Privacy Policy

Swoots — swoots.io · Last updated: April 20, 2026 · Effective date: April 20, 2026

1. Who We Are

Swoots is a B2B SaaS analytics platform operated by MB Kram Tech, a company registered in Lithuania, European Union.

Legal name	MB Kram Tech
Trading name	Swoots
Address	Meldų st. 14, 47222, Kaunas, Lithuania
Email	info@kramtech.lt
Website	https://swoots.io

As a company based in the EU, we are subject to the General Data Protection Regulation (GDPR) and act as the data controller for all personal data processed through Swoots.

2. What Swoots Does

Swoots connects to your e-commerce stores (Shopify, WooCommerce) and advertising platforms (Meta Ads, Google Ads, TikTok Ads) to display profit analytics in a single dashboard. You see your revenue, cost of goods, ad spend, and net profit — all in one place.

Swoots is a read-only analytics tool. It does not run ads, modify campaigns, create audiences, or make any changes to your store or ad accounts. It does not sell data. It does not use your data for any purpose other than displaying it back to you.

3. Who This Policy Applies To

Swoots is designed exclusively for business owners and their authorized team members. This is a business-to-business (B2B) service. We do not offer Swoots to individual consumers, and we do not knowingly collect data from persons under the age of 18.

If you are accessing Swoots on behalf of a business, you represent that you have the authority to accept this policy on that business's behalf.

4. Data We Collect

4.1 Account Data

When you register for Swoots, we collect:

Email address — used to identify your account and send service-related communications
Password — stored as a one-way hash (bcrypt); we never store or see your plain-text password
Name — optional; used to personalize your dashboard

4.2 Store Data

When you connect a Shopify or WooCommerce store via OAuth, we read order records (order amounts, dates, statuses), product data (product names, cost of goods where provided), and revenue figures. This data is synced to your Swoots dashboard and stored solely to display your analytics. We do not sell, share, or use store data for any purpose beyond rendering your dashboard.

4.3 Ad Spend Data

When you connect an advertising platform (Meta Ads, Google Ads, or TikTok Ads) via OAuth, we read campaign-level ad spend figures in a read-only capacity. We request only the minimum permissions necessary (for example, ads_read for Meta). We do not read audience data, creative assets, targeting parameters, or any personally identifiable information about your ad audiences.

How we handle Meta API data specifically is described in detail in Section 7.

4.4 Session Data

We use a single HTTP-only JWT cookie to maintain your authenticated session. This cookie is HTTP-only (not accessible to JavaScript), is scoped to swoots.io, expires when you log out, and is not used for tracking or advertising. We do not use Google Analytics, Meta Pixel, tracking pixels, or any third-party analytics or advertising scripts.

4.5 Technical Data

We may automatically collect minimal technical data including IP address (for security and rate-limiting), browser type and version (from HTTP headers), and timestamps of API requests. This data is retained in server logs for up to 90 days and is not linked to user profiles for any purpose beyond security and error diagnosis.

5. Legal Bases for Processing (GDPR)

Data Type	Legal Basis
Account data	Contract — necessary to provide the service you signed up for (Art. 6(1)(b))
Store data	Contract — necessary to display the analytics you requested (Art. 6(1)(b))
Ad spend data	Contract — necessary to display the analytics you requested (Art. 6(1)(b))
Session cookie	Legitimate interest — essential for secure authentication (Art. 6(1)(f))
Technical/log data	Legitimate interest — security and service stability (Art. 6(1)(f))
Marketing emails (if any)	Consent — only sent if you explicitly opt in (Art. 6(1)(a))

6. How We Use Your Data

We use your data only to: provide the analytics service, authenticate your session, maintain service reliability, and send essential service communications.

We do not use your data to sell or rent to third parties, build advertising profiles, conduct behavioral tracking, train AI/ML models, or send unsolicited marketing.

7. Meta Marketing API — Special Disclosure

This section is required by Meta's Platform Terms and is specifically intended to satisfy Meta's App Review requirements.

7.1 What We Access

Swoots connects to the Meta Marketing API using OAuth authorization with the ads_read permission scope. This allows us to read aggregated ad spend data at the campaign level.

