Hola Privacy Policy

Effective date: 28 September 2025
Last updated: 28 September 2025

This Privacy Policy explains how Hola Finance ("Hola Finance", "we", "us", "our") processes personal data. We wrote this to be thorough so that it covers common and edge‑case scenarios, including support and engineering access for incident resolution. If anything here conflicts with mandatory law, the law prevails.

Quick summary (non‑binding)

  • We are based in Spain and comply with the EU GDPR.

  • We act as Controller for our website, account admin, billing, support, security, and marketing. We act as Processor for workspace data you upload/connect (invoices, expenses, files, mailbox imports, accounting/banking connections).

  • We store data in the EU (preference for Germany) and may use EU subprocessors; when transfers occur outside the EEA, we use Standard Contractual Clauses (SCCs) and safeguards.

  • We encrypt data in transit; passwords, API keys, and tokens are encrypted at rest. Other business records may not be encrypted at rest but are protected by access controls and infrastructure security.

  • After account closure, we anonymize workspace data where possible and keep the minimum identifiers needed to meet legal/audit/suppression obligations (first name, last name, email).

Controller: Harrison Spink (Tax ID: Y8624202K)
Trading name: Hola Finance
Address: Calle Granada 7, Vélez Rubio, 04820, Spain
Email: hello@hola.money

Table of contents

  1. Scope & roles

  2. What we collect

  3. Purposes & legal bases

  4. Sources of data

  5. Special cases (accountants & tax authorities)

  6. Subprocessors (register)

  7. Where we process data & international transfers

  8. Security measures

  9. Access by support & engineering (break‑glass)

  10. Data retention & deletion

  11. Your rights

  12. Children

  13. Cookies & tracking

  14. Mobile & local connectors

  15. Integrations & API

  16. Automated decision‑making

  17. Business transfers

  18. Complaints & contact

  19. Changes to this policy

  20. Key definitions


1) Scope & roles

Scope. This policy applies to our website, apps (including NativePHP mobile apps), APIs, and related services.

Roles.

  • Controller. We are Controller for account creation, billing and collections, security monitoring, abuse prevention, service communications, and our marketing.

  • Processor. For the content you upload or connect to your workspace (e.g., invoices, expenses, files, mailbox imports, accounting and banking data), we process as your Processor under Art. 28 GDPR. A summary DPA is in §16, and a signed DPA is available on request.

Your responsibilities as Controller. When you process personal data about your clients, suppliers, payers, and employees in Hola Finance, you (not Hola Finance) determine the purposes and means for that dataset. You are responsible for: providing notices to those data subjects, choosing a lawful basis, and responding to their rights requests; we will assist where proportionate.


2) What we collect

We only collect what is necessary to deliver and secure the service; some data is optional or collected only when you enable an integration.

2.1 Identity & account

  • First name, last name, email (minimum set we may retain post‑deletion for compliance logs and suppression lists)

  • Phone (optional), company name, role/title, country

  • Password (hashed), MFA/2FA secrets, session identifiers, API tokens

  • Billing profile, subscription plan, invoices/statements, payment status

2.2 Workspace/business content (you provide or connect)

  • Invoices & expenses (line items, amounts, taxes, currencies, dates) and attachments (images/PDFs)

  • Shared folders you connect and the files within those specific paths

  • Mailbox access you enable (designated folders/filters) to fetch invoices/receipts

  • Local folder connector/desktop agent (if enabled): we access only the specific folder you choose

  • Accounting: Xero, QuickBooks, FreeAgent connections and data you authorize

  • Open banking: transactions/balances via Plaid, as authorized by you

  • Payments: access tokens for Stripe, PayPal, GoCardless (we do not see card/PIN details)

  • Exchange rates: lookups via OpenExchange

2.3 Communications & support

  • Emails (headers/body), inbound/outbound processing logs (Postmark)

  • Live chat transcripts and metadata (Crisp), support tickets, call notes

  • WhatsApp/SMS messages you send us (through WhatsApp/Vonage/Nexmo), timestamps and metadata

2.4 Device, technical & usage

  • IP address, country/city approximations from IP, device & browser attributes, language, app version

  • Authentication and security events (success/failure, risk signals)

  • Error and performance telemetry, API usage metrics

2.5 Free tools on our website

  • For the free invoice tool: IP address, name, email, invoice amount (for delivery and anti‑abuse)

2.6 Avoid special categories

We do not intentionally collect special category data (e.g., health, beliefs). Please avoid uploading it unless it is strictly contained in business records (e.g., a receipt) and necessary for your processing.


