Privacy Policy

1. Who we are

Heldby is a digital product developed and operated by a Swedish registered business, operating under Swedish and EU law. As the operator of Heldby, we act as the data controller for your personal data under the EU General Data Protection Regulation (GDPR).

2. What we collect and why

We collect only what is necessary to provide the Heldby service:

• Your name and email address — Collected when you create an account. Used solely to identify your account and communicate with you about your subscription.

• Your pillar data — Yours alone. Heldby provides a structured set of categories — insurance, accounts, medical details, documents, and more — designed to help you think through what might matter in an unexpected situation. What you add, how much detail you include, and what you leave blank is entirely your decision. No one at Heldby can read, access, or view what you enter. Not us. Not anyone.

• Payment information — Processed entirely by Stripe, our payment provider. Heldby never sees, stores, or has access to your card details.

• Session data — Essential cookies required to keep you logged in. We use no tracking cookies, no advertising cookies, and no analytics that identify you personally.

3. How your data is stored and protected

Your data is stored on EU-based servers operated by Supabase (Frankfurt, Germany) — one of the most trusted infrastructure providers in the industry.

We have implemented the following protections:

• Encryption at rest and in transit — All data is encrypted when stored and when transmitted between your device and our servers.

• Row-level security — Your pillar data is protected by row-level security (RLS). This means that at the database level, your data is mathematically isolated from every other user's data. No Heldby employee, system, or process can read your pillar content. Not us. Not anyone.

• Two-factor authentication — Available on your account to add an additional layer of security to your login.

• Zero data sharing — We do not sell, license, share, or use your data for any purpose other than providing the Heldby service. Your information is never used for advertising, profiling, or any third-party purpose.

4. Trusted person access

Heldby includes an optional trusted person feature. This is entirely your choice — you are not required to set one up.

If you choose to use this feature:

• —You select one person and grant them access to your account. Access is read-only — they can view your information but cannot edit or delete anything.
• —Access is protected by a private security key that you generate and share with your trusted person directly, in person or by secure means of your choosing. This key is never stored in readable form — we store only a cryptographic hash.
• —You receive an email notification every time your trusted person accesses your account.
• —You can remove your trusted person's access at any time, immediately, from your account settings.
• —All trusted person access is logged and available for you to review.

5. Your rights under GDPR

As a user of Heldby, you have the following rights under the EU General Data Protection Regulation:

• Right of access — You can request a copy of all personal data we hold about you at any time.

• Right to rectification — You can correct any inaccurate information in your account at any time.

• Right to erasure — You can request the permanent deletion of your account and all associated data. We will complete this within 30 days. During a 30-day grace period your account is suspended but not deleted, giving you the opportunity to cancel the request if you change your mind.

• Right to data portability — You can request an export of your data in a readable format.

• Right to restrict processing — You can ask us to restrict how we use your data while a complaint is being investigated.

• Right to object — You can object to any processing of your data that you believe is not justified.

To exercise any of these rights, contact us at hello@heldby.app. We will respond within 30 days.

6. Legal basis for processing

We process your personal data on the following legal bases under GDPR:

• Contract — Processing your name, email, and subscription information is necessary to provide the Heldby service you have paid for.

• Legitimate interests — Maintaining security access logs (such as login timestamps and trusted person access events) to protect your account and detect unauthorised access. These logs record when your account was accessed and by whom — they contain no pillar data whatsoever.

We do not process your data on the basis of consent, meaning you do not need to opt in or out of anything beyond your account registration.

7. Data retention

We retain your data for as long as your account is active. If you cancel your subscription, your data remains accessible until the end of your billing period. If you request account deletion, all data is permanently removed within 30 days.

We do not retain any data beyond what is necessary for the provision of the service.

8. Cookies

Heldby uses only essential session cookies — the minimum required to keep you securely logged in. We do not use tracking cookies, advertising cookies, or any cookies that identify you across other websites.

9. Changes to this policy

If we make material changes to this privacy policy, we will notify you by email before the changes take effect. The date at the top of this page will always reflect when it was last updated.

10. Contact and complaints

For any privacy-related questions or to exercise your rights, contact us at hello@heldby.app.

If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at www.imy.se, or with the data protection authority in your country of residence.