Privacy Policy — Step Swap

Version: 1.3 · Effective date: 2026-06-27

Step Swap helps people with mismatched shoe sizes find a match and swap shoes. This policy explains what personal data we process and your rights over it.

Data controller: Vitalii Bartashchuk (sole proprietor), registered place of business Za vodou 161/2, 032 03 Liptovský Ján, Slovak Republic, IČO 54225337 (Trade Register of the District Office Liptovský Mikuláš). Contact: info@vaet.sk. We have not appointed a Data Protection Officer; for any privacy matter, contact info@vaet.sk.

1. Data we collect

Data	Examples	Source
Account / identity	Google account email, name, profile picture	Google sign-in (OAuth)
Shoe profile	Left/right EU sizes, preferred styles	You
Contact & shipping	Postal address, phone number	You
Communications	Chat messages with other members	You
Exchange data	Address snapshots and shipping-label records for a swap	You / shipping partner
Payment	That you paid the per-swap fee, the amount, currency and Stripe transaction identifiers — no card numbers (entered on Stripe's checkout, never seen by us)	You / Stripe
Diagnostics	Crash and error reports (no message content or address/phone)	Sentry
Usage analytics	Screen views and key in-app actions — counts only, no message content, address or phone	Vercel Analytics

We do not sell your personal data.

Providing your shoe sizes is needed to be matched; your address and phone are needed to ship a swap. Without them you can use the app but cannot complete an exchange.

2. How we use it

Create your account and authenticate you (Google sign-in).
Match you with other members by shoe size (style is a ranking signal).
Enable chat and the shoe-exchange flow.
Generate shipping labels for an exchange (address + phone shared with our shipping partner only for the swap you initiate).
Take payment for the per-swap shipping fee where applicable (card details are entered on Stripe's hosted checkout and never reach our servers; we store only payment status, amount and Stripe identifiers).
Diagnose crashes (reports are scrubbed of address, phone, names and message text).
Understand aggregate usage to improve the app.
We do not use automated decision-making that produces legal or similarly significant effects about you — matching by size is a non-binding suggestion you choose to act on.

3. Legal bases (GDPR)

We rely on different bases for different purposes (Art. 6 GDPR):

Performance of a contract (Art. 6(1)(b)) — your account, Google sign-in, matching, chat, the exchange flow, shipping labels and the per-swap fee. Google sign-in is how we provide the service, so it rests on contract, not consent.
Consent (Art. 6(1)(a)) — optional crash/error diagnostics and any non-essential analytics or storage (see §10). You can withdraw it at any time.
Legitimate interests (Art. 6(1)(f)) — keeping the service secure, preventing abuse and fraud, and debugging; balanced against your rights.
Legal obligation (Art. 6(1)(c)) — retaining payment and shipping records for tax and accounting (see §5).

4. Who we share it with

Processors acting on our instructions: Supabase (auth, database, hosting), Google (sign-in), Sentry (PII-scrubbed diagnostics), the parcel carrier serving your route (currently Packeta/Zásielkovňa for Slovakia/CEE; Sendcloud with its carrier, e.g. Österreichische Post, for Austria/Western Europe) (recipient name, address, phone, and for home delivery email — to produce the label and deliver the parcel), Stripe (processes the per-swap shipping fee; handles your card data directly as its own controller — we receive only payment status and identifiers), Resend (delivers our internal operational alert emails — e.g. a payment dispute or refund needing review — to our own team; transaction identifiers and amounts only, no name, address, phone or message content), and Vercel (web hosting and privacy-friendly analytics).

Other members see only your display name, avatar, sizes and styles. Your postal address and phone number are not shown to other members — they are used only to generate the shipping label and shared with the carrier to deliver the parcel.

5. Data retention

Profile and general account data — your profile (name, avatar, shoe sizes, style), contact details and push tokens, and any chat that was not part of a swap that reached the payment or shipping-label stage — kept while your account is active and removed promptly when you delete your account (see §7), apart from the limited identity link we keep with the records below.
Payment, shipping and exchange records — we must keep invoicing and transaction records under Slovak tax and accounting law, generally for up to 10 years, even after you delete your account. Because such a record has to identify who it relates to — so a payment can be tied to the person who made it, for accounting, chargebacks and fraud — we keep them with a restricted link to your identity for that period; access is limited to those purposes. Legal bases: legal obligation (Art. 6(1)(c)) and our legitimate interest in a secure, fraud-free service (Art. 6(1)(f)).
Chat for paid/shipped swaps — for a swap that reached the payment or shipping stage we also keep the chat messages exchanged for it, with the restricted identity link, for up to 3 years (the general limitation period under Slovak law) after account deletion — and longer only while a specific dispute, legal claim or authority request is open — then deleted. Held under restricted access and used only to handle reports, disputes, fraud and legal claims. Legal bases: legitimate interest in a safe, fraud-free service (Art. 6(1)(f)) and the establishment, exercise or defence of legal claims (Art. 17(3)(e) GDPR).
Diagnostics — error reports are kept for a limited period (typically up to 90 days) and contain no address, phone, names or message text.

6. Security

Data is encrypted in transit and at rest. Database access uses row-level security so a member can read only their own data and that of people they share a chat with, and access to our systems is limited to what is needed to run the service. If a personal-data breach is likely to risk your rights, we will notify you and the Slovak Data Protection Authority (Úrad na ochranu osobných údajov SR) as required by the GDPR.

7. Your rights & account deletion

You can access and correct your data in the app, and delete your account at any time — we delete your associated data promptly, apart from the limited records we must or may keep as described in §5 (tax/accounting records, and records needed for safety, fraud prevention or legal claims): in the app via Profile → Settings → Delete account, or by request — see account deletion. Depending on your location you may also have rights to portability, objection/restriction, to withdraw consent, and to lodge a complaint with your data protection authority — in Slovakia, the Úrad na ochranu osobných údajov SR (dataprotection.gov.sk).

8. International transfers

Some providers above (e.g. Google, Stripe, Sentry, Vercel, Resend) may process data outside the EEA, including in the United States. Such transfers rely on appropriate safeguards — EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework where the provider is certified. You can request details by emailing info@vaet.sk.

9. Children

Step Swap is not directed to children under 18 and we do not knowingly collect their data.

10. Cookies and local storage

We keep cookies and local storage to a minimum:

Strictly necessary — Supabase sets storage/cookies to keep you signed in and to secure the app. These are required for the service to work and do not need consent.
Diagnostics & analytics (consent) — crash/error reporting (Sentry) and product analytics (Vercel Analytics) are used only with your consent, in line with the Slovak Electronic Communications Act (Act No. 452/2021 Coll.). Where required we ask before any non-essential storage is set, and you can change your choice at any time. We do not use advertising or cross-site tracking cookies.

11. Changes

We may update this policy. The current version number and effective date appear at the top, and we keep prior versions available on request. We will announce material changes in the app or on our website before they take effect. Continued use after the effective date means you accept the updated policy.

12. Contact

Questions or requests: info@vaet.sk.