Privacy Policy

Last updated: April 3, 2026

1. Introduction

This privacy policy explains how Swipcall collects, uses, and protects information when you use the Swipcall Android application and this website. Swipcall is a local-first customer management app built for tradespeople such as plumbers, electricians, and locksmiths. We designed Swipcall so that your personal and business data stays on your device. This policy is written in plain language so you can understand exactly what happens with your data.

This policy describes how we process your data when you use Swipcall, and the legal bases we rely on for each processing activity, as detailed in Section 4 below.

2. Data controller

The data controller responsible for your data is:

Swipcall
Operated by Cadvix, an unregistered partnership based in Israel
Email: eitaymcc@gmail.com

Given the nature and scale of our processing activities, we are not required to appoint a Data Protection Officer under Article 37 of the GDPR. For all privacy-related matters, contact us at eitaymcc@gmail.com.

For all privacy-related requests, including exercising your rights under the GDPR, please contact us at the email above. We aim to respond within 30 days.

3. Categories of personal data we process

Swipcall is a local-first app. The vast majority of data never leaves your device. Below is a complete list of data categories, where they are processed, and who can access them.

3.1 Data stored only on your device (never sent to us)

Customer records - names, phone numbers, addresses, notes, and any other details you enter.
Call history - incoming and outgoing call metadata (phone number, time, duration) read from your Android call log.
Contact data - names and phone numbers read from your device contacts to match callers.
Appointments and reminders - scheduling data you create within the app.
App settings and preferences - your configuration choices.

This data is stored in a local SQLite database on your Android device. Swipcall has no server that receives this data. We cannot access, read, or recover it.

3.2 Data processed by third-party services

Data	Service	Purpose
Email address, display name	Google Sign-In	Authentication (creating and signing into your account)
Anonymous crash reports (stack traces, device model, OS version - no personal data)	Firebase Crashlytics (Google)	Identifying and fixing bugs
Anonymous usage events (feature tap counts, screen views - no personal data)	Firebase Analytics (Google)	Understanding which features are used so we can improve the app
Anonymous user ID, purchase receipts	RevenueCat	Managing subscriptions and verifying purchases

3.3 Data processed only when you choose to use a Pro feature

Data	Service	Purpose
Encrypted backup file (AES-256-GCM encrypted copy of your local database)	Google Drive (your personal account)	Backup and restore, initiated by you
Appointment details you choose to sync	Google Calendar (your personal account)	Two-way calendar sync, initiated by you

4. Purposes and legal basis for processing

Under Article 6 of the GDPR, every type of data processing must have a legal basis. Here is the legal basis for each processing activity in Swipcall:

Processing activity	Legal basis (Art. 6 GDPR)	Explanation
On-device processing of call logs, contacts, and customer records	Art. 6(1)(b) - Performance of a contract	This processing is necessary to provide the core service you downloaded the app to use (caller identification and customer management).
Google Sign-In (email, name)	Art. 6(1)(b) - Performance of a contract	Authentication is necessary to provide the service and manage your account.
Firebase Crashlytics (anonymous crash reports)	Art. 6(1)(f) - Legitimate interest	Our legitimate interest is maintaining app stability and fixing bugs. The data is anonymous and the impact on your privacy is minimal.
Firebase Analytics (anonymous usage counts)	Art. 6(1)(a) - Consent	Firebase Analytics is only initialized after you opt in within the app settings. You can withdraw consent at any time by disabling analytics in the app settings.
RevenueCat (subscription management)	Art. 6(1)(b) - Performance of a contract	Necessary to process and verify your subscription purchase.
Google Drive backup (encrypted)	Art. 6(1)(a) - Consent	You choose to enable this feature. You can stop at any time.
Google Calendar sync	Art. 6(1)(a) - Consent	You choose to enable this feature. You can disconnect at any time.

5. Android permissions

Swipcall requests the following Android permissions. Each is required for a specific feature:

READ_PHONE_STATE / READ_CALL_LOG - To detect when calls start and end and to show caller information in the popup overlay. This data is processed entirely on your device.
SYSTEM_ALERT_WINDOW - To display the floating popup overlay on top of other apps during calls.
READ_CONTACTS - To match incoming phone numbers with contact names stored on your device. Contact data is read locally and never transmitted.
POST_NOTIFICATIONS - To send you callback reminders and service notifications.

