Privacy Policy
How we handle your data.
Effective 27 April 2026 · Last updated 27 April 2026
Swarm Trading ("SWARM", "we", "us", "our") is an information service operated by Tommy Hayes, an individual based in Ireland. We respect your privacy and are committed to protecting your personal data in line with the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
Plain-English summary. We collect the minimum data needed to run the SWARM service — your account details from Whop, a session token to keep you signed in, your device token for notifications, and any messages you post in the chatroom. We do not sell your data. We do not use it for advertising. You can request access, correction, or deletion of your data at any time.
1. Who we are
The data controller is Tommy Hayes, based in Ireland.
Contact: contact@hayesholdings.ie.
For privacy-specific queries, you may contact us at the same address with the subject line "Privacy Request" and we will respond within 30 days.
2. What data we collect
2.1 Information you provide
- Account information — when you subscribe via Whop, we receive from Whop your username, email address, profile avatar, subscription status, and a unique user identifier. We do not see, store, or process your payment card details.
- Chatroom content — any messages you post in the SWARM Pro live chatroom are stored on our backend for up to 7 days for delivery to other connected members, then automatically deleted.
- Email correspondence — if you contact us by email (e.g. for early access or support), we retain that correspondence as long as needed to respond and keep a service record.
2.2 Information we collect automatically
- Session tokens — a 128-bit UUID issued when you sign in, stored in your iOS Keychain and on our backend. Expires 30 days after issuance. Used solely to authenticate API and WebSocket requests.
- Device tokens — if you grant notification permissions, your Apple Push Notification (APNs) device token is stored so we can deliver market reminders. Local notifications (e.g. 9:15 AM market open reminders) do not require this.
- Technical logs — our server records standard request metadata (timestamp, endpoint, status code) for security and reliability. We do not log request bodies or response payloads. Logs are retained for 30 days.
2.3 Information we do NOT collect
- Brokerage account details, holdings, balances, or trade history.
- Real-name identity verification documents.
- Location data, contacts, photos, microphone (except when you actively use Vocal Edge), or any other iOS permission beyond notifications.
- Browsing or tracking cookies on the marketing website (swarmtrading.ie). The site is static HTML and serves no third-party trackers.
3. Why we use your data (lawful basis under GDPR)
| Purpose | Lawful basis (Art. 6 GDPR) |
|---|
| Operating the SWARM app and authenticating sessions | Contract (Art. 6(1)(b)) |
| Verifying your active Whop subscription | Contract (Art. 6(1)(b)) |
| Sending push notifications you have opted in to receive | Consent (Art. 6(1)(a)) |
| Delivering chatroom messages between members | Contract (Art. 6(1)(b)) |
| Security, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Responding to your support enquiries | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations (e.g. tax records) | Legal obligation (Art. 6(1)(c)) |
4. Who we share data with
We do not sell, rent, or trade your personal data. We share only with the following service providers, each engaged under a written data-processing agreement and only to the extent necessary to operate the service:
- Whop Inc. (United States) — subscription management, OAuth authentication, payment processing. Whop's privacy policy: whop.com/privacy.
- Financial Modeling Prep (FMP) (United States) — market data provider. We send ticker symbols only; we do not transmit any user-identifying information to FMP.
- Google Cloud / Linux VM hosting (data centre region: Europe) — backend infrastructure.
- Apple Inc. (United States / Ireland) — push notification delivery via APNs and, where applicable, App Store subscription processing. Apple's privacy policy: apple.com/legal/privacy.
International transfers. Some of the above are based outside the European Economic Area. Where data is transferred to a non-EEA country, we rely on the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision to ensure equivalent protection.
5. How long we keep your data
| Data type | Retention |
|---|
| Active session tokens | 30 days from issuance, then auto-purged |
| Expired sessions | Deleted nightly at 03:40 ET |
| Chatroom messages | 7 days, then auto-cleaned |
| Server access logs | 30 days |
| Account record (linked to Whop) | For the duration of your active subscription, plus up to 12 months after cancellation for accounting and dispute resolution. Then deleted on request or auto-purged. |
| Email correspondence | Up to 24 months |
| Tax and financial records | As required by Irish Revenue (typically 6 years) |
6. Your rights under GDPR
You have the following rights regarding your personal data. To exercise any of them, email contact@hayesholdings.ie with the subject "Privacy Request":
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate data.
- Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
- Right to restriction — request that we limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — for any processing based on consent (e.g. push notifications).
We will respond to verified requests within 30 days. There is no charge for reasonable requests.
Right to lodge a complaint. If you believe we have not handled your data lawfully, you have the right to complain to the Irish Data Protection Commission (dataprotection.ie).
7. Security
- All API and WebSocket traffic is encrypted in transit (HTTPS / WSS).
- Session tokens are stored in the iOS Keychain (encrypted, app-sandboxed).
- Backend access is restricted to authorised personnel only.
- Database is sandboxed on a private Linux VM with firewall rules limiting inbound traffic to required ports only.
- We do not store payment card details — these are handled exclusively by Whop and (where applicable) Apple.
No system is perfectly secure. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours, and notify affected users without undue delay.
8. Children
SWARM is not intended for, and not knowingly offered to, persons under the age of 18. Trading involves substantial financial risk and is unsuitable for minors. If we become aware that we hold data on a person under 18, we will delete it.
9. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to active subscribers by email or in-app notice at least 14 days before they take effect.
10. Contact
Questions, requests, or complaints regarding this Privacy Policy:
Tommy Hayes Hayes Holdings · contact@hayesholdings.iemiddot; contact@hayesholdings.ie