What is PayHeld and how does it work?

PayHeld is a payment protection platform for freelancers and clients. When a client pays, funds are securely held by Stripe until the work is complete. Both parties approve the release, or payment auto-releases after 7 days. This protects both freelancers (guaranteed payment) and clients (only pay for completed work).

How much does PayHeld cost?

PayHeld charges a 5% platform fee when payments are released. This is significantly lower than Upwork (20% fee) and Fiverr (20% fee). There are no monthly subscriptions, no hidden fees, and no upfront costs. You only pay when you successfully complete a transaction.

Is PayHeld safe and secure?

Yes. PayHeld uses Stripe Connect for all payment processing, providing bank-level security with 256-bit encryption. Funds are held securely by Stripe until work is approved. We never store credit card information, and all transactions are PCI-DSS compliant. Your money is protected by Stripe's fraud detection and dispute resolution systems.

How is PayHeld different from Upwork or Fiverr?

PayHeld has 75% lower fees (5% vs 20%), no forced marketplace (you bring your own clients), payment links that work without accounts, and faster payouts. Unlike Upwork and Fiverr, you keep full control of your client relationships and don't compete in a crowded marketplace. Perfect for freelancers who find their own clients.

Do I need an account to use PayHeld?

Clients don't need an account to pay via payment links. Freelancers need a free account to receive payments and connect their Stripe account. Account setup takes less than 5 minutes with email verification and Stripe Connect onboarding.

When do I get paid as a freelancer?

Funds release when the client approves your work, or automatically after 7 days if there's no dispute. Once released, money transfers to your bank account within 1-2 business days via Stripe. You can also request early release if both parties agree.

What happens if there's a dispute?

If there's a dispute, both parties can submit evidence through PayHeld's dispute resolution system. Our team reviews all evidence and makes a fair decision based on the project agreement, deliverables, and communication. The dispute process typically takes 3-5 business days.

Can I use PayHeld for international payments?

Yes! PayHeld supports global payments in 135+ currencies through Stripe. Both clients and freelancers can be anywhere in the world. Currency conversion is handled automatically, and payouts work in most countries where Stripe is available.

What types of projects can I use PayHeld for?

Any freelance or contractor work: web development, design, writing, marketing, video production, consulting, virtual assistance, and more. PayHeld works for one-time projects, recurring work, milestone-based contracts, and hourly agreements. Both online and local services are supported.

How does PayHeld compare to traditional payment methods?

PayHeld is specifically built for freelance work with lower fees (5%), faster setup, and features like payment links, milestone tracking, and automatic dispute resolution. Unlike direct bank transfers or PayPal, PayHeld holds funds securely until work is approved, protecting both parties. Optimized for $50-$50,000 freelance projects.

Privacy Policy | PayHeld

1. Introduction

This Privacy Policy ("Policy") governs the collection, processing, use, and disclosure of personal information by PayHeld, Inc. ("PayHeld," "we," "our," or "us") in connection with the payment processing and escrow services provided through the PayHeld Platform (as defined in our Terms of Service).

1.1 BINDING AGREEMENT

By accessing or using the PayHeld Platform, creating an Account, or engaging in any Transaction through our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. This Policy forms an integral part of the legally binding agreement between you and PayHeld, as set forth in our Terms of Service (Version 3.0.0).

IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU MUST NOT ACCESS OR USE THE PLATFORM OR SERVICES.

1.2 SCOPE OF APPLICATION

This Policy applies to:

(a) All Users of the PayHeld Platform, including Clients, Freelancers, and Visitors; (b) All personal information collected through the Platform, Website, mobile applications, and related services; (c) Information obtained from third-party sources for identity verification, fraud prevention, and legal compliance; (d) Communications between Users, between Users and PayHeld, and with third-party service providers; and (e) All processing activities conducted by PayHeld and its authorized Data Processors.

1.3 INTEGRATION WITH TERMS OF SERVICE

This Policy must be read in conjunction with:

(a) PayHeld Terms of Service (Version 3.0.0), which governs the contractual relationship between PayHeld and Users; (b) PayHeld Payment Processing Terms, which define specific obligations related to payment transactions; (c) PayHeld Escrow Agreement, which establishes the legal framework for fund holding and disbursement; and (d) Any additional terms applicable to specific services or features.

In the event of conflict between this Policy and the Terms of Service, the Terms of Service shall prevail with respect to service usage rights and obligations, while this Policy shall prevail with respect to data processing and privacy matters.

1.4 ACCEPTANCE AND CONSENT

Your use of the PayHeld Platform constitutes your acknowledgment and acceptance of the data collection, processing, and sharing practices described in this Policy. Specific processing activities requiring explicit consent (including marketing communications, biometric data collection, and automated decision-making) will be identified separately, and you may withdraw such consent at any time through your Account Settings or by contacting our Data Protection Officer.

Continued use of the Platform following the Effective Date of this Policy, or following any material modifications to this Policy, constitutes your acceptance of such changes.

1.5 POLICY MODIFICATIONS

PayHeld reserves the right to modify this Privacy Policy at any time in accordance with applicable law. Material changes to this Policy will be communicated through:

(a) Email notification to the email address associated with your Account; (b) Prominent notice on the Platform homepage and within the Account dashboard; (c) In-app notification requiring acknowledgment for continued use; or (d) Any other method reasonably designed to provide notice under applicable law.

Material modifications will become effective thirty (30) days after notice is provided, unless a longer period is required by law. Non-material modifications (including updates to contact information, clarifications of existing practices, or changes required by law) will become effective immediately upon posting.

You are responsible for reviewing this Policy periodically. PayHeld will maintain a version history of this Policy, which is available upon request to our Data Protection Officer.

