Legal
Privacy policy - Swapwise
For the website arnoldschreiner.de, the site privacy policy applies. The following section is intended for the Swapwise iOS app.
Last updated: April 9, 2026
1. Data Controller
Arnold Schreiner
Wümmering 28
21629 Neu Wulmstorf
Germany
Phone: +49 40 60682201
Email: swapwise@arnoldschreiner.de
Website: www.arnoldschreiner.de
Contact form: www.arnoldschreiner.de/contact
2. Scope
This privacy policy applies to the mobile application "Swapwise" (hereinafter "App") for iOS, iPadOS, and watchOS, including all associated widgets, extensions, and the Apple Watch companion app, as well as the associated website at www.arnoldschreiner.de/swapwise.
3. Data Processing Principles
Swapwise was designed with the principle of data minimization (Art. 5(1)(c) GDPR) in mind. We do not collect personal data such as names, email addresses, phone numbers, location data, or user profiles. We do not use any analytics, tracking, or advertising SDKs. We do not sell, share, or transmit user data to third parties for advertising purposes.
4. Data Collected and Processed
4.1 Device Identifier
To ensure the functionality of our service and to prevent abuse, we collect a pseudonymized device identifier.
- Type of data: A randomly generated UUID (16-character hexadecimal string) stored in your device's Keychain. This ID survives app reinstallation but is deleted when the device is factory reset.
- Purpose: Limiting API requests to 48 requests per 24 hours per device (rate limiting) to ensure fair access for all users and prevent abuse.
- Transmission: The device ID is transmitted with every request to our server in the HTTP header (
X-Device-ID). - Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring the functionality, availability, and integrity of the service). § 25(2)(2) TDDDG (technically necessary access to terminal equipment).
- Retention period: The device ID is stored on the server only for the duration of the rate limiting window (24 hours) and is automatically deleted thereafter.
- Linkability: The device ID is not linked to personal data and does not allow identification of your person.
4.2 Technical Connection Data
When communicating with our servers, technical connection data is automatically transmitted:
- Type of data: IP address, time of request, requested resource.
- Purpose: Technically necessary for establishing the network connection and delivering exchange rate data.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technical provision of the service).
- Retention period: Connection data is not permanently stored. Within the Cloudflare infrastructure, logs may be temporarily created (see Section 5.3).
4.3 Locally Stored Data (on your device only)
The following data is stored exclusively on your device and is not transmitted to us or third parties:
- Favorite currencies: Your selected currency pairs and favorites list.
- Conversion history: The last 50 currency conversions including amount, currency codes, exchange rate, and timestamp. These can be manually deleted at any time within the app.
- Cached exchange rates: Current and historical rate data for offline use.
- App settings: Number format, decimal places, update mode, and other preferences.
- Widget configurations: Settings for Home Screen, Lock Screen, and Apple Watch widgets.
- Pro status: Your current subscription status (synchronized from RevenueCat, see Section 5.1).
This data is shared between the main app, widget extensions, and the Watch app via the App Group (group.com.arnoldschreiner.swapwise) — but exclusively locally on your device.
4.4 Camera Access (Pro Feature)
The app offers an optional feature for live detection and conversion of currency amounts via the camera (exclusively for Pro subscribers).
- Purpose: Real-time detection of numbers and amounts using Apple's Vision framework (on-device OCR).
- Processing: All image and video data is processed exclusively on your device. No images or video data are stored, transmitted, or sent to any server.
- Legal basis: Art. 6(1)(a) GDPR (consent) — camera access is only activated after your explicit consent via the iOS permission dialog.
- Revocation: Camera permission can be revoked at any time in iOS Settings → Swapwise → Camera.
5. Third-Party Services
5.1 RevenueCat (Subscription Management)
We use RevenueCat, Inc., 633 Tarava St. Suite 101, San Francisco, CA 94116, USA for managing in-app purchases and subscriptions.
- Purpose: Processing and managing in-app purchases (Swapwise Pro: monthly subscription and one-time Lifetime purchase) and providing and verifying entitlements.
- Data processed: RevenueCat receives transaction-related data from Apple, including:
- An anonymous user ID (generated by the RevenueCat SDK, prefix
$RCAnonymousID:) - Purchase receipts (Apple StoreKit transaction data)
- Subscription status and entitlements
- Product and offering queries
- An anonymous user ID (generated by the RevenueCat SDK, prefix
- Not transmitted: RevenueCat does not receive any personal data such as names, email addresses, phone numbers, or location data from us.
- Legal basis: Art. 6(1)(b) GDPR (performance of contract — provision of the subscribed service).
- RevenueCat Privacy Policy: https://www.revenuecat.com/privacy
- Data transfer to the USA: Data transfer to the USA is based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the EU-U.S. Data Privacy Framework (Art. 45 GDPR).
5.2 ExchangeRate API (Exchange Rate Data)
We use the ExchangeRate-API (https://www.exchangerate-api.com) to provide current exchange rates.
- Purpose: Retrieval of current and historical exchange rate data for over 160 currencies.
- Data processed: Technically necessary connection data (server IP address, not the end user's) when querying exchange rates. Queries are made exclusively through our Cloudflare Worker (see 5.3) — there is no direct connection between your device and ExchangeRate-API.
- Legal basis: Art. 6(1)(b) GDPR (performance of contract — provision of the app's core functionality).
