Data Protection (GDPR & nFADP)

Last updated: February 22, 2026

1. Our Commitment

Holdyy is committed to full compliance with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP, effective September 1, 2023). We implement technical and organizational measures to ensure data security, Privacy by Design and Privacy by Default, and respect for data subject rights.

2. Data Subject Rights

Under the GDPR (Art. 15-22) and the nFADP (Art. 25-29), you have the right to: access your personal data, rectify inaccurate data, request erasure ('right to be forgotten'), restrict processing, receive your data in a portable format (JSON/CSV), object to processing, and not be subject to automated decision-making. To exercise these rights, contact hello@holdyy.app. We respond within 30 days.

3. Data Processing Activities

Account Management: name, email, business information — legal basis: contract performance. Deposit Processing: client names, emails, transaction records — legal basis: contract performance, overriding legitimate interest. Billing: subscription data, payment events — legal basis: contract performance, legal obligation (CO Art. 958f). Security Logs: audit trails, authentication events — legal basis: overriding legitimate interest, legal obligation.

4. Sub-Processors and International Transfers

Stripe (payment processing): USA/EU, PCI-DSS certified, Standard Contractual Clauses (SCCs). Clerk (authentication): USA/EU, SOC 2 Type II, SCCs. Resend (email delivery): USA, SCCs. Neon (database hosting): EU (Frankfurt), GDPR-compliant. Transfers to the USA rely on EU Commission SCCs and the Swiss Federal Council's adequacy assessment. All sub-processors are contractually bound to GDPR and nFADP compliance.

5. Data Breach Notification

In the event of a data breach affecting your personal data, we will notify the FDPIC (Switzerland) and the competent supervisory authorities in the EU/EEA within 72 hours (Art. 33 GDPR, Art. 24 nFADP). Affected individuals will be informed without undue delay if the breach is likely to result in a high risk to their rights.

6. Data Protection Advisor

For data protection inquiries, contact our advisor at hello@holdyy.app. You have the right to lodge a complaint with the supervisory authority of your country (CNIL in France, BfDI in Germany, ICO in the UK, etc.).

7. How to Exercise Your Rights

To exercise your rights, send a request to hello@holdyy.app with the subject "Data Protection Request". Include your account email and specify which rights you wish to exercise. We will verify your identity and respond within 30 days. There is no fee for requests unless they are manifestly unfounded or excessive.