Privacy Policy

1. Introduction

At SWAP SARL, the protection of your personal data is an absolute priority. This Privacy Policy aims to explain, in a clear, simple, and transparent manner, how we collect, use, share, store, and secure your personal data when you use our services via our mobile application, website, or any other associated channel.

Our commitment to data protection is part of a strengthened regulatory framework, notably Law No. 001/2011 on the protection of personal data in the Republic of Gabon. We also comply with the requirements of the Bank of Central African States (BEAC), the prudential rules of COBAC, and international best practices, including the fundamental principles of the General Data Protection Regulation (GDPR).

As part of our mission to provide accessible, secure, and innovative financial services, SWAP SARL operates as a distributor of prepaid Visa cards through a strategic BIN sponsorship partnership with Ecobank Gabon. In addition, SWAP is interconnected with the regional GIMACPAY platform, facilitating financial transactions between CEMAC member countries and ensuring seamless integration of payment services at the sub-regional level.

This framework ensures that your personal data is processed with the highest level of security and in strict compliance with the legal and contractual obligations binding us.

2. Data Controller

The controller of personal data is the company:

  • Company name: SWAP SARL

  • Share capital: 50,000,000 FCFA

  • RCCM: GA-LBV-01-2022-B12-0057

  • Address: BP 9434, Libreville, Gabon

  • Email: [email protected]

We remain available to answer any questions regarding this policy or the exercise of your rights.

3. Data Collected

As part of the identity verification process (KYC – Know Your Customer), the SWAP application uses Apple’s TrueDepth camera system in collaboration with our identity verification provider, Smile ID.

a. Data Collected

During the verification process, the application may access the following data:

  • User facial image

  • Facial mapping data

  • Depth data captured by the TrueDepth camera

  • Data required for “liveness detection”

This data is collected exclusively to verify the user’s identity and prevent fraud attempts.

b. Purpose of Processing

Facial data is used solely for:

  • Identity verification (KYC compliance)

  • Fraud prevention

  • Anti-money laundering and counter-terrorism financing

Facial data is never used for:

  • Marketing

  • Advertising

  • Profiling

  • Behavioral analysis

  • User tracking

  • Facial recognition for identification outside the KYC process

  • Creation of a biometric database

c. Storage and Retention

SWAP does not store any facial mapping or depth data on its servers.

Facial data is securely processed by Smile ID solely to complete the identity verification process.

No biometric model, facial template (“faceprint”), or depth map is stored by SWAP.

All facial data is deleted immediately after completion of the verification process.

If the session is interrupted or the application is closed, the data is automatically deleted.

d. Data Sharing

Facial data is transmitted only to Smile ID, as an identity verification service provider, strictly within the KYC procedure.

It is neither sold, rented, nor shared with third parties for commercial or advertising purposes.

e. Behavioral Data

We collect this data to better understand how you use our services:

  • Frequency and type of application usage

  • Responses to our marketing campaigns

  • Payment habits and usage preferences

f. Data Collected Indirectly or via Third Parties

We may also obtain information about you through:

  • Business partners (for example, during KYC verification)

  • Publicly accessible databases (official directories, social networks)

  • Other users or legal representatives within the scope of their own relationship with SWAP

This indirect data is always collected in strict compliance with applicable regulations.

4. Purposes of Data Processing

The personal data we collect is used for the following purposes:

  • Creating and managing your user account

  • Authenticating your identity and securing your access (PIN, OTP, biometrics)

  • Providing the services you request (payments, transfers, deposits, and withdrawals)

  • Preventing fraud, money laundering, and terrorist financing

  • Improving our products and services through market studies and statistics

  • Complying with legal and regulatory obligations

  • Ensuring personalized and effective communication with you

5. Legal Basis for Processing

The processing of your data is based on several legal grounds, depending on the context:

  • Your explicit consent, particularly for biometric data or personalized offers

  • Performance of a contract, to provide SWAP services in accordance with our Terms and Conditions

  • Our legal obligations, including fraud prevention, taxation, and regulatory compliance

  • Our legitimate interest, particularly to secure our platform and improve user experience

6. Sharing of Your Personal Data

To ensure optimal service, some of your data may be shared with:

a. SWAP Group Entities (current or future)

As part of our operations and regulatory obligations, your data may be shared with other group companies, particularly for compliance, fraud prevention, or service improvement.

b. Service Providers and Subcontractors

We work with technical service providers (hosting, customer support, identity verification, KYC, etc.) who process your data on our behalf, under strict contractual instructions.

c. Banking, Insurance, and Financial Partners

We may exchange data with our partners where necessary to deliver a service you have subscribed to (card issuance, money transfer, insurance, etc.).

d. Regulatory or Judicial Authorities

Where legally required, we transmit certain data to competent authorities (BEAC, COBAC, DGI, CNPDCP) within the limits provided by law.

e. Regulated Professionals

In certain cases, your data may be shared with lawyers, notaries, or auditors as part of an audit or legal dispute.

f. Third Parties with Your Consent

Finally, we may share your data with commercial partners for specific projects or dedicated offers, only after clearly informing you and obtaining your explicit consent.

7. International Data Transfers

We ensure that your data is primarily hosted within the CEMAC region. However, if a transfer outside this area is required, we commit to implementing appropriate contractual safeguards (standard protection clauses), informing you in advance, and obtaining your explicit consent where required.

8. Data Retention Period

Your personal data is retained for the entire duration of your contractual relationship with SWAP. Once this relationship ends, the data is archived for a period of 10 years for legal, tax, and regulatory purposes.

Certain non-personal or anonymized data may be retained for a longer period for statistical purposes, without making it possible to identify you.

9. Data Security

We apply robust security measures to protect your data against unauthorized access, alteration, loss, or disclosure, including:

  • Encryption of sensitive data (SSL/TLS protocol, AES-256 standard)

  • Two-factor authentication (2FA) for account access

  • Connection logging and automatic anomaly detection

  • Regular system audits and security updates

10. Your Data Protection Rights

In accordance with applicable regulations, you have the following rights:

  • Right of access: to know what personal data we hold about you

  • Right to rectification: to correct inaccurate or incomplete data

  • Right to erasure (right to be forgotten), under certain conditions

  • Right to restrict processing, in certain circumstances

  • Right to object, particularly to processing for marketing purposes

  • Right to data portability: to receive your data in a structured format

  • Right to withdraw consent at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, you may contact us:

We commit to responding within a maximum of 30 days.

11. Protection of Minors

Our services are strictly intended for persons aged 18 and over. Any attempt by a minor to register will be blocked, and the account may be deactivated if necessary.

12. Use of Cookies and Trackers

Our application and website may use cookies and other trackers to:

  • Ensure the security of your session

  • Improve the technical performance of our services

  • Conduct anonymous usage analysis for statistical purposes

An information banner is displayed during your first visit to obtain your consent for the use of these cookies.

13. Complaints and DPO Contact

If you believe your rights are not being respected, you may:

  • Contact our Data Protection Officer (DPO) at: [email protected]

  • File a complaint with the National Commission for the Protection of Personal Data (CNPDCP) of Gabon

14. Changes to the Privacy Policy

This Privacy Policy may be updated at any time to reflect regulatory, technological, or organizational developments. In the event of significant changes, we will inform you through the usual channels (in-app notification, email, website).

If you want, I can also:

  • simplify this into plain English,

  • adapt it for Apple App Store privacy requirements, or

  • format it as a legal-ready Privacy Policy PDF / web page.