- Privacy Policy: https://www.exchangerate-api.com/terms
5.3 Cloudflare (Infrastructure and Caching)
We use Cloudflare Workers (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA) as a caching proxy for API requests.
- Purpose: Caching of exchange rates to improve response times and reduce server load, as well as server-side enforcement of rate limiting.
- Data processed:
- Technically necessary connection data (IP address)
- Pseudonymized device ID for rate limiting (see 4.1)
- Requested currency codes
- Storage (KV Storage):
- Cached EUR exchange rates (TTL: 1 hour)
- Historical rate data in monthly blocks (permanent for past months, 2-hour TTL for current month)
- Rate limit counters per device (TTL: 24 hours)
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the efficient and stable provision of the service).
- Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
- Data transfer to the USA: Data transfer is based on EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
5.4 Apple Services
Apple services are used for certain features:
- Apple StoreKit: Processing of in-app purchases. The Apple Privacy Policy applies.
- WatchConnectivity (WCSession): Synchronization of exchange rates and settings between iPhone and Apple Watch. Communication occurs locally via Bluetooth/Wi-Fi between your own devices — no data is transmitted to Apple servers or the internet.
6. No Use of Tracking or Analytics
Swapwise does not use any analytics, tracking, or advertising SDKs. In particular, we do not use:
- Google Analytics / Firebase Analytics
- Facebook SDK / Meta SDK
- Advertising networks or retargeting services
- Fingerprinting technologies
- Third-party push notification services
The app explicitly declares in its Apple Privacy Manifest file (PrivacyInfo.xcprivacy): NSPrivacyTracking = false.
7. Data Transfers to Third Countries
Where data is transferred to services in the USA (RevenueCat, Cloudflare), this is done on the basis of:
- EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR
- EU-U.S. Data Privacy Framework pursuant to Art. 45 GDPR (where the respective provider is certified)
- UK Extension to the EU-U.S. Data Privacy Framework (for users in the United Kingdom)
These safeguards ensure that an adequate level of data protection is maintained even when data is transferred to the USA.
8. Retention Periods and Deletion
| Data | Location | Retention Period |
|---|---|---|
| Device ID (rate limiting) | Cloudflare KV | 24 hours (automatic deletion) |
| Device ID (Keychain) | Your device | Until factory reset |
| Conversion history | Your device | Last 50 entries, manually deletable |
| Cached rates | Your device | Until next update or app deletion |
| App settings | Your device | Until app deletion |
| RevenueCat subscription data | RevenueCat servers | Per RevenueCat Privacy Policy |
9. Your Rights (EU/EEA — GDPR)
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): You have the right to obtain information about the personal data we process about you.
- Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your data.
- Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing.
- Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): You have the right to object to the processing of your data based on Art. 6(1)(f) GDPR. In this case, we will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent (e.g., camera access), you may withdraw it at any time with effect for the future.
To exercise your rights, please contact: swapwise@arnoldschreiner.de
We will respond to your request within one month (Art. 12(3) GDPR).
10. Rights for Users in the United Kingdom (UK GDPR)
For users in the United Kingdom, comparable rights apply under the UK GDPR (Data Protection Act 2018 in conjunction with the UK General Data Protection Regulation). The competent supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk.
11. Rights for Users in California (CCPA/CPRA)
Although Swapwise as a solo developer app is unlikely to meet the California Consumer Privacy Act (CCPA) thresholds, we provide the following information for transparency:
- No sale or sharing of data: We do not sell or share personal information of California users within the meaning of the CCPA/CPRA.
- No targeted advertising: We do not use data for behavioral advertising.
- Categories of data collected: Device identifiers (pseudonymized device ID solely for rate limiting), technical connection data. We do not collect names, email addresses, location data, or other directly personal data.
- Right to know and delete: California users may request information about the data processed or request its deletion at swapwise@arnoldschreiner.de.
12. Notice for Users in Other Jurisdictions
Swapwise is available worldwide on the Apple App Store. We are committed to respecting the privacy rights of all users, regardless of their location. Should your country provide additional privacy rights, we will endeavor to comply with your requests under applicable law. Please contact us at swapwise@arnoldschreiner.de.
13. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover, Germany
Website: https://www.lfd.niedersachsen.de
Alternatively, you may also contact the supervisory authority in your country of residence (Art. 77 GDPR).
14. Data Security
We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect your data:
- Encrypted communication via HTTPS/TLS for all API requests
- Bearer token authentication for server requests
- Keychain storage of the device ID with security level
kSecAttrAccessibleAfterFirstUnlock - Local data storage on the device without cloud synchronization of sensitive data
- Pseudonymization of the device ID (no association with individuals possible)
- Rate limiting to prevent abuse
- Regular review of security measures
15. Children's Privacy
Swapwise is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16 (or under 13 in the USA under COPPA). If we become aware that data from a child has been collected, we will promptly delete it.
16. Changes to This Privacy Policy
We reserve the right to update this privacy policy as needed to reflect changes in the law, technical developments, or changes to the app. The current version is always available at:
- In the app: Settings → Privacy Policy
- Online: https://www.arnoldschreiner.de/swapwise/privacy
In the event of material changes, we will notify you within the app. The date of the last update can be found at the beginning of this document.
17. Contact
For questions about privacy, please contact:
Arnold Schreiner
Phone: +49 40 60682201
Email: swapwise@arnoldschreiner.de
Contact form: www.arnoldschreiner.de/contact