
Are Digital Deposits Legal?

Legal framework for digital deposits in France and Europe: consent, customer disclosure, GDPR compliance, and best legal practices.

Holdyy Team
5 min

The question comes up regularly from property owners and managers considering digitizing their deposit management: is a deposit via card pre-authorization legal? The answer is yes. But like any process involving personal and financial data, it operates within a specific legal framework that must be respected.

Here is what the law says, what you need to know, and how Holdyy keeps you compliant effortlessly.


What Does the Legal Framework Say in France and Europe?

Pre-authorization is a recognized mechanism governed by European payment services regulations. It is based on the Payment Services Directive 2 (PSD2), which has regulated all electronic transactions within the European Union since its transposition in 2018.

In France, the rental deposit, whether physical or digital, is governed by the Civil Code and lease-related provisions. The law does not impose any specific format for security deposits in vacation rentals. A check, a bank transfer, or a pre-authorization on the card networks (Visa, Mastercard) are all legally valid means to secure a deposit. The choice of method falls under the freedom of contract between the professional and their client.

Pre-authorization is a payment instrument recognized by European regulations. It offers the same legal guarantees as a deposit check, with superior traceability.


Is Customer Consent Mandatory?

The central point of a digital deposit's legality is informed customer consent. Before any pre-authorization, the tenant must be explicitly informed of:

  • The exact amount reserved on their card
  • The duration for which the pre-authorization remains active
  • The capture conditions: under what circumstances the amount may be charged
  • The release conditions: when and how the pre-authorization will be lifted

This consent does not require a handwritten signature. Digital acceptance, the act of entering card information after reading the terms, constitutes valid consent under both French and European law.

Is a Signature Required?

No. Under French law, a signature is not required to validate a deposit for vacation rentals. Voluntarily entering card details on a secure form, after acknowledging the displayed conditions, constitutes acceptance. This logic is identical to any online purchase, where entering payment information seals the contract. The European eIDAS regulation also recognizes electronic acceptance as legally equivalent to a paper signature. In practice, the professional therefore keeps no paper records, which eliminates lost checks and disputes over the authenticity of a handwritten signature.


Is a Digital Deposit GDPR Compliant?

Any digital deposit involves processing personal data: name, email, payment information. The General Data Protection Regulation (GDPR) imposes strict obligations.

  • Legal basis: the processing is based on the performance of a contract (the reservation) and the explicit consent of the customer
  • Data minimization: only the data strictly necessary for the pre-authorization is collected
  • Right of access and deletion: the tenant can request access to their data or its deletion at any time
  • Retention period: data is only kept for the time necessary to manage the deposit and meet legal retention requirements

GDPR does not prohibit digital deposits. It simply requires that data processing is transparent, proportionate, and secure.


How Is Card Data Secured?

Card data is the most sensitive information in the deposit process. That is why Holdyy never handles it directly. All card data processing is delegated to Stripe, certified PCI-DSS Level 1: the highest security level in the payment industry.

In practice, this means:

  • Card numbers never pass through Holdyy servers
  • Every transaction is protected by AES-256 encryption and the 3D Secure 2 protocol, which adds the strong customer authentication required by PSD2
  • Independent security audits are regularly conducted on Stripe infrastructure
  • AI-powered fraud detection (Stripe Radar) blocks suspicious transactions in real time

PCI-DSS Level 1 is the standard applied to operators handling more than six million transactions per year. By delegating this processing to Stripe, the professional steps out of almost the entire PCI compliance scope that would otherwise fall on them.


What Are the Legal Best Practices to Follow?

To ensure flawless compliance, we recommend the following practices:

  • Display your terms clearly: the amount, duration, and capture conditions must be visible before validation
  • Maintain written proof: every pre-authorization should be documented with a timestamp and the accepted conditions
  • Communicate transparently: inform the tenant at every step (creation, authorization, release, or capture)
  • Justify every capture: in case of damage, document the evidence (photos, inspection report) before capturing the amount
  • Respect timelines: release the pre-authorization as soon as the checkout inspection is complete

How Holdyy Ensures Compliance by Design

Holdyy was built so that legal compliance is integrated into every step of the process, with no additional effort on your part.

  • Terms automatically displayed: every deposit link presents the amount, duration, and conditions to the tenant before any validation
  • Consent tracked: the tenant's acceptance is timestamped and recorded in an immutable audit log
  • No card data stored: Stripe handles all card data processing
  • Complete history: every operation (creation, authorization, capture, release) is documented with date, time, and details
  • Automatic notifications: the tenant is notified at every status change of their deposit

Compliance is not optional. It is a requirement built into the very architecture of Holdyy.

Set up your Holdyy account and manage your deposits in full legal compliance, without compromising on simplicity.