3) Purposes & legal bases

We map each purpose to a lawful basis under the GDPR (Art. 6). Where multiple bases may apply, we rely on the most appropriate one for the context.

| Purpose | Examples | Legal basis |
|---|---|---|
| Provide & operate the service | Create workspaces; process invoices/expenses; connectors; search; export; notifications | Contract (Art. 6(1)(b)) |
| Payments & billing | Manage subscriptions; issue invoices to you; handle late payments | Contract; Legal obligation (tax) |
| Security & fraud | MFA, anomaly detection, rate‑limiting, abuse prevention; audit logs | Legitimate interests; Legal obligation |
| Support & incident response | Read minimum necessary logs/records to reproduce or fix an issue | Legitimate interests; Contract |
| Integrations you enable | Plaid, Xero, QuickBooks, FreeAgent; payment processors; OpenExchange | Contract; Consent where required by the integration |
| Analytics (privacy‑preserving) | Aggregated/anonymous metrics, service health; we may share raw numbers across customers without demographics | Legitimate interests |
| Legal & compliance | Accounting/tax record‑keeping; regulatory submissions (e.g., systems like Veri*factu if you request) | Legal obligation |
| Marketing & product updates | Customer emails about features; newsletters if opted in | Legitimate interests (soft opt‑in) or Consent |

We do not carry out automated decision‑making with legal or similarly significant effects (§16).


4) Sources of data

  • You: data you enter or upload; folders/mailboxes you explicitly connect.

  • Your systems & providers: accounting/banking/payment services you authorize.

  • Your users & counterparties: your clients/suppliers/payers who appear on invoices or who contact support.

  • Automatically: logs/telemetry created by your use of the service.


5) Special cases (accountants & tax authorities)

At your request, we will share or submit data to:

  • Your accountant (or a firm you link in the dashboard). Your accountant acts as an independent Controller under their agreement with you. If an accountant requests data via our dashboard, they must attest they have authority; they are responsible for the truthfulness of that attestation.

  • Tax authorities/platforms (e.g., systems like Veri*factu, depending on your country). We transmit only the data you instruct us to submit.


6) Subprocessors (register)

We do not sell personal data. We use vetted providers under Art. 28 agreements. Processing locations are in the EEA unless noted, with SCCs and safeguards for extra‑EEA processing.

| Provider | Role / data processed | Typical location |
|---|---|---|
| Laravel Cloud (incl. AWS, Cloudflare object storage sold via Laravel Cloud) | App hosting, databases, object storage, CDN | EU regions (preference: Germany) or SCCs if outside |
| Hetzner | Object storage, backups, failover infrastructure | EU (primarily Germany) |
| Backblaze | Encrypted off‑site backups; replication to our local facility | EU/EEA; SCCs where applicable |
| OpenAI (API) | Assistive extraction/classification of receipts/expenses; prompts minimized/redacted where feasible; no model training on your data per our instructions | EEA/US with SCCs |
| Postmark | Inbound/outbound email processing and delivery | EU/US with SCCs |
| Microsoft 365 | Support/CS email, docs and spreadsheets | EU/US with SCCs |
| Crisp | Live chat widget and helpdesk | EU/EEA |
| Vonage/Nexmo; WhatsApp (Meta) | SMS/WhatsApp transport if you contact us | EEA/US with SCCs |
| Stripe, PayPal, GoCardless | Your customers’ payments to you; we store tokens, not full card data | EEA/US/UK with SCCs/adequacy |
| Plaid | Open banking (transactions/balances) when enabled | EU/US/UK with SCCs/adequacy |
| Xero, QuickBooks, FreeAgent | Accounting integrations you enable | EEA/US/UK/NZ with SCCs/adequacy |
| OpenExchange | Exchange‑rate lookups | EEA/US with SCCs |

Changes. We may update subprocessors. For material changes/additions, we will provide at least 30 days’ notice in‑app and/or by email, so you can object or disable the affected integration. Where an objection cannot be resolved, your remedy is to disable the integration or terminate the affected service.


7) Where we process data & international transfers

We store data in the EEA (preference: Germany). Some providers may process data outside the EEA. When that happens, we use SCCs (and additional measures if needed). You may request copies of relevant SCCs (redacted for confidentiality).


8) Security measures

We maintain administrative, technical, and organizational measures appropriate to risk, including:

  • Transport security: TLS, HSTS; modern ciphers; certificate management.

  • Encryption at rest: passwords, API keys, OAuth tokens, and other secrets. Business records (e.g., invoice PDFs) may not be encrypted at rest but are protected by access controls.

  • Access controls: role‑based access, least privilege, periodic access reviews, mandatory staff MFA/SSO.

  • Network security: segmentation, firewalls, WAF/CDN, DDoS protections.

  • Vulnerability & patch management: regular patching, dependency monitoring, third‑party vulnerability intel.

  • Backups: encrypted backups; restore testing; geographically separate storage.

  • Secure development: code review, secret scanning, CI checks; synthetic/masked data in lower environments.

  • Monitoring & logging: security event logging and anomaly detection; tamper‑resistant logs.

  • Incident response: runbooks, on‑call rotation, breach notification procedures (see §18).


9) Access by support & engineering (break‑glass)

Sometimes we must access limited data to reproduce, diagnose, or fix an issue you report, or to investigate security incidents. We apply:

  • Just‑in‑time, least‑privilege access with time‑bound approvals.

  • Ticket‑linked access: access requires a support ticket/incident reference specifying scope and purpose.

  • Audit logging of privileged actions; periodic review.

  • Confidentiality: staff and contractors are bound by confidentiality and complete security training.

  • Data minimization: we prefer masked/synthetic data; if production samples are strictly necessary, they are minimized, separately stored, and promptly deleted after use.