1.6 CONTACT INFORMATION

For questions, concerns, or requests regarding this Privacy Policy or PayHeld's data processing practices, please contact:

Data Protection Officer PayHeld, Inc. Email: dpo@payheld.com

For specific privacy rights requests (access, deletion, portability, etc.), please use our Privacy Portal at https://payheld.com/privacy or email privacy@payheld.com. PayHeld will respond to all verified requests within the timeframes required by applicable law (typically thirty (30) days, with possible extension for complex requests).

2. Information We Collect

PayHeld collects, processes, and stores various categories of personal information necessary to provide payment processing and escrow services, ensure legal compliance, prevent fraud, and improve the Platform. The specific information collected depends on your role (Client, Freelancer, or Visitor), the services you use, and applicable regulatory requirements.

2.1 ACCOUNT INFORMATION

When you create an Account or update your profile, PayHeld collects:

(a) Identity Information: Full legal name (first and last name combined in a single field).

NOTE: PayHeld does NOT collect date of birth, nationality, or citizenship status during account creation. Such information may be collected later during identity verification for compliance purposes (see Section 2.3).

(b) Contact Information: Email address (primary only; no backup email). Phone number may be requested for compliance purposes but is not required during account creation.

NOTE: PayHeld does NOT collect mailing addresses or physical addresses during account creation. Such information may be collected during payment processing onboarding.

NOTE: PayHeld does NOT collect security questions or multi-factor authentication settings during account creation. MFA can be configured later in Account Settings.

(d) Business Information (for business accounts): Company name (optional field for clients).

NOTE: PayHeld does NOT collect EIN, business type, DBA names, business registration documents, or beneficial ownership information during account creation. Such information is collected later during payment onboarding for freelancers who wish to receive payments.

(e) Tax Information: PayHeld does NOT collect tax information during account creation. Tax information (including SSN/TIN, W-9/W-8 forms, and tax residency) is collected later through payment processor onboarding when users wish to receive payments. See Section 2.2 for payment-related information collection. All tax IDs are encrypted at rest using AES-256 encryption and are only decrypted when necessary for tax reporting or legal compliance.

(f) Profile Information: Profile photograph or avatar (optional), professional biography (optional), skills and expertise tags (optional), language preferences, timezone settings, portfolio links (website field), professional certifications (optional, added via profile settings).

NOTE: PayHeld does NOT collect education history or employment history as structured data. Users may include such information in their biography text field.

(g) Additional Account Information Collected During Registration or Profile Setup:

Account Type: Whether you register as a Client (hiring talent) or Freelancer (offering services);
Terms Acceptance: Timestamp and IP address of your acceptance of our Terms of Service and Privacy Policy;
Referral Information: If you sign up via a referral link, we collect the referral code to credit the referring user;
Professional Title: Your job title or professional role (e.g., "Senior Full Stack Developer");
Hourly Rate: Your billing rate for freelance services (freelancers only, optional);
Location: City/region for display on your profile (optional);
Response Time: Estimated time to respond to client inquiries (freelancers only, optional);
Availability Status: Current availability for new projects (e.g., "Available Now", "Available in 1 Week");
Company Information: Company name, company size, industry, and project types (clients only, optional);
Privacy Preferences: Profile visibility settings (Public, Logged-In Users Only, Private), email visibility, and messaging preferences.

2.2 PAYMENT INFORMATION

To process Transactions and comply with payment card industry standards, PayHeld collects:

(a) Payment Method Details: Tokenized payment card data (we never store full card numbers; only tokenized references provided by Stripe, Inc.), card type (Visa, Mastercard, American Express, Discover), card last four digits, card expiration date, cardholder name, billing address associated with payment method; (b) Bank Account Information: Bank account number and routing number (encrypted and tokenized), account holder name, bank name and address, account type (checking or savings), SWIFT/BIC codes for international transfers, IBAN for European accounts; (c) Transaction History: Payment amounts and currency, transaction dates and timestamps, payment method used, transaction status (pending, completed, failed, refunded), escrow hold periods, milestone payment schedules, invoice numbers and references; (d) Billing Information: Invoices generated through the Platform, payment receipts and confirmations, fee calculations (Platform Fees, Stripe processing fees), tax withholding calculations (as applicable), refund history, chargeback records.

(e) Fraud Detection and Risk Assessment Data: To protect Users and the Platform from fraudulent transactions, PayHeld collects and stores fraud-related metadata for each payment transaction, including:

- IP address from which payment was initiated
- Device fingerprint (browser user agent, device type, operating system)
- Geographic data (card issuing country, billing country, IP geolocation)
- Risk scoring data (fraud risk score, risk level assessment, authentication status)
- Card fingerprint (unique identifier to detect card reuse across accounts)
- Transaction velocity metrics (frequency and timing of payment attempts)
- Fraud flags and detection reasons (if payment is flagged as suspicious)

This information is processed based on our Legitimate Interest (GDPR Article 6(1)(f)) in preventing fraud and protecting Users from financial harm. You may request details about fraud detection data stored for your account by contacting privacy@payheld.com.

(f) Saved Payment Methods: If you choose to save payment methods for future transactions, PayHeld stores the following information for each saved payment method:

- Payment method type (card, bank account)
- Card details: brand, last 4 digits, expiration date, cardholder name, card fingerprint
- Bank account details: bank name, last 4 digits of account number, account type
- Complete billing address associated with the payment method (name, email, phone, street address, city, state, postal code, country)
- Usage tracking: date of last use, total number of times used
- Default payment method flag

You can view, edit, or delete saved payment methods through your Account Settings at any time. Deleting a saved payment method removes it from our active database but may be retained in backup systems for up to 90 days.

