Privacy Policy
Last updated: 15 April 2026
Holdy — a product of WebInstal
c/o Groenvelderweg 16, 1746EE Dirkshorn, Netherlands
Chamber of Commerce (KvK): 78581672 · VAT (BTW): NL003349213B03
Data Protection Contact: privacy@getholdy.com
1. Introduction
This Privacy Policy explains how Holdy ("we", "us", "our"), a product of WebInstal, collects, uses, stores, and protects your personal data when you use our platform at app.getholdy.com and www.getholdy.com (the "Platform").
We process personal data in accordance with the General Data Protection Regulation (GDPR/AVG), the Dutch GDPR Implementation Act (UAVG), and the UK GDPR where applicable.
2. What Data We Collect
2.1 Data you provide directly
- Account data: Full name, email address, password (hashed)
- Transaction data: Deal titles, descriptions, deliverables, amounts, delivery notes, uploaded files
- Dispute data: Dispute reasons, descriptions, evidence files
- Review data: Ratings, comments
- Communication data: Support emails, dispute correspondence
2.2 Data collected automatically
- Technical data: IP address, browser type, device type, operating system
- Usage data: Pages visited, actions taken, timestamps
- Cookies: Authentication session cookies (essential, no tracking cookies)
2.3 Data from third parties
- Stripe: Payment status, Stripe account ID, KYC verification status (we do not receive or store payment card details)
3. Why We Process Your Data (Legal Basis)
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b) GDPR) |
| Processing transactions and disputes | Contract performance (Art. 6(1)(b) GDPR) |
| Sending transactional emails (payment, delivery, disputes) | Contract performance (Art. 6(1)(b) GDPR) |
| Fraud prevention and platform security | Legitimate interest (Art. 6(1)(f) GDPR) |
| Legal compliance (AML/Wwft, tax) | Legal obligation (Art. 6(1)(c) GDPR) |
| Displaying public profiles and reviews | Legitimate interest (Art. 6(1)(f) GDPR) |
4. Data Sharing
We share personal data only with the following parties, and only to the extent necessary:
4.1 Sub-processors
| Service | Provider | Purpose | Location |
|---|---|---|---|
| Payment processing | Stripe | Payments, KYC, payouts | Ireland/US |
| Database & auth | Supabase | Data storage, authentication | EU (AWS Frankfurt) |
| Email delivery | Resend | Transactional emails | US |
| Hosting | Vercel | Website hosting, serverless functions | EU/US |
Data Processing Agreements (DPAs) are in place with all sub-processors. Where data is transferred outside the EU/EEA, appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
4.2 Other parties
- Transaction counterparties: Your display name, trust profile, and reviews are visible to other users.
- Law enforcement: If required by law or court order.
We do not sell personal data to third parties. We do not use personal data for advertising or profiling.
5. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion + 30 days |
| Transaction data | 7 years (Dutch tax law, Art. 52 AWR) |
| Dispute evidence & activity logs | 7 years |
| Uploaded files (deliveries, evidence) | 1 year after transaction completion |
| Reviews | Until account deletion |
| Technical/usage data | 90 days |
6. Your Rights
Under the GDPR, you have the following rights:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate personal data
- Erasure — Request deletion of your personal data ("right to be forgotten")
- Restriction — Restrict how we process your data
- Portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing based on legitimate interest
To exercise your rights, email privacy@getholdy.com. We will respond within 30 days.
You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
7. Cookies
Holdy uses only essential cookies required for the platform to function:
- Authentication session cookie — Keeps you logged in (set by Supabase)
We do not use analytics cookies, tracking cookies, or advertising cookies. No cookie consent banner is required for essential cookies under the ePrivacy Directive.
8. Security
We implement appropriate technical and organizational measures to protect your data:
- All data is transmitted over HTTPS (TLS encryption)
- Passwords hashed with bcrypt (via Supabase Auth)
- Row-Level Security (RLS) on all database tables
- Delivery files hashed with SHA-256 for integrity verification
- Rate limiting on all API endpoints
- Security headers (CSP, X-Frame-Options, etc.)
- Stripe PCI-DSS compliance for payment data
9. International Transfers
Some of our sub-processors are located in the United States. Where personal data is transferred outside the EU/EEA, we rely on:
- EU-US Data Privacy Framework (Stripe, Vercel)
- Standard Contractual Clauses (Resend)
10. Children
Holdy is not intended for users under 18 years of age. We do not knowingly collect data from minors.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect.
12. Contact
For privacy-related questions or to exercise your rights:
- Email: privacy@getholdy.com
- Post: WebInstal, c/o Groenvelderweg 16, 1746EE Dirkshorn, Netherlands