You can revoke any permission at any time through your Android device settings. Revoking a permission will disable the feature that depends on it, but the rest of the app will continue to work.

6. Third-party data processors

The following third parties process data on our behalf or as part of the services you use through Swipcall:

Processor	Role	Data processed	Privacy policy
Google LLC (Firebase Crashlytics)	Sub-processor	Anonymous crash data	Google Privacy Policy
Google LLC (Firebase Analytics)	Sub-processor	Anonymous usage events	Google Privacy Policy
Google LLC (Sign-In, Drive, Calendar)	Independent controller / processor	Email, name, backup files, calendar events	Google Privacy Policy
RevenueCat Inc.	Sub-processor	Anonymous user ID, purchase receipts	RevenueCat Privacy Policy
Google LLC (Google Play)	Processor	Payment and subscription data	Google Privacy Policy

We do not sell, rent, or share your personal data with any other third parties. We do not use advertising networks or tracking services.

7. International data transfers

Swipcall is operated from Israel, which has an adequacy decision from the European Commission, meaning the Commission recognizes Israel as providing an adequate level of data protection.

Some third-party processors listed above (Google LLC and RevenueCat Inc.) are based in the United States. Data transferred to these US-based processors is protected by the following safeguards:

EU-US Data Privacy Framework - Both Google and RevenueCat are certified under the EU-US Data Privacy Framework, which the European Commission has recognized as providing adequate protection for transfers to certified US organizations.
Standard Contractual Clauses (SCCs) - Google and RevenueCat also incorporate the European Commission's Standard Contractual Clauses into their data processing agreements as a supplementary safeguard.
Minimal data exposure - The data sent to these services is either anonymous (crash reports, analytics events) or limited to what is strictly necessary (email for authentication, anonymous IDs for subscriptions).

8. Data retention

We apply the following retention periods:

Data	Retention period	How to delete
On-device data (customers, calls, appointments, settings)	Kept until you delete it or uninstall the app	Use "Delete all data" in Settings, or uninstall the app
Google Drive backups	Kept in your personal Google Drive until you delete them	Delete the backup files from your Google Drive, or disconnect backup in the app
Google Sign-In data (email, name)	Stored locally on your device; kept by Google as part of your Google account	Local copy is deleted when you uninstall the app or use "Delete all data" in Settings. To remove from Google, revoke Swipcall's access in your Google account security settings
Firebase Crashlytics data	90 days (Google's default retention)	Automatically deleted by Google after the retention period
Firebase Analytics data	14 months (Google's default retention)	Automatically deleted by Google after the retention period
RevenueCat subscription data	Subscription duration plus up to 7 years as required by Israeli tax law	Contact us at eitaymcc@gmail.com to request deletion after subscription ends and the tax retention period has elapsed

9. Your rights under the GDPR

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

Right of access (Art. 15) - You can request a copy of all personal data we hold about you.
Right to rectification (Art. 16) - You can ask us to correct any inaccurate data we hold about you.
Right to erasure (Art. 17) - You can ask us to delete your personal data. Since most data is on your device, you can delete it directly. For data held by third-party processors, contact us and we will coordinate deletion.
Right to restriction of processing (Art. 18) - You can ask us to temporarily stop processing your data while a concern is resolved.
Right to data portability (Art. 20) - You can request your data in a structured, commonly used, machine-readable format. The app's built-in export feature in Settings provides this.
Right to object (Art. 21) - You can object to processing based on legitimate interest (Firebase Crashlytics and Analytics). We will stop unless we have compelling legitimate grounds.

How to exercise your rights

For data stored on your device, you can exercise your rights directly through the app:

Access and portability - Use the data export feature in Settings.
Erasure - Use "Delete all data" in Settings, or uninstall the app.

For data held by third-party processors (Firebase, RevenueCat, Google), email us at eitaymcc@gmail.com with the subject line "GDPR Data Request". Please include your email address so we can identify your account. We will respond within 30 days. There is no fee for exercising your rights. If your request is complex or you make multiple requests, we may extend the response period by up to 60 additional days and will inform you of the extension.

10. Right to withdraw consent

Where we rely on your consent as the legal basis for processing (Firebase Analytics, Google Drive backup, and Google Calendar sync), you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of any processing we carried out before you withdrew it.

