Privacy Policy — PLAIDRY

1. Introduction

PLAIDRY (accessible at plaidry.com) is a digital marketplace platform operated by HSU HOLDING LLC, a Wyoming limited liability company. This Privacy Policy describes how we collect, use, store, share, and protect your personal data when you access or use the PLAIDRY platform, including our website, applications, and all related services.

We are committed to protecting your privacy and ensuring that your personal data is handled responsibly and in compliance with applicable data protection laws, including but not limited to:

General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 of the European Parliament and of the Council
California Consumer Privacy Act (CCPA) — California Civil Code Section 1798.100 et seq., as amended by the California Privacy Rights Act (CPRA)
Other applicable state and federal privacy laws of the United States

By accessing or using PLAIDRY, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you should discontinue use of the platform immediately.

2. Data Controller

The data controller responsible for the processing of your personal data is:

Entity	HSU HOLDING LLC
Address	30 N Gould St, Ste N, Sheridan, WY 82801, United States
EIN	35-2903221
Sole Member	Erik Cenador Hsu
Contact Email	soporte@plaidry.com

For all inquiries related to data protection, privacy rights, or this policy, please contact us at soporte@plaidry.com. We will respond to your request within 30 days in accordance with applicable law.

3. What Data We Collect and Why

3.1 Purposes of Data Processing

We process personal data for the following purposes:

Account creation, authentication, and management on the PLAIDRY platform
Facilitation of transactions between buyers and sellers (creators) on the marketplace
Payment processing, invoicing, and financial record-keeping
Communication with users regarding their accounts, orders, and platform updates
Customer support and dispute resolution
Platform improvement, analytics, and performance optimization
Fraud prevention, security monitoring, and abuse detection
Compliance with legal and regulatory obligations
Marketing and promotional communications (with your consent where required)

3.2 Categories of Personal Data

We collect and process the following categories of personal data:

Category	Data Types	Purpose
Identification Data	Full name, date of birth, government-issued ID (when required for verification), taxpayer identification number	Account creation, identity verification, legal compliance (KYC/AML)
Online Profile Data	Username, profile picture, bio/description, portfolio links, social media handles, skills and categories	Public profile display, marketplace functionality, search and discovery
Contact Data	Email address, phone number, physical address (when required for invoicing or shipping)	Communications, invoicing, customer support, account recovery
Technical Data	IP address, browser type and version, operating system, device identifiers, screen resolution, referral URLs, session duration	Platform security, analytics, performance optimization, fraud detection
Transaction Data	Order history, payment amounts, payment method details (tokenized), billing information, refund records, payout history	Payment processing, financial record-keeping, dispute resolution, tax compliance
Usage Statistics	Pages visited, features used, click patterns, search queries, time spent on pages, interaction frequency	Product improvement, UX optimization, analytics, personalized recommendations
Preferences	Language settings, notification preferences, communication opt-ins, display settings, saved searches and favorites	Personalization, user experience customization, marketing preferences
Security Records	Login timestamps, authentication logs, password change history (hashed), two-factor authentication status, suspicious activity flags	Account security, fraud prevention, audit trails, incident investigation

4. Recipients of Personal Data

Your personal data may be shared with the following categories of recipients:

4.1 Data Processors

We engage third-party service providers who process personal data on our behalf, under our instructions and in accordance with written data processing agreements. These processors include infrastructure providers, payment processors, email service providers, analytics platforms, and customer support tools.

4.2 Independent Controllers

In certain circumstances, your data may be shared with entities that act as independent data controllers, including:

Payment providers — to process payments and comply with financial regulations
Government authorities — when required by law, regulation, or valid legal process
Professional advisors — legal counsel, auditors, and accountants where necessary

4.3 Social Networks

If you choose to link your PLAIDRY account to social media platforms (such as connecting your Instagram, TikTok, YouTube, or X/Twitter account for profile verification or portfolio display), limited profile data may be shared with or received from those platforms in accordance with their respective privacy policies and your authorization settings.

