HB HeldBy
Sign in Start free trial
Legal · Privacy policy

Privacy policy.

Controller
Solid Code Studio
Regulation
GDPR + French law
Updated
15 Apr 2026
00 / Preamble

This Privacy Policy explains how Solid Code Studio ("we", "us") collects, uses, and protects your personal data when you use HeldBy (the "Service"). We comply with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act.

01 / Data controller

Fabien Dumont, operating as Solid Code Studio, 16 rue du petit tour, 86000 Poitiers, France. Contact: [email protected].

02 / Data we collect
  • ·Account data: first name, last name, email, hashed password.
  • ·Organization data: organization name, members, roles, assets.
  • ·Billing data: billing address, payment method token (handled by Stripe; we never store full card numbers).
  • ·Technical data: IP address, user agent, session tokens, security timestamps, login attempts.
  • ·Support data: any information you provide when contacting us.
03 / Purposes and legal basis
  • · Providing the Service (contract performance, GDPR art. 6(1)(b)): account creation, authentication, organization and asset management.
  • · Billing and payments (contract performance and legal obligation, GDPR art. 6(1)(b)(c)): processing subscriptions, issuing invoices, complying with accounting law.
  • · Security (legitimate interest, GDPR art. 6(1)(f)): preventing abuse, rate limiting, account lockout, fraud detection.
  • ·Service improvement (legitimate interest): diagnosing errors via logs.
  • · Transactional emails (contract performance): verification, password reset, invitations, billing notifications.
04 / Retention
  • · Account data: kept while your account is active. Deleted within 30 days of account closure.
  • ·Billing and invoice data: retained for 10 years (French accounting law).
  • ·Security logs and refresh tokens: up to 12 months.
  • ·Email delivery records: up to 90 days.
05 / Recipients and sub-processors

We share data only with service providers strictly necessary to operate the Service:

  • ·Stripe, Inc. (USA), payment processing and billing portal.
  • ·Cloudflare, Inc. (USA), frontend hosting, CDN, and DDoS protection.
  • ·Fly.io, Inc. (USA), backend application hosting and database.
  • ·Resend, Inc. (USA), transactional email delivery.

We do not sell, rent, or trade your personal data.

06 / International transfers

Our sub-processors Stripe, Cloudflare, Fly.io, and Resend are established in the United States and may process data outside the European Economic Area. Such transfers are covered by Standard Contractual Clauses approved by the European Commission, together with any supplementary technical and organizational measures required.

07 / Your rights

Under GDPR, you have the right to:

  • ·Access your personal data.
  • ·Request correction or deletion.
  • ·Restrict or object to processing.
  • ·Data portability.
  • ·Withdraw consent at any time (where processing is based on consent).
  • ·Define instructions regarding the fate of your data after death.

Exercise these rights by emailing [email protected]. You may also lodge a complaint with the French data protection authority (CNIL, www.cnil.fr).

08 / Security

We implement technical and organizational measures including password hashing, encrypted transport (HTTPS), session invalidation on security-sensitive changes, rate limiting, and least-privilege database access.

09 / Cookies

We use only strictly necessary storage (authentication tokens in local storage) required to operate the Service. We do not use analytics or advertising cookies. If this changes, we will update this policy and request consent where required.

10 / Changes

We may update this Privacy Policy. Material changes will be communicated by email or in-app notice before they take effect.