To withdraw consent:

Firebase Analytics - Disable analytics in the app settings. Analytics data collection will stop immediately.
Google Drive backup - Disable backup in the app settings. You can also revoke Swipcall's access to Google Drive in your Google account settings.
Google Calendar sync - Disconnect calendar sync in the app settings. You can also revoke Swipcall's access to Google Calendar in your Google account settings.

11. Right to lodge a complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You can do this in the EU/EEA member state where you live, where you work, or where the alleged violation took place.

A list of EU/EEA data protection authorities is available on the European Data Protection Board website.

If you are in Israel, you may also lodge a complaint with the Israeli Privacy Protection Authority (PPA).

We encourage you to contact us first at eitaymcc@gmail.com so we can try to resolve your concern directly.

12. Obligation to provide data

Providing your data to Swipcall is not a statutory or contractual requirement. However:

Google Sign-In (email, name) is required to create an account and use the app. If you choose not to sign in, you cannot use Swipcall.
Android permissions (call log, contacts, etc.) are needed for specific features. Denying them will disable those features but will not prevent you from using the rest of the app.
Pro features (backup, calendar sync) are entirely optional. There are no consequences for choosing not to use them.

13. Automated decision-making and profiling

Swipcall does not use automated decision-making or profiling as defined in Article 22 of the GDPR. No decisions with legal or similarly significant effects are made about you based on automated processing.

14. WhatsApp integration

When you tap "Send WhatsApp" in the app, Swipcall opens the WhatsApp application using a standard Android intent (deep link) with the customer's phone number. This is a direct device-to-app communication. No data passes through any Swipcall server. The phone number is sent directly from your device to WhatsApp on your device. WhatsApp's own privacy policy governs how WhatsApp handles that data.

15. Website and cookies

The Swipcall website (this site) uses only essential local storage (localStorage) to remember basic preferences such as your language selection and accessibility widget settings (font size, contrast, and display preferences). We do not use tracking cookies, advertising cookies, or any third-party cookies. A localStorage notice banner is displayed to inform you about this storage. localStorage does not track you across sites.

16. Children's privacy

Swipcall is a business tool designed for professionals. It is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at eitaymcc@gmail.com and we will take steps to delete that data.

17. Data security

We take the following measures to protect your data:

Local-first architecture - Your data stays on your device and is protected by your device's own security (screen lock, encryption).
Encrypted backups - Google Drive backups are encrypted with AES-256-GCM before they leave your device. Swipcall does not have access to the encryption key.
Minimal data collection - We only transmit anonymous crash and usage data to third-party services. No customer data, phone numbers, call details, or business information is ever transmitted.
HTTPS - All network communication uses HTTPS encryption.

18. Israeli Privacy Protection Law

Swipcall is operated from Israel and is subject to the Israeli Protection of Privacy Law, 5741-1981. In addition to the GDPR rights described above, all users have the following rights under Israeli law:

Right of access (Section 13) - You have the right to review any personal data about you held by us or our third-party processors.
Right to correction (Section 14) - You can request correction of inaccurate personal data.
Right to object to direct marketing (Section 30) - You can object to the use of your data for direct marketing purposes. Swipcall does not currently engage in direct marketing.

To exercise these rights, contact us at eitaymcc@gmail.com.

If you believe your privacy rights under Israeli law have been violated, you may lodge a complaint with the Israeli Privacy Protection Authority (PPA).

Under the Israeli Protection of Privacy Law, database registration with the Registrar of Databases is required when a database contains personal data of more than 10,000 individuals. Swipcall will complete this registration if and when this threshold is reached.

19. Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in the app, the law, or our practices. When we make changes:

We will update the "Last updated" date at the top of this page.
For significant changes that affect your rights or how your data is processed, we will notify you through an in-app notification before the changes take effect.
If a change requires your consent under the GDPR, we will ask for it before applying the new processing.

We encourage you to review this page periodically.

20. Contact us

If you have questions about this privacy policy, want to exercise your data rights, or have a concern about how your data is handled, please contact us:

Email: eitaymcc@gmail.com
Subject line for data requests: "GDPR Data Request"

We aim to respond to all inquiries within 30 days.

Swipcall