(g) Payout Settings and Withdrawal Controls: For Freelancers who receive payments through the Platform, PayHeld stores payout preferences and account controls, including:

- Instant payout preferences and fee acceptance
- Scheduled payout frequency (manual, daily, weekly, monthly)
- Minimum payout threshold amount
- Preferred payout method (bank transfer, ACH, wire transfer)
- Maximum daily and single payout limits (for risk management)
- Payout hold status (whether withdrawals are temporarily restricted)
- Manual approval requirements (for high-risk accounts)

Payout restrictions may be imposed based on account verification status, compliance requirements, or fraud risk assessment. If your account is subject to payout holds or limits, you will be notified via email and can request review by contacting support@payheld.com.

2.3 IDENTITY VERIFICATION INFORMATION

To comply with Know Your Customer (KYC), Anti-Money Laundering (AML), and Counter-Terrorist Financing (CTF) regulations, PayHeld collects:

(a) Government-Issued Identification: Driver's license (front and back), passport (photo page), national identity card, permanent resident card, work authorization documents; (b) Proof of Address: Utility bills (electricity, water, gas) dated within the last 90 days, bank statements showing current address, government-issued correspondence (tax notices, voter registration), lease agreements or mortgage statements; (c) Beneficial Ownership Information (for business accounts exceeding $3,000 in annual transaction volume): Names and addresses of individuals owning 25% or more of the business, control persons (CEO, CFO, COO, etc.), corporate structure documentation, articles of incorporation or organization; (d) Source of Funds Documentation (for transactions exceeding $10,000): Employment verification letters, business revenue statements, investment account statements, documentation of inheritance or gifts, sale of assets documentation; (e) Enhanced Due Diligence (for high-risk jurisdictions or high-volume users): Additional identity verification through Stripe Identity or similar services, video verification calls, notarized declarations, third-party attestations.

2.4 PROFILE AND PROFESSIONAL INFORMATION

For Freelancers creating public profiles or Clients posting Projects, PayHeld collects:

(a) Portfolio Information: Work samples, case studies, project descriptions, client testimonials (with permission), awards and recognition, published articles or media, GitHub repositories or code samples, design portfolios (Behance, Dribbble links); (b) Professional Credentials: Educational degrees and institutions, professional certifications (PMI, AWS, Google, etc.), licenses and registrations, continuing education records, professional memberships; (c) Work History: Previous employment (employer name, dates, role), freelance project history on PayHeld Platform, earnings history and statistics, client ratings and reviews, dispute history (visible to administrators only); (d) Skills and Expertise: Self-reported skills and proficiency levels, endorsements from other Users, skill assessments and test results, specialized expertise areas.

- Tax identification information (SSN, EIN, or foreign tax ID) - encrypted
- Tax form type (W9, W8, 1099) for reporting purposes
- Payment account details for payout processing
- Earnings history (total received, number of payments, average amount)

This information is collected to comply with tax reporting obligations under 26 U.S.C. § 6041 and § 6050W (requirement to issue Form 1099 for payments exceeding $600 annually). Recipients will be notified that their tax information is being collected and processed by PayHeld for tax reporting purposes.

2.6 TECHNICAL AND DEVICE INFORMATION

PayHeld collects technical data through automated means when you access the Platform:

(a) Device Information: Device type (desktop, mobile, tablet), device manufacturer and model, operating system and version (Windows, macOS, iOS, Android), screen resolution and display settings, installed fonts and plugins, battery level and charging status (mobile devices), hardware characteristics (CPU core count, device memory/RAM, hardware concurrency metrics, storage quota);

(d) Email Tracking Technologies: PayHeld uses tracking technologies in emails to measure delivery, engagement, and communication effectiveness:

Tracking Pixels (Open Tracking): Invisible 1-pixel by 1-pixel images embedded in HTML emails that notify PayHeld when an email is opened. Tracking pixels capture: email open timestamp, device type and operating system used to open the email, IP address (anonymized), email client software (Gmail, Outlook, Apple Mail, etc.), whether the email was opened multiple times. Each unique open is tracked separately.

Link Click Tracking: Links in emails are wrapped with tracking URLs that redirect through PayHeld servers before reaching the destination. Click tracking captures: which links were clicked, timestamp of each click, device and browser used for the click, IP address of the user clicking (anonymized). Individual click events and destination URLs are stored for up to 90 days for analytics purposes.

Delivery Status Tracking: Email delivery status is monitored through email service provider webhooks to track: successful delivery confirmation, bounce events (permanent or temporary delivery failures), spam complaint reports (when users mark emails as spam), unsubscribe requests processed by email service provider.

Email tracking applies to both transactional emails (payment confirmations, security alerts, account notifications) and marketing emails. Transactional email tracking is necessary for fraud prevention, deliverability monitoring, and ensuring critical messages reach users.

How to Prevent Email Tracking: (i) Disable image loading in your email client (blocks tracking pixels); (ii) Use privacy-focused email clients that automatically block trackers; (iii) Opt out of marketing emails entirely through Account Settings (transactional emails will still include tracking for security and deliverability purposes); (iv) Use text-only email viewing (disables HTML tracking pixels).

Email tracking data is retained for 90 days and is used solely for: improving email deliverability, measuring communication effectiveness, identifying technical delivery issues, detecting email spoofing or phishing attempts, compliance with anti-spam regulations (CAN-SPAM Act). Email tracking data is NOT sold to third parties and is not used for cross-site behavioral advertising.

