1. Who We Are and How to Contact Us
Plain English Summary
- We collect only what we need: email, account info, transaction data, and technical logs.
- We never sell your personal data — ever. We share it only to operate the platform or when legally required.
- GDPR rights apply to EEA/UK users: access, correction, erasure, portability, and more.
- You can withdraw marketing consent or exercise any right by emailing [email protected].
- Data is retained for 5 years after account closure to meet our AML obligations.
- Cookies: we use essential cookies only. You can disable non-essential cookies in your browser.
- Supervisory authority: EEA users may complain to their national DPA; UK users to the ICO (ico.org.uk).
↓ Full legal text below
Hodlex Ltd. (Marshall Islands company, business number 89220) is the data controller responsible for your personal data collected through the Hodl Hodl and Lend at Hodl Hodl platforms. Our data protection contact:
| Data Protection Officer | |
|---|---|
| General support | [email protected] |
| Postal address | Hodlex Ltd, Trust Company Complex, Ajeltake Road, Ajeltake Island, Majuro, Marshall Islands MH96960 |
Any provision of this Privacy Policy may be revised at any time. Continued use of the Platform constitutes acceptance of the revised version. We will notify users of material changes by email where practicable.
2. What Personal Data We Collect
The data we collect depends on how you use our Platform:
Data you provide to us
| Account data | Email address, username/nickname, timezone, password (stored in hashed/encrypted form), historical password hashes (bcrypt) retained to prevent password reuse, profile picture (optional), profile bio/about text (optional, publicly visible), and any other information you add to your profile. |
|---|---|
| Identity data | In disputes: full name, date of birth, country of residence/citizenship, government-issued ID, and bank/payment account statements. For verified accounts (legacy): full identity documents provided voluntarily prior to suspension of voluntary verification. |
| Trading data | Trade advertisements, Bitcoin wallet addresses (public keys only), trade amounts in cryptocurrency and fiat, timestamps, chat logs, payment method, trade IDs, encrypted wallet seed (AES-128-GCM encrypted, used to access your contract escrow address), merchant invoice information, and counterparty nicknames. |
| Lending data | Loan terms, collateral amounts, LTV ratios, repayment history, encrypted wallet seed (AES-128-GCM encrypted, used to access your contract escrow address), and related contract data. |
| Communications | Messages and file attachments in contract chats, support tickets, dispute correspondence, and any other communications with Hodlex Ltd or with counterparties through our platform. |
Data collected automatically
| Log and usage data | Features used, offer creation, API activity, contract participation, login times and frequency, platform settings, performance logs, crash diagnostics. |
|---|---|
| Technical/connection data | IP address, MAC address, browser type and version, operating system, hardware model, and related connection metadata. |
| Location data | Approximate location derived from IP address, used to filter offer lists. We do not collect precise GPS location. |
Data received from third parties
| User-provided | Other users may share information about you (nickname, email, feedback) in the context of trades or reports. |
|---|---|
| Third-party services | Our operational partners may provide data necessary to deliver the Platform (see Section 5 for the full list of third parties). |
3. Why We Process Your Data — Lawful Basis (GDPR Art. 6)
We process your personal data only where we have a valid lawful basis:
| Account creation and management | Contract performance (Art. 6(1)(b)) — necessary to provide you access to the Platform. |
|---|---|
| Executing trades and lending contracts | Contract performance (Art. 6(1)(b)) — core to the service. |
| Sanctions screening and fraud prevention | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) — required by AML/CFT regulations and to protect users. |
| Dispute resolution | Contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)). |
| Security monitoring and abuse prevention | Legitimate interests (Art. 6(1)(f)) — to protect the Platform and its users. Our interests do not override your fundamental rights. |
| Service notifications (contract status, account alerts) | Contract performance (Art. 6(1)(b)) — essential operational communications. |
| Marketing and promotional communications | Consent (Art. 6(1)(a)) — only where you have opted in. You may withdraw consent at any time by emailing [email protected] or using the unsubscribe link in any marketing email. |
| Platform analytics and improvement | Legitimate interests (Art. 6(1)(f)) — to understand usage patterns and improve the service. Anonymized or aggregated where possible. |
| Public offer listing | Legitimate interests (Art. 6(1)(f)) and your explicit action in publishing an offer. By publishing a public offer, you grant Hodlex Ltd a non-exclusive, worldwide licence to display and distribute that offer on the Platform. |
| Legal obligation compliance | Legal obligation (Art. 6(1)(c)). |
4. How We Use Your Data
- To create, verify, and manage your account.
