## 1. Purpose
The purpose of this *Privacy Policy* is to inform Users about the nature of the personal data collected and processed by Sway, as well as the purpose of such processing and Users' rights with respect to the personal data collected.
## 2. In general
1. ***Definition***. As a general rule, terms starting with an upper-case letter convey the meaning attributed to them in our general terms and conditions or otherwise in this *Privacy Policy*.
2. This *Privacy Policy* applies in addition to the Terms and Conditions and other documents included in the Contractual Documentation. In the event of any discrepancy between the general terms and conditions and this *Privacy Policy*, the latter shall prevail.
3. In case of disagreement with this *Privacy Policy*, the User is invited not to use the Site or the Platform and not to communicate his/her/its personal data.
4. A summary table of the data processed (the **Data Table**) is attached to this *Privacy Policy*.
## 3. Collected data
1. ***Information collected automatically.*** When consulting the Site or using the Platform, certain data concerning the User is collected automatically (IP address, location, pages consulted, date and time of consultation, cookies or similar technologies, browser preference, operating system, access data, etc.). In addition to the data collected directly by Sway, certain data may be collected by other service providers referred to in Table 2 in Appendix. Only the privacy policies of these service providers apply when they collect data and Sway cannot be held responsible for their treatment. To learn more about the use of cookies, please see the Cookie Management Policy.
2. ***Information freely provided by Users and Companies.*** The User and the Companies may be asked to provide personal data in order to benefit the Services offered by Sway. The data required for use is, in particular:
1. for all Users : first name, last name, title and date of birth; and
2. for Companies: company name, country, zip code of location, street and number, country of origin, foundation date, number of employees and banking information (art. 3.3) in order to connect at least one bank account via bLink.
These data are mandatory and their absence may make it impossible to provide the Services.
On the Website and the Platform, where data is required, the mandatory data required for use are mentioned in the forms by the impossibility to validate the form without filling in the dedicated field.
1. ***Information freely provided by the Users when connecting their bank account via bLink.*** After creating or joining a workspace, Users with sufficient rights over the workspace may select a banking service provider to connect their account. Users are automatically redirected to the selected bank and log in with the Bank Service Provider credentials (i.e. the contract number and the relevant password). Other data may be provided by the User, which are not mandatory for use, based on the agreement of the User.
2. ***Information related to the use.*** When using Sway's Services, certain data is collected through the use of the Services. The Data collected is listed in the Data Table.
3. ***Responsibility of the Users.*** A User may have linked s Company bank account with his/her personal bank accounts. In order to prevent Sway, Users or third parties from having access to their personal information, it is the User's responsibility (representing the Company) to select when connecting the bank via bLink only those accounts to be integrated to the Platform to the exclusion of the others. Sway may not be held responsible for access by Users to banking information of the Company or a User that was not intended to be shared with all authorized Users of a Company.
4. ***Hosting of data.*** To the best effort of Sway, the collected data are stored in Switzerland in order to have everything operated in Switzerland (i.e. storage, hosting/runtime and execution). Data controlled by Sway is managed to the best effort of the Company and to the extent possible in Switzerland but may be managed on servers outside Switzerland such as in European Union territories (as further detailed in the Table attached to the present privacy policy).
## 4. Use of collected data
1. ***Data collected automatically.*** Automatically collected data allows Sway to analyze User behavior on the Site and Platform, traffic, and preferences, in particular to optimize and improve the quality of its Services.
2. ***Data provided by Users and Companies and data collected during the use of the Services.*** Sway processes and uses the necessary data in order to fulfill its contractual or legal obligations and to verify compliance with the terms of use. The processing of this data also makes it possible to provide personalized content to better meet the User's expectations. Some of this data may also be used for the promotion of Sway services to these Users and Companies directly. Personal data may be processed for this purpose. These data may not be shared with third parties.
3. ***Invoice data collection***. Sway may collect invoice by uploading invoices and bills manually or via scan from a smartphone, extracting data from QR bill, learning from processing and usage to improve algorithms, set-up processing automation rules for bills, collecting invoices and bills via dedicated inboxes, extracting data from PDF/image bill or invoice (computer vision), extracting invoice data from e-mail body (pure e-mail invoice), extracting metadata from e-mail enclosures, from e-mail content, from PDF/image invoices or bills, review, modify and submit invoice or bill, collecting invoices from e-mail solution automatically, collecting data from POS payment solution, invoicing solution, accounting solution, retrieving all past invoices from e-mail automatically and display and filter the list of all invoices.
