UniSwipe — Student Marketplace
Last Updated: 13 April 2026 · Effective Date: 13 April 2026
Operated by: Serendipity Inc., registered in Japan
UniSwipe ("we," "us," "our") is a student marketplace platform developed and operated by Serendipity Inc., a company incorporated in Japan. The Service is available as a web application and mobile application (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and your rights regarding your data.
We are committed to protecting your privacy and complying with applicable data protection law. The Service is currently offered to users in the United Kingdom. The primary legal framework governing our processing of your personal data is:
By creating an account or using the Service, you agree to the collection and use of your data as described in this policy. If you do not agree, please do not use the Service.
This policy is provided for transparency. It is not legal advice. If you need advice about your specific situation (for example tax, immigration, or regulatory compliance), consult a qualified professional.
The data controller responsible for your personal data is:
Serendipity Inc.
Nishi-Shinjuku Mizuma Building 6F, 3-3-13 Nishi-Shinjuku, Shinjuku-ku, Tokyo 160-0023, Japan
Email: cwtros@gmail.com
As we are not established in the United Kingdom but process personal data of UK residents, we have appointed a representative in the UK in accordance with Article 27 of the UK General Data Protection Regulation (UK GDPR).
UK residents may contact our representative for any matters relating to the processing of their personal data, including Subject Access Requests and other data subject rights under UK GDPR:
Data Protection Representative (UK) Limited (trading as DataRep)
107–111 Fleet Street, London, EC4A 2AB, United Kingdom
Email: datarequest@datarep.com (quote “UniSwipe” in the subject line)
Online form: www.datarep.com/data-request
When contacting by post, please address your letter to “DataRep”(not “UniSwipe”) and refer clearly to UniSwipe in your correspondence. DataRep acts as our representative point of contact and does not have independent decision-making authority over data processing activities.
When you create an account, we collect:
| Data | Purpose |
|---|---|
| Email address | Account creation, sign-in links, and login via Supabase Auth (any reachable email you choose; we do not require a specific school domain) |
| OAuth profile data (Google / Apple) | Optional sign-in: name and email supplied by the provider to Supabase Auth per their policies |
| Full name | Display on your profile and listings |
| Profile photo | Display on your profile, listings, and messages |
| Institution name and type (e.g. university or school) | Profile trust signal and feed filters (e.g. same institution) |
| Course / programme of study | Display on your profile for trust and context |
| Year of study | Display on your profile |
| Age | Collected at signup to confirm eligibility (18+) |
| Phone number (optional) | Stored on your profile if you provide it; visibility controlled in Settings |
| Bio and languages (optional) | Display on your profile |
| Notification preferences | In-app / email-style notification categories (bookings, messages, etc.) |
| Password (hashed) | Email/password sign-in only — stored by Supabase; we never see your plaintext password |
When you create a listing, we collect:
| Data | Purpose |
|---|---|
| Listing title and description | Display in the marketplace feed |
| Listing type (Time, Experience, Item) | Categorisation and filtering |
| Price | Display to bookers and payment processing |
| Location label and meeting type (in person / online) | Display to bookers; in-person meetups may include a text address |
| Map coordinates (optional, in-person listings) | If you drop a pin on the map, we store latitude/longitude to show the listing on the map and compute distances when bookers opt in |
| Online meeting URL (optional) | Shared when the listing is online |
| Event timezone and event date/time (experiences) | Correct scheduling and display for bookers |
| Availability / calendar slots (time-based listings) | Allow bookers to select a time |
| Listing images (if uploaded) | Display in listing detail (including gallery photos) |
| Data | Purpose |
|---|---|
| Booking details (listing, date, time, participants) | Manage the booking lifecycle |
| Booking status (pending, confirmed, checked-in, completed, cancelled, disputed, expired) | Track booking progress and moderation states |
| Completion PIN and handover deadline | In-person completion: Booker shows PIN; Provider enters it to trigger payment capture (paid) or completion (free) as implemented |
| Service fee, platform fee, provider payout amounts | Checkout display, Stripe application fee, and earnings records |
| Reviews (1–5 stars + text, booker → provider) | Public reputation after completed bookings |
| Transaction amount and commission | Payment processing and platform revenue |
We use Stripe (including Stripe Connect) to process all payments. We do not store your full card number, CVV, or bank account details on our servers. Stripe handles this data directly under their own privacy policy.