- To facilitate and record trades, lending contracts, and smart contract interactions.
- To screen for sanctions compliance and detect fraud, money laundering, or abuse.
- To resolve disputes and respond to support requests.
- To send essential service notifications (contract updates, security alerts, account changes).
- To send marketing communications where you have consented (opt-out available at any time).
- To comply with legal and regulatory obligations, including AML/CFT record-keeping.
- To improve platform security, performance, and features using aggregated analytics.
- To display your public offers in the offer list and, with your consent, to promote the Platform.
5. Who We Share Your Data With
We never sell, rent, or trade your personal data to any third party for their commercial or marketing purposes.
5.1 Your Counterparties
When you are in an active contract, your payment details are visible to your direct counterparty only after the contract reaches "In Progress" status. After contract completion or cancellation, your counterparty can no longer access your payment details through the Platform.
5.2 Operational Third-Party Service Providers
We work with the following third parties under data processing agreements that restrict them from using your data for any purpose other than delivering their service to us. All transfers to non-EEA/UK recipients are subject to appropriate safeguards (see Section 7):
| Sentry | Error monitoring and crash reporting. Your IP address may be included in error logs. Data processed in the USA under Standard Contractual Clauses. |
|---|---|
| Google Analytics | Behavioural and usage analytics. We use IP anonymization (IP masking enabled). Data processed under Google's DPA with SCCs. Opt out via: tools.google.com/dlpage/gaoptout. |
| Amazon Web Services (AWS) | Cloud infrastructure and storage for your personal data. Data stored within the EU/EEA region (eu-west-1 / eu-central-1) where technically feasible. |
| ProtonMail | Encrypted email for support and compliance communications. We may share your email address and nickname for this purpose. |
| SendGrid (Twilio) | Transactional and marketing email delivery. We share your email address and notification preferences. |
| X (formerly Twitter) | Platform promotion only — we may share public offer information (not personal account data) for promotional posts. No personal data (name, email, IP) is shared with X for advertising purposes. |
5.3 Legal Disclosures
We may disclose your personal data to law enforcement, regulatory authorities, courts, or other public bodies where required by applicable law, a valid legal order, or to protect the rights, property, or safety of Hodlex Ltd, our users, or the public.
5.4 Public Information
The following is publicly visible to all visitors including unauthenticated users:
- Your public offer listings (currency, amount, payment method, price, working hours).
- Your profile page: username, reputation score, trade statistics, account status.
- Whether you are currently online (green/yellow/grey indicator).
You can reduce public visibility by making offers private and adjusting profile settings.
6. Data Retention
| Account and trading/lending data | 5 years after account closure or last activity (whichever is later), to satisfy AML record-keeping obligations under applicable law. |
|---|---|
| Dispute and support records | 5 years after the matter is closed. |
| Identity documents (disputes/verification) | 5 years after the relevant dispute or account closure, unless a longer period is required by law. |
| Technical access logs | 12 months, unless extended for an active security investigation. |
| Marketing consent records | Until consent is withdrawn, plus 1 year for accountability purposes. |
| Anonymized analytics data | Indefinitely (no personal data retained). |
After the applicable retention period, data is securely deleted or irreversibly anonymized. Legal or regulatory requirements may require us to retain data for a longer period; in such cases, the longer period applies.
7. International Data Transfers
Hodlex Ltd. stores and processes data primarily within the European Economic Area (EEA). Where transfers to third countries are necessary, we rely on one or more of the following mechanisms:
- European Commission Standard Contractual Clauses (SCCs) — the 2021 modular SCCs for controller-to-processor transfers.
- UK International Data Transfer Agreements (IDTAs) — for transfers from the UK following Brexit.
- European Commission adequacy decisions — for transfers to countries deemed to provide adequate protection.
