate interest | Art. 6(1)(f) |
| Product improvement & aggregated analytics | Legitimate interest | Art. 6(1)(f) |
| Transactional emails (password reset, billing) | Contract performance | Art. 6(1)(b) |
| Product updates & service notifications | Legitimate interest | Art. 6(1)(f) |
| Marketing emails & promotions | Consent (opt-in) | Art. 6(1)(a) |
| Analytics cookies (PostHog) | Consent (opt-in) | Art. 6(1)(a) |
| Server-side translation history (Pro: opt-in; Team: input always, selection opt-in by owner) | Consent (opt-in) / Legitimate interest (Team) | Art. 6(1)(a) |
| Billing record retention | Legal obligation | Art. 6(1)(c) |
| ToS/Privacy consent audit trail (IP, User-Agent) | Legitimate interest | Art. 6(1)(f) |
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
6. Data Storage & Security
Your account data and server-side translation history are stored on Supabase-hosted infrastructure with encryption at rest and in transit (TLS). Passwords are hashed using bcrypt with a cost factor of 12. Authentication tokens (JWT) expire after a short period, and refresh tokens are rotated on every use and expire after 7 days.
While we take commercially reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Cross-border Data Transfers
To provide the Service, your data may be transferred to and processed in countries outside your country of residence. In particular:
- Supabase (database & authentication) — United States
- Google AI (translation & text-to-speech) — United States
- Paddle (payments) — United Kingdom
- Resend (transactional email delivery) — Ireland (EU). As our email processor, Resend receives your email address, email content, and delivery metadata (timestamps, delivery status) solely to deliver account-related emails on our behalf. Resend does not use this data for their own purposes. See Resend Privacy Policy.
- PostHog (analytics) — European Union
- NOWPayments (cryptocurrency payments) — Netherlands / Seychelles
These providers maintain their own data protection measures. Where required by law, transfers are covered by Standard Contractual Clauses (SCCs) or equivalent safeguards.
8. Data Retention
- Account data is retained for as long as your account is active. If you delete your account, we will remove your personal data within 30 days.
- Inactive accounts: Free plan accounts with no activity for 12 months and no transaction history may be automatically deleted. You will not receive prior notice; to prevent deletion, simply use the Service at least once within any 12-month period.
- Translation history (server-side) retention depends on your plan:
| Plan | Server History | Notes |
|---|---|---|
| Free | Not stored | History is stored locally in the browser extension only |
| Pro | 90 days | Server-side storage is off by default (opt-in). When enabled, input translations are saved to the server. An additional opt-in toggle controls whether text selection translations are also saved. Disabling cloud sync immediately and permanently deletes all server-stored history |
| Team | 180 days | Input translations are always stored on the server. The team owner controls whether text selection translations are also saved (off by default). Disabling cloud sync immediately deletes history for all team members |
- Usage data (character counts) is retained for the current billing period and one prior period for billing accuracy.
- Local extension data (settings, local history) is controlled entirely by you and can be cleared at any time through the extension settings or by uninstalling the extension. The extension stores up to 5,000 translation entries locally; older entries are automatically removed, with favorited translations protected from deletion.
- Team data: When a Team plan is deactivated (cancelled, expired, or downgraded), all team-related records — including member associations, team usage statistics, pending invitations, and team translation history — are permanently deleted 30 days after deactivation.
9. Your Rights
Under the GDPR and similar data protection laws, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — request confirmation of whether we process your data and obtain a copy.
- Right to rectification (Art. 16 GDPR) — request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR) — request deletion of your personal data. You can request account deletion at any time by contacting support@swiftin.dev.
- Right to restriction of processing (Art. 18 GDPR) — request that we limit the processing of your data in certain circumstances.
- Right to data portability (Art. 20 GDPR) — request an export of your data in a structured, machine-readable format.
- Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on your consent (e.g., analytics cookies, marketing emails, server-side history), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to object (Art. 21 GDPR) — you may object to processing based on legitimate interest. If we process your data for direct marketing, you have an unconditional right to object.
- Right to lodge a complaint — you have the right to lodge a complaint with a supervisory data protection authority in your country of residence.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know — you may request that we disclose the categories and specific pieces of personal information we have collected, the categories of sources, the business purpose for collecting, and the categories of third parties with whom we share it.
- Right to delete — you may request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, security, legal obligations).
- Right to correct — you may request correction of inaccurate personal information.
- Right to opt-out of sale/sharing — SwiftIn does not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
- Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights (GDPR or CCPA), please contact us at legal@swiftin.dev. We will respond within 30 days (GDPR) or 45 days (CCPA).
10. Cookies & Tracking
The SwiftIn website uses essential cookies required for authentication and session management. These cookies are strictly necessary and do not require consent.
We also use local browser storage (localStorage) to store authentication tokens and user preferences. On the website this data remains on your device, is not transmitted to third parties, and is fully cleared when you log out. The browser extension also uses localStorage to persist per-component settings such as independently chosen target languages and temporary disable/snooze states; this data stays on your device and is never sent to our servers.
We also use optional analytics cookies (via PostHog) to understand how the Service is used and to improve the user experience. Analytics cookies are only activated after you give explicit consent through the cookie banner shown on your first visit.
You can withdraw your analytics cookie consent at any time from Dashboard → Settings → Privacy & Cookies. The browser extension stores authentication tokens locally on your device and does not set or read website cookies.
11. Data Breach Notification
In the unlikely event of a personal data breach, we are committed to acting swiftly and transparently:
- Within 72 hours of becoming aware of a breach, we will notify the relevant supervisory authority as required by GDPR.
- Affected users will be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Notifications will include a description of the breach, the data affected, likely consequences, and the measures we are taking to address it.
- We will provide a dedicated point of contact to answer any questions related to the breach.
If you believe you have identified a security vulnerability, please contact us immediately at legal@swiftin.dev.
12. Children's Privacy
SwiftIn is not directed to children under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through the Service. Your continued use of SwiftIn after changes become effective constitutes acceptance of the revised policy.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please reach us at:
SwiftIn
General support: support@swiftin.dev
Privacy & data rights: legal@swiftin.dev
Jurisdiction: Georgia (country)