Privacy Policy

Last updated: 26 June 2026 · Version 2.1

1. About this policy

SVYP ("we", "us", "our") operates the SVYP product-discovery platform. This policy explains what information we collect, how we use it, who we share it with, and what rights you have under the Protection of Personal Information Act, 2013 (POPIA) of South Africa and the EU / UK General Data Protection Regulation (GDPR / UK GDPR) where applicable.

2. Who controls your information

SVYP plays two different roles depending on the type of data.

SVYP is the responsible party / data controller for:

  • The anonymous device identifier set in your browser
  • Session records of your visits to the platform
  • Swipe interactions and the anonymous preference profiles built from them
  • Information you submit to claim a reward, until that information is passed to the brand running the campaign

SVYP acts as an operator / data processor for:

  • Marketing communications sent to you by individual brand partners running campaigns on SVYP
  • Preference data exported into a brand's own marketing tools (e.g. Klaviyo) for that brand's marketing decisions

In short: SVYP controls the platform; brands control how they market to you using the data the platform produces. Each brand running campaigns on SVYP is responsible for its own privacy notice in respect of its marketing activities. To exercise rights against a specific brand's marketing use of your data, contact the brand directly.

3. Information we collect

  • Email address: only if you choose to submit it to claim a reward. Provision is voluntary.
  • Anonymous device identifier: a pseudonymous ID stored in a browser cookie (device_id), set automatically on your first visit. It does not identify you personally; it lets the platform recognise your browser across visits.
  • Session and swipe data: records of your interactions with products (likes, dislikes, views) linked to your device ID. Used to build an anonymous preference profile that personalises the experience.
  • Approximate IP address: logged automatically by our hosting infrastructure as part of standard web-server operations. We do not use IP addresses to identify individuals.
  • Consent records: when you submit your email, we record the fact and version of consent, the timestamp, and your device ID. Required by POPIA s.11 and GDPR Art. 7.

4. Cookies

  • device_id: first-party, essential. Pseudonymous identifier set by our middleware. Persists for the lifetime of your browser session.
  • Supabase authentication cookies: first-party, essential. Set only if you log into the admin interface.

We do not use third-party tracking, advertising, or analytics cookies on consumer-facing pages. Clearing your browser cookies removes the device ID; you will then appear to the platform as a new visitor.

5. Lawful basis for processing

Under GDPR / UK GDPR we rely on:

  • Consent (Art. 6(1)(a)): for processing your email address and for marketing communications sent in conjunction with brand partners.
  • Performance of a contract (Art. 6(1)(b)): to fulfil reward claims you initiate.
  • Legitimate interests (Art. 6(1)(f)): for operating the swipe platform, anonymous analytics, and security / fraud-prevention. We have assessed that these interests do not override your rights and freedoms.

Under POPIA we rely on the s.11 conditions including consent (s.11(1)(a)) and legitimate interest (s.11(1)(d) and (f)).

6. How we use your information

  • Personalised product discovery: your swipe behaviour shapes which products surface for you.
  • Aggregated analytics for brand partners: anonymised, aggregated statistics about campaign performance. Individuals are not identified in these reports.
  • Marketing emails from brand partners: if you provided your email, the brand running the campaign may send you marketing about their products. SVYP acts as a processor for this activity. You can unsubscribe at any time using the link in every email.
  • Reward fulfilment: if you claimed a reward, we use your email to deliver it.

7. Third-party processors

We share your data with the following processors, each operating under their own published privacy policy and applicable data-processing agreements:

  • Supabase, Inc. (USA): database, authentication, and storage. Stores all data described in this policy.
  • Vercel, Inc. (USA): hosting, edge functions, and image storage. Processes web requests including IP addresses and device IDs.
  • Klaviyo, Inc. (USA): email-marketing platform used by brand partners. When a brand uses Klaviyo to communicate with you, your email and preference data are shared with Klaviyo on that brand's instruction. Each brand is the controller of its own Klaviyo audience.
  • Paddle.com Market Limited (United Kingdom / EU): payment processing and Merchant of Record for paid SVYP subscriptions. If you are a brand customer paying for SVYP, Paddle processes your billing details (such as your payment method and billing address) to take payment and handle applicable taxes. We do not store your full card details. Paddle operates under its own privacy policy.

We do not sell your personal information.

8. International data transfers

Our processors are located in the United States, the United Kingdom, and the European Union. When personal information moves outside South Africa (POPIA s.72) or the EEA / UK (GDPR Chapter V), we rely on:

  • Standard Contractual Clauses adopted by each processor under European Commission and UK ICO recognition
  • Any further safeguards required by the South African Information Regulator

You may request a copy of the safeguards in place by emailing info@svyp.io.

9. Profiling

We build an anonymous tag-preference profile of products you have liked or disliked. This profile is used to personalise the products you see next, and, if you submitted your email, to inform the marketing audiences that brand partners build in their email tools.

This profiling does not produce legal or similarly significant effects under GDPR Art. 22. You can ask us, or the relevant brand, to stop using your profile for marketing at any time (see "Your rights" below).

10. Data retention

  • Email address: retained for 12 months from your most recent platform interaction unless you are on a brand's active marketing list. After that, your email is removed automatically.
  • Session records: deleted automatically after 90 days of inactivity.
  • Device ID: persists for the lifetime of your browser session. Clearing browser cookies removes it.
  • Consent records: retained for the duration of your relationship with the platform plus a reasonable period to evidence consent if required.
  • Audit log of data-subject requests: retained indefinitely for accountability. Contains only one-way hashes of email addresses; no raw email is stored.

Retention is enforced automatically by a monthly retention job.

11. Children

SVYP is not intended for use by persons under 18. We do not knowingly collect personal information from anyone under 18. If you believe someone under 18 has provided us information, email info@svyp.io and we will delete it.

12. Your rights

Under POPIA and GDPR / UK GDPR you have the right to:

  • Access the personal information we hold about you
  • Correct information that is inaccurate or out of date
  • Delete your personal information ("right to erasure")
  • Object to processing, including an absolute right to opt out of direct marketing
  • Restrict processing in certain circumstances
  • Portability: receive your data in a structured, commonly used format (GDPR only)
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal

13. How to exercise your rights

Email info@svyp.io with the subject line "Privacy request". Please include the email address you used on the platform and the nature of your request. We will respond within 30 days.

For deletion requests we will: remove your email from our interaction records and consent log; delete your records from any active marketing pipeline; request deletion from Klaviyo on a best-effort basis; and log the request using a one-way hash of your email (no raw email is stored in our audit trail).

14. Complaints to a supervisory authority

If you believe we have not handled your information properly, you have the right to complain:

  • South Africa, Information Regulator: inforegulator.org.za · complaints.IR@justice.gov.za
  • United Kingdom, Information Commissioner's Office: ico.org.uk
  • European Union, the data protection authority of your country of residence: edpb.europa.eu

We would appreciate the opportunity to address your concerns first. Please contact us before escalating.

15. Information Officer

In accordance with POPIA s.17, our designated Information Officer is:

Richard Braithwaite
SVYP
info@svyp.io

16. Changes to this policy

We may update this policy as our practices or the law change. When we make material changes we will update the "Last updated" date and, where appropriate, request renewed consent at your next interaction. The current version is 2.1.