Privacy Policy

1. Introduction and Scope

SWIRL ("we," "our," or "us") is a swipe-based fashion discovery platform that helps users explore, save, and purchase fashion products curated from Indian and global brands. This Privacy Policy explains in detail how SWIRL accesses, collects, uses, stores, shares, and protects your personal and sensitive information when you use the SWIRL mobile application ("App") and any associated services ("Services").

This Policy applies to all users of the SWIRL App, including visitors, registered users, and purchasers. By downloading, installing, or using the App, you acknowledge that you have read, understood, and agree to the practices described herein.

This Privacy Policy is publicly available, non-geofenced, and accessible at https://swirl.style/privacy-policy.

2. Who We Are

Company Name	SWIRL
Developer / Data Controller	Tarun Krishna Mahajan, Founder, SWIRL
Founder & DPO	Tarun Krishna Mahajan
App Name	SWIRL - Fashion Discovery
Platform	Android (Google Play)
Registered Address	Hyderabad, Telangana, India
Privacy Contact	privacy@swirl.app
Support Email	support@swirl.app
Website	https://swirl.style

For all privacy-related inquiries, requests, or complaints, please contact our Privacy Point of Contact at privacy@swirl.app. We will respond to all privacy requests within 30 days.

3. Data We Collect

We collect data in three ways: (a) data you provide directly, (b) data collected automatically when you use the App, and (c) data received from third-party services integrated into the App.

3.1 Data You Provide Directly

Data Type	Examples	Purpose
Account Information	Name, email address, phone number, gender, date of birth	Create and manage your SWIRL account
Profile Information	Username, profile photo, style preferences, size information, fashion interests	Personalize your fashion discovery feed
Authentication Credentials	Password (hashed), social login tokens (Google, Apple)	Secure login and authentication
Payment Information	Billing address, payment method metadata processed via Razorpay. We do not store full card numbers.	Process in-app purchases and transactions
Shipping Information	Delivery address, pin code, recipient name, phone number	Fulfil product orders via Shiprocket
User-Generated Content	Saved items ("swipes"), wishlists, collections, reviews, photos uploaded by you	Enable core app functionality
Communications	Messages sent to our support team, feedback forms	Customer support and product improvement

3.2 Data Collected Automatically

When you use the SWIRL App, we automatically collect certain technical and usage data:

Data Type	Examples	Purpose
Device Information	Device model, OS version, unique device identifiers such as Android Advertising ID / AAID, screen resolution	App performance, compatibility, and analytics
Usage Data	Swipe interactions, products viewed, time spent per item, features accessed, scroll behavior	Improve recommendation engine and personalise feed
Session Data	App open/close times, session duration, crash logs, ANR reports	Diagnose bugs and improve stability
Network Information	IP address with approximate city-level geolocation, network type, ISP	Security, fraud prevention, and regional content delivery
Inferred Preferences	Style categories, colour preferences, brand affinities derived from swipe behavior	Personalised product discovery
App Set ID	Android App Set ID	Analytics and fraud prevention only. Never used for ads personalisation or ads measurement.

3.3 Data from Third-Party Integrations

SWIRL integrates with the following third-party services, each of which may share data with us as part of their functionality:

Third Party	Data Received	Purpose
Shopify	Product catalog data, order status, inventory updates	Power product listings and checkout
Razorpay	Payment status, transaction IDs, masked card/UPI metadata	Process payments securely
Shiprocket	Shipping status, delivery tracking	Order fulfilment and delivery tracking
Google Sign-In / Firebase	Basic Google profile such as name, email, profile photo	Social login; Firebase for analytics, crashlytics, and push notifications
AWS / Google Cloud	Infrastructure hosting; no independent data collection	Secure data storage and app infrastructure

4. How We Use Your Data

We use the data we collect strictly for the following purposes, limited to what is reasonably expected by users of a fashion discovery and e-commerce application:

4.1 Core App Functionality

Creating and managing your SWIRL account
Personalising your swipe-based fashion feed based on your stated and inferred style preferences
Enabling product saving, wishlisting, sharing, and purchasing
Processing and fulfilling orders and managing returns or refunds
Sending order confirmations, shipping updates, and delivery notifications

4.2 Improving the App

Analysing aggregate, anonymised usage patterns to improve UI/UX, recommendation algorithms, and product curation
Running A/B tests on app features to enhance user experience
Diagnosing and fixing bugs, crashes, and performance issues

4.3 Safety and Security

Detecting, preventing, and responding to fraud, abuse, or security threats
Verifying your identity for account authentication
Complying with applicable laws, court orders, or law enforcement requests

4.4 Communication

Sending transactional emails and push notifications, such as order updates and price drops on saved items
Sending marketing communications only if you have explicitly opted in. You can withdraw consent at any time.
Responding to your support queries and feedback

4.5 Legal Compliance

Meeting our obligations under Indian data protection laws, including the Digital Personal Data Protection Act, 2023, and applicable international regulations such as GDPR for EU users and UK GDPR for UK users.

We do not sell your personal or sensitive user data to any third party for monetary consideration.

5. Prominent Disclosure: Background Data Collection

In-App Disclosure Notice displayed at onboarding and first permission request:

"SWIRL collects your usage data (swipes, taps, and product interactions) to enable your personalised fashion feed, even when the app is running in the background. Location data (at city level, derived from IP address) is used to surface regionally relevant products. This data is never shared with advertisers. You can review and manage these settings at any time in the App's Privacy Settings."

We display this notice within the app, before any background data collection begins, and require your affirmative consent (tap to accept) before proceeding.

6. Legal Bases for Processing (GDPR / UK GDPR)

For users in the European Economic Area (EEA) or United Kingdom, our legal bases for processing are:

Processing Activity	Legal Basis
Account creation and management	Contract - necessary to provide the service
Order processing and fulfilment	Contract - necessary to fulfil your purchase
Personalised recommendations (behavioral data)	Consent - obtained at onboarding; withdrawable at any time
Analytics and app improvement	Legitimate interest - to maintain and improve the app, balanced against your privacy rights
Marketing communications	Consent - explicit opt-in; withdrawable at any time
Fraud prevention and security	Legitimate interest - to protect users and the platform
Legal compliance	Legal obligation

7. Data Sharing and Disclosure

We share your data only in the following limited circumstances:

7.1 Service Providers (Data Processors)

We share data with carefully vetted third-party service providers who process data on our behalf and under strict data processing agreements:

Razorpay - payment processing
Shiprocket - order logistics and delivery
Shopify - e-commerce product and order management
Google Firebase - analytics, crash reporting, push notifications
AWS / Google Cloud - secure cloud infrastructure hosting

These providers are contractually prohibited from using your data for their own purposes.

7.2 Legal Requirements

We may disclose your data if required to do so by applicable law, regulation, legal process, or governmental authority, including in response to valid court orders or requests by Indian law enforcement agencies, provided such requests comply with applicable data protection law.

7.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or a portion of SWIRL's assets, your data may be transferred to the acquiring entity, subject to the same level of protection as described in this Policy. We will provide legally adequate notice to users before any such transfer.

7.4 With Your Consent

We may share your data with any other party where we have obtained your explicit, informed consent to do so.

We do not share your personal and sensitive data with advertising networks, data brokers, or any third party for the purpose of targeted advertising.

8. Data Retention and Deletion

8.1 Retention Periods

Data Category	Retention Period
Account data	Until account deletion, plus 30 days for safety
Transaction and payment records	7 years, as required under Indian taxation law and GST compliance
Usage and analytics data (anonymised)	Up to 24 months rolling
Customer support communications	2 years from last interaction
Crash logs and diagnostic data	90 days
Marketing consent records	Until consent is withdrawn, plus 3 years

8.2 Account Deletion

SWIRL provides users with the ability to delete their account, in accordance with Google Play's Account Deletion policy. You can initiate account deletion:

Within the App: Navigate to Profile → Settings → Account → Delete Account
Outside the App: Submit a deletion request at https://swirl.style/delete-account or email privacy@swirl.app with the subject line "Account Deletion Request"

Upon a valid deletion request:

Your account and associated personal data will be permanently deleted within 30 days
Anonymised, aggregate data that is not linked to your identity may be retained for statistical purposes
Data that we are legally required to retain, such as financial transaction records, will be retained only for the legally mandated period, in a restricted-access environment, and deleted thereafter

Temporary deactivation, suspension, or "freezing" of your account does not constitute deletion. You must explicitly request full deletion.

9. Permissions We Request

SWIRL requests the following Android runtime permissions. Each permission is requested at the time of its first use, preceded by an in-app explanation:

Permission	Why We Need It	Can You Deny?
Camera	To let you take photos for style uploads or profile pictures	Yes - camera features will be unavailable
Photo Library / Storage	To upload images from your gallery for your profile or style boards	Yes - image upload features will be unavailable
Push Notifications	To send order updates, price alerts, and, if opted in, curated fashion recommendations	Yes - you will not receive push notifications
Internet Access	Required for all core app functionality; cannot be denied	No - required for the app to function

We do not request permissions to access your:

Contacts or phonebook
SMS or call logs
Precise GPS location
Microphone
Background location

10. Advertising and Analytics

10.1 Advertising

SWIRL does not currently serve third-party ads. If we introduce advertising in the future, this Policy will be updated, and users will be notified and given the opportunity to manage their ad preferences prior to any ads being served.

10.2 Android Advertising ID (AAID)

If the Android Advertising ID is collected, it is used solely for app analytics (aggregate performance measurement) and fraud prevention. It is never used for cross-app behavioural advertising. Users may reset or opt out of personalised ads through their Android device settings at any time by going to Settings → Google → Ads → Delete advertising ID.