| Data | Where Stored | Purpose |
|---|---|---|
| Stripe Connect Account ID | Our database (Supabase) | Link your provider account to receive payouts |
| Stripe PaymentIntent ID (per paid booking) | Our database (Supabase) + Stripe | Authorise, capture, cancel, or refund the correct charge |
| Transaction IDs and amounts | Our database + Stripe | Record of transactions, earnings tracking |
| Bank account details (for payouts) | Stripe only | Provider payouts — we never see full bank details |
For Stripe's data handling practices, see: stripe.com/privacy
| Data | Purpose |
|---|---|
| Message content (text) | In-app communication via Supabase Realtime |
| Message timestamps | Display in chat interface |
| Read receipts | Show whether messages have been read |
We store message content in our database for as long as the conversation and accounts exist, or as required for safety, disputes, or law. We do not sell message content to third parties. We may review message content if a user reports a safety concern, or if required by law.
Reports and blocks: If you submit a report (listing, message, or profile) or block another user, we store the identifiers, reasons, and details you provide, plus related metadata, for moderation and safety.
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, approximate location |
| Browser type and version | Compatibility and debugging |
| Device type (mobile/desktop) | Responsive design and analytics |
| Operating system | Compatibility and debugging |
| Approximate location you opt into (browser geolocation) | Only if you enable location for "nearest" sorting or the map view: coordinates may be sent with feed requests to sort or display distance—not stored as a permanent profile field |
| Pages visited and actions taken | Product improvement (limited to normal server logs where applicable) |
| Crash reports and error logs | Debugging and stability (if you or we attach them to support) |
In the United Kingdom, cookies and similar tracking technologies are governed by the Privacy and Electronic Communications Regulations 2003 (PECR) as well as UK GDPR. The rules are:
| Type | Purpose | Required? |
|---|---|---|
| Essential | Supabase auth session cookies / storage | Yes — required to stay signed in |
We currently use essential cookies only. We do not use advertising cookies, third-party tracking pixels, or behavioural profiling cookies. We do not share cookie data with advertisers. If we introduce non-essential cookies in future, we will implement a PECR-compliant consent banner that blocks those cookies until you actively accept them.
We send service-related communications (for example booking confirmations, payment receipts, account security notices, and policy updates) which do not require your separate consent as they are part of the service you signed up for.
We do not send marketing emails or push notifications without your explicit, separate consent. Under UK GDPR and PECR:
| Data | Purpose |
|---|---|
| Device push token (if you enable push on a supported client) | May be stored on your profile for future mobile push delivery |
| In-app notification records | Notification inbox in the Service (bookings, messages, etc.) |
| Notification preferences | Respect your settings on your profile |
To provide the Service: Create and manage your account, display your profile and listings, process bookings and payments via Stripe, enable in-app messaging, send notifications, and display reviews and ratings.
To maintain trust and safety: Use profile and institution information you provide, investigate reports, enforce our Terms and Community Guidelines, and prevent fraud.
To improve the Service: Analyse usage patterns, debug errors, and understand which features are most used.
To comply with legal obligations: Respond to lawful requests, comply with tax reporting obligations, and maintain legally required records.
Communications: We send service-related emails or in-app messages (for example account security, bookings, payments, and policy updates). We do not use your data to run third-party behavioural advertising. If we introduce optional marketing messages where consent is required, we will describe that separately.
Automated decisions: We do not use solely automated processing to make decisions about you that produce legal or similarly significant effects without human involvement.
We process personal data on the following legal bases under UK GDPR:
Your profile information and listing details are visible to other users. You control what you include in your profile and listings.