(e) Local Storage Technologies: We use browser localStorage and sessionStorage to store user preferences, draft content, and application state. This data remains on your device and is not transmitted to our servers except when you explicitly save or submit content. (b) Browser Information: Browser type and version (Chrome, Safari, Firefox, Edge), browser language and locale settings, browser cookies and local storage, browser fingerprinting data (canvas, WebGL, audio), advanced browser fingerprinting data (canvas rendering signatures, audio context fingerprints, WebGL vendor and renderer information, installed font lists, browser plugin enumeration, MIME type support lists); (c) Network Information: IP address (IPv4 and IPv6), Internet Service Provider (ISP), geolocation data (country, region, city; precise location only with explicit permission), connection type (WiFi, cellular, wired), network speed and latency; (d) Usage Data: Pages visited and time spent on each page, click paths and navigation patterns, scroll depth and engagement metrics, feature usage statistics (which tools and functions you use), error messages and crash reports, session duration and frequency of visits; (e) Log Files: Server logs recording all API requests, access timestamps, HTTP headers, referrer URLs, authentication attempts (successful and failed), rate limiting events, security events (unusual login patterns, blocked requests). (f) Communication Metadata: For voice notes, video calls, and voice calls conducted through the platform: call duration in seconds, participant user IDs, call start and end timestamps, connection quality metrics (latency, packet loss), device type used for call. Content Not Recorded: PayHeld does NOT record or store the audio or video content of calls unless explicitly stated and consented to in advance (e.g., for customer support quality assurance with prior notice). Metadata is retained for 90 days for technical support and billing reconciliation.

2.7 COOKIES AND TRACKING TECHNOLOGIES

PayHeld uses cookies, web beacons, pixels, and similar tracking technologies to:

(a) Essential Cookies (required for service functionality): Session management and authentication tokens, load balancing and server affinity, security tokens and CSRF protection, user preference storage (language, currency); (b) Analytics Cookies (used with consent where required by law): Google Analytics (anonymized IP addresses, user behavior flow, conversion tracking), Mixpanel (product feature usage, A/B test assignments, user cohort analysis), custom analytics (Platform-specific performance metrics); (c) Marketing Cookies (used only with explicit consent): Retargeting pixels (Google Ads, Facebook Pixel), conversion tracking for advertising campaigns, affiliate and referral tracking, email open and click tracking.

(d) Email Tracking Technologies: PayHeld uses tracking technologies in emails to measure delivery, engagement, and communication effectiveness:

You can manage cookie preferences through your browser settings or our Cookie Consent Manager accessible at https://payheld.com/cookies. Disabling essential cookies may impair Platform functionality.

2.8 INFORMATION FROM THIRD-PARTY SOURCES

PayHeld receives personal information from external sources to verify identity, assess risk, and comply with legal obligations:

(a) Identity Verification Services: Stripe Identity (government ID verification, liveness detection, biometric matching), credit reporting agencies (credit scores, credit history; only with explicit consent), sanctions screening databases (OFAC SDN List, EU Consolidated List, UN Security Council sanctions), adverse media screening (negative news mentions, politically exposed person (PEP) status); (b) Payment Service Providers: Stripe, Inc. (payment processing data, fraud risk scores, card verification results, bank account ownership verification), banking partners (ACH transaction status, account balance verification where authorized); (c) Social Media Platforms (only if you choose to connect): LinkedIn (professional profile, employment history, connections), GitHub (code repositories, contribution history), Google account information (email, profile photo, if using Google Sign-In); (d) Publicly Available Sources: Business registration databases (Secretary of State records, corporate registries), professional licensing boards, court records and legal filings (for fraud prevention and legal compliance), public social media profiles.

2.9 LEGAL BASIS FOR PROCESSING (GDPR)

PayHeld processes personal information on the following legal bases under the General Data Protection Regulation (GDPR) and similar laws:

(a) Contractual Necessity (GDPR Article 6(1)(b)): Processing necessary to perform the Terms of Service, including Account creation, payment processing, escrow services, dispute resolution, and customer support; (b) Legal Obligation (GDPR Article 6(1)(c)): Processing required to comply with KYC/AML regulations, tax reporting obligations (IRS Form 1099-K, international tax treaties), court orders and legal process, regulatory investigations, data breach notification requirements; (c) Legitimate Interests (GDPR Article 6(1)(f)): Fraud prevention and detection (we have a legitimate interest in protecting the Platform and Users from fraudulent activity), Platform security and integrity, improvement of services and user experience, direct marketing to existing customers (with easy opt-out), enforcement of Terms of Service and policies, protection of legal rights; (d) Consent (GDPR Article 6(1)(a)): Marketing communications to non-customers, use of non-essential cookies and tracking technologies, processing of special categories of data (biometric data for enhanced verification), sharing data with third parties beyond service provision, automated decision-making with legal or similarly significant effects.

Where processing is based on consent, you have the right to withdraw consent at any time through your Account Settings or by contacting our Data Protection Officer at dpo@payheld.com. Withdrawal of consent will not affect the lawfulness of processing conducted prior to withdrawal.

2.10 SPECIAL CATEGORIES OF PERSONAL DATA

PayHeld does NOT intentionally collect "special categories" of personal data as defined under GDPR Article 9 (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, health data, sex life or sexual orientation) EXCEPT:

(a) Biometric Data: Facial recognition data collected through Stripe Identity for enhanced identity verification (processed only with your explicit consent and only for high-volume accounts or high-risk transactions); (b) Inadvertent Collection: If you voluntarily include special category data in your profile, messages, or uploaded documents, PayHeld will process such data only to the extent necessary for service provision and will not use it for any other purpose.

You are NOT required to provide special category data to use PayHeld services. If you choose to provide such data, you explicitly consent to its processing for the stated purposes.

3. How We Use Your Information

PayHeld uses the personal information collected in Section 2 for the purposes described below. Each processing activity is conducted in accordance with applicable law and based on the legal bases identified in Section 2.9 (contractual necessity, legal obligation, legitimate interests, or consent).

