Privacy Policy

How we collect, use, and protect your information

Last updated: 17 June 2026

Holdyn ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure payment protection platform. Funds are held safely by Stripe until the agreed transaction conditions have been satisfied. Please read this policy carefully. By using Holdyn, you consent to the data practices described in this policy.

Important Disclosure

Holdyn Inc, a Delaware corporation, is a Payment Facilitation Platform. Holdyn provides technology that facilitates payment transactions between parties and offers dispute resolution services. All funds are held by Stripe, Inc., a licensed money transmitter and payment processor regulated by applicable financial authorities.

Holdyn does not hold or custody user funds. Holdyn administers payment transactions and facilitates dispute resolution. By using our platform, you authorise Holdyn to administer the dispute resolution process and to direct Stripe to execute fund distribution according to the outcome of the resolution path chosen by the parties — direct settlement, Holdyn-facilitated mediation, or external arbitration. Stripe charges processing fees for payment services, in accordance with their Terms of Service.

Disclaimer: Holdyn does not provide legal, tax, or financial advice. Users should consult qualified professionals for advice specific to their circumstances.

1. Information We Collect

We collect information in several ways:

1.1 Information You Provide Directly

  • Account Information: First name, middle name, last name, email address, password
  • Contact Information: Phone number, mailing address (street, city, state, postal code, country)
  • Identity Verification: Date of birth, government ID information (for KYC compliance)
  • Business Information: Business type (individual or company)
  • Beneficial Ownership Information: For business accounts, the name, date of birth, and ownership percentage of any beneficial owner holding 25% or more, where required for KYC/AML compliance
  • AML Declarations: Information you provide in anti-money-laundering declarations, such as source of funds, expected transaction volume, intended use, and any sanctions or politically-exposed-person self-declarations
  • Profile Data: Profile picture, e-signature
  • Transaction Data: Transaction details, milestones, custom terms, attachments
  • Communications: Messages between users, support tickets, feedback
  • Consent and Authorisation Records: A record of your acceptance of platform terms and your authorisation of each payment, including the date and time, the version of the terms shown to you, and associated device and IP information

1.2 Information from Third-Party Services

  • Google Sign-In: If you sign in with Google, we receive your Google account email, name, and profile picture
  • Stripe: Payment processing information, bank account verification status, payout details, and card-authentication results

1.3 Information Collected Automatically

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Data: Pages visited, features used, timestamps, referring URLs
  • Location Data: General location based on IP address
  • Risk and Security Signals: Information used to keep the platform secure and to detect and prevent fraud — including transaction patterns and history, funding method, velocity of activity, device and IP signals, and account history. How this information is used in automated processing is described in Section 12.

2. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our platform:

  • Essential Cookies: Required for platform functionality, including:
    • Authentication tokens (to keep you logged in)
    • CSRF tokens (to protect against cross-site request forgery attacks)
    • Session management
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how users interact with our platform

You can control cookies through your browser settings, but disabling essential cookies may prevent you from using certain features of our platform.

3. How We Use Your Information

We use your information for the following purposes:

  • Service Delivery: Process transactions, manage payment protection, facilitate payments
  • Account Management: Create and maintain your account, verify your identity
  • Communications: Send notifications about transaction updates, milestones, and deadlines
  • Notifications: Deliver in-app notifications, emails, and SMS messages based on your preferences
  • AI Assistant: Provide personalised help through our Holdyn AI feature (your transaction data is used to generate contextual responses)
  • Dispute Resolution: Review evidence and communications to resolve disputes fairly
  • Dispute and Chargeback Handling: Process, submit, and respond to disputes, chargebacks, and payment reversals, including preparing and exchanging evidence with payment partners
  • Consent and Authorisation Records: Record and rely on your acceptance of terms and authorisation of payments, including as evidence in disputes, chargebacks, and reversals, and to demonstrate that a payment was authorised for compliance purposes
  • Security and Fraud Prevention: Detect and prevent fraud, abuse, money laundering, and security threats
  • Risk Assessment and Automated Decision-Making: Assess the risk of transactions, funding, and withdrawals and decide whether to flag, hold, delay, limit, decline, or restrict them, as described in Section 12
  • Legal Compliance: Comply with KYC/AML regulations and legal obligations
  • Platform Improvement: Analyse usage patterns to improve our services
  • Customer Support: Respond to your questions and resolve issues

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your data in the following circumstances:

4.1 With Other Users

When you enter into a transaction, certain information is shared with the other party, including your name, email, and transaction-related communications.

4.2 With Service Providers

We share data only with the essential vendors that support specific platform functions. Each provider receives only the data needed to perform its function.

  • Stripe, Inc. — payment processing, fund custody, identity verification (KYC), card authentication, and money transmission. Stripe receives the data needed to verify your identity and execute fund movements.
  • Google LLC — OAuth sign-in (only if you choose to sign in with Google). Google receives only what is required to authenticate you.
  • Twilio Inc. — SMS verification and one-time passcode (OTP) delivery. Twilio receives your phone number and the OTP message to be delivered.
  • Anthropic, PBC — large-language-model inference for the Holdyn AI assistant and AI-assisted transaction drafting. Anthropic receives the conversational input and relevant transaction context for the duration of each AI request, subject to its own no-training, no-retention defaults for the API.
  • Amazon Web Services (AWS) — cloud hosting and S3 file storage for attachments, signatures, and contract PDFs.
  • Email service providers — transactional email delivery (account verification, notifications, dispute updates).
  • Sentry — error tracking and observability. Sentry receives error context including IP and request metadata; sensitive fields (passwords, tokens, secrets) are scrubbed before transmission.
  • OpenExchangeRates — foreign-exchange rate data for FX conversion display. OpenExchangeRates does not receive personal data.
  • Expo (Push Notification Service) — mobile push notification delivery for the Holdyn iOS and Android apps. Expo receives only your push token and the notification payload.