You may request a copy of the applicable transfer safeguard documentation by contacting [email protected].
8. Your Privacy Rights
The following rights are available under applicable data protection law. EEA residents have rights under the GDPR; UK residents under the UK GDPR; other jurisdictions may have equivalent rights under local law.
| Right of access (GDPR Art. 15) | Request a copy of the personal data we hold about you, in a human-readable or machine-readable format (e.g., PDF or CSV). |
|---|---|
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete personal data. |
| Right to erasure / 'right to be forgotten' (Art. 17) | Request deletion of your data where it is no longer necessary, you withdraw consent, or it has been unlawfully processed — subject to legal retention obligations. |
| Right to restriction of processing (Art. 18) | Request that we pause processing of your data in certain circumstances. |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format, and transmit it to another controller — where processing is based on consent or contract and carried out automatically. |
| Right to object (Art. 21) | Object to processing based on legitimate interests or for direct marketing. We will cease marketing processing immediately on request. |
| Right to withdraw consent | Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing. |
| Right re: automated decisions (Art. 22) | We do not currently make legally significant decisions about you based solely on automated processing. If this changes, we will update this Policy. |
| California residents (CCPA/CPRA) | Rights to know, delete, correct, and opt-out of the sale/sharing of personal information. We do not sell or share personal information for cross-context behavioural advertising. |
| Other jurisdictions | We respect applicable privacy rights in all jurisdictions where we operate. Contact [email protected]. |
To exercise any right, email [email protected] with your username and a description of your request. We will respond within 30 days (extendable by 2 months for complex requests, with notice). We may ask you to verify your identity. Where we refuse a request, we will explain why.
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint:
- EEA users: your national Data Protection Authority (list at edpb.europa.eu/about-edpb/board/members_en).
- UK users: the Information Commissioner's Office — ico.org.uk — Tel: 0303 123 1113.
We would appreciate the opportunity to address your concerns directly first — please contact [email protected].
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and at rest for sensitive fields.
- Strict access controls — only personnel who need access to perform their job have it.
- Regular security assessments and penetration testing.
- Multisignature smart contract architecture — Hodlex Ltd. never holds unilateral control over user funds or private keys.
Exchange chats are encrypted at rest (OpenPGP); Lending chats are not currently encrypted at rest.
No system is completely secure. We will notify affected users and the relevant supervisory authority of any personal data breach within 72 hours of becoming aware, in accordance with GDPR Art. 33 and Art. 34.
We will never share your IP address, MAC address, or other sensitive connection data with any third party except as described in Section 5, or where legally required.
10. Cookies
10.1 Essential / Strictly Necessary Cookies
These cookies are required for the Platform to function. They manage your login session, prevent abuse, remember site preferences, and maintain security. Without them, you cannot use the Platform. These cookies do not require your consent under ePrivacy law because they are strictly necessary.
10.2 Analytics Cookies
We use Google Analytics to understand how users interact with the Platform, with IP masking enabled. You may opt out at any time:
- Install the Google Analytics Opt-Out Browser Add-on: tools.google.com/dlpage/gaoptout
- Or disable cookies in your browser settings (Settings → Privacy → Cookies)
10.3 Third-Party Cookies
| Google Analytics | Analytics and usage statistics. Anonymized IP. Opt-out available (see above). |
|---|---|
| reCAPTCHA (Google) | Bot and abuse prevention on login and registration forms. |
| Sentry | Error monitoring sessions. Used only when a technical error occurs. |
We do not use advertising cookies, retargeting cookies, or third-party tracking cookies for marketing purposes. We no longer use YouTube-embedded content on the Platform; if this changes, we will update this Policy.
10.4 Managing Cookies
You can control cookies through your browser settings. Blocking essential cookies will impair or prevent access to the Platform. Instructions for major browsers: Chrome support.google.com/chrome/answer/95647, Safari support.apple.com/guide/safari/manage-cookies.
11. Children
The Platform is not directed at, and we do not knowingly collect personal data from, persons under the age of 18. If we become aware that we have collected personal data from a minor without appropriate consent, we will delete it promptly. If you believe a minor has registered on our Platform, please contact [email protected].