3.1 SERVICE DELIVERY AND OPERATION

PayHeld processes your personal information to provide, maintain, and improve the Platform and Services:

(a) Account Management: Creating and maintaining User Accounts, authenticating Users and managing login sessions, storing Account preferences and settings, enabling Account recovery and password resets, processing Account upgrades or downgrades, managing Account suspension or termination; (b) Payment Processing: Authorizing and processing payment card transactions through Stripe, Inc., facilitating ACH bank transfers and wire transfers, managing payment methods (adding, updating, removing cards and bank accounts), calculating transaction amounts and applicable fees (Platform Fees, processing fees), generating invoices and payment receipts, processing refunds and chargebacks; (c) Escrow Services: Depositing Client funds into segregated escrow accounts, holding funds during Project completion and approval periods, releasing funds to Freelancers upon Client approval or milestone completion, managing escrow holds in accordance with the Escrow Agreement (Section 8 of Terms of Service), processing partial releases for milestone-based Projects, handling disputed payments and escrow-related disputes; (d) Transaction Facilitation: Matching Clients with Freelancers through search and discovery features, enabling communication between Clients and Freelancers through the Platform messaging system, tracking Project progress and milestones, managing contract terms and payment schedules, facilitating contract modifications and amendments, maintaining transaction records for audit and compliance purposes.

LEGAL BASIS: Contractual Necessity (GDPR Article 6(1)(b)) — processing is necessary to perform the Terms of Service and provide the Services you have requested.

3.2 FRAUD PREVENTION AND SECURITY

PayHeld processes personal information to protect the Platform, Users, and the integrity of the payment system:

(a) Identity Verification: Verifying User identity through government-issued identification documents, conducting Know Your Customer (KYC) checks as required by the Bank Secrecy Act and FinCEN regulations, screening Users against Office of Foreign Assets Control (OFAC) sanctions lists and other prohibited party lists, verifying beneficial ownership for business accounts, conducting enhanced due diligence for high-risk Users or transactions; (b) Fraud Detection and Prevention: Monitoring transactions for suspicious patterns or anomalies (unusual transaction amounts, frequency, or destinations), using machine learning models and risk scoring algorithms to assess fraud risk, detecting and preventing account takeover attempts and unauthorized access, identifying and blocking synthetic identities and fake accounts, investigating reported fraud or suspicious activity, cooperating with law enforcement investigations; (c) Anti-Money Laundering (AML) Compliance: Monitoring for structuring or smurfing (breaking large transactions into smaller ones to avoid reporting), conducting source of funds analysis for large or unusual transactions, filing Suspicious Activity Reports (SARs) with FinCEN as required by law, maintaining transaction monitoring systems compliant with Bank Secrecy Act requirements, screening for transactions with high-risk jurisdictions or sanctioned entities; (d) Platform Security: Implementing and maintaining technical and organizational security measures, monitoring for unauthorized access attempts and security breaches, conducting regular security audits and penetration testing, managing security incidents and data breaches in accordance with applicable breach notification laws, enforcing rate limiting and anti-scraping measures, protecting against distributed denial-of-service (DDoS) attacks; (e) Automated Attack Detection: We monitor for enumeration attacks, bot activity, and suspicious access patterns by tracking 404 error rates per IP address. IP addresses that exceed 100 404 errors within one minute may be subject to rate limiting or temporary blocking. Auth endpoint enumeration (50+ 404s to authentication endpoints) results in automatic IP blocking for 24 hours. This security measure is necessary to protect the Platform from credential stuffing, account enumeration, and automated abuse. (f) Payment Behavior Profiling: We use automated systems to analyze payment patterns and transaction behaviors to detect fraud and assess risk. This includes: Transaction frequency analysis (how often you make or receive payments), Payment amount patterns (average transaction size, unusual amounts), Geographic patterns (locations from which payments are initiated), Payment velocity metrics (rapid succession of transactions), Payment method switching patterns (frequently changing cards or banks), Risk scoring based on historical behavior. This automated processing may result in payment approval or rejection decisions. If a payment is declined due to automated risk assessment, you have the right to: (a) Request human review of the decision by contacting support@payheld.com, (b) Receive an explanation of the factors that contributed to the decision, (c) Contest the decision with additional verification documentation. LEGAL BASIS: Legitimate Interests (GDPR Article 6(1)(f)) - fraud prevention and platform security. For high-risk decisions, we obtain explicit consent or provide human review as required by GDPR Article 22. (g) Device Trust Scoring: We maintain persistent trust scores (0-100) for each unique device fingerprint based on payment history, fraud indicators, and behavioral patterns. Devices with trust scores below 20 may be blocked from making payments; scores between 20-40 may trigger additional verification challenges. Trust scores are recalculated after each payment attempt and stored indefinitely for fraud prevention purposes. (h) Account Integrity: Detecting and preventing multiple account creation or identity fraud, enforcing Account verification requirements, monitoring for Terms of Service violations (prohibited use cases, illegal activities), investigating reports of User misconduct or policy violations, suspending or terminating Accounts engaged in fraudulent or prohibited activity.

LEGAL BASIS: Legitimate Interests (GDPR Article 6(1)(f)) — PayHeld has a legitimate interest in preventing fraud, protecting the Platform and Users, and maintaining the security and integrity of the payment system. These interests are not overridden by your privacy rights given the high risk of financial harm from fraud. Additionally, certain AML/KYC activities are required by Legal Obligation (GDPR Article 6(1)(c)).