10) Data retention & deletion

We keep data only as long as necessary for the purposes described above or as required by law. Typical schedules:

10.1 Operational

  • Active customers: retained for the life of the account.

  • Closed accounts: we start deletion/anonymization within 30 days unless legal retention requires longer.

  • Backups: point‑in‑time backups are retained on rolling schedules (typically up to 90 days) and then overwritten.

10.2 Legal retention (Spain/EU)

  • Accounting/business records: 6 years from the last entry (Spanish Commercial Code, Art. 30).

  • Tax/VAT invoices & supporting docs: generally 4 years (General Tax Law statute of limitations).

  • Anti‑money laundering (if applicable in the future): up to 10 years for AML records.

If two periods apply, we keep the longer one for that record type. Where possible, we anonymize data while retaining what is strictly required to demonstrate compliance.

10.3 Post‑deletion minimal identifiers

After account deletion, we retain the minimum necessary identifiers (first name, last name, email) in:

  • Audit and payment records we are legally required to keep.

  • Suppression lists to ensure we honor marketing opt‑outs.

  • Security logs for fraud/abuse detection for a limited period (typically up to 12 months).

10.4 Destruction

When retention periods expire, we securely delete or anonymize data. Media‑level destruction follows provider practices; logical deletion removes records from active systems and, over time, from backups as they roll off.


11) Your rights (GDPR)

You can contact us at hello@hola.money to:

  • Access or export your data.

  • Correct inaccuracies. (We cannot change already‑issued invoices except via lawful adjustments/credit notes.)

  • Delete data (subject to the retention above).

  • Object to or restrict processing (e.g., marketing).

  • Port data to another provider.

We will respond within one month (extendable by two further months for complex requests, with notice). We will verify your identity and may ask for additional details to locate the data.


12) Children

Our services are designed for businesses and professional users. While anyone can technically sign up, we do not knowingly collect data from children under 16 without appropriate consent. If we learn that such data was provided without proper consent, we will delete it.


13) Cookies & tracking

  • Strictly necessary: session/authentication, CSRF, load‑balancing.

  • Support/communications: live‑chat cookies if you open the widget.

  • Analytics: aggregated, privacy‑preserving metrics; no cross‑site advertising cookies.

You can control cookies in your browser; essential cookies are required for core functionality.


14) Mobile & local connectors

  • Camera: optional, to scan/attach receipts.

  • Local folder connector: scope is limited to the path you specify; you can revoke it at any time.


15) Integrations & API

  • You choose which integrations to connect (Plaid, Xero, QuickBooks, FreeAgent, Stripe, PayPal, GoCardless, OpenExchange, etc.).

  • Our API requires your own token and does not expose your personal data to third parties unless you authorize them.

  • When you instruct us to send data to an accountant or tax authority, we act as your Processor for that operation. The recipient (e.g., your accountant) is a separate Controller under their own terms with you.


16) Automated decision‑making

We do not perform automated decision‑making that produces legal or similarly significant effects about you. Some features (e.g., assistive extraction/classification of receipts) involve automated processing to help classify data, but final decisions remain with you.


17) Business transfers

If we undergo a merger, acquisition, reorganization, or asset sale, personal data may be transferred to the acquiring entity subject to contractual guarantees and continuity of this policy (or a policy that offers materially similar protections). You will be notified of material changes and given options consistent with the law.


18) Complaints & contact

  • Contact us: hello@hola.money; postal address in the header.

  • Supervisory authority: You can lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or with your local EU authority. We prefer you contact us first so we can try to resolve your concern quickly.

Breach notifications. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours where required and inform affected users without undue delay, including steps you can take to mitigate harm.


19) Changes to this policy

We may update this policy to reflect changes in our practices or the law. We will update the “Last updated” date and, for material changes (e.g., new subprocessors or purposes), provide advance notice in‑app and/or by email.


20) Key definitions

  • Controller: the person or entity that determines the purposes and means of processing.

  • Processor: the person or entity that processes personal data on behalf of the Controller.

  • Personal data: any information relating to an identified or identifiable natural person.

  • SCCs: Standard Contractual Clauses approved by the European Commission for data transfers outside the EEA.


Data Processing Addendum (DPA) — summary

When we act as Processor for your workspace data:

  • Instructions: we process only on your documented instructions (your settings, API calls, written requests).

  • Confidentiality: staff are under confidentiality obligations.

  • Security: measures described in §§8–9.

  • Subprocessors: listed in §6; we’ll notify material changes and allow objection/disablement.

  • Assistance: we help you with data subject requests and DPIAs to a proportionate extent.

  • Breach notice: we will notify you without undue delay after becoming aware of a personal data breach affecting your data.

  • Return/Deletion: upon termination, we delete or return personal data per your choice, subject to legal retention.

  • Audits: we provide security summaries/certifications and reasonable audit cooperation under confidentiality, without revealing other customers’ data or trade secrets.


If you need a signed DPA, please email hello@hola.money.




Hola Money 🤫

Don't tell anyone but we're launching multi-currency business bank accounts, free transfers and team debit cards in 2026!
