Privacy Policy

I. Introduction

This Privacy Policy ("Policy") explains how TrueHold ("TrueHold," "we," "us," "our") collects, uses, discloses, and protects personal data when you use our websites, mobile apps, application programming interfaces, and other online services that link to this Policy (collectively, the "Platform"), and when you use our products and services, including our non-custodial crypto card and related features (the "Services").

By using the Platform or Services, you agree to this Policy. Please read it carefully. We update this Policy from time to time and will notify you of material changes where required. Your continued use of the Services after an update means you accept the revised Policy.

Non-custodial by design: We do not request or store seed phrases or private keys. Prior to spend, your digital assets remain in wallets you control. We may process public wallet addresses and on-chain allowances/permits that you authorize.

This Policy should be read together with our Terms of Service and Cookies Policy.

II. Definitions

  • Controller — the TrueHold entity that determines the purposes and means of processing personal data for the Platform/Services in your region.
  • Processor — a vendor that processes personal data on our behalf under a data processing agreement.
  • Personal Data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on Personal Data (e.g., collection, use, storage, disclosure).
  • Privacy Laws — applicable data protection laws (e.g., GDPR/UK GDPR, ePrivacy, CCPA/CPRA, LGPD, etc.).

III. Information We Collect

1) Information you provide

  • Identity & KYC (where required): full name, date of birth, nationality/country of residence, ID document details and images, liveness checks/biometrics (used only for identity verification via approved providers), sanctions/PEP status.
  • Contact: email, phone, mailing country/region, language, support messages.
  • Wallet & spend settings: public wallet addresses you control, on-chain allowance/permit settings, asset preferences.
  • Payments & compliance: card/network-related metadata (tokenized where possible), dispute information, declarations (e.g., source of funds if applicable).
  • Marketing preferences: subscriptions/opt-ins/opt-outs.

2) Information collected automatically

  • Device & log data: IP address and coarse geolocation derived from IP, device identifiers, browser/OS type and version, time zone, page views, clicks, session duration, crash/error diagnostics, referral URLs, consent records.
  • In-app events: feature usage, settings, notification tokens.

3) Information from third parties

KYC/AML & sanctions providers, fraud/risk tools, payment/issuer partners, analytics and cloud hosting may provide/confirm data to meet legal, security, and operational needs. We do not receive data from data brokers for the purpose of selling it.

Important: We do not collect or store your seed phrases or private keys. We do not enable staff access to sign transactions on your behalf.

If you decline to provide information we need by law or to enter into/perform a contract (e.g., KYC), we may be unable to provide some or all Services.

IV. How We Use Personal Data (Purposes)

  • Provide the Services: account creation, wallet connection, card issuance workflows, just-in-time conversion and authorization, notifications, customer support.
  • Security & abuse prevention: fraud detection, rate-limiting, anomaly and sanctions screening, incident response.
  • Legal & compliance: KYC/AML, record-keeping, audits, responding to lawful requests.
  • Improve the Platform: analytics, debugging, A/B testing, performance and UX improvements.
  • Preferences & personalization: language, region, content choices.
  • Communications: service messages, policy updates, transactional notifications.
  • Marketing (with your consent where required): news, product updates, and offers; you can opt out anytime.
  • Consent-based features: we will seek your consent for any purpose that requires it and allow withdrawal at any time (going forward).

V. Legal Bases (GDPR/UK GDPR where applicable)

We process Personal Data based on:

  • Contract — to provide and support the Services you request.
  • Legal obligation — to meet KYC/AML, accounting, and regulatory duties.
  • Legitimate interests — to secure, improve, and operate the Platform, prevent fraud/abuse, and support customer queries (balanced against your rights).
  • Consent — for non-essential cookies/analytics/ads and specific optional features.

VI. Automated Decisions & Profiling

We may use automated checks (e.g., fraud or sanctions screening, device risk assessments) to protect users and comply with laws. Where required, you may request human review of a decision that produces legal or similarly significant effects.

