Privacy Policy
Last updated: 3 May 2026 · Version 3.0
Holdy, a product of WebInstal
Registered office: Groenvelderweg 16, 1746 EE Dirkshorn, The Netherlands
Chamber of Commerce (KvK): 78581672 · VAT: NL003349213B03
Privacy & data protection: privacy@getholdy.com
Data Subject Request portal: in-product "Privacy" settings or by email
Plain-language summary. We collect the minimum we need to run Holdy and keep you safe: your account details, the transactions you create, evidence you upload in disputes, and technical logs. We never sell your data. We keep transaction records for as long as tax and anti-money-laundering law requires (7 years, and up to 10 years where a longer statutory period applies, such as OSS-reported transactions), and we delete the rest when we no longer need it. You have the right to see, correct, or delete your data. Contact us at privacy@getholdy.com. This summary is for convenience; the binding text is below.
1. About this Policy
1.1. This Privacy Policy explains how WebInstal, trading as Holdy ("Holdy", "we", "us", "our"), registered in the Netherlands under Chamber of Commerce number 78581672, collects, uses, stores, shares, and protects your personal data in connection with the Services at www.getholdy.com, app.getholdy.com, and related apps and APIs.
1.2. Holdy is the controller of your personal data for most processing activities described below. Where we act as a processor (for example, when you submit Content for a specific counterparty), we do so on your instructions.
1.3. This Policy should be read together with our Terms of Service, which define capitalised terms used here ("Services", "Platform", "User", "Buyer", "Seller", "Deal", "Content", "Payment Processor", etc.).
1.4. This Policy is provided in English. Translations may be made available for convenience; the English version prevails in the event of conflict, except where mandatory local law requires the local-language version to prevail.
1.5. Business-only Service. Holdy is currently offered to Business Users only (see Clause 5.2 of the Terms). However, the personal data of individuals associated with a Business User — founders, employees, sole traders, beneficial owners — remains personal data under the GDPR and UK GDPR; the rights described in this Policy apply to those individuals in full.
2. The personal data we collect
2.1 Data you provide to us
- Account data: email address, password (hashed), display name, avatar.
- Profile data: optional biography, preferences, notification settings, language, time zone.
- User-status declaration: whether you use the Services as a Consumer or a Business User.
- Tax and identification data (Sellers; required by law, see Clause 5.4 of the Terms and Clause 6 of this Policy): first and last name, address, country of residence, date of birth, tax identification number (TIN) or equivalent, bank or financial account identifier, business registration number, VAT number. Collected and validated by our Payment Processor (Stripe); we receive a subset via API.
- Transaction data: Deal titles, descriptions, deliverables, amounts, currencies, categories, deadlines, delivery notes, uploaded delivery files, and metadata including SHA-256 hashes and timestamps.
- Dispute data: reason, category, written submissions, evidence files, hashes, and the outcome of our adjudication.
- Messaging and review data: chat messages between you and counterparties, attachments, ratings, and comments.
- Communication data: support emails, complaint correspondence, DSA notices and complaints you submit.
- Marketing preferences: if and how you have consented to receive marketing email.
2.2 Data we collect automatically
- Technical data: IP address, user-agent, device type, operating system, browser version, language, coarse geolocation derived from IP.
- Usage data: pages viewed, actions taken, timestamps, referrer, feature interactions.
- Security and audit logs: login attempts, password changes, suspicious activity signals, rate-limiter events.
- Cookies and similar technologies: see Clause 9.
2.3 Data from third parties
- Payment Processor (Stripe): payment status, Stripe account ID, KYC/KYB verification outcomes, billing address, tax IDs (validated against VIES for EU VAT), Stripe's fraud scores, and chargeback and payout information. We do not receive or store full payment card numbers; Stripe handles payment card data subject to PCI-DSS.
- OAuth providers (if used): email address and display name from providers you choose to sign in with.
- Public sanctions and PEP lists: we or our sub-processors screen User data against public sanctions and politically-exposed-persons lists under applicable law.
2.4 Sensitive personal data
We do not intentionally collect special-category data under Article 9 GDPR (e.g. health, religious, or political data) or similar categories under other laws. Please do not submit such data in Deal descriptions, messages, or evidence. If you do, we process it only on the basis of Article 9(2)(e) GDPR (data manifestly made public by you) or Article 9(2)(f) GDPR (establishment, exercise, or defence of legal claims).
2.5 AI-assisted features
Some features of the Services use third-party large language models to help with non-decisional tasks: (a) Deliverable suggestion — when you ask for help structuring your Deliverables list, your project brief (capped at 2,000 characters) is sent to Anthropic via OpenRouter and the suggested deliverables are returned. (b) Abuse-review pre-classification — when a rejection or upload is flagged as potentially abusive, the relevant text and metadata are sent to Anthropic via OpenRouter to pre-classify the signal for our human reviewer. The Anthropic / OpenRouter contracts include zero-data-retention terms; inputs and outputs are not used to train the providers' models. We rate-limit AI calls to 10 requests per hour per User. Logs of AI requests (input length, timestamp, decision-token count) are retained for 90 days for cost and abuse auditing. AI never makes final decisions affecting you; see Clause 4.
3. How we use your data, and why (legal bases)
| Purpose | Legal basis (EU/UK GDPR) |
|---|---|
| Create and operate your account; authenticate you; deliver the Services | Contract. Art. 6(1)(b) |
| Process Deals, payments, payouts, disputes, and refunds | Contract. Art. 6(1)(b) |
| Send transactional emails and in-product notifications | Contract. Art. 6(1)(b) |
| Generate and issue invoices and VAT records | Legal obligation. Art. 6(1)(c) |
| Anti-money-laundering, sanctions screening, counter-terrorist-financing checks (NL Wwft / AMLD6 / OFAC equivalents) | Legal obligation. Art. 6(1)(c) |
| Platform tax reporting under DAC7 (NL) and equivalent regimes | Legal obligation. Art. 6(1)(c) |
| Fraud prevention, platform security, rate limiting, abuse detection | Legitimate interests. Art. 6(1)(f) |
| Content moderation and notice-and-action under the Digital Services Act | Legal obligation. Art. 6(1)(c) and legitimate interests. Art. 6(1)(f) |
| Display your display name, avatar, trust metrics, and reviews to counterparties | Contract. Art. 6(1)(b) and legitimate interests. Art. 6(1)(f) |
| Respond to your support, DSA, or data-subject requests | Contract. Art. 6(1)(b) and legal obligation. Art. 6(1)(c) |
| Defend, exercise, or establish legal claims | Legitimate interests. Art. 6(1)(f) |
| Improve and develop the Services (aggregated analytics) | Legitimate interests. Art. 6(1)(f) |
| Send marketing email (if you have opted in) | Consent. Art. 6(1)(a) |
| Comply with court orders, subpoenas, and regulator requests | Legal obligation. Art. 6(1)(c) |
For processing based on legitimate interests, we have carried out a balancing test and can share the outcome on request.
4. Automated decision-making and profiling
4.1. We use automated systems to help operate the Platform, including: (a) fraud-score calculation to decide whether to hold a payout or require additional verification; (b) risk signals used to escalate disputes; (c) content filters that may hide or limit Content that looks abusive or illegal; (d) message-notification logic; and (e) AI-assisted pre-classification of abuse-review signals (see Clause 2.5).
4.2. We do not make solely automated decisions that produce legal or similarly significant effects on you (GDPR Article 22). Significant decisions affecting you — extended payout holds, abuse-review confirmations that remove or restore a strike, account suspensions, sanctions-related refusals, and any change to a Deal's outcome — are reviewed and signed off by a human Holdy team member before they take effect, even where AI assistance has been used to surface or pre-classify the signal. The rule-based outcome engine that decides Deal settlement and refunds (see Clause 10 of the Terms) is fully deterministic; no AI is involved in those decisions and they apply objective rules to recorded facts.
4.3. You have the right to: (a) request human review of automated decisions, (b) express your point of view, and (c) contest decisions by emailing privacy@getholdy.com.
5. Who we share your data with
5.1. We do not sell your personal data. We do not share or disclose personal data for cross-context behavioural advertising. We do not use your data for personalised advertising. California rights: see Clause 12.
5.2. We share personal data only as follows and only as necessary:
- Counterparties to your Deals: your display name, avatar, country, trust metrics, ratings and reviews, Deal messages and delivery Content are visible to the counterparty of a Deal (and, where relevant, to our administrators).
- Our sub-processors: see Clause 6.
- Our professional advisers: lawyers, accountants, auditors, under duty of confidentiality.
- Tax authorities: as required by DAC7 (NL Tax Authority annually), UK MRDP, OECD model rules, and equivalent regimes for Sellers above reportable thresholds.
- Law enforcement, courts, and regulators: when required by valid legal process or to protect our rights, users, or third parties against fraud or harm.
- Corporate transactions: in a merger, acquisition, reorganisation, or sale of assets, in which case the acquirer will be bound by this Policy or a materially similar policy.
6. Sub-processors
6.1. We engage the following sub-processors. A Data Processing Agreement (DPA) is in place with each.
| Provider | Purpose | Data location | Transfer mechanism (outside EEA) |
|---|---|---|---|
| Stripe Payments Europe, Ltd. / Stripe Payments UK, Ltd. / Stripe Payments Company | Payment processing, KYC/KYB, payouts, chargeback handling, fraud detection | Ireland / UK / US | EU–US Data Privacy Framework + SCCs |
| Supabase Inc. | Database, authentication, file storage | EU (AWS eu-central-1, Frankfurt) | EU residency; SCCs for ancillary US support |
| Vercel Inc. | Application hosting, edge network, log processing | Global edge; primary region EU | EU–US Data Privacy Framework + SCCs |
| Resend (Plus Five Five, Inc.) | Transactional email delivery | US | SCCs |
| Upstash, Inc. | Rate limiting, ephemeral cache | EU (default) | EU residency; SCCs where applicable |
| Telegram FZ-LLC | Internal operational alerts to our admin team (no user data beyond pseudonymous Deal IDs and amounts; no free-form user content) | UAE / DE | SCCs / derogation under Art. 49(1)(b) GDPR |
| Google LLC (Fonts only) | Web-font delivery | Global edge | EU–US Data Privacy Framework |
| OpenRouter (operated by OpenRouter, Inc., routing to Anthropic, PBC) | AI-assisted Deliverable suggestion and abuse-review pre-classification (see Clause 2.5). Inputs capped at 2,000 chars. Zero-data-retention contract; no model training on User input. | US | SCCs + DPA + Transfer Impact Assessment |
6.2. Updates to this list. We keep this list current and republish it when we add or change a sub-processor. Material changes (new sub-processor with broader access to personal data) are announced at least 14 days before they take effect.
7. International transfers of personal data
7.1. Our primary data storage is in the EU. However, some sub-processors (particularly Stripe, Vercel, Resend) process personal data in the United States or other countries outside the European Economic Area.
7.2. Safeguards. For transfers outside the EEA, we rely on one or more of the following:
- Adequacy decisions of the European Commission, including the EU–US Data Privacy Framework for certified US recipients.
- Standard Contractual Clauses (2021) with the recipient, supplemented by a Transfer Impact Assessment (TIA) per Schrems II.
- UK International Data Transfer Addendum or UK-approved equivalents for UK personal data.
- Specific derogations under Article 49 GDPR where necessary (e.g., performance of a contract in your interest).
7.3. You may request a copy of the relevant safeguards by emailing privacy@getholdy.com.
8. How long we keep your data
We retain personal data only as long as necessary for the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.
| Data category | Retention period | Reason |
|---|---|---|
| Account profile | Until account closure + 30 days | Account recovery window |
| Transaction records (Deal, invoice, credit note, payment, dispute, refund) | 7 years from Deal completion (10 years for OSS-reported transactions and any other category subject to a longer statutory retention) | NL tax law (Art. 52 AWR), Dutch commercial law, AMLD6, Wet OB OSS rules |
| AI-assisted feature logs (request length, timestamp, decision-token count; no full prompts retained) | 90 days | Cost monitoring and abuse auditing |
| KYC/KYB documentation (via Stripe; snapshots we retain) | 5 years after account closure or last transaction | NL Wwft, EU AMLD6 |
| Delivery files | 1 year after Deal completion | Dispute resolution window |
| Dispute evidence files | 3 years after resolution | Limitation periods; secondary disputes |
| Chat messages and attachments | 2 years after last message | Reasonable dispute / support reference |
| Reviews | Until the reviewed account is closed, then 30 days | Platform-trust integrity |
| Notifications (in-product) | Read: 90 days; unread: 180 days | Operational |
| Technical and security logs | 12 months | Incident investigation |
| Marketing consent records | 3 years after last contact | Proof of consent |
| Support correspondence | 2 years after resolution | Quality and escalation reference |
| DSA notices and internal-complaint records | 3 years | DSA Art. 17 statement-of-reasons and Art. 24 transparency-reporting obligations |
After retention periods expire, we delete or anonymise the relevant personal data. Where deletion is technically difficult (e.g., data in encrypted backups), we isolate the data until the backup is overwritten.
9. Cookies and similar technologies
9.1. We use the minimum cookies needed to run the Platform.
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| sb-access-token, sb-refresh-token | Keep you logged in | Session + refresh window | Strictly necessary |
| holdy_csrf | Cross-site request forgery protection | Session | Strictly necessary |
| holdy_prefs | Remember language and interface preferences | 12 months | Functional |
| __stripe_mid, __stripe_sid | Stripe fraud detection on checkout pages | Up to 12 months | Strictly necessary (payment security) |
| holdy_ref, holdy_ref_at | Affiliate referral attribution. Set only on top-level navigation (Sec-Fetch-Dest=document) so a third-party page cannot drop a referral cookie via an embedded image or script. Records the referral code and the timestamp when it was set so we can apply the affiliate's configured attribution window. | 90 days | Functional |
9.2. We do not use analytics, tracking, or advertising cookies on the Platform. No cookie consent banner is presented for strictly necessary and functional cookies. If this changes in future, we will obtain your prior consent where required by the ePrivacy Directive, national implementation, and equivalent laws.
9.3. Most browsers allow you to control cookies through their settings.
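The holdy_ref / holdy_ref_at rows above describe a technique worth seeing in code: a referral cookie that is only set when the browser reports a top-level navigation (Sec-Fetch-Dest: document), so an embedded image, script, or iframe on a third-party page cannot drop it, plus the later check that applies the affiliate's attribution window to the recorded timestamp. The following is an added illustration, not Holdy's own code. The function names, the `ref` query parameter, the affiliate-code format, and the cookie attributes (Secure, HttpOnly, SameSite=Lax) are assumptions for the example; the 90-day Max-Age matches the cookie table.

```javascript
// Added example (not Holdy's code): gate an affiliate referral cookie on
// Fetch Metadata so only a real top-level navigation can set it.
// Assumptions: query parameter "ref", code format CODE_RE, cookie attributes.

const NINETY_DAYS_S = 90 * 24 * 60 * 60;
const CODE_RE = /^[A-Za-z0-9_-]{4,32}$/; // assumed affiliate-code format

// Returns the Set-Cookie header values a request earns (possibly none).
// `req` is a minimal shape: { method, url, headers } with lowercase header names,
// as Node's http module presents them.
function referralCookieHeaders(req, now = new Date()) {
  // Only a top-level navigation carries Sec-Fetch-Dest: document. An <img>,
  // <script>, fetch() or <iframe> on another site sends "image", "script",
  // "empty" or "iframe", and clients without Fetch Metadata send nothing.
  // Both cases fail closed: no referral cookie.
  if (req.method !== 'GET') return [];
  if (req.headers['sec-fetch-dest'] !== 'document') return [];

  const url = new URL(req.url, 'https://app.getholdy.com');
  const code = url.searchParams.get('ref');
  if (!code || !CODE_RE.test(code)) return []; // reject malformed or injected values

  const attrs = `Max-Age=${NINETY_DAYS_S}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  return [
    `holdy_ref=${code}; ${attrs}`,
    `holdy_ref_at=${now.toISOString()}; ${attrs}`, // when the referral was recorded
  ];
}

// Parse a Cookie request header into a plain object.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// At signup, apply the affiliate's configured attribution window (days) to
// the timestamp recorded in holdy_ref_at. Returns the code that earns credit,
// or null when the cookie is missing, malformed, or outside the window.
function attributedReferral(cookieHeader, windowDays, now = new Date()) {
  const c = parseCookies(cookieHeader);
  if (!c.holdy_ref || !CODE_RE.test(c.holdy_ref)) return null;
  const setAt = Date.parse(c.holdy_ref_at);
  if (Number.isNaN(setAt)) return null;
  const ageMs = now.getTime() - setAt;
  if (ageMs < 0 || ageMs > windowDays * 86400 * 1000) return null; // future or expired
  return c.holdy_ref;
}

// Constructed requests: a genuine navigation versus an <img> embedded elsewhere.
const nav = { method: 'GET', url: '/?ref=partner42', headers: { 'sec-fetch-dest': 'document' } };
const img = { method: 'GET', url: '/?ref=partner42', headers: { 'sec-fetch-dest': 'image' } };
console.log(referralCookieHeaders(nav).length, referralCookieHeaders(img).length); // 2 0
```

The timestamp lives in its own cookie rather than being inferred from cookie expiry because the browser never tells the server when a cookie was set; storing it lets the server enforce a per-affiliate window that is shorter than the cookie's 90-day lifetime without re-issuing cookies.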
10. Your rights
10.1. Subject to applicable law, you have the following rights:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): ask us to delete your data, subject to our legal retention obligations.
- Right to restriction: ask us to limit how we use your data in specific situations.
- Right to data portability: receive your data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interests; we will stop unless we have compelling grounds to continue or need the data for legal claims.
- Right to withdraw consent: withdraw consent at any time for processing based on consent (this does not affect processing before withdrawal).
- Right to human review of automated decisions (see Clause 4).
- Right not to be discriminated against for exercising your rights.
10.2. How to exercise your rights. Use the in-product "Privacy" settings, or email privacy@getholdy.com. We may need to verify your identity before acting on a request. We will respond within 30 days (extendable by 2 months for complex requests, with notice).
10.3. Right to complain to a supervisory authority. You can complain to the data-protection authority in your country, including:
- Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
- UK: Information Commissioner's Office — ico.org.uk
- EU Member States: list at edpb.europa.eu
- California: California Privacy Protection Agency — cppa.ca.gov
- Canada: Office of the Privacy Commissioner — priv.gc.ca
- Quebec: Commission d'accès à l'information — cai.gouv.qc.ca
- Brazil: ANPD — gov.br/anpd
- Australia: OAIC — oaic.gov.au
11. European Economic Area, United Kingdom, and Switzerland
11.1. Holdy is established in the European Union (Netherlands). Under Article 27 GDPR, we are not required to appoint an EU representative; you can reach us directly at the contacts in this Policy.
11.2. UK representative (UK GDPR Article 27). Because Holdy is established in the Netherlands and offers the Services to individuals in the United Kingdom, UK GDPR requires us to designate a UK-based representative. Our UK Article 27 representative is: [UK Representative — name, address, and contact email to be inserted once appointed]. UK data subjects may contact our UK representative directly with any data-protection enquiry, in addition to the contact channels in Clause 23. UK GDPR rights mirror the EU GDPR rights described in this Policy. Complaints in the UK can be lodged with the Information Commissioner's Office (ICO) at ico.org.uk. Holdy is registered with the ICO and pays the annual data-protection fee under the UK Data Protection (Charges and Information) Regulations 2018.
11.2a. EEA → UK transfers. Personal data flowing from the EEA (including the Netherlands) to UK-based recipients (such as our UK representative) is covered by the European Commission's adequacy decision in respect of the United Kingdom (renewed 19 December 2025, sunset 27 December 2031); Standard Contractual Clauses are not required for that route.
11.3. Swiss FADP. For users in Switzerland, this Policy applies with equivalent rights under the Swiss Federal Act on Data Protection (FADP) revised 2023. Complaints: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch.
12. California residents (CCPA / CPRA)
12.1. If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you specific rights. In the preceding 12 months we collected the categories of personal information described in Clause 2 for the purposes described in Clause 3, disclosed them to the recipients in Clauses 5–6, and retained them for the periods in Clause 8.
12.2. Your California rights are:
- Right to know what personal information we collect, use, disclose, and retain.
- Right to correct inaccurate personal information.
- Right to delete personal information, with statutory exceptions (fraud prevention, legal obligations, etc.).
- Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising. Nothing to opt out of today; if we ever do, we will provide a "Do Not Sell or Share My Personal Information" link.
- Right to limit use of sensitive personal information. We use sensitive PI (e.g., government-issued IDs collected by Stripe for KYC) only for the limited purposes permitted by CPRA, namely providing the Services, fraud prevention, and legal compliance.
- Right to non-discrimination for exercising your rights.
- Right to designate an authorised agent to make requests on your behalf.
12.3. Submit requests via privacy@getholdy.com. We will verify your request consistent with CCPA regulations and respond within 45 days.
12.4. "Shine the Light" (Cal. Civ. Code § 1798.83). We do not disclose personal information to third parties for their direct marketing purposes.
13. Brazil (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) applies. You have rights that are functionally equivalent to those in Clause 10 (confirmation of processing, access, correction, anonymisation/deletion, portability, information on data sharing, consent withdrawal, objection, and review of automated decisions). Our representative for LGPD purposes is the Privacy Officer at privacy@getholdy.com. You may lodge a complaint with ANPD.
14. Canada (PIPEDA and Quebec Law 25)
14.1. If you are in Canada, PIPEDA applies to our processing in the course of commercial activities. You have the right to access and correct your personal information and to withdraw consent.
14.2. Quebec Law 25. If you are resident in Quebec, An Act to modernize legislative provisions as regards the protection of personal information applies. You additionally have the right to be informed of automated decision-making, the right to data portability (since 22 September 2024), and the right to receive information in French.
14.3. Our privacy officer for Canadian purposes: privacy@getholdy.com.
15. Australia (Privacy Act 1988)
If you are in Australia, the Australian Privacy Principles (APPs) and 2024–2025 amendments to the Privacy Act apply, including the new statutory tort for serious invasions of privacy. You have rights of access and correction. Complaints may be made to the Office of the Australian Information Commissioner.
16. Other jurisdictions
For users in other countries (including Japan APPI, Singapore PDPA, South Africa POPIA, and similar regimes), we comply with applicable local data-protection laws. Please contact privacy@getholdy.com for specific information about how local law applies to your data.
17. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- all data transmitted over HTTPS/TLS with modern cipher suites;
- encryption at rest of managed databases and object storage;
- passwords hashed with industry-standard algorithms (via our auth provider);
- row-level security policies on all database tables;
- SHA-256 hashing of delivery and evidence files for integrity verification;
- rate limiting, bot detection, and abuse monitoring on API endpoints;
- security headers (CSP, X-Frame-Options, HSTS);
- principle-of-least-privilege access controls for staff, with MFA;
- periodic security reviews and incident-response procedures;
- contractual security commitments from our sub-processors, including Stripe's PCI-DSS Level 1 certification.
18. Data breach notification
18.1. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware, as required by Article 33 GDPR and equivalent laws.
18.2. Where a breach is likely to result in a high risk to you, we will notify you directly without undue delay, with information about the nature of the breach, likely consequences, and steps you can take to protect yourself.
18.3. We maintain a breach register as required by Article 33(5) GDPR and equivalent laws.
19. Children
19.1. The Services are not intended for children under 18. We do not knowingly collect personal data from children under 13 (or the minimum age for digital consent in your country). If you believe we have inadvertently collected data from a child under 13, contact privacy@getholdy.com and we will delete it promptly.
19.2. This provision is provided for compliance with the US Children's Online Privacy Protection Act (COPPA), GDPR Article 8 (age of digital consent, 13–16 depending on Member State), the UK Age-Appropriate Design Code, and equivalent laws.
20. Direct marketing
20.1. We send transactional emails (Deal notifications, invoices, account security) as part of providing the Services; you cannot unsubscribe from these while you have an account.
20.2. We send marketing email only with your prior consent. You can withdraw consent at any time via the unsubscribe link in any marketing email or in your notification settings, without affecting the lawfulness of processing before withdrawal.
21. Links to other services
The Platform may contain links to third-party services (including Stripe's own pages, network partners, and our sub-processors). Those services have their own privacy policies. We are not responsible for their practices; please review their policies separately.
22. Changes to this Policy
22.1. We may update this Policy. Material changes (expansion of purposes, new categories of data, new recipients, reduction of your rights, changes to retention) take effect at least 30 days after we notify you by email and in-product notification. Non-material changes (clarifications, corrections, formatting) take effect on posting.
22.2. The "Last updated" date at the top of this Policy shows when it was most recently revised. Prior versions are archived and available on request.
23. Contact us
- Privacy and data subject requests: privacy@getholdy.com
- General support: support@getholdy.com
- Legal notices: legal@getholdy.com
- DSA notices: dsa@getholdy.com
- Registered office: WebInstal, Groenvelderweg 16, 1746 EE Dirkshorn, The Netherlands
Version history
- v3.0. 3 May 2026. B2B-only pivot — added Clause 1.5 noting the Service is offered to Business Users only while preserving full GDPR/UK GDPR rights for individuals associated with a Business User. Added Clause 2.5 disclosing AI-assisted features (Anthropic via OpenRouter, 2k char input cap, 10/hr per-user rate limit, 90-day log retention, zero-data-retention provider contracts). Strengthened Clause 4 to make explicit that AI never makes final decisions affecting users — every significant outcome is human-reviewed (Article 22 GDPR). Added OpenRouter to the sub-processor table (Clause 6) with SCCs + DPA + TIA. Bumped transaction-record retention from 7 to 10 years for OSS-reported transactions and added an AI-log retention row (Clause 8). Added the holdy_ref / holdy_ref_at affiliate cookies to the cookie table (Clause 9) with the Sec-Fetch-Dest top-level-navigation safeguard. Restated UK Article 27 representative obligation and added EU→UK adequacy decision reference (Clause 11.2 / 11.2a).
- v2.0. 18 April 2026. Full rewrite: international coverage (CCPA/CPRA, LGPD, PIPEDA, Quebec Law 25, Swiss FADP, Australia Privacy Act, ePrivacy, UK GDPR), expanded sub-processor list (Stripe, Supabase, Vercel, Resend, Upstash, Telegram, Google Fonts) with transfer mechanisms, detailed retention schedule aligned to Wwft/AMLD6/NL tax law, legal bases table, automated decision-making disclosure, data breach notification process, California-specific rights, cookie table.
- v1.0. 15 April 2026. Initial GDPR-focused policy.