4. ***Banking functions***. When using the banking functions provided by Sway and in particular when connecting the client's Sway Account with a bank (art. 3.3), data is exchanged between Sway and the bank concerned. The Banking Interfaces can be provided directly in cooperation with the bank concerned or via bLink. The data processed includes bank and payment information such as IBAN, transaction and account information. For reliability and availability purposes, Sway stores the collected banking data for as long as the Company owning the bank accounts has an active contractual agreement with Sway, and for a given duration after the termination of the contract. Sway can send notifications to Users related to a Company’s Workspace about updates in banking data (such as, and not limited to new transactions or payments for instance) or related to said Workspace. . Personal data may be processed for this purpose. Some functional notifications may be sent by e-mail and may not be unsubscribed from. Push notifications can be revoked on User level via the dedicated toggle in the Platform.
5. The Data Table details the timing and use of the types of data collected.
## 5. Communication and data transmission
1. The User's personal data is not passed on to third parties with the intention of using it for direct marketing purposes, unless the User has given his or her consent to the contrary.
2. The User's personal data may be transmitted or communicated to third parties in the following cases:
1. when opening an account with financial partners to allow payments;
2. in connection with the provision of services on behalf of Sway;
3. when the User has given its consent to it (by filling forms on the Platform for instance);
4. during joint promotions or programs with partners;
5. where required by law or where disclosure is reasonably necessary to comply with a court order or to respond to a legal claim; and
6. in the event of a merger, acquisition of the company or shares of the company by another company.
The Data Table specifies the purpose for which the collected data is processed.
1. You are reminded that the processing of data by third parties to whom Sway may be required to communicate data is governed exclusively by the privacy policy of said third parties. Sway cannot be held responsible for their use.
2. Sway reserves the right to anonymize certain data for the purpose of using it or passing it on to third parties for research, statistical or marketing purposes.
## 6. User rights
1. ***Access right and right to data portability.*** The User may at any time request that the personal data stored by Sway concerning him/her/it be transmitted to him/her/it in a structured, commonly used and machine-readable format. In addition, the User may request Sway to transmit the said personal data directly to another data controller, which Sway will undertake within a reasonable period of time and to the extent technically possible.
2. ***Right of rectification.*** Users whose data is inaccurate or incomplete have the right to obtain it for rectification.
3. ***Right to withdraw and/or object.*** The User may at any time object to the collection or processing of certain data concerning him/her/it (*opting out)*. This objection may prompt the termination of use of the Site or the Platform.
4. ***Right to erasure.*** The User has the right to request the erasure of personal data concerning him/her when their use is no longer necessary or when the User no longer agrees with the processing of his/her data. Such data will be erased as soon as possible, unless otherwise provided by law.
5. ***Exercise of rights.*** To exercise the above rights, the User can make a request at any time to the following address: [support@swayapp.io](mailto:support@swayapp.io).
## 7. Security
1. Sway takes the protection of its Users' data very seriously and is committed to treating their personal data confidentially and with the utmost care. In particular, Sway takes appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of the data collected. However, although some personal data is encrypted, Sway cannot guarantee full and complete protection of the data against unauthorized processing due to the risks associated with the use of the Internet and electronic means of communication.
## 8. Data retention
1. Data collected by Sway is retained for as long as required for the purpose for which it was collected, subject to legal provisions that provide for longer data retention periods. After this period, personal data is deleted.
2. The duration data are kept is specified for each type of data in the Data Table.
## 9. Modifications
1. Sway reserves the right to change its *Privacy Policy* at any time. Changes will be posted on the Site and Platform and will be effective from the date of publishing.
2. The online *Privacy Policy* is applicable. By continuing to browse the Site or the Platform, the User accepts the *Privacy Policy* in force.
