Last updated: April 10, 2026
Privacy Policy
This privacy policy describes how HoldTrakr B.V. (in formation) processes your personal data in accordance with the General Data Protection Regulation (GDPR).
1. Data controller
The data controller for your personal data is:
HoldTrakr B.V. (i.o.)
Amsterdam, Nederland
privacy@holdtrakr.com
2. What personal data do we collect?
Account data
- Email address (required)
- Name / display name
- Profile picture (optional)
- Password (hashed with bcrypt — never stored in readable form)
Financial data (creators only)
- Uploaded broker CSV files (transaction history)
- Calculated portfolio returns and statistics
- Stripe Connect account ID (for payouts)
Usage data
- IP address (for rate limiting and fraud prevention)
- Device and browser type
- Pages visited and time of visit
3. Purpose and legal basis for processing
| Purpose | Data | Legal basis |
|---|---|---|
| Account creation and management | Email, name, password | Contract performance |
| Payment processing | Stripe customer ID, subscription data | Contract performance |
| Broker data verification | CSV uploads, transactions | Contract performance |
| Fraud and abuse prevention | IP-adres, gebruikspatroon | Legitimate interest |
| Marketing (newsletter) | E-mailadres | Consent |
4. Retention periods
- Account data: until 30 days after deletion request (then permanently deleted)
- Financial transaction data: 7 years (statutory retention obligation)
- Log files / IP addresses: maximum 90 days
- Email consent: until withdrawal via unsubscribe link
5. Who do we share your data with?
We share your personal data only with the following sub-processors, under data processing agreements:
- Stripe — payment processing (US, EU Standard Contractual Clauses)
- Resend — email delivery (US, EU SCC)
- Supabase / PostgreSQL — database hosting (EU Frankfurt)
- Cloudflare R2 — file storage (EU)
- Vercel — hosting platform (US, EU SCC)
We never sell your personal data to third parties.
6. Your rights
Under the GDPR you have the following rights:
- Access — you can request what data we hold about you
- Rectification — you can have incorrect data corrected
- Erasure — you can have your account and all data permanently deleted
- Portability — you can request your data in a machine-readable format
- Objection — you can object to processing based on legitimate interest
- Withdrawal of consent — you can withdraw marketing consent at any time via the unsubscribe link in our emails
You also have the right to lodge a complaint with the Dutch Data Protection Authority (AP): www.autoriteitpersoonsgegevens.nl.
7. Contact
For questions about your personal data or to exercise your rights: privacy@holdtrakr.com
8. Cookie policy
HoldTrakr uses the following cookies:
- next-auth.session-token — authentication cookie, strictly necessary, session duration
- theme — stored theme preference (light/dark), functional, 1 year
We do not use third-party tracking or advertising cookies.
How do we verify transaction data?
Want to know how HoldTrakr checks broker data for reliability? We use five layers of verification — from basic checks to manual review.
Read how verification works →Related documents: