Holyheld Privacy Policy

Holyheld Labs AG, registered in Switzerland under company identification number CHE-207.939.735, with its registered office at Bahnhofstrasse 20, 6300 Zug, Switzerland, is the data controller responsible for the collection of your personal data.

This privacy policy (“Privacy Policy”) provides an insight into how Holyheld (“Holyheld”, “We”, “us”, “our”) and all platforms affiliated with Holyheld, including but not limited to the Holyheld Websites, and Applications (collectively “Platform”) collect, share or use personal data about you (“user(s)”, “You”, “your”) with connection to the Platforms. It describes how the Company collects, uses, and discloses Personal Data that we obtain from users of the Platform and any account by services provided through the Platform as well as other collected personal data, and how we use and disclose that information.

For purposes of this Policy, “Personal Data” refers to any information relating to an identified or identifiable natural person, from whom the identity of such person may be directly or indirectly determined. The Privacy Policy, together with our Terms and Conditions (“Terms”) governs the processing of your personal data and is applicable to all the information collected through the Platforms, upon the use of such Platforms, (collectively, the “Services”).

By registering for and using the Platform, you confirm that you are aware that your Personal Data will be handled as described in this Policy and the Terms and Conditions applicable to the Platform (the “Service Agreement”).

Capitalized terms used herein shall have the same meaning as set forth in the Service Agreement.

This Policy supplements the other notices and is not intended to override them. Terms used within it shall have the meaning(s) given in the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“FADPO”), as applicable.

This Policy describes how we collect, use, share, retain and safeguard Personal Data. This Policy also helps you to understand your legal rights to your Personal Data and explains the grounds on which we process Personal Data and who to contact should you have a query on the collection and use of your Personal Data.

What Personal Data we collect and how we collect it?

We collect and process Personal Data about you directly from you when you contact us, register to use the Platform, or submit such information as a part of the Know-Your-Client (“KYC”), as well as automatically through your use of the Platform. We may also collect or receive Personal Data from third party service providers, state institutions or other persons that may have a legal ground to provide the Personal Data to us.

Personal Data that you provide to us. This includes Personal Data about you that you provide to us, for instance when you open an account (the “Account”) with us. The nature of the services you are requesting will determine the kind of Personal Data we might ask for, though such information may include (by way of a non-exhaustive list):

• Identification Information: Full name, date of birth, nationality, gender, signature, utility bills, photo verification, telephone number, home address, and email address.
• Formal Identification Information: Government issued identity documents such as passport, driver’s license, national identity card, taxpayer identification number, passport number, and/or any other information deemed necessary to comply with our legal obligations under financial or anti-money laundering laws.
• Financial Information: Bank account information, payment method information, transaction history, and tax identification.
• Biometric Data: includes a scan of face geometry, which we use for your identification.
• Employment Information: includes your employment history, education background and income levels.
• Other Personal Data: Any information that you choose to share on a Platform which may be considered Personal Data.

Personal Data that we collect or generate about you. This includes (by way of non-exhaustive list):

• any information regarding the services purchased and/or used on the Website and our interactions with you;
• information about the transactions you make on our Services, such as the name of the recipient, your name, the amount, type of currency, and timestamp;
• online identifiers, IP (internet protocol) address, computer and connection information, device type and unique device identification numbers (e.g. IMEI number, MAC address), bandwidth, mobile network information, mobile operating system and type of mobile browser, and other technical data collected through cookies and other similar technologies that uniquely identifies your browser;
• usage data such as authentication data and security questions; and
• any information you choose to provide to us, for example, through support messages, and emails.

Information we obtain from other sources. This includes the Personal Data provided to us by third-party service providers, agencies or other publicly available sources where applicable. The main types of third parties we receive your Personal Data from are:

• Public Databases, ID Verification Partners in order to verify your identity in accordance with applicable law. ID verification partners like Sumsub and Idenfy use a combination of government records and publicly available information about you to verify your identity. Such information may include your name, address, job role, public employment profile, government-issued ID, credit history, status on any sanctions lists maintained by public authorities, and other relevant data.
• Blockchain Data, including through the use of third party transaction and wallet screening service providers, to ensure parties using our Services are not engaged in illegal or prohibited activity and to analyse transaction trends for research and development purposes.

Please note that if you are acting as an authorized individual on behalf of a User and are providing Personal Data for such User, you are responsible for ensuring that you have all required permissions and consents to provide such Personal Data to us for use in connection with the Platform and that our use of such Personal Data you provide to the Platform does not violate any applicable law, rule, regulation or order.

We use different methods to collect Personal Data from and about you including through:

• Direct interactions. You may provide us with your Personal Data by filling in forms or by corresponding with us via our Website or by post, phone, email or otherwise. This includes Personal Data you provide when you:
  • apply to use our services;
  • create an Account on our Platform;
  • log into the User’s account on the Platform and / or make transactions;
  • lodge a support query.

We may receive Personal Data about you from various third parties and public sources as set out below:

• Our partner who shares your Personal Data with us so that (a) you can use our services on their behalf; and (b) they can pay money to you (for example, your salary if you are their employee or payment for goods and/or services if you are their supplier);
• Electronic Identity Verification providers from data brokers or aggregators based inside or outside Switzerland;
• We may also record and verify personal identity documents such as passports electronically;
• Identity data and contact data from publicly available sources;
• In order to provide contracted services, we may need to verify details with Credit Reference agencies, anti-Fraud agencies, Sanction screening and politically exposed persons (PEP) listings.

Data We Collect Automatically

When you use the Platform, our servers automatically record information using cookies and other tracking technologies, including information that your browser sends whenever you visit the Platform or your mobile application sends when you’re using it. This log data may include your Internet Protocol address, the address of the web page you visited before coming to the Platform, your browser type and settings, the date and time of your request, information about your browser configuration and plug-ins, language preferences, and cookie data.

In addition to log data, we may also collect information about the device you use for the Platform, including what type of device it is, what operating system you’re using, device settings, unique device identifiers, and crash data. Whether we collect some or all of this information may depend on what type of device you’re using and its settings.

We may combine this information with other information that we have collected about you, including, where applicable, your full name, username, email address, and other Personal Data.

Geolocation. If you have provided permission through your mobile device to allow us to collect location information through a mobile application, we may obtain your physical location information in terms of latitude and longitude from technologies like GPS, Wi-Fi, or cell tower proximity. You are able to withdraw your permission for us to acquire such physical location information from your mobile device through your mobile device settings, although we do not control this process. If you have questions about how to disable your mobile device’s location services, we recommend you contact your mobile device service provider or the mobile device manufacturer.

Grounds for processing Personal Data

We process your Personal Data on one or more of the following grounds:

• Performance of a contract – processing that is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract;
• Overriding interest – the legitimate interest of our business in conducting and managing our business so as to provide you with the best service/product and the most secure experience. Where a justification is required, we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data on the ground of an overriding private interest. You can obtain further information about how we assess our overriding interests against any potential impact on you in respect of specific activities by contacting us;
• Legal requirement – processing that is necessary for compliance with a legal or regulatory obligation that we are subject to;
• Consent – processing your Personal Data on the basis of your consent.

Note that we may process your Personal Data on more than one ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific ground we are relying on to process your Personal Data.

Generally, we do not rely on consent as a ground for processing your Personal Data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

How is the information used?

We may use the collected Personal Data for the following purposes:

• Providing services to you, which include, but are not limited to open an account, operating and managing the services; performing services requested by you such as responding to your comments, questions, and requests, and providing information support; sending you technical notices, updates, security alerts, information regarding changes to our policies, and support and administrative messages; detecting, preventing, and addressing fraud, breach of Terms, and threats, or harm; and compliance with legal and regulatory requirements.
• Process payments. We use your Personal Data to make payments and/or receive funds through your payment devices and by the Platform. We use and share your Personal Data with Electronic Money Institutions, banks, and financial service partners, such as banking intermediaries, international payment service providers and regulated distribution agents.
• Direct marketing and business activities in relation to our services, including but not limited to newsletters sending, updates, marketing communications and other information that may be of interest to you;
• complying with legal and regulatory obligations, including KYC/AML requirements, e.g. to verify your identity we may use and share your Personal Data with credit-checking/reference agencies and fraud prevention agencies;
• monitoring the use of Platforms for business purposes which may include analysis of usage, measurement of site performance and generation of marketing reports;
• for legitimate business interests, such as business research and analysis, managing our Platforms and Services, asset protection, debt management;
• looking into any complaints or queries;
• preventing and responding to actual or potential fraud or illegal activities;
• operating our Platforms, customer support, marketing and research services related to the Platforms;
• Cookies used are strictly necessary for the safe and secure functioning of the Platforms and Services;
• Protecting the security and integrity of the Services; improving the Services and other websites, apps, products and services;
• exercising or defending any legal rights.

