Privacy Policy
How we collect, use, and protect your information
Last updated: May 11, 2026
Holdyn ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure payment protection platform. Funds are held safely by Stripe until the agreed transaction conditions have been satisfied. Please read this policy carefully. By using Holdyn, you consent to the data practices described in this policy.
Important Disclosure
Holdyn Inc, a Delaware corporation, is a Payment Facilitation Platform. Holdyn provides technology that facilitates payment transactions between parties and offers dispute resolution services. All funds are held by Stripe, Inc., a licensed money transmitter and payment processor regulated by applicable financial authorities.
Holdyn does not hold or custody user funds. Holdyn administers payment transactions and facilitates dispute resolution. By using our platform, you authorize Holdyn to administer the dispute resolution process and to direct Stripe to execute fund distribution according to the outcome of the resolution path chosen by the parties — direct settlement, Holdyn-facilitated mediation, or external arbitration. Stripe charges processing fees for payment services, in accordance with their Terms of Service.
Disclaimer: Holdyn does not provide legal, tax, or financial advice. Users should consult qualified professionals for advice specific to their circumstances.
1. Information We Collect
We collect information in several ways:
1.1 Information You Provide Directly
- Account Information: First name, middle name, last name, email address, password
- Contact Information: Phone number, mailing address (street, city, state, postal code, country)
- Identity Verification: Date of birth, government ID information (for KYC compliance)
- Business Information: Business type (individual or company)
- Profile Data: Profile picture, e-signature
- Transaction Data: Transaction details, milestones, custom terms, attachments
- Communications: Messages between users, support tickets, feedback
1.2 Information from Third-Party Services
- Google Sign-In: If you sign in with Google, we receive your Google account email, name, and profile picture
- Stripe: Payment processing information, bank account verification status, payout details
1.3 Information Collected Automatically
- Device Information: IP address, browser type, operating system
- Usage Data: Pages visited, features used, timestamps, referring URLs
- Location Data: General location based on IP address
2. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our platform:
- Essential Cookies: Required for platform functionality, including:
  - Authentication tokens (to keep you logged in)
  - CSRF tokens (to protect against cross-site request forgery attacks)
  - Session management
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how users interact with our platform
You can control cookies through your browser settings, but disabling essential cookies may prevent you from using certain features of our platform.
3. How We Use Your Information
We use your information for the following purposes:
- Service Delivery: Process transactions, manage payment protection, facilitate payments
- Account Management: Create and maintain your account, verify your identity
- Communications: Send notifications about transaction updates, milestones, and deadlines
- Notifications: Deliver in-app notifications, emails, and SMS messages based on your preferences
- AI Assistant: Provide personalized help through our Holdyn AI feature (your transaction data is used to generate contextual responses)
- Dispute Resolution: Review evidence and communications to resolve disputes fairly
- Security: Detect and prevent fraud, abuse, and security threats
- Legal Compliance: Comply with KYC/AML regulations and legal obligations
- Platform Improvement: Analyze usage patterns to improve our services
- Customer Support: Respond to your questions and resolve issues
4. Information Sharing and Disclosure
We do not sell your personal information. We may share your data in the following circumstances:
4.1 With Other Users
When you enter into a transaction, certain information is shared with the other party, including your name, email, and transaction-related communications.
4.2 With Service Providers
We share data only with the essential vendors that support specific platform functions. Each provider receives only the data needed to perform its function.
- Stripe, Inc. — payment processing, fund custody, identity verification (KYC), and money transmission. Stripe receives the data needed to verify your identity and execute fund movements.
- Google LLC — OAuth sign-in (only if you choose to sign in with Google). Google receives only what is required to authenticate you.
- Twilio Inc. — SMS verification and one-time passcode (OTP) delivery. Twilio receives your phone number and the OTP message to be delivered.
- Anthropic, PBC — large-language-model inference for the Holdyn AI assistant and AI-assisted transaction drafting. Anthropic receives the conversational input and relevant transaction context for the duration of each AI request, subject to its own no-training, no-retention defaults for the API.
- Amazon Web Services (AWS) — cloud hosting and S3 file storage for attachments, signatures, and contract PDFs.
- Email service providers — transactional email delivery (account verification, notifications, dispute updates).
- Sentry — error tracking and observability. Sentry receives error context including IP and request metadata; sensitive fields (passwords, tokens, secrets) are scrubbed before transmission.
- OpenExchangeRates — foreign-exchange rate data for FX conversion display. OpenExchangeRates does not receive personal data.
- Expo (Push Notification Service) — mobile push notification delivery for the Holdyn iOS and Android apps. Expo receives only your push token and the notification payload.
4.3 For Legal Reasons
We may disclose information if required by law, court order, or government request, or to protect our rights, property, or safety, or that of our users or others.
5. Data Security
We implement robust security measures to protect your data:
- Encryption: Data encrypted in transit (TLS/SSL) and at rest
- Access Controls: Role-based access with authentication requirements
- Password Security: Passwords are hashed using industry-standard algorithms
- CSRF Protection: Token-based protection against cross-site request forgery
- Rate Limiting: Protection against brute-force attacks
- Regular Audits: Ongoing security assessments and updates
- Secure Payments: Payment data handled by PCI-DSS compliant Stripe
While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your data for as long as necessary to provide our services and comply with legal obligations:
- Account Data: Retained while your account is active and for a reasonable period after deletion
- Transaction Records: Retained for seven (7) years per applicable financial-services regulations and tax-compliance requirements
- Transaction Event Log: Immutable audit record of every state change and money-movement event, retained for seven (7) years
- Communications: Retained for dispute resolution and legal purposes
- Security Logs: Retained for up to 1 year for security analysis
- Guest Sessions: Magic-link guest sessions are pruned 30 days past their chain-expiry so abuse reports can still be investigated; the underlying transaction record is governed by the 7-year retention above
- Webhook & Chargeback Records: Retained for at least 180 days to support chargeback evidence windows (covering the Visa/Mastercard dispute lifecycle); certain records are retained longer where required
7. Your Rights and Choices
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Portability: Receive your data in a portable format
- Opt-Out: Unsubscribe from marketing communications
- Notification Preferences: Control in-app, email, and SMS notification settings in your profile
- Disconnect Services: Unlink Google account or Stripe from your profile
To exercise these rights, contact us through the Support section in your dashboard or email support@holdyn.io.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your own. These countries may have different data protection laws. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required.
9. Children's Privacy
Holdyn is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected data from a child under 18, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us immediately.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information held by businesses
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your CCPA rights
11. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation:
- Right to access, rectify, or erase your personal data
- Right to restrict or object to processing
- Right to data portability
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
Our legal bases for processing include: contract performance, legitimate interests, legal obligations, and consent.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification. We encourage you to review this policy periodically.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Through the Support Tickets section in your dashboard
- Via our Contact page at holdyn.io/contact
- By email at support@holdyn.io
We will respond to your inquiry within 30 days.
By using Holdyn, you acknowledge that you have read and understood this Privacy Policy. Your privacy is important to us, and we are committed to protecting your personal information while providing you with a secure payment protection platform where funds are held safely until the agreed transaction conditions have been satisfied.