Privacy Policy
Last updated 19 June 2026 · Operated by Stan SAS (France)
This Privacy Policy explains what personal data Hodlr collects, how and why we use it, and the rights you have over it. Hodlr (the "Service") is operated by Stan SAS, a société par actions simplifiée registered in France ("we", "us"). For data protection law, including the EU General Data Protection Regulation (GDPR) and, for users in the United Kingdom, the UK GDPR, Stan SAS is the data controller of the personal data described here. You can reach us about privacy at any time at admin@stan-friends.com. Real payments are not enabled yet: no charge is taken and no money changes hands today. Some processing described below, such as payment and identity-verification data, only happens once we enable real payments. This policy should be read together with our Cookie Policy, our Terms and our Legal Notice.
1. Who we are and how to reach us
The data controller is Stan SAS, the company that operates Hodlr: registered office 60 rue François 1er, 75008 Paris, France; share capital €1,000; registered with the RCS of Paris under number 944 823 020. Full details are in our Legal Notice.
For any question about this policy, to exercise your rights, or to reach our data protection contact, write to us at admin@stan-friends.com.
Hodlr is available only to people aged 18 or over, and only in the United States, the United Kingdom and France. Sign-up from other countries is blocked.
2. The data we collect
From your LinkedIn sign-in. You sign in with LinkedIn. Through LinkedIn's official sign-in (OAuth, via Auth.js), we receive your name, email address, profile photo and LinkedIn ID. We never scrape LinkedIn; we only receive what LinkedIn passes to us when you sign in, and LinkedIn is used solely as a sign-in and identity provider.
Profile details you add. Information you choose to add to your profile, such as your job title, company, industry, a short bio, and any images you upload.
Your collection and activity. The Cards you hold, the Card that represents you (where you are the Subject), the Upvotes (endorsements) you give and receive, the inputs that make up your HodlScore, and other activity such as listings, bids and notifications.
Usage, technical and log data. Basic information generated when you use the Service, such as device and browser type, IP address, pages and actions, and session and error logs. We use this to run, secure and improve the Service. See our Cookie Policy for details on cookies and similar technologies.
Payment and verification data (only when real payments are live). Today, real payments are not enabled, and we collect no payment or government-ID data. When we enable real payments, payment details and identity-verification data (including a government-issued ID, requested only when needed and just before your first cash-out) will be collected and handled by our regulated payment provider, Mangopay, and an identity-verification provider. We do not store your full card number or your ID document ourselves.
3. How and why we use your data
To provide the Service. To create and run your account, sign you in, display your profile and Card, let you collect free Common Cards, and (when real payments are live) let you buy and sell higher-tier Cards on the Market.
To build the public side of the Service. To show your Card, display name, title, company and HodlScore, and to record and display Upvotes. See "What is public by design" below.
To keep the Service safe and working. To secure accounts, prevent fraud and abuse, debug problems, and improve features.
To communicate with you. To send service messages, notifications and invites related to your account and activity.
To meet our legal obligations. Including, when real payments are live, anti-money-laundering checks, identity verification before cash-out, and accounting and tax record-keeping.
Your HodlScore is calculated automatically from Upvotes and other activity. It is a public reputation score and is not used to make decisions that produce legal or similarly significant effects for you without human involvement. We do not carry out automated decision-making of that kind.
4. Legal bases under the GDPR
Contract (Article 6(1)(b)). To create and run your account, show your profile and Card, record Cards you hold and Upvotes, and (when live) process Market transactions you ask for.
Consent (Article 6(1)(a)). For optional cookies and analytics, and for any marketing messages. You can withdraw consent at any time, with no effect on processing already carried out.
Legitimate interests (Article 6(1)(f)). To secure the Service, prevent fraud and abuse, understand and improve how Hodlr is used, and run the public reputation features (the HodlScore and Upvotes) that are core to the Service. Where we rely on legitimate interests, you can object (see "Your rights").
Legal obligation (Article 6(1)(c)). To keep records we are required to keep and, when real payments are live, to carry out anti-money-laundering and identity checks and meet accounting and tax duties.
5. What is public by design
Hodlr is a public reputation and collecting platform, so some information is visible to other Members and visitors by design. This includes your Card, your display name, title and company, your HodlScore, and the Upvotes you give and receive. We rely on our legitimate interest in running these public reputation features as the legal basis for displaying this information.
Because Upvotes are public, who upvoted whom is visible. An Upvote you give is your personal data as the upvoter, and it is shown alongside the person you upvoted.
If you are the Subject of a Card, you control that Card: you can set or withdraw its utilities, and you can retire it at any time. A retired Card loses its utilities but keeps its ownership history, because that history is needed as a record of past trades.
Your email address is never made public. We use it to run your account and to contact you, not to display it to others.
6. Who we share data with
We use a small number of service providers (processors) who handle data on our behalf, under contracts that require them to protect it and use it only for the services we ask of them:
LinkedIn — sign-in and identity provider (through Auth.js).