How do we share the Personal Data?

Affiliates. We may disclose the information we collect from you to our affiliates or subsidiaries solely for the purpose of providing the Platform to you; however, if we do so, their use and disclosure of your personally identifiable information will be maintained by such affiliates and subsidiaries in accordance with this Policy.

Service Providers. We may disclose the information we collect from you to third-party vendors, service providers, contractors or agents who perform functions on our behalf (e.g. auditors, accountants, lawyers, credit-checking/reference agencies and fraud prevention agencies, banking institutions), provided such third parties have agreed to only use such information to provide services to us. These third parties will be subject to appropriate data protection obligations and they will only use your Personal Data as described in this Privacy Policy;

Business Transfers. If we are in negotiations with, or are acquired by or merged with another company or entity, if substantially all of our assets are transferred to another company or entity, or as part of a bankruptcy proceeding, we may transfer the information we have collected from you to the other company or entity.

In Response to Legal Process. We also may disclose the information we collect from you in order to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a subpoena.

To Protect Us and Others. We also may disclose the information we collect from you if we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Service Agreement or this Policy, or as evidence in litigation in which we are involved.

Aggregate and De-Identified Data. We may collect, process, analyse and share aggregate or de-identified information about Users with third parties and publicly for product development, marketing, advertising, research or similar purposes.

How is your information secure?

We ensure that your Personal Data collected by us is subject to appropriate technical and organizational security measures to help protect your Personal Data from unauthorised access, use, disclosure, alteration or destruction consistent with applicable data protection laws. Nevertheless, you are responsible for using the secure internet connection and the transmission of information via third party networks.

As per the PCI DSS security standard requirements we regularly conduct external vulnerability scanning services operated by an Approved Scanning Vendor (ASV) duly qualified by the PCI DSS, that uses specialist security tools to find any weaknesses or holes in our systems that hackers may attempt to exploit.

Professional Advisors – we share information for audits and legal compliances with our professional advisors.

Security and Compelled Disclosure – Information stored by us is shared with public officials for legal compliance enforcement and authorised security concerns.

We only store your information for a limited period of time and strictly only for as long as is necessary for the relevant purpose and/or for as long as it is necessary to comply with legal obligations, laws or regulations.

Fulfilling your Requests – we may share your information with you with your consent at your request or direction.

Notwithstanding the above, we may share information that does not identify you (including information that has been aggregated or de-identified) except as prohibited by applicable law.

We have put in place procedures to deal with any suspected Personal Data breach and will notify the Federal Data Protection and Information Commissioner (FDPIC) and, where required, you, of a breach of data security where we are legally required to do so.

How do we use cookies?

We employ cookies on our platform solely and strictly as necessary to facilitate the secure provision of our services to you, ensuring essential functionality such as session management, authentication, and data integrity on our Platform.

Our Platform may contain links to third-party websites. Any access to and use of such linked websites is not governed by this Policy, but instead is governed by the privacy policies of those third-party websites. We are not responsible for the information practices of such third-party websites.

You may instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use our Service.

How do we store or transfer information?

The Personal Data collected by us is primarily processed in Switzerland. Where we transfer your Personal Data abroad, we will take all necessary steps to ensure that your Personal Data is treated securely and in accordance with this Privacy Policy and the FADP.

Where we transfer Personal Data to a country that does not ensure an adequate level of data protection, we rely on standard contractual clauses or other safeguards permitted under the FADP.

For how long do we keep your data?

We retain your Personal Data as long as you maintain an Account on the Platform. We will cease to retain your Personal Data, or remove the means by which the Personal Data can be associated with particular individuals, as soon as it is reasonable to assume that:

• the purpose for which that Personal Data was collected is no longer being served by its retention; and
• retention is no longer necessary for legal, accounting or business purposes.