10.3 App Set ID

SWIRL uses the Android App Set ID strictly for analytics and fraud prevention. The App Set ID is not connected to any personally identifiable information or used for advertising personalisation or measurement, in compliance with Google Play Developer Policy.

10.4 Firebase Analytics

We use Google Firebase Analytics to understand aggregate in-app user behavior, such as which categories are most browsed and session lengths. Firebase data is anonymised and aggregated before analysis. You can opt out of Firebase Analytics collection by emailing privacy@swirl.app or through in-app Privacy Settings.

11. Data Security

We implement industry-standard technical and organisational security measures to protect your personal and sensitive data, including:

Encryption in transit: All data transmitted between the SWIRL App and our servers is encrypted using TLS 1.2 or higher (HTTPS)
Encryption at rest: Sensitive data fields, such as authentication tokens and payment metadata, are encrypted at rest on AWS and Google Cloud infrastructure using AES-256
Access controls: Access to personal data is restricted to authorised SWIRL team members on a need-to-know basis, enforced via role-based access control (RBAC)
No storage of raw payment credentials: Full payment card numbers, CVVs, or banking passwords are never stored or processed by SWIRL directly; all payment data is handled by Razorpay's PCI-DSS compliant systems
Regular security reviews: We conduct periodic security audits and vulnerability assessments of our infrastructure

Despite our best efforts, no data transmission or storage system can be guaranteed to be 100% secure. If you suspect unauthorised access to your account, please contact us immediately at security@swirl.app.

12. Children's Privacy

SWIRL is not directed at children under the age of 13, or 16 in the EEA. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected personal data from a child under the applicable age threshold, we will delete it promptly.

If you believe we have collected data from a child without appropriate consent, please contact us at privacy@swirl.app.

13. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

13.1 Rights Under Indian Law (DPDPA 2023)

Right to Access: Request a summary of personal data we hold about you
Right to Correction: Request correction of inaccurate or incomplete data
Right to Erasure: Request deletion of your personal data, subject to legal retention obligations
Right to Grievance Redressal: Lodge a complaint with our Privacy Contact or with the Data Protection Board of India

13.2 Rights Under GDPR / UK GDPR (EU / UK Users)

Right to Access (Article 15)
Right to Rectification (Article 16)
Right to Erasure / "Right to be Forgotten" (Article 17)
Right to Restriction of Processing (Article 18)
Right to Data Portability (Article 20)
Right to Object to processing based on legitimate interests (Article 21)
Right to Withdraw Consent at any time, without affecting the lawfulness of prior processing
Right to Lodge a Complaint with your local supervisory authority, such as the ICO in the UK or your national DPA in the EU

13.3 How to Exercise Your Rights

Submit any data rights request to privacy@swirl.app with the subject line "Data Rights Request - [Type of Request]". We will verify your identity and respond within 30 days, or 72 hours for urgent security-related requests. All requests are free of charge.

14. International Data Transfers

SWIRL is headquartered in India. Your data may be processed and stored on servers located in India, the United States (AWS/Google Cloud), and potentially other jurisdictions where our infrastructure partners operate.

For users in the EEA or UK, data transfers outside your region are conducted under appropriate legal safeguards, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
UK International Data Transfer Agreements (IDTAs)
Compliance with the EU-U.S. Data Privacy Framework where applicable

SWIRL will not transfer EU personal information in a manner inconsistent with applicable data transfer requirements under GDPR or UK GDPR.

15. Third-Party Links and Services

The SWIRL App may contain links to third-party websites, brand stores, or partner platforms. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services before sharing your personal information with them. SWIRL is not responsible for the privacy practices of third parties.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

Update the "Last Updated" date at the top of this Policy
Notify you via a prominent in-app notification at least 14 days before the changes take effect for material changes affecting your rights
For significant changes affecting how we use sensitive data, we will seek your renewed consent

Your continued use of the App after the effective date of any updated Policy constitutes your acknowledgment of the changes. If you do not agree to the updated Policy, you must stop using the App and may request account deletion.

17. Grievance Officer

As required under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, SWIRL has appointed the following Grievance Officer:

Name: Tarun Krishna Mahajan

Designation: Founder & Grievance Officer, SWIRL

Email: grievance@swirl.app

Response Time: Within 48 hours of receipt; resolution within 30 days

You may also escalate unresolved grievances to the Data Protection Board of India once constituted under the DPDPA 2023 or, for EU users, to your national Data Protection Authority.

18. Compliance Summary

SWIRL has designed this Privacy Policy to be compliant with the following requirements:

Google Play Developer Program Policy - User Data (Section 4.1)
Google Play Data Safety section requirements
Google Play Account Deletion Policy
India Digital Personal Data Protection Act (DPDPA), 2023
EU General Data Protection Regulation (GDPR)
UK General Data Protection Regulation (UK GDPR)
Information Technology Act, 2000 and IT Rules, 2011/2021 (India)

This privacy policy is the sole and complete privacy disclosure for the SWIRL application. For any questions, please contact privacy@swirl.app.

Privacy Policy.