1) Who we are

• Swaparoo Pty Ltd (ABN 72 676 102 613; ACN 676 102 613).

• Contact: support@swaparoo.app

• This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website, app and services (the “Services”).

• We operate in Australia and serve customers globally, subject to KYC/KYB and local legal restrictions.

2) The laws that apply

• We handle personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

• Where applicable to your location, we also consider other privacy regimes such as the EU/UK GDPR and other local rules for international transfers and data subject rights.

• If there is any conflict, we apply the stricter standard to your personal information where required by law.

3) Personal information we collect

• Identification data: full name, date/place of birth, nationality, residential address, tax identifiers (e.g., TFN — optional), and copies of identity documents (e.g., passport, driver’s licence).

• Contact data: email address and in-app communication details.

• Account and transaction data: account numbers, payment details, wallet addresses, payees/beneficiaries, transfers, balances, statements, device identifiers, and logs.

• Compliance data: sanctions and PEP screening results, adverse media, source of funds/source of wealth information, occupation/employer, and risk ratings.

• Business/KYB data (for Business accounts): company legal name, ACN/ABN, registered/principal addresses, directors, officers, ultimate beneficial owners (UBOs), corporate structure, ASIC extracts and other registry records, trust deeds/partnership agreements, financial statements, and trading history.

• Technical and usage data: IP address, device and browser type, app usage analytics, cookies and similar technologies.

• Support data: communications with our support team and any information you volunteer.

4) How we collect personal information

• Through third‑party applications we use to verify identity and prevent fraud (including but not limited to Sumsub) and other onboarding/compliance vendors.

• Directly from you during onboarding, profile updates, and when you use the Services.

• From your device through our website/app (e.g., cookies, analytics).

• From third parties where lawful: identity verification vendors, sanctions/PEP screening providers, banks and payment partners, blockchain analytics providers, public registries (e.g., ASIC), and fraud prevention services.

• From publicly available sources where relevant for due diligence and fraud prevention.

5) Purposes for use and disclosure

• To provide and operate the Services (e.g., payments, remittance, digital currency exchange).

• To verify your identity and conduct KYC/KYB, AML/CTF checks, sanctions/PEP screening, and ongoing monitoring.

• To process transactions, manage accounts and provide customer support.

• To prevent and detect fraud, financial crime, and misuse of our Services.

• To meet our legal/regulatory obligations (e.g., AUSTRAC reporting such as IFTI-E and SMRs, record-keeping, audit).

• To manage risk, set transaction limits, and perform internal reporting and analytics.

• To send important service communications (e.g., policy updates, security alerts).

• With your consent where required (e.g., certain marketing communications).

6) Legal bases we rely on (where GDPR/UK GDPR applies)

• Performance of a contract: to provide the Services you request.

• Legal obligation: to meet AML/CTF, sanctions, tax, and other regulatory requirements.

• Legitimate interests: to secure our Services, prevent fraud and abuse, improve our products, and support customers.

• Consent: for specific uses where required by law (e.g., certain marketing or cookies). You may withdraw consent at any time.

7) Sharing your personal information

• With overseas payout/correspondent partners and service providers to perform our Services, which may be located in Brazil, Argentina, Colombia, Mexico, the United States, and countries in Europe.

• With our cloud and productivity providers used to store and process information (for example, Google Drive for certain personal and business records), subject to appropriate contractual and security safeguards.

• With service providers acting on our behalf (processors), such as identity verification vendors, sanctions screening providers, fraud-prevention and analytics vendors, cloud hosting providers, and customer support tools.

• With banks, payment schemes, correspondent partners, blockchain analytics firms, and payout partners to process transactions and combat fraud/financial crime.

• With regulators, law enforcement, and competent authorities where required by law (e.g., AUSTRAC reporting) or to protect rights, property, and safety.

• Within our corporate group and with professional advisers (legal, tax, compliance, audit) under confidentiality obligations.

• With third parties in a business transfer (e.g., merger, acquisition), subject to appropriate safeguards.

• We do not sell your personal information.

8) International data transfers

• Some processing and access may occur in Brazil, Argentina, Colombia, Mexico, the United States, and countries in Europe, depending on the corridor and partners involved.

• We may employ staff located overseas who, under strict access controls and confidentiality obligations, may access your personal information (including staff in the Philippines and Brazil) to provide support and operate the Services.

• Your information may be transferred to, stored in, and processed in countries outside your own (including outside Australia, the EU/UK).

• Where required, we implement safeguards for cross-border transfers (e.g., standard contractual clauses, vendor due diligence, and technical/organisational measures).

9) Cookies and tracking technologies

• We use cookies and similar technologies to operate the site/app, keep you signed in, secure your session, and understand how the Services are used.

• You can control cookies through your browser/app settings. Some features may not work properly without essential cookies.

• See our Cookies Notice (if available) for more details.

10) Retention

• We keep personal information for as long as necessary for the purposes described in this policy, including to comply with record-keeping obligations under AML/CTF and other laws.

• After the applicable retention period, we securely delete or de-identify the information unless we need to keep it to resolve disputes or for legal/regulatory reasons.

11) Security

• We apply access controls on a need‑to‑know basis for our personnel and contractors, including those located overseas, and require confidentiality and data protection commitments.

• We assess third‑party vendors (including cloud storage such as Google Drive) for appropriate security controls and implement contractual safeguards where required.

• We use technical and organisational security measures appropriate to the risk (e.g., encryption in transit and at rest where appropriate, access controls, monitoring, and incident response).

• You are responsible for keeping your account credentials secure and enabling available security features (e.g., 2FA).

12) Your privacy rights

• Access and correction: you can request access to the personal information we hold about you and ask us to correct inaccuracies.

• Deletion/erasure: you can ask us to delete personal information, subject to legal and contractual limitations (e.g., AML/CTF record-keeping obligations).

• Objection/restriction: where GDPR applies, you may object to or request restriction of certain processing based on our legitimate interests.

• Portability: where GDPR applies and technically feasible, you can request a machine-readable copy of certain information you provided to us.

• Consent withdrawal: where we rely on consent, you can withdraw it at any time without affecting prior processing.

• To exercise rights, contact: support@swaparoo.app. We may need to verify your identity.

13) Children

• Our Services are intended for users aged 18+. We do not knowingly collect personal information from children.

14) Automated decision-making

• We may use automated tools to help detect fraud, manage risk, and meet regulatory obligations (e.g., sanctions screening).

• Where required by law, you can request human review of certain decisions that significantly affect you.

15) Third-party links and services

• Our Services may link to third-party websites or services. Their privacy practices are governed by their own policies, not this one.

16) Changes to this Privacy Policy

• We may update this Policy to reflect changes to our practices or legal requirements. We will post the updated version with its effective date, and if changes are material, we will provide prominent notice.

17) Complaints and contact

• If you have a question or complaint about how we handle your personal information, contact us at support@swaparoo.app.

• If you are not satisfied with our response, you may have the right to contact your local data protection authority. In Australia, this is the Office of the Australian Information Commissioner (OAIC).

18) Definitions (summary)

• “Personal information” means information about an identified individual or an individual who is reasonably identifiable.

• “KYB/KYC” refers to Know Your Business/Know Your Customer checks (including identity verification, sanctions/PEP screening, source of funds/source of wealth).

• “UBO” means ultimate beneficial owner (generally 25% or more ownership or control).

Questions about this Policy? Contact: support@swaparoo.app