Last Updated: March 2026
At Hodlr., we believe privacy is a fundamental human right. This Privacy Policy explains how we collect, use, and protect your data in compliance with the General Data Protection Regulation (GDPR) and other applicable laws. Hodlr. is operated from Germany and subject to German and European data protection law.
1. Data Controller
The data controller responsible for the processing of your personal data is the operator of Hodlr. as identified in our Imprint. For all data protection inquiries, please contact us at support@hodlrbtc.com.
2. Data We Collect
To provide our services, we collect the following information:
- Profile Data: Email address, Full Name, Username, Date of Birth, and profile images. Authentication is handled via Firebase Authentication, including Google Sign-In. When you use Google Sign-In, Google shares your name, email address, and profile picture with us to create your account.
- Portfolio Data: Bitcoin addresses and balances. Note: Your wallet addresses are encrypted before storage. However, numeric fiat and BTC balances are stored unencrypted in our database (Firebase Firestore) to ensure cross-device synchronization and prevent data loss. We do not store your private keys or seed phrases.
- Device Tokens: We collect Firebase Cloud Messaging (FCM) tokens from your device to deliver push notifications such as price alerts and messenger notifications.
- Device & Analytics: We use Firebase Analytics to track app usage events (e.g., screens visited, milestones achieved, feature usage) to improve the app experience. Analytics data is collected using non-advertising device identifiers to help us fix bugs and improve performance.
- Location Data: With your explicit permission, we access your device's location to show nearby Bitcoin merchants on our map feature. Your coordinates are sent to the Overpass API (OpenStreetMap) to query merchant data. Location access can be revoked at any time through your device settings.
- Media & Files: Voice messages (microphone access), document uploads such as images and PDFs (storage access), and in-app contact sharing within the Nexus Messenger. In-app contact sharing only transmits Nexus user profiles between Nexus users within the app — no data from your device's phone contacts or external address book is accessed or transmitted.
3. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
- Contractual Necessity (Art. 6(1)(b) GDPR): Processing of your profile data, portfolio data, and messenger data is necessary to provide you with the Hodlr. service as agreed upon when you create an account.
- Consent (Art. 6(1)(a) GDPR): Location data is only processed with your explicit consent, which you grant via the device permission prompt. You may withdraw consent at any time by disabling location access in your device settings. Analytics tracking is based on your consent, which you can withdraw in the app settings.
- Legitimate Interest (Art. 6(1)(f) GDPR): We process device tokens for push notifications and anonymized usage data to maintain, secure, and improve the app. Our legitimate interest is ensuring reliable service delivery and ongoing product improvement. You may object to this processing at any time by contacting us.
4. Nexus Messenger & Encryption
Our Nexus Messenger utilizes AES-256 encryption for text messages. Each chat has its own unique encryption key that is derived deterministically — messages are encrypted before transmission and can only be decrypted by chat participants. We cannot read your private text conversations. However, group metadata, profile pictures, shared in-app contacts, and uploaded files (images, PDFs, and voice notes) are processed and stored through Firebase Storage and are not end-to-end encrypted.
5. Third-Party Services
We share strictly necessary data with trusted third parties to operate the app:
- Google Gemini (Pheus AI): Anonymized chat prompts, user focus metrics, and profile summaries are sent to Google to generate AI mentoring responses. Google's data processing terms apply.
- RevenueCat: Processes in-app purchases and manages your "Hodlr Prime" subscription status. RevenueCat receives your anonymous app user ID and purchase data.
- Firebase (Google): Hosts our database (Firestore), user authentication (including Google Sign-In), push notifications (Cloud Messaging), file storage (Firebase Storage), and app analytics (Firebase Analytics).
- Financial APIs: Mempool.space, CoinGecko, CryptoCompare, and Frankfurter API are queried to provide live market data. These services receive API requests from your device but no personal user data.
- OpenStreetMap / Overpass API: When you use the Bitcoin Merchant Map, your approximate location coordinates are sent to the Overpass API to query nearby merchants. OpenStreetMap's privacy policy applies.
- EmailJS: Processes your in-app feedback submissions. Your email address and feedback message are transmitted to EmailJS for delivery.
6. International Data Transfers
Some of our third-party service providers (including Google/Firebase, RevenueCat, and EmailJS) process data on servers located outside the European Economic Area (EEA), primarily in the United States. These transfers are safeguarded by EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, or by the EU-U.S. Data Privacy Framework where applicable. By using Hodlr., you acknowledge that your data may be transferred to and processed in countries outside the EEA under these safeguards. You may request further details about these safeguards by contacting us.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
- Account Data: Your profile and portfolio data are retained for as long as your account is active. When you delete your account, your data is deleted from our systems within 30 days.
- Messenger Data: Chat messages and shared files are retained for as long as the respective conversation exists. You can delete individual messages or entire chat histories at any time.
- Analytics Data: Anonymized analytics data is retained for up to 14 months in line with Firebase Analytics defaults.
- Feedback Submissions: Feedback sent via EmailJS is retained for as long as needed to address your inquiry, typically no longer than 12 months.
8. Non-Custodial Nature
Hodlr. is a non-custodial tracking and education application. We do not have access to your private keys or seed phrases. Local app access is secured by your device PIN or biometrics. We cannot recover your local data if you lose your PIN.
9. Minimum Age
Hodlr. is intended for users aged 16 and older in accordance with GDPR Article 8 and German data protection law. If you are under 16, you may only use Hodlr. with the consent of your parent or legal guardian. We do not knowingly collect personal data from children under 16 without parental consent. If we become aware that we have collected data from a child under 16 without appropriate consent, we will delete that data promptly.
10. Your GDPR Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): You can request correction of inaccurate personal data.
- Right to Erasure (Art. 17): You can request deletion of your personal data. You can delete your account, clear chat histories, and delete synced portfolio data directly within the app settings.
- Right to Restriction of Processing (Art. 18): You can request that we restrict the processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Object (Art. 21): You can object to processing based on legitimate interests at any time.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority for Rhineland-Palatinate is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI), Hintere Bleiche 34, 55116 Mainz, Germany (www.datenschutz.rlp.de).
To request complete deletion of your data or to exercise any of the above rights, contact us using the details below.
11. Contact Us
If you have questions about this policy or wish to exercise your data rights, please contact us at support@hodlrbtc.com.