4.4 Safeguards for Data Transfers

When we share personal data with third parties, we ensure appropriate safeguards are in place, including:

Written data processing agreements that comply with Article 28 GDPR
Standard Contractual Clauses (SCCs) approved by the European Commission for international transfers
Verification that recipients maintain adequate security measures
Data minimization — we share only the minimum data necessary for the specified purpose

5. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

Legal Basis	GDPR Article	Application
Performance of a Contract	Art. 6(1)(b)	Processing necessary for the performance of the contract between you and PLAIDRY, including account creation, transaction facilitation, payment processing, and service delivery.
Legal Obligation	Art. 6(1)(c)	Processing necessary for compliance with legal obligations to which HSU HOLDING LLC is subject, including tax reporting, financial record-keeping, anti-money laundering (AML) regulations, and responses to lawful requests from governmental authorities.
Legitimate Interests	Art. 6(1)(f)	Processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement, analytics, and the enforcement of our Terms of Service. We conduct balancing tests to ensure our interests do not override your fundamental rights and freedoms.
Consent	Art. 6(1)(a)	Processing based on your freely given, specific, informed, and unambiguous consent, including marketing communications, non-essential cookies, and optional data sharing with third parties. You may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.

6. International Transfers

PLAIDRY is operated by HSU HOLDING LLC from the United States. If you are accessing our platform from outside the United States, including from the European Economic Area (EEA), the United Kingdom, or other jurisdictions, please be aware that your personal data will be transferred to, stored, and processed in the United States.

The United States may not provide the same level of data protection as your home jurisdiction. To ensure adequate protection of your personal data when transferred internationally, we implement the following safeguards:

Standard Contractual Clauses (SCCs) — We use the European Commission-approved Standard Contractual Clauses as the primary mechanism for transfers of personal data from the EEA to the United States.
Supplementary Measures — Where necessary, we implement additional technical and organizational measures to ensure the effectiveness of the transfer mechanism, including encryption in transit and at rest, access controls, and data minimization.
Transfer Impact Assessments — We conduct assessments of the legal framework in recipient countries to evaluate whether additional safeguards are required.

By using PLAIDRY, you acknowledge and consent to the transfer of your personal data to the United States, subject to the safeguards described above.

7. Personal Data Security

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.

7.1 Infrastructure Providers

PLAIDRY relies on the following trusted infrastructure and service providers:

Provider	Service	Security Standards
Supabase	Database, authentication, and backend services	SOC 2 Type II compliant, data encryption at rest (AES-256) and in transit (TLS 1.2+), row-level security, regular security audits
Vercel	Frontend hosting and edge network	SOC 2 Type II compliant, global CDN with DDoS protection, automatic HTTPS, isolated build environments
Resend	Transactional email delivery	TLS encryption, SPF/DKIM/DMARC authentication, SOC 2 compliant, minimal data retention
Sentry	Error monitoring and performance tracking	SOC 2 Type II compliant, data scrubbing for PII, encryption at rest and in transit, configurable data retention

7.2 Security Measures

We implement the following security measures across the PLAIDRY platform:

Encryption — All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Sensitive data fields (payment tokens, identity documents) receive additional encryption layers.
Authentication — Secure authentication mechanisms including bcrypt password hashing, optional two-factor authentication (2FA), session management with automatic expiration, and OAuth 2.0 integration for social logins.
Access Logs — Comprehensive audit logs of all administrative access, data modifications, and security events. Logs are retained for a minimum of 12 months and are regularly reviewed for anomalies.
Backups — Automated daily backups with point-in-time recovery capability. Backups are encrypted and stored in geographically separate locations. Recovery procedures are tested regularly.
Access Controls — Role-based access control (RBAC) ensuring that employees and contractors access only the minimum data necessary for their role. All access is logged and auditable.
Vulnerability Management — Regular security assessments, dependency scanning, and prompt patching of identified vulnerabilities.

8. Personal Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. We apply the principle of data minimization throughout the data lifecycle.

8.1 Active Accounts

While your PLAIDRY account remains active, we retain all personal data necessary for the operation of your account and the provision of our services. You may request deletion of specific non-essential data at any time by contacting us at soporte@plaidry.com.

