We collect what we need to make matches and let buyers and sellers find each other: your email, the listings and wants you post, and messages you send to counterparties. Listing and want text is sent to OpenAI (for embeddings) and Anthropic (for the matching agent). Your email is hidden from other users until both of you accept a deal. We don't sell your data. The formal version is below.
§ 1. What we collect
- Account info. Your email address (verified via Supabase Auth) and the username you choose.
- User Content. Listings, wants, photos, and direct messages you send to counterparties, plus any accept/pass actions you take on deal proposals.
- Embeddings. A 1,536-dimensional vector generated from each listing/want's text, used for semantic matching.
- Operational data. IP addresses, user agent strings, timestamps, error logs — used for security, abuse prevention, and debugging. Standard server-log data.
- Auth cookies. A Supabase-managed session cookie that keeps you logged in across requests. No third-party advertising or analytics cookies.
§ 2. How we use it
- Matching. When you post a listing or want, we use its embedding and structured fields (price, location) to surface candidate matches.
- Communication. Direct messages you send to a counterparty are stored and shown to that counterparty in their thread on the same deal.
- Account security. Detecting abuse, spam, fraud, and unauthorized access.
- Service improvement. Aggregate usage data, error rates, and product analytics. We do not train AI models on your private content.
- Legal compliance. Responding to lawful requests from authorities and enforcing our Terms of Service.
§ 3. Third parties we share with
We use a small number of third-party services to operate the Service. We share only what each needs to do its job:
- Supabase (database + auth + storage). Stores your account, listings, wants, deals, messages, embeddings, and uploaded photos.
- OpenAI (embeddings only). The text of each listing and want title + description is sent to OpenAI's text-embedding-3-small endpoint to generate a vector for semantic matching. Per OpenAI's API terms in effect at the time of writing, API content is not used to train their models.
- Anthropic (LLM for the chat intake agent and the match validation step). Your chat-intake messages, draft listings, and sometimes counterparty content are included in prompts to Claude. Per Anthropic's API terms, API content is not used to train their models.
- Vercel (hosting). Standard server-log data is processed for delivery of the Service.
- Federated ChatSwap instances. If you post a listing here, its public fields (title, description, price, location, photos, sourceUrl) may be replicated to approved instances of the federation network for cross-instance discovery. Your email, walk-away price, and direct messages are never federated.
§ 4. What other users see
Your username is visible to anyone you have a deal with, and to anyone who clicks a listing you posted while signed in. Your email is hidden from counterparties until both parties accept a deal — at which point it's revealed so you can coordinate the exchange. Your walk-away price is never revealed to anyone. Your direct messages are visible only to you and the counterparty on that deal.
§ 5. Cookies
We use a single Supabase-managed auth-session cookie. We do not use third-party advertising cookies, behavioral tracking cookies, or marketing analytics cookies. You can clear cookies at any time from your browser; doing so will sign you out.
§ 6. Data retention
We keep your account and User Content while your account is active. When you delete an item via the Service, the row and any uploaded photos are removed from our database and storage bucket. Federated copies on other instances may persist independently per their own retention policies. When you delete your account entirely, we remove your User Content within 30 days. Server logs containing IP addresses are rotated within 90 days.
§ 7. Security
Data is encrypted in transit (TLS) and at rest (provider defaults at Supabase and Vercel). Auth tokens are stored in HTTP-only cookies. We follow standard practices for managing service-account credentials. No system is perfectly secure; if you become aware of a vulnerability please email security@chatswap.ai.
§ 8. International transfers
Our infrastructure is hosted in the United States. By using the Service from outside the U.S., you consent to your data being transferred to and processed in the U.S.
§ 9. Your rights
Depending on your jurisdiction (e.g., EU/UK GDPR, California CCPA/CPRA), you may have rights to access, correct, delete, or port your personal data, and to object to or limit certain processing. To exercise any of these rights, email privacy@chatswap.ai from the address on your account. We will respond within the timeframe required by applicable law.
Specific GDPR/CCPA disclosures (legal basis for processing, data-broker registrations, “Do Not Sell” mechanisms) should be reviewed and adapted with counsel based on where you operate.
§ 10. Children
The Service is not intended for and may not be used by anyone under 18. We do not knowingly collect personal information from children under 13. If you believe a child has used the Service, contact us and we will delete the data.
§ 11. Changes
We may update this Privacy Policy. Material changes will be announced via the homepage and/or by email to the address on file. The effective date at the top of this page reflects the most recent revision.
§ 12. Contact
Questions about this policy or your data? Email privacy@chatswap.ai.