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| Supabase | All account, listing, booking, message data | Database, auth, realtime | United States (AWS) |
| Stripe | Name, email, bank/card details, transactions | Payments, payouts, KYC | United States |
| Vercel | IP address, browser data, request logs | Web hosting (Next.js) | United States (Edge) |
| Account identifiers if you use "Sign in with Google" | Authentication (via Supabase) | United States / global | |
| Apple | Account identifiers if you use "Sign in with Apple" | Authentication (via Supabase) | United States / global |
| Map tile providers (e.g. CARTO / OpenStreetMap) | Standard HTTP requests when maps load (may include IP) | Map images in the browser | Varies (CDN) |
We may be required by law to report provider income data to tax authorities. This includes:
We will notify affected users and provide a copy of any data reported where permitted by law.
We may disclose your data if required by law, regulation, legal process, or governmental request. We will attempt to notify you before disclosure unless prohibited by law.
Our database is hosted by Supabase on AWS infrastructure in the United States. Payments are processed by Stripe in the United States. Our web hosting is provided by Vercel (United States, with edge nodes globally). We are operated by Serendipity Inc., a Japanese entity. Your personal data may therefore be transferred to, stored in, and processed in the United States and Japan.
Japan is not on the UK adequacy list
The UK operates an "adequacy" framework under UK GDPR that allows personal data to flow freely to countries whose data protection standards have been approved. Japan is not currently on the UK's adequacy list. This means that any transfer of your personal data to Japan requires a lawful transfer mechanism. We use the UK International Data Transfer Agreement (IDTA) between our UK-facing operations and our Japanese entity to ensure these transfers are lawful under UK GDPR Article 46.
We protect your data in cross-border transfers as follows:
| Data Type | Retention Period |
|---|---|
| Account and profile data | Until you delete your account (subject to legal retention below) |
| Listings | Until deleted or account deletion |
| Booking records | 3 years after completion |
| Transaction / payment records | 7 years (legal/tax requirements) |
| Messages | While accounts exist; deleted with account or as required by law |
| Reviews and ratings | Until account deletion (then anonymised) |
| Notification history | 12 months |
| Technical / analytics data | 12 months |
Regardless of location, you have the right to:
You also have the right to data portability, restriction of processing, and to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk.
Contact us at cwtros@gmail.com. We respond within 30 days.
You can delete your account through Settings. The Service first attempts to cancel open bookings and release or refund payments via Stripe, then removes your auth account and cascaded profile data from our database. Some records (for example reviews or bookkeeping) may be retained in anonymised or aggregate form, or longer where the law requires. Stripe may retain payment records under its own policies.
If you discover a vulnerability, report it to cwtros@gmail.com.
No system is perfectly secure. We cannot guarantee that unauthorised access, hacking, data loss, or other breaches will never occur. You use the Service understanding that residual risk remains.
Under UK GDPR Article 33, we are required to notify the UK Information Commissioner's Office (ICO) of a personal data breach within 72 hoursof becoming aware of it, where the breach is likely to result in a risk to individuals' rights and freedoms (for example, exposure of payment data, personal messages, or identity information).
Under UK GDPR Article 34, if the breach is likely to result in a high risk to individuals, we will also notify affected users directly without undue delay.
We have internal procedures in place to identify, assess, and respond to data breaches. If you believe your data has been compromised, contact cwtros@gmail.com immediately. You also have the right to report a concern directly to the ICO at ico.org.uk/make-a-complaint.
UniSwipe is for users aged 18+. We do not knowingly collect data from anyone under 18. If we learn we have, we will delete it promptly.
We may update this policy. Material changes will be communicated via email or in-app notification at least 14 days before taking effect.
Email: cwtros@gmail.com
Address: Serendipity Inc., Nishi-Shinjuku Mizuma Building 6F, 3-3-13 Nishi-Shinjuku, Shinjuku-ku, Tokyo 160-0023, Japan
This Privacy Policy was last reviewed on 13 April 2026.