Please note that certain laws may require us to retain records of transactions or accounts for a certain period of time.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements and recommendations.

How do we protect and ensure your rights?

You are entitled to a certain number of legal rights concerning the Personal Data we may hold about you under the FADP. These rights can be exercised at any time by contacting us. The following rights apply regarding the collection of your Personal Data:

Right to Information / Access: you have the right to obtain information as to whether we process Personal Data about you, to access that Personal Data, and to be informed of how we use it and who we share it with.

Right to Data Portability: you have the right to receive the Personal Data that you have disclosed to us, and which we process by automated means on the basis of your consent or in connection with a contract, in a commonly used electronic format, and/or to request transfer of the same to a third party, in certain circumstances and with certain exceptions.

Right to Rectification: you have the right to correct any inaccurate Personal Data.

Right to Deletion of Data: in certain circumstances, you have the right to request the deletion or destruction of your Personal Data stored with us. There may be circumstances where you ask us to erase Personal Data, but we are legally entitled to retain it; in such circumstances, the same shall not be erased.

Right to Restrict / Object to processing: you have the right to object to our processing of your Personal Data and to require us to restrict the processing of, or to stop processing, the Personal Data we hold about you, other than for storage purposes, in certain circumstances. There may be circumstances where you object to or ask us to restrict the processing of Personal Data, but we are legally entitled to refuse that request.

Withdrawal of consent: Where we rely on consent to process your Personal Data, you have the right to withdraw this consent at any time. In certain circumstances it may be lawful for us to continue processing without consent if we have a legitimate reason (other than consent) for doing so.

Rights in relation to automated individual decisions: you have the right not to be subject to a decision based solely on automated processing, including profiling; you may request that such processing be reviewed by a natural person and object to a decision made by automated means.

Right to lodge a report with the supervisory authority: you have the right to report the actions or inactions of us, related to the implementation of your data protection rights, to the Federal Data Protection and Information Commissioner (FDPIC), and to pursue any civil-law remedies available to you under the FADP.

The aforementioned rights are not absolute and may be limited by law.

Please note that notwithstanding the foregoing, there may be circumstances in which we are unable to accommodate a request to edit, update, access, or delete an account profile or Personal Data. This includes but is not limited to:

• any basis where such request can be denied under applicable law;
• where we need to retain the information to comply with international or national laws or for accounting or tax purposes;
• where we need to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by state, or local authorities;
• where we need to cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate laws;
• where we need to retain information to exercise or defend legal claims;
• where the information contains legal privilege or proprietary information of another party; or where complying with the request would compromise others’ privacy or other legitimate rights.

We try to respond to all legitimate requests without undue delay, and in any event within 30 days of receipt of the request. Occasionally it could take us longer than 30 days if your request is particularly complex or you have made a number of requests, in which case we will inform you of the reasons for the delay and of the period within which we expect to respond.

If we determine that we cannot respond to any request in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries. To protect your privacy, we will take commercially reasonable steps to verify your identity before responding to any request under this provision, including complying with any applicable legal requirement for verifying your identity.

If a representative wishes to exercise data subject rights on behalf of a data subject, they must provide a valid authorization document (e.g. Power of Attorney) as proof of authorization.

Children under 18

Our Platform is not designed for children under 18. If we discover that a child under 18 has provided us with Personal Data, we will delete such information from our systems.

Contact Us

For further information on the collection, use, disclosure, transfer or processing of Personal Data or the exercise of any of the rights listed above, please contact Holyheld by sending an email to privacy@holyheld.com.

If you have complaints about how we process your Personal Data, please contact us and we will respond to your request as soon as possible.

Changes to this Policy

This Policy is current as of the Last Update set forth in the beginning of the Policy. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on the Platform. If we make any changes to this Policy that materially affect our practices with regard to the Personal Data we have previously collected from you, we will endeavor to provide you with notice in advance of such change by highlighting the change on our Platform or providing a push notification through the Website (you should make sure your Website settings allow for such push notifications) or sending an email that you have provided in your Account, (for this reason you should make sure to update your account information promptly if it changes).