3.3 LEGAL AND REGULATORY COMPLIANCE

PayHeld processes personal information to comply with applicable laws, regulations, and legal obligations:

(a) Tax Reporting and Withholding: Reporting payment transactions to the Internal Revenue Service (IRS) on Form 1099-K for Users exceeding $600 in annual payments (as required by the American Rescue Plan Act of 2021), collecting and remitting backup withholding when required (for Users who fail to provide a valid TIN or are subject to IRS backup withholding orders), complying with international tax treaties and reporting obligations (FATCA, CRS), maintaining records for tax audit purposes (7-year retention as required by IRS regulations); (b) Know Your Customer (KYC) and Customer Due Diligence (CDD): Collecting and verifying Customer Identification Program (CIP) information as required by 31 CFR 1020.220, conducting risk-based due diligence commensurate with the level of risk presented by the customer relationship, updating and refreshing customer information periodically, maintaining KYC records for at least five (5) years after account closure (as required by FinCEN); (c) Sanctions Screening: Screening all Users and transactions against OFAC Specially Designated Nationals (SDN) List, screening against EU Consolidated List, UN Security Council Sanctions List, and other applicable sanctions regimes, blocking transactions involving sanctioned persons, entities, or jurisdictions, filing blocked property reports with OFAC as required; (d) Legal Process Response: Responding to subpoenas, court orders, and other valid legal process, complying with law enforcement requests when accompanied by appropriate legal authority, producing documents and records in litigation, arbitration, or regulatory proceedings, preserving data subject to litigation hold or regulatory investigation; (e) Regulatory Reporting: Reporting suspicious activity to the Financial Crimes Enforcement Network (FinCEN) through Suspicious Activity Reports (SARs), filing Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000 (if applicable to future service offerings), responding to inquiries from financial regulators (state banking departments, Consumer Financial Protection Bureau, Federal Trade Commission), maintaining audit trails for regulatory examinations; (f) Data Protection Compliance: Responding to User requests to exercise privacy rights under GDPR, CCPA, and other data protection laws, maintaining records of processing activities as required by GDPR Article 30, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities, reporting data breaches to supervisory authorities within 72 hours where required by GDPR Article 33.

LEGAL BASIS: Legal Obligation (GDPR Article 6(1)(c)) — processing is necessary to comply with legal obligations to which PayHeld is subject, including financial services regulations, tax laws, and data protection laws.

3.4 PLATFORM IMPROVEMENT AND ANALYTICS

PayHeld processes personal information to analyze usage patterns, improve the Platform, and develop new features:

(a) Usage Analytics: Analyzing how Users interact with the Platform (pages viewed, features used, time spent), identifying popular features and underutilized functionality, measuring user engagement and retention metrics, tracking conversion funnels (signup, onboarding, first transaction), detecting and diagnosing technical errors and performance issues; (b) Product Development: Conducting A/B testing to evaluate new features and design changes, gathering User feedback through surveys and usability studies, prioritizing feature development based on User needs and behavior, testing beta features with select User groups, measuring the impact of product changes on key metrics; (c) Personalization: Customizing the User interface based on preferences and past behavior (showing relevant Projects to Freelancers, suggesting qualified Freelancers to Clients), providing personalized search results and recommendations, tailoring email communications based on User activity and interests, adapting onboarding flows based on User type and experience level; (d) Performance Optimization: Monitoring Platform performance (page load times, API response times, database query performance), identifying and resolving bottlenecks and scalability issues, optimizing infrastructure and resource allocation, conducting load testing and capacity planning; (e) Research and Statistical Analysis: Creating anonymized and aggregated datasets for research purposes, generating industry benchmarks and market insights (average freelancer rates, Project completion times, dispute rates), publishing statistical reports and whitepapers (with all personal identifiers removed), conducting academic or commercial research on payment systems and freelance marketplaces. (f) Internal Analytics Systems: We collect and analyze Platform performance through proprietary analytics systems including: - Upload Analytics: File upload success rates, bandwidth usage, storage patterns - Delivery Performance Metrics: Project delivery timing, SLA compliance, quality scores - Approval Analytics: Approval workflow efficiency, auto-approval eligibility - Communication Health Metrics: Message response times, video call quality, collaboration patterns - Freelancer Performance Tracking: Profile completion rates, client satisfaction metrics, earnings trends - Payment Link Analytics: View-to-conversion rates, abandonment patterns, referral sources

All internal analytics use hashed or anonymized user identifiers where possible. Individual-level analytics are only accessible to Platform administrators and are not shared with third parties.

LEGAL BASIS: Legitimate Interests (GDPR Article 6(1)(f)) — PayHeld has a legitimate interest in improving the Platform, understanding user behavior, and developing new features to better serve Users. Where processing involves creation of user profiles or personalization, we rely on consent (GDPR Article 6(1)(a)) in jurisdictions where required.

3.5 CUSTOMER SUPPORT AND DISPUTE RESOLUTION

PayHeld processes personal information to provide assistance and resolve issues:

(a) Support Ticket Management: Responding to User inquiries and support requests submitted through the Platform, email, or phone, troubleshooting technical issues and Account problems, providing guidance on Platform features and functionality, escalating complex issues to specialized support teams, maintaining support ticket history for quality assurance and training; (b) Dispute Resolution: Investigating disputes between Clients and Freelancers regarding Project deliverables or payment, reviewing evidence submitted by parties to a dispute (communications, deliverables, contracts), making determinations on escrow fund releases in accordance with the Dispute Resolution process (Section 9 of Terms of Service), facilitating mediation or arbitration proceedings, enforcing dispute resolution decisions and managing escrow holds; (c) Chargebacks and Refunds: Investigating chargeback claims filed by payment card holders, providing evidence to payment processors and card networks to contest invalid chargebacks, processing refund requests in accordance with the Refund Policy (Section 6.5 of Terms of Service), reconciling accounts following chargebacks or refunds, managing User suspension or Account holds related to excessive chargebacks; (d) Quality Assurance: Recording customer support calls for quality and training purposes (with your consent where required by law), analyzing support interactions to identify common issues and improve self-service resources, measuring customer satisfaction and support performance metrics, training support staff on policies and best practices.

LEGAL BASIS: Contractual Necessity (GDPR Article 6(1)(b)) — providing customer support and resolving disputes is necessary to perform the Terms of Service and ensure the proper functioning of the escrow and payment system.