VII. How We Share Personal Data

We may share Personal Data with:

  • Issuers/payment networks/financial partners (to issue cards, authorize transactions, settle payments).
  • KYC/AML and fraud-prevention providers (to verify identity and comply with sanctions/AML rules).
  • Cloud, infrastructure, analytics, logging, error monitoring, and security vendors (to host and secure the Platform).
  • Customer support and communication tools (to handle inquiries and deliver notifications).
  • Professional advisers and auditors (under confidentiality).
  • Authorities and regulators when required by law or to protect rights, safety, and security.
  • Corporate transactions (e.g., merger or acquisition), subject to appropriate protections.

We do not sell your Personal Data. For regions that define "share" for cross-context behavioral advertising, we obtain consent where required and honor your choices.

Third-party websites and services linked from our Platform have their own privacy terms. Review those before using them.

VIII. International Transfers

We may process and store data outside your country. Where required, we use appropriate safeguards (e.g., EU Standard Contractual Clauses/UK IDTA, adequacy decisions) and implement technical/organizational measures to protect your data.

IX. Cookies & Similar Technologies

We use cookies, local storage, pixels, and SDKs to run and improve the Platform. Except for strictly necessary cookies, we set them only with your consent. See our Cookies Policy for details and controls.

X. Data Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, monitoring, and vendor due diligence. No system is 100% secure; we maintain incident response processes and will notify you and/or regulators of data breaches as required by law.

Help protect your account: use strong authentication, secure your devices, and never share wallet seed phrases or private keys with anyone—including TrueHold.

XI. Retention

We retain Personal Data only as long as necessary for the purposes in this Policy, including:

  • Transactional/Service data — for the life of your account and a reasonable period thereafter for support, dispute handling, and compliance.
  • KYC/AML records — typically 5 years or longer where local law requires.
  • Marketing preferences — until you opt out or request deletion (we may retain a suppression record).
  • Logs/analytics — for operational and security needs, typically on rolling schedules.

When data is no longer needed, we delete or irreversibly anonymize it, subject to legal holds.

XII. Your Rights

Depending on your location, you may have the right to:

  • Access your Personal Data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Delete/erase data (subject to legal/contractual limits).
  • Restrict or object to certain processing.
  • Portability — receive data in a machine-readable format and have it transmitted to another controller where technically feasible.
  • Withdraw consent at any time (does not affect prior processing).
  • Opt out of marketing and certain analytics/ads cookies.
  • Appeal certain automated decisions where applicable.
  • Complain to a supervisory authority (e.g., your local data protection authority).

We will verify your identity before acting on a request. We may decline or charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests as allowed by law.

XIII. Children's Privacy

The Services are not directed to individuals under 18. We do not knowingly collect Personal Data from children. If you believe a child has provided data to us, contact us and we will take appropriate action.

XIV. Region-Specific Notices

EU/EEA & UK

We rely on the legal bases in Section V and use SCCs/IDTA or adequacy for international transfers. You may contact your supervisory authority if you believe your rights were infringed.

California (CPRA)

We do not sell Personal Data. Where "sharing" for cross-context behavioral advertising applies, we do so only with consent and provide opt-out controls. You have rights to know, delete, correct, and limit use of sensitive Personal Data (where applicable).

Brazil (LGPD)

We process based on contract, legal obligation, and legitimate interest, and honor LGPD data subject rights.

(If we publish more detailed local addenda, they will supplement this Policy.)

XV. Changes to This Policy

We may update this Policy to reflect changes in our practices, technologies, or laws. We will post the updated Policy with a new "Last updated" date and notify you of material changes where required.

XVI. Contact Us

Questions, requests, or complaints about this Policy or your Personal Data?

Please include: your full name, country/region, the right you wish to exercise, and details of your request. We'll respond within applicable statutory deadlines (e.g., 30 days under GDPR, extendable where permitted).