7.2 What We Do With Meta Data

We read: Campaign-level spend figures (amounts spent on your Meta ad campaigns)
We display: These figures are shown to the authenticated account holder in the Swoots profit dashboard
We store: Only aggregated totals, retained for the duration of your account to power your historical analytics view

7.3 What We Do NOT Do With Meta Data

We do not modify, pause, start, or delete any ad campaigns
We do not read, store, or process audience data, demographic data, or any data about the people who see your ads
We do not share Meta data with any third parties
We do not use Meta data for advertising, targeting, or retargeting of any kind
We do not use Meta data to build profiles on individuals
We do not sell Meta data

7.4 Token Storage

OAuth access tokens issued by Meta are stored securely in our database, encrypted at rest. Tokens are used exclusively to fetch spend data on your behalf. You can revoke access at any time in Swoots Settings or directly in your Meta Business Settings.

7.5 Compliance With Meta Platform Terms

Our use of the Meta Marketing API complies with Meta's Platform Terms and Developer Policies. We do not use Meta Platform Data in any way inconsistent with those terms.

8. Third-Party Integrations

Platform	Scope	What We Do
Shopify	Orders, Products (OAuth)	Read orders and product data to calculate revenue and margin
WooCommerce	Orders, Products (OAuth)	Read orders and product data to calculate revenue and margin
Meta Marketing API	ads_read (OAuth)	Read campaign-level ad spend only
Google Ads API	Read-only (OAuth)	Read campaign-level ad spend only
TikTok Marketing API	Read-only (OAuth)	Read campaign-level ad spend only

No data received from these platforms is shared with any other third party. Each integration uses OAuth — you authorize the connection explicitly and can revoke it at any time.

9. Data Sharing

We do not sell, trade, or rent your personal data or business data to third parties. We may share data only with infrastructure providers (servers in Lithuania, EU, bound by data processing agreements), if required by law or court order, or in the event of a business transfer (with advance notice and option to delete your account).

10. Data Storage and Security

10.1 Location

All data is stored on servers located in Lithuania, European Union. No personal data is transferred outside the EU/EEA unless you explicitly request an integration that routes through a non-EU provider, in which case appropriate safeguards (Standard Contractual Clauses) apply.

10.2 Security Measures

Passwords hashed using bcrypt — never stored in plain text
OAuth tokens encrypted at rest
Session cookies are HTTP-only and scoped to swoots.io
All data in transit encrypted using TLS
Access to production systems restricted to authorized personnel

10.3 Data Retention

Data Type	Retention Period
Account, store, and ad spend data	Active for life of account, deleted within 1 year of account deletion
Server logs	90 days from creation
Session cookies	Duration of session or until logout

After the retention period ends, data is permanently and irreversibly deleted. We do not archive deleted user data.

11. Cookies

Swoots uses a single essential authentication cookie (session, HTTP-only JWT). We do not use Google Analytics, Meta Pixel, advertising cookies, or any third-party tracking cookies. Because our only cookie is strictly necessary for the service to function, no consent banner is required under GDPR and the ePrivacy Directive. If we add non-essential cookies in the future, we will update this policy and add a consent mechanism before doing so.

12. Your Rights Under GDPR

To exercise any of the following rights, email info@kramtech.lt with the subject line "GDPR Request — [Type]". We will respond within 30 days.

Right	What It Means
Access (Art. 15)	Request a copy of all personal data we hold about you
Rectification (Art. 16)	Ask us to correct inaccurate or incomplete data
Erasure (Art. 17)	Request deletion of your account and all associated data
Portability (Art. 20)	Request your data in a structured, machine-readable format
Object (Art. 21)	Object to processing based on legitimate interests
Restrict Processing (Art. 18)	Ask us to limit how we use your data
Withdraw Consent (Art. 7)	Withdraw consent at any time where processing is consent-based

You also have the right to lodge a complaint with the State Data Protection Inspectorate of Lithuania (VDAI): vdai.lrv.lt · ada@ada.lt

13. Children's Privacy

Swoots is a business tool intended for adults operating commercial enterprises. We do not knowingly collect data from persons under the age of 18. If you believe a minor has provided personal data through our service, contact us at info@kramtech.lt and we will delete it promptly.

14. Changes to This Policy

When we make material changes, we will update the "Last updated" date and notify active users by email at least 14 days before changes take effect. Continued use of Swoots after the effective date constitutes acceptance.

15. Contact Us

MB Kram Tech
Meldų st. 14, 47222, Kaunas, Lithuania
info@kramtech.lt
https://swoots.io

We aim to respond to all privacy-related inquiries within 5 business days.

This policy was written in plain English and is intended to be understandable. If you have questions about anything in this document, please reach out — we are happy to explain.