3.6 COMMUNICATION AND NOTIFICATIONS

PayHeld processes personal information to send transactional, operational, and promotional communications:

(a) Transactional Communications (cannot be opted out): Payment confirmations and receipts for completed transactions, escrow deposit and release notifications, Account security alerts (login from new device, password changes, failed login attempts), Payment method expiration notices, tax reporting notifications (1099-K availability), dispute notifications and status updates, service disruption or maintenance notices; (b) Operational Communications (limited opt-out): Platform updates and new feature announcements, changes to Terms of Service or Privacy Policy, requests for feedback on recent transactions or support interactions, reminders about incomplete actions (incomplete profile, pending approvals), Account reactivation prompts for inactive Users; (c) Marketing Communications (full opt-out available): Promotional offers, discounts, or special programs, newsletters featuring Platform news and success stories, educational content (webinars, guides, best practices), referral program invitations, surveys and research studies requesting voluntary participation.

Notification Preferences and Opt-Out Controls: You can manage your notification preferences with granular control through your Account Settings. Available controls include:

(i) Category-Based Preferences: Enable or disable notifications for six categories independently: project updates, payment notifications, messages, disputes, marketing communications, and system alerts.

(ii) Frequency Settings: Choose notification frequency for each category: instant (real-time), hourly digest, daily digest, weekly digest, or never.

(iii) Multi-Channel Control: Select delivery channels for each notification type: email, SMS, push notifications, or in-app only. You can enable email for project updates while disabling SMS, for example.

(iv) Quiet Hours: Set do-not-disturb hours during which non-critical notifications are suppressed (note: critical alerts like payment failures or security incidents override quiet hours).

(v) Digest Options: Batch multiple notifications into daily, weekly, or monthly email digests instead of receiving individual messages.

(vi) Unsubscribe Options: Unsubscribe from specific categories without disabling all notifications. Marketing emails include one-click unsubscribe links in every message.

Restrictions: Certain critical notifications cannot be fully disabled while maintaining an active account, including: payment failure alerts, account security notifications, legal compliance notices (tax forms, regulatory updates), dispute deadlines and resolutions, Terms of Service violation warnings. Disabling these notifications may result in account suspension or closure as they are necessary for platform operation and legal compliance.

(d) SMS Notifications (opt-in required): For users who provide a phone number and enable SMS notifications, PayHeld sends text messages for: payment reminders and confirmations, project milestone updates, dispute alerts and deadlines, payout processing notifications, critical account security alerts. SMS notifications can be managed through Account Settings. Standard message and data rates may apply. Users can opt out at any time by texting STOP or disabling SMS in notification preferences.

(e) Email Delivery and Engagement: See Section 2.7(d) for details on email tracking technologies including open tracking, click tracking, and delivery monitoring.

LEGAL BASIS: Transactional and operational communications are based on Contractual Necessity (GDPR Article 6(1)(b)) and Legitimate Interests (GDPR Article 6(1)(f)). Marketing communications are based on Consent (GDPR Article 6(1)(a)) for non-customers and Legitimate Interests (GDPR Article 6(1)(f)) for existing customers with easy opt-out (soft opt-in).

3.7 ENFORCEMENT OF TERMS AND POLICIES

PayHeld processes personal information to enforce the Terms of Service and Platform policies:

(a) Terms of Service Enforcement: Monitoring compliance with Prohibited Use provisions (Section 3.3 of Terms of Service), investigating reports of policy violations or User misconduct, issuing warnings, suspensions, or Account terminations for violations, maintaining records of enforcement actions for audit and legal purposes; (b) Intellectual Property Protection: Responding to Digital Millennium Copyright Act (DMCA) takedown notices and counter-notices, investigating claims of trademark infringement or misappropriation, removing infringing content or suspending infringing Accounts, maintaining DMCA agent records as required by 17 U.S.C. § 512(c); (c) Legal Rights Protection: Pursuing legal action to collect debts owed to PayHeld (unpaid Platform Fees, chargebacks), defending PayHeld in litigation, arbitration, or regulatory proceedings, asserting legal defenses or counterclaims, recovering damages for breach of contract or Terms of Service violations; (d) Insurance and Risk Management: Providing information to insurance carriers for claims processing or underwriting, conducting internal audits and risk assessments, managing professional liability and cyber insurance policies.

LEGAL BASIS: Legitimate Interests (GDPR Article 6(1)(f)) — PayHeld has a legitimate interest in enforcing its contractual terms, protecting its legal rights, and maintaining the integrity of the Platform.

3.8 BUSINESS OPERATIONS AND CORPORATE TRANSACTIONS

PayHeld processes personal information for internal business purposes and in connection with corporate transactions:

(a) Internal Business Operations: Financial accounting and reporting, budgeting and forecasting, investor relations and reporting to shareholders or board of directors, internal audits and compliance reviews, corporate governance and legal compliance; (b) Mergers and Acquisitions: Due diligence in connection with potential sale, merger, consolidation, or acquisition of PayHeld, transferring personal information to acquirers or successors in interest (subject to continued compliance with this Privacy Policy or providing notice of changes), restructuring or reorganization of PayHeld's business, bankruptcy or insolvency proceedings (to the extent permitted by law).

In the event of a corporate transaction, you will be notified via email and/or prominent notice on the Platform. The acquiring entity will be required to honor the privacy commitments made in this Policy, or you will be given an opportunity to opt out or delete your Account before the transfer.

LEGAL BASIS: Legitimate Interests (GDPR Article 6(1)(f)) — PayHeld has a legitimate interest in operating its business efficiently and pursuing strategic transactions that may enhance service delivery.

