Privacy Policy.

Swiftaw SAS is the data controller for all personal data processed on Fortized. We determine the purposes and means of data processing.

For data-protection inquiries, requests to access your data, or complaints, contact Fortized Support and mark your message Data Protection Request. We respond within 30 days (or up to 90 days for complex requests, as permitted by GDPR).

When you sign up and use Fortized, you provide us with:

• Email address: for account creation, recovery, and login
• Password: hashed and encrypted; we never see it in readable form
• Username and display name: public profile identifiers
• Date of birth: used to determine age tier (child, teen, adult) and enforce age-gating
• Profile picture: optional image you upload
• Bio and profile information: text you choose to display
• Custom status: emoji and text you set
• Pronouns: optional information you provide
• Social links: optional links to external profiles

As you use Fortized, we automatically collect:

• Messages and content: every message, image, video, emoji, file you post (for display and moderation)
• Activity metadata: timestamps, bastion memberships, friends list, channel access, game detection
• Voice and video metadata: participant lists, join/leave timestamps, duration (not recordings themselves)
• Account activity: login times, device information, IP address, browser type, operating system
• Onyx balance and transaction history: how much you earned, spent, and when
• Fortshop purchases: what you bought, when, and at what price
• Settings and preferences: notification settings, theme choices, language, accessibility preferences
• Logging data: we log actions for security and debugging (login attempts, content moderation actions, account changes)

If you connect Spotify to Fortized, we receive:

• Your currently playing track and album art (refreshed every 10-15 seconds)
• Your Spotify display name and profile picture
• A Spotify refresh token (stored server-side, never shared with anyone)

We do not access your Spotify password. Spotify's Privacy Policy applies to Spotify data.

We collect and process your data for these legal purposes:

• Service provision: to deliver Fortized (messages, voice, storage, profiles, etc.)
• Contractual performance: to manage your account, purchases, subscriptions, and Onyx transactions
• Legal compliance: to obey laws, respond to legal requests, enforce these Terms
• Safety and security: to prevent abuse, fraud, harassment, and illegal activity
• Moderation: to detect and remove content that violates these Terms (via automated systems and human review)
• Legitimate interest: to improve Fortized, analyze usage patterns, debug bugs, and optimize performance
• Your consent: if you opt in to marketing emails or beta features

Your data is stored on encrypted, secure servers located at Swiftaw's datacenter in Orleans, France and Supabase's datacenter in Paris, France. All data is encrypted in transit (TLS/HTTPS) and at rest (AES-256 or equivalent). Passwords are hashed using industry-standard algorithms (bcrypt or similar) and are never stored in readable form.

Access to your data is restricted to Swiftaw employees and contractors who need it to provide the Service. These employees are subject to confidentiality agreements and Data Protection Impact Assessments. Swiftaw's staff cannot read your private messages or raw data without going through proper authorization channels (e.g., responding to a law enforcement request).

We maintain redundant backups to prevent data loss. Backups are encrypted and stored in secure facilities. In the event of a disaster, we can restore your account and data from backups.

Active accounts: Your data is retained for as long as your account exists and for as long as needed to comply with legal obligations or resolve disputes.

Deleted accounts: When you delete your account, we remove your data from live systems within 30 days. Backups are purged within 90 days. Some data may be retained longer if required by law or to resolve ongoing legal disputes (e.g., if your content is subject to a lawsuit).

Law enforcement holds: If law enforcement requests preservation of your data, we may retain it for the duration of the hold, even after you delete your account.

Swiftaw is based in France and processes and stores all user data exclusively within the European Union. Our infrastructure is located at Swiftaw's datacenter in Orleans, France and Supabase's datacenter in Paris, France. We do not transfer personal data outside the EU as part of our standard operations.

If, in the future, any data transfer outside the EU becomes necessary to provide the Service, we will rely on Standard Contractual Clauses (SCCs) and other mechanisms approved by the European Commission to ensure your data is protected at a level equivalent to GDPR, and we will update this policy accordingly.

If you are in the EU or a country with similar data protection laws, you have the right to:

• Access: Request a copy of all your personal data we hold. We will provide it in a machine-readable format.
• Rectification: Correct or update inaccurate data (e.g., change your display name).
• Erasure: Request deletion of your data ("right to be forgotten"), subject to legal and operational limits.
• Restriction: Ask us to limit how we process your data (e.g., suspend automated moderation while you appeal).
• Portability: Get your data in a structured, portable format and transfer it to another service.
• Object: Refuse processing of your data for certain purposes (e.g., opt out of analytics).
• Withdraw consent: If we rely on your consent, you can withdraw it at any time (though this won't affect prior processing).

To exercise any of these rights, contact Fortized Support and clearly state your request. We respond within 30 days (or up to 90 days for complex requests).

Fortized does not use cookies for tracking or advertising. We may use essential cookies for:

• Session management (keeping you logged in)
• Security (preventing CSRF attacks)
• Remembering user preferences (theme, language)

You can disable cookies in your browser, but some Fortized features may not work correctly. We do not use third-party analytics tools that track you across other websites.

In the event of a data breach that compromises your personal data, we will:

• Notify you and affected users without undue delay (as required by GDPR, within 72 hours of discovery)
• Describe the nature and scope of the breach
• Provide advice on how to protect yourself
• Notify relevant authorities as required by law

We maintain cyber insurance and incident response procedures to minimize risk.

Swiftaw may update this Privacy Policy. If we make a material change, we will notify you in-app or by email at least 30 days before the change takes effect. Continued use after the notice period means you accept the updated policy.