4.3 For Legal Reasons

We may disclose information if required by law, court order, or government request, or to protect our rights, property, or safety, or that of our users or others.

4.4 For Payments, Disputes, and Fraud Prevention

To process payments, resolve disputes, and prevent fraud and financial crime, we may share transaction and related information with Stripe, card networks, and the financial institutions involved in a payment — for example, to authenticate a card payment (3D Secure / SCA), to submit or respond to chargeback and dispute evidence, and to investigate or prevent fraudulent or unlawful activity. We may also share information with financial institutions and authorities where required to meet anti-money-laundering and other legal obligations.

5. Data Security

We implement robust security measures to protect your data:

  • Encryption: Data encrypted in transit (TLS/SSL) and at rest
  • Access Controls: Role-based access with authentication requirements
  • Password Security: Passwords are hashed using industry-standard algorithms
  • CSRF Protection: Token-based protection against cross-site request forgery
  • Rate Limiting: Protection against brute-force attacks
  • Regular Audits: Ongoing security assessments and updates
  • Secure Payments: Payment data handled by PCI-DSS compliant Stripe

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Retained while your account is active and for a reasonable period after deletion
  • Transaction Records: Retained for seven (7) years per applicable financial-services regulations and tax-compliance requirements
  • Transaction Event Log: Immutable audit record of every state change and money-movement event, retained for seven (7) years
  • Consent and Authorisation Records: Retained with the related transaction for seven (7) years, consistent with the Transaction Event Log, to evidence your authorisation and acceptance of terms
  • Communications: Retained for dispute resolution and legal purposes
  • Security Logs: Retained for up to 1 year for security analysis
  • Risk and Fraud Signals: Retained as needed for fraud prevention, security analysis, and financial-crime compliance
  • Guest Sessions: Magic-link guest sessions are pruned 30 days past their chain-expiry so abuse reports can still be investigated; the underlying transaction record is governed by the 7-year retention above
  • Webhook & Chargeback Records: Retained for at least 180 days to support chargeback evidence windows (covering the Visa/Mastercard dispute lifecycle); certain records are retained longer where required

7. Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Portability: Receive your data in a portable format
  • Opt-Out: Unsubscribe from marketing communications
  • Notification Preferences: Control in-app, email, and SMS notification settings in your profile
  • Disconnect Services: Unlink Google account or Stripe from your profile
  • Automated Decisions: Request human review of, express your view on, or contest a decision made by automated processing (see Section 12)

To exercise these rights, contact us through the Support section in your dashboard or email support@holdyn.io.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your own. These countries may have different data protection laws. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required.

9. Children's Privacy

Holdyn is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected data from a child under 18, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us immediately.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information held by businesses
  • Right to opt-out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your CCPA rights

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation:

  • Right to access, rectify, or erase your personal data
  • Right to restrict or object to processing
  • Right to data portability
  • Right to withdraw consent at any time
  • Rights in relation to automated decision-making and profiling (see Section 12)
  • Right to lodge a complaint with a supervisory authority

Our legal bases for processing include: contract performance, legitimate interests (including fraud prevention, security, and risk management), compliance with legal obligations (including KYC/AML and financial-crime prevention), and consent.

12. Automated Decision-Making and Profiling

To keep the platform secure and to meet our legal obligations, Holdyn uses automated processing — including risk scoring and fraud-detection signals — as part of how we operate. This processing helps us:

  • assess the risk of transactions, funding, and withdrawals;
  • detect and prevent fraud, abuse, money laundering, and other financial crime;
  • decide whether to flag a transaction for review (for example, placing it “In Review”), apply a hold or clearing period, limit a funding method or amount, or decline or restrict a transaction, top-up, or withdrawal.

These decisions may rely on signals such as your account and profile information, KYC/AML declarations, transaction patterns and history, funding method, velocity of activity, device information, and IP address. Card payments may also involve authentication by your card issuer (3D Secure / SCA), handled through Stripe.

We do not publish the detailed logic of our risk and fraud systems, as doing so would undermine their effectiveness. Where automated processing produces a legal or similarly significant effect for you, you have the right to request human review of the decision, to express your point of view, and to contest the outcome. If you are in the EEA or UK, these rights are provided under Article 22 of the GDPR and equivalent UK law. To exercise them, contact us through the Support section or at support@holdyn.io.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification. We encourage you to review this policy periodically.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Through the Support Tickets section in your dashboard
  • Via our Contact page at holdyn.io/contact
  • By email at support@holdyn.io

We will respond to your inquiry within 30 days.

By using Holdyn, you acknowledge that you have read and understood this Privacy Policy. Your privacy is important to us, and we are committed to protecting your personal information while providing you with a secure payment protection platform where funds are held safely until the agreed transaction conditions have been satisfied.

Holdyn Inc. is a Delaware corporation and operates in accordance with applicable U.S. federal and state laws and regulations. Holdyn Inc is a payment facilitation platform with dispute resolution. Funds held by Stripe.