8.2 Post-Closure Retention

Upon account closure or deletion, we follow these retention practices:

Transaction records — Retained for a minimum of 7 years after the last transaction, as required by tax and financial regulations (IRC Section 6501, Wyoming Business Corporation Act).
Tax-related information — Retained for a minimum of 7 years in compliance with IRS requirements.
Communication records — Retained for 3 years after account closure for dispute resolution and legal compliance purposes.
Security logs — Retained for 12 months after account closure for fraud investigation and audit purposes.
Profile data and content — Deleted or anonymized within 30 days of account closure, unless retention is required for legal purposes.
Marketing data — Deleted immediately upon account closure or upon withdrawal of consent, whichever occurs first.

After the applicable retention period expires, personal data is securely deleted or irreversibly anonymized so that it can no longer be associated with an identified or identifiable individual.

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner.

9.1 Rights Under GDPR (Arts. 15–22)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR:

Right of Access (Art. 15) — You have the right to obtain confirmation as to whether your personal data is being processed, and if so, to access that data along with information about the purposes, categories, recipients, retention periods, and your rights.
Right to Rectification (Art. 16) — You have the right to have inaccurate personal data corrected and incomplete data completed without undue delay.
Right to Erasure (Art. 17) — You have the right to request the deletion of your personal data where the data is no longer necessary, you withdraw consent, you object to processing, or the data was unlawfully processed. This right is subject to exceptions for legal compliance and the exercise of legal claims.
Right to Restriction (Art. 18) — You have the right to request the restriction of processing where you contest the accuracy of data, the processing is unlawful, we no longer need the data, or you have objected to processing pending verification.
Right to Object (Art. 21) — You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, processing shall cease immediately.
Right to Data Portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Right Not to Be Subject to Automated Decision-Making (Art. 22) — You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significant effects concerning you.

9.2 Rights Under CCPA/CPRA

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:

Right to Know — You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we share it.
Right to Delete — You have the right to request the deletion of personal information we have collected, subject to certain exceptions.
Right to Correct — You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing — PLAIDRY does not sell your personal information. If this practice changes, we will provide a clear opt-out mechanism.
Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights.

9.3 Exercising Your Rights

To exercise any of the rights described above, please contact us at:

Email: soporte@plaidry.com

When submitting a request, please include sufficient information to verify your identity (such as your account email address and full name). We may request additional information to verify your identity before processing your request.

We will respond to your request within 30 days (or within 45 days for CCPA requests, with the possibility of a 45-day extension upon notice). If we cannot fulfill your request, we will provide an explanation of the reasons and inform you of your right to lodge a complaint with a supervisory authority.

10. Changes to the Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or platform functionality.

When we make material changes to this policy, we will:

Update the "Last updated" date at the top of this page
Provide prominent notice on the PLAIDRY platform (e.g., banner notification, in-app alert)
Send an email notification to registered users at the email address associated with their account, where required by law or where the changes significantly affect the processing of personal data

Your continued use of PLAIDRY after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the updated policy, you should discontinue use of the platform and request the deletion of your account and personal data.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

11. Complaints to Supervisory Authorities

If you believe that our processing of your personal data violates applicable data protection laws, you have the right to lodge a complaint with a competent supervisory authority.

11.1 European Union

If you are located in the EEA, you may lodge a complaint with the data protection supervisory authority of your Member State of habitual residence, place of work, or place of the alleged infringement. For users in Spain, the competent authority is:

Agencia Espanola de Proteccion de Datos (AEPD)
C/ Jorge Juan 6, 28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 901 100 099

A full list of EEA supervisory authorities is available on the European Data Protection Board website at edpb.europa.eu.

11.2 United States

If you are located in the United States, you may file a complaint with:

Federal Trade Commission (FTC)
600 Pennsylvania Avenue, NW, Washington, DC 20580
Website: www.ftc.gov
Phone: 1-877-FTC-HELP (1-877-382-4357)

California residents may also file a complaint with the California Attorney General's Office or the California Privacy Protection Agency (CPPA).

PLAIDRY · HSU HOLDING LLC · 30 N Gould St, Ste N, Sheridan, WY 82801 · soporte@plaidry.com