4. Information Sharing and Disclosure

PayHeld shares personal information with third parties only as described in this Section 4. PayHeld DOES NOT SELL personal information to third parties for monetary consideration. Any sharing is conducted pursuant to written Data Processing Agreements that require recipients to maintain confidentiality and use personal information only for the specified purposes.

4.1 PAYMENT PROCESSORS AND FINANCIAL INSTITUTIONS

PayHeld shares personal information with payment service providers necessary to process Transactions and maintain the escrow system:

(a) Stripe, Inc. (Payment Processor): PayHeld shares Account Information (name, email, phone, address, date of birth, SSN/TIN), Payment Information (tokenized card data, bank account details), Identity Verification Information (government ID, proof of address), and Transaction Data (payment amounts, timestamps, descriptions) with Stripe, Inc., our primary payment processor. Stripe processes this information to: authorize and settle payment card transactions, conduct fraud detection and risk scoring, verify bank account ownership for ACH transfers, perform Know Your Customer (KYC) and identity verification through Stripe Identity, comply with PCI DSS Level 1 requirements for card data security, and report suspicious activity as required by law. Stripe's use of your personal information is governed by Stripe's Privacy Policy available at https://stripe.com/privacy. Stripe is a registered Money Services Business and is subject to oversight by FinCEN and state regulators.

(b) Banking Partners: PayHeld maintains escrow accounts with FDIC-insured financial institutions (currently JPMorgan Chase Bank, N.A. and Wells Fargo Bank, N.A.) for the purpose of holding Client funds in segregated escrow. These banking partners receive limited information including Account holder names, transaction amounts, and bank account details necessary to process ACH transfers and wire transfers. Banking partners do NOT receive full User profiles or transaction histories beyond what is necessary for fund transfer execution.

(c) Payment Card Networks: Transaction information (tokenized card data, transaction amounts, merchant category codes) is shared with payment card networks (Visa Inc., Mastercard Incorporated, American Express Company, Discover Financial Services) to authorize transactions, settle funds, process chargebacks, and comply with card network operating rules. Card networks may use this information for fraud detection and network security purposes in accordance with their respective privacy policies.

(d) ACH Network Operators: For ACH bank transfers, PayHeld shares bank account information and transaction details with the National Automated Clearing House Association (NACHA) network and participating financial institutions to facilitate electronic fund transfers in accordance with NACHA Operating Rules.

4.2 IDENTITY VERIFICATION AND FRAUD PREVENTION SERVICES

To comply with legal obligations and protect Users from fraud, PayHeld shares information with identity verification and fraud prevention providers:

(a) Stripe Identity (Identity Verification): For Users requiring enhanced verification (high-volume accounts, business accounts, or Users in high-risk jurisdictions), PayHeld shares government-issued identification documents, selfie photographs for liveness detection, and biometric data with Stripe Identity for identity verification purposes. Stripe Identity uses machine learning and human review to verify document authenticity, match biometric data to identity documents, and detect fraudulent or synthetic identities. Processing is conducted in accordance with Stripe's Privacy Policy and applicable biometric privacy laws (including Illinois Biometric Information Privacy Act where applicable).

(b) Sanctions Screening Databases: PayHeld screens all Users and transactions against sanctions lists including: Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) List, U.S. Department of State Sanctions Lists, European Union Consolidated Financial Sanctions List, United Kingdom HM Treasury Sanctions List, and United Nations Security Council Sanctions List. This screening is conducted through automated database queries and does not involve transfer of personal information to third parties except where a potential match is identified and further investigation is required by law.

(c) Fraud Detection Services: PayHeld shares IP addresses, device fingerprints, transaction patterns, and User behavior data with fraud detection service providers (including but not limited to third-party risk scoring APIs) to assess fraud risk and prevent unauthorized transactions. These providers use machine learning models to detect suspicious patterns but do NOT retain personal information beyond the duration necessary for risk assessment.

4.3 CLOUD INFRASTRUCTURE AND HOSTING PROVIDERS

PayHeld's Platform and databases are hosted on third-party cloud infrastructure:

(a) Amazon Web Services, Inc. (AWS): PayHeld uses AWS for cloud infrastructure, including data storage (Amazon RDS for PostgreSQL databases, Amazon S3 for file storage), application hosting (Amazon EC2, Amazon ECS), and content delivery (Amazon CloudFront). AWS has access to all personal information stored on PayHeld servers as a data processor but is contractually prohibited from accessing or using this data except as necessary to provide hosting services and maintain security. AWS maintains SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certifications. AWS data centers are located in the United States (us-east-1 region: Northern Virginia). For European Users, data is replicated to AWS eu-west-1 region (Ireland) in accordance with GDPR data localization requirements. AWS's data processing practices are governed by the AWS Customer Agreement and AWS GDPR Data Processing Addendum available at https://aws.amazon.com/compliance/gdpr-center/.

(b) Vercel Inc. (Application Hosting): PayHeld's web application frontend is hosted on Vercel's edge network for performance optimization and global content delivery. Vercel processes IP addresses, browser information, and page request data to deliver web content and analyze performance metrics. Vercel does NOT have access to User Account data or payment information stored in PayHeld databases. Vercel's infrastructure is deployed across global edge locations with primary data centers in the United States. Vercel maintains SOC 2 Type II certification and processes data in accordance with GDPR requirements.

4.4 COMMUNICATION SERVICE PROVIDERS

PayHeld uses third-party communication platforms to send emails, SMS, and push notifications:

(a) SendGrid (Twilio SendGrid, Inc.) - Transactional Email: PayHeld shares email addresses, User names, and transaction-specific information (payment amounts, Project names, invoice numbers) with SendGrid to deliver transactional emails including payment confirmations, escrow notifications, security alerts, and password reset emails. SendGrid processes email metadata (open rates, click rates, bounce rates) to improve email deliverability. SendGrid maