Privacy Policy

Posted on March 16, 2018 and updated on September 26, 2019

This Privacy Policy sets out the basis on which we protect the privacy of your communications and collect, process, use and store your Personal Data through your interaction with HOLD Platform Limited (HOLD/we/us/our). Please read it carefully, along with our Cookie Policy and Terms and Conditions.

If you have any questions, please contact us at support@hold.io.

About HOLD

HOLD is bound by the General Data Protection Regulation (Regulation EU 2016/679) and the Maltese Data Protection Act (Chapter 586 of the Laws of Malta). We protect your personal information and respect your privacy in accordance with best business practices and applicable laws at all times.

For the purposes of the Data Protection Regulation, the data controller is Hold Platform Limited of Level G, (Office 1/1005) Quantum House, 75 Abate Rigord Street, Ta' Xbiex, Malta with company registration number C85377.

Proposition

HOLD allows you to manage your funds of both state issued currencies (‘fiat currencies’) and digital assets (‘crypto currencies’). And allows you to spend your funds online and in-store with the HOLD card. This functionality is made available through the HOLD Mobile App (‘HOLD App/app’), once you have a user account.

HOLD also offers a website (the ‘Website’) at https://hold.io/ and https://hold.io/. The Website provides additional information about HOLD and our products and will enable its visitors to either subscribe to email updates about the new Mobile App (prior to launch) or download the new Mobile App (post launch).

Collected data

Only necessary data for our data usage is collected, which is:

• Data you provide us with – name; date of birth; place of birth; phone number; source of wealth; occupation; source of funds; reason for acquiring; selling and investing in cryptocurrencies; political exposure; nationality; country of residence; resident address; proof of your identification; proof of your residence; email address; bank details; cryptocurrency wallet addresses;
• Data we collect when you use the Website and the Mobile App – your device IDs, your IP address, geographical location, information about your visit and how you interact with us;
• Data we receive from third parties – We may process additional personal data on you, which we receive from our partner service providers, such as advertising networks, search engine providers, analytics and social networking sites, in order to help us understand visitor behaviour patterns, which we use to help us improve our services and platforms;
• Any other personally identifiable information directly provided by you during interaction with our social media channels.
  (the ’Personal Data’)

Data usage and processing

Personal Data is processed by us pursuant to Article 6(1)(b) of the GDPR (‘Performance of Contract’) for the following purposes:

• Administration and development of the Website and the Mobile App;
• Enhancement of user experience, including the provision of personalized services available on the Website and the Mobile App and improvement of the Website and Mobile App;
• Development of new products, utilities and offerings;
• Detection, investigation and prevention of fraudulent transactions and other illegal activities and protection of your rights and rights of HOLD;
• Collection, processing and performing statistical and other research and analysis of information for enhancement of the Website and Mobile App;
• Verifying compliance with the Terms and Conditions of the Website and the Mobile App.

We may process Personal Data only with your lawful consent for the following purposes:

• Commercial communication, marketing and advertising of our services or third-party services via SMS, telephone, email, internet, fax, mail, social media and/or any other appropriate communication channels;
• Personalised market research and/or analysis purposes to better understand your needs, preferences, interests, experiences and/or habits as a consumer.

You have the right to withdraw your consent at any time by writing to support@hold.io. Withdrawal of your consent does not affect the lawfulness of the treatment of your data prior to its revocation. Your consent is also revoked in the same manner as provided.

Data Sharing

We share your personal data with third party service providers who are entrusted to perform certain data processing activities on our behalf. Whenever we engage our service providers, we do our utmost to ensure that these process your data in compliance with all data protection laws, and in a secure and confidential manner, following the best business practice standards.

We currently use the following service providers:

MailChimp

We use MailChimp to manage our marketing communications. Once you sign up for updates, they will hold your email address for this stated purpose alone.

Their privacy policy is available here.

SendGrid

We use SendGrid to send transactional and marketing emails. Once you sign up in our platform, they will hold your email address for this stated purpose alone.

Their privacy policy is available here.

Google Firebase

We use Google Firebase to send transactional and marketing push notifications. Once you interact with our apps, they will hold your device data for this stated purpose alone.

Their privacy policy is available here.

SurveyMonkey

We use SurveyMonkey to build our user surveys. Once you answer one of our surveys, they will hold your email address and your replies for this stated purpose alone.

Their privacy policy is available here.

Onfido

We use Onfido services to perform the required identity verification. Once you proceed with an identity verification process, Onfido will hold the shared documents and information for this stated purpose alone.

Their privacy policy is available here.

Segment

We use Segments services to capture user behaviour across the HOLD Website and Mobile App in order that HOLD can provide a better customer experience. This user behaviour data is then access via Mixpanel and other tools to analyse the data. Once you use the Website and Mobile App, Segment will track your usage for this stated purpose alone.

Their privacy policy is available here.

Mixpanel

We use Mixpanel services to analyse and manage users in order to improve the user experience. Once you use the Website or Mobile App, Mixpanel will receive your user behaviour data for this stated purpose alone.

Their privacy policy is available here.

IBAN.com

We use IBAN.com services to validate the IBANs users provide. Once you provide an IBAN in the Mobile App for a fiat withdrawal, IBAN.com may hold it for improvement of validations purposes.

Their privacy policy is available here.

Chainalysis

We use Chainalysis services to perform anti-money laundering and risk screening on cryptocurrency wallet addresses users provide. This screening occurs on both receiving wallet addresses and destination wallet addresses. Chainalysis stores this information and checks to see if there was any suspicious activity related to any funds that were transacted into the specified wallet address, contributing to the risk level assessment.

Their privacy policy is available here.

Contis

We use Contis’ services to provide VISA Debit cards to HOLD’s customers. This includes all card related features. Once you order a HOLD card, Contis will store the information required to issue a VISA card, namely your date of birth, your full name, your resident address and your identity verification results. Once you use your HOLD card, for top-ups, payments or ATM withdrawals, Contis will also store the information required, namely the date and time, amount and currency, merchant and location.

Their privacy policy is available here.

Intercom

We use Intercom to deliver customer support via email and in-app chat. When contacting HOLD via email or via in-app chat these messages feed into Inbox which has access to additional account level information to allow HOLD’s Customer Support team to provide you with the best experience possible. This account level information will include your email address, name and aggregated account activity information.

Their privacy policy is available here.

In addition to the circumstances described above, we may disclose your financial or personal information if required to do so by law, court order, as requested by other government or law enforcement authority, or when we have reason to believe that disclosing the information is necessary to identify, contact or bring legal action against someone who may be causing interference with our rights or properties, whether intentionally or otherwise, or when anyone else could be harmed by such activities.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal data on our instructions, and are subject to a duty of confidentiality.

While we take data protection precautions, no security measures are completely secure, and we cannot fully guarantee the security of user information.

Data Storage

All data we directly store is located on our secure servers located within the European Union.

Nevertheless, it may be transferred to, and stored at a destination outside the European Economic Area (EEA), if our service providers are based in countries which do not form part of the EEA. It may also be processed by employees located outside the EEA who work for us or for one of our suppliers.

All our non-EEA service providers’ servers are located in countries with sufficient personal data protection adequacy, as listed here.

Data Retention

We keep your Personal Data for as long as necessary for the relevant purposes of their processing, in alignment with the ‘Data Minimisation and Storage Limitation’ principles as defined in Article 5 of the GDPR.

We may retain your Personal Data for as long as your user account is active.

We may retain your Personal Data after the expiration of their relevant processing purposes in the following limited cases:

• In case that there is a legal obligation under a relevant statutory provision.
• For research or statistical purposes or for the proper organisation and operation of our business provided that anonymity or pseudonymization of your data takes place.
• In case of any claims against HOLD, for as long as necessary to defend our rights and legitimate interests before any competent court and any other public authority.

After the period of retention, your Personal Data is erased from our databases and systems in accordance with our Privacy Policy and provided that their retention is no longer required for the fulfillment of the purposes we have described above.

For more information about data retention terms in relation to specific Personal Data, please contact us at support@hold.io.

Your Rights

You are entitled to the following rights and remedies:

• Access the data we hold about you and to get a copy of it;
• Rectify any data that is not accurate or not up-to-date;
• Ask us to erase your data (although for legal reasons we might not always be able to do it);
• Restrict us from processing your data, when you don’t want us to use it but it is still needed for legal reasons;
• Object to us using your data for direct marketing and in certain circumstances ‘legitimate interests’, research and statistical reasons;
• Transfer your personal data to you or another third party;
• Withdraw any consent you’ve previously given us on marketing and promotional material (although it will not affect the lawfulness of any processing carried out before you withdraw your consent).
• To object to the processing of your Personal Data in cases explicitly provided for by law.
• To object to a decision taken solely on the basis of automated processing, including profiling, which has an impact on you or significantly affects you.

Please contact us at support@hold.io if you wish to exercise any of these rights.

Complaints

If your rights are infringed, it is your right to file a complaint with the Office of the Information and Data Protection Commissioner at the following website https://idpc.org.mt/en/Pages/contact/complaints.aspx (the ‘Supervisory Authority’).

We would appreciate the chance to deal with any concerns you may have before you approach a Supervisory Authority. Kindly contact us at support@hold.io with any concerns you may have, and we will do our utmost to address your concerns in a satisfactory manner.

We will respond to any of your requests within one (1) month from their receipt. Upon prior notice, this period may be extended by a further two (2) months if necessary, taking into account the complexity of the request and the number of any other pending requests. In case of rejection of your request, we will provide relevant justification.

If your request does not meet the requirements of applicable law, HOLD reserves the right either to: (a) impose a reasonable fee, taking into account the administrative costs of providing the information or communicating or executing the requested action, or (b) reject your request.

In the event of any violation of your Personal Data, which may place your rights and freedoms at a high risk, and provided that it does not fall under one of the exceptions expressly provided for by applicable law, we undertake to inform you without undue delay.

If there are any doubts as to the identity of the individual submitting the request, we reserve the right to request the provision of additional information necessary to confirm your identity.

Changes to the present Privacy Policy

This privacy policy may be amended over time, and changes made to it shall become effective promptly after being announced. The regular review of this Privacy Policy shall ensure that you will always be aware of the type of information we collect, how and for what purpose it is used by us, and under what circumstances (if any) we shall share it with other parties.