## Appendix to the Privacy Policy
### Table 1: Summary table of data collected by Sway
| Data Category | Personal data | Purpose of the treatment | Transmission to third party | Retention period |
|------------------------------|-----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| User data | Name | Identification and management of contact with service providers | No | The data is retained for 24 months after the end of the agreement with the Employer or 12 months after the departure of the Employee. |
| User data | First Name | Identification and management of contact with service providers | No | The data is retained for 24 months after the end of the agreement with the Employer or 12 months after the departure of the Employee. |
| User data | E-mail Address | Identification and management of contact with service providers | No | The data is retained for 24 months after the end of the agreement with the Employer or 12 months after the departure of the Employee. |
| User data | Phone number | Identification and management of contact with service providers | No | The data is retained for 24 months after the end of the agreement with the Employer or 12 months after the departure of the Employee. |
| User data | Avatar picture uploaded by the user | Display user's chosen avatar picture (to them and their coworkers) | No | The data is retained for 24 months after the end of the agreement with the Employer or 12 months after the departure of the Employee. |
| User data | Type, version and dates of accepted usage agreements | Historicization purposes | No | indefinitely |
| User data | Position in registered company | Audience measurement and analysis | No | Until end of service contract and requested deletion from client administrator |
| Subscription to Sway Finance | Currently subscribed plan and start date | Inform user about their subscription and collect payment | Potentially to payment collection provider | indefinitely |
| Subscription to Sway Finance | Past subscribed plans (incl. start and end date) | Inform user about their subscription and collect payment | Potentially to payment collection provider | indefinitely |
| Subscription to Sway Finance | Billing account information | Inform user about their subscription and collect payment | Potentially to payment collection provider | indefinitely |
| Subscription to Sway Finance | Sway Finance finances | Inform user about their subscription and collect payment | Potentially to payment collection provider | indefinitely |
| Subscription to Sway Finance | Potential discounts applied and related data (start, end date, …) | Inform user and apply discount to subscribed plans | Potentially to payment collection provider | indefinitely |
| Banking data | Access tokens and related metadata (validity, provider, ...) | Access and update banking data, according to the user’s requests | Generated by third party | Defined by third party |
| Banking data | Payment initiation tokens and related metadata (validity, provider, ...) | Submit payments upon user's request | Generated by third party | Defined by third party |
| Banking data | Bank account number and/or IBAN | Display data of connected account into single or consolidated views | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Banking data | Balance history | Display data of connected account into single or consolidated views | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Transaction history (ie. transaction identifier and date) | Display data of connected account into single or consolidated views | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Account numbers (Eg. IBAN, BIC, ...) | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Account holder first name and last name | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Account holder address | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Bank name and address | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Transaction reference number | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Transaction amount and currency | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Transaction status (e.g. Draft, completed, ...) | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Transaction dates (of submission, execution, etc.) | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Recipient/emitter type (individual or company) | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Transaction data | Other transaction metadata provided by user and/or the approved providers (e.g. note, communication, ...) | Display or submit transaction from and to connected banking providers | Possibly to connected bank providers and/or open banking platforms providers approved by the user | Until end of service contract and requested deletion from client administrator |
| Workspace information | Billing address (company name and postal address) | Conclude contract and collect invoices | Potentially to payment collection provider | Indefinitely |
| Workspace information | Company contact info (email address of workspace creator, Company address and phone number) | Conclude contract and contact client in case of need | Potentially to payment collection provider | Indefinitely |
| Workspace information | Company foundation date | Audience measurement and analysis | No | Until requested deletion from client administrator |
| Workspace information | Company size | Audience measurement and analysis | No | Until requested deletion from client administrator |
| Workspace information | Contact person information (First and Last Name, email address, phone number, position) | Conclude contract and contact client in case of need | Potentially to payment collection provider | Until end of service contract and requested deletion from client administrator |
| Workspace information | Associated users (link to user data) and roles | Connect individual users within the same Workspace and/or Company, allowing them to collaborate over selected common data | No | Until end of service contract and requested deletion from client administrator |
| Workspace information | Invited user email address and role | Connect individual users within the same workspace and/or company, allowing them to collaborate over selected common data | No | Until end of service contract and requested deletion from client administrator |
| Workspace information | For Company accounts | Setting account mode as B2B (no other at the moment) | No | indefinitely |
| Transverse | Timestamp of events (such as user invitation, account connection, transaction submission etc.) | Historicization and auditing | Only in potential cases of auditing, bug investigation, or legal concerns | indefinitely |
### Table 2: Summary table of Sway providers
| Provider | Location | Services | Link to privacy policies |
|-----------------------|--------------|---------------------------------|-------------------------------------------------------------------------|
| Google Cloud Platform | Switzerland | Cloud computing services | <https://cloud.google.com/security/compliance> |
| bLink | Switzerland | Open Banking Services | <https://www.six-group.com/en/services/legal/privacy-statement.html> |
| Google Analytics | Europe / USA | Anonymized usage analytics | <https://support.google.com/analytics/topic/2919631> |
| Webflow | Europe | Website building and hosting | <https://webflow.com/legal/privacy> |
| Hubspot | Europe | Client acquisition and support | <https://legal.hubspot.com/privacy-policy> |
| Notion | USA | Talent acquisition and pipeline | <https://www.notion.so/Privacy-Policy-3468d120cf614d4c9014c09f6adc9091> |
Note: This table is referred to in the Cookie management policy.