Vercel Inc. — website hosting.
Neon — managed PostgreSQL database, hosted in the EU (Frankfurt region).
Cloudflare R2 — image storage.
Mangopay and an identity-verification provider — only when real payments are live, to process payments and verify identity before a first cash-out. These are not used while real payments are off, and we collect no payment or ID data today.
We may also disclose data where we are legally required to do so, for example to comply with a valid legal request from a court, regulator or tax or law-enforcement authority, or to protect the rights, safety and security of Members and the Service.
If Hodlr is ever involved in a merger, acquisition or sale of assets, your data may be transferred to the entity involved, which will remain bound by this policy or one at least as protective; we will give you notice.
We do not sell your personal data, and we do not share it with advertisers for their own advertising.
7. International transfers
Your account and profile data are stored in the EU (our database runs in the Frankfurt region).
Some of our providers are based outside the EU, including in the United States. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) (and, for UK data, the UK International Data Transfer Addendum), or an adequacy decision where one applies, together with technical measures such as encryption in transit and at rest.
You can ask us at admin@stan-friends.com for more detail about the safeguards that apply to a specific transfer.
8. How long we keep your data
We keep your personal data for as long as your account is active and you use the Service.
When you delete your account, we delete or anonymise your personal data, except for limited records we are required or genuinely need to keep, such as ownership and trade history kept as an audit record of past Card transactions, and any records we must retain to meet legal, accounting or anti-money-laundering obligations (these last ones apply once real payments are live).
As a guide, we typically keep: account and profile data until you delete your account; service access logs for around 15 months; security records (such as login and suspicious-activity data) for up to 5 years; support messages and fraud-prevention records for up to 3 years; and cookies for at most 13 months (see our Cookie Policy).
Records we keep after deletion are kept only for as long as needed for the purpose that justifies keeping them, after which they are deleted or anonymised. Once real payments are live, accounting records are kept for up to 10 years and anti-money-laundering records for 5 years after the end of the relationship, as required by French law. Access to retained records is restricted to staff who need it.
9. Your rights under the GDPR
Subject to the conditions in the GDPR, you have the right to: access a copy of your data; rectify inaccurate or incomplete data; request erasure of your data; request restriction of processing; receive your data in a portable, machine-readable format (portability); object to processing based on our legitimate interests; and withdraw consent at any time where we rely on consent.
Some of these rights have limits. For example, we may keep ownership and trade history as an audit record even after erasure of other data, and retiring a Card removes its utilities but preserves its ownership history (see "What is public by design").
To exercise any of these rights, write to admin@stan-friends.com. We may need to verify your identity before we act, and we will respond within the timeframes required by law.
If you are in France, you can also give us instructions about what should happen to your personal data after your death (French Data Protection Act, Article 40-1).
If you believe we have not handled your data properly, you can complain to the French data protection authority, the CNIL (cnil.fr). If you are in the UK, you may also contact the Information Commissioner's Office (ico.org.uk).
10. Automated decision-making and the HodlScore
Your HodlScore is generated automatically from Upvotes and activity. It is a social-proof signal shown within Hodlr. It does not produce legal or similarly significant effects for you — we do not use it for credit, employment, insurance or any decision of that kind — so it is not the type of solely-automated decision-making restricted by Article 22 of the GDPR.
Even so, if you think your HodlScore is wrong, you can ask us to look into it, contest specific inputs, or give us more context, by writing to admin@stan-friends.com.
11. If you are in the United States
If you are a California resident, in addition to the rights above you have the right to know what personal information we collect, use and share; to request its deletion (subject to limits); and not to be discriminated against for exercising your rights. Hodlr does not sell your personal information. To exercise these rights, contact admin@stan-friends.com.
12. Cookies
We use cookies and similar technologies to run the Service, remember your preferences, and (with your consent) measure how Hodlr is used. You can read the details and manage your choices in our Cookie Policy.
13. Children
Hodlr is for people aged 18 or over only. We do not knowingly collect personal data from anyone under 18. If you believe a minor has used Hodlr, contact us at admin@stan-friends.com and we will remove the data.
14. How we protect your data
We use technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls limited to staff who need it, and monitoring and logging. Our database runs in the EU, and sign-in is handled through LinkedIn's official OAuth rather than passwords stored by us.
If a personal-data breach ever occurs that is likely to risk your rights, we will notify the CNIL within 72 hours where the GDPR requires it, and tell affected Members without undue delay.
No system is perfectly secure. Please keep your LinkedIn account secure, since that is how you sign in to Hodlr.
15. Changes to this policy
We may update this Privacy Policy as the Service evolves, for example when we enable real payments. We will update the "last updated" date and, for significant changes, give you notice through the Service or by email. If you keep using Hodlr after a change takes effect, that change applies to you.
16. Contact and data-protection requests
For any privacy question, data-protection request, or general matter, contact us at admin@stan-friends.com.
Our full registration and contact details are in our Legal Notice. You can also read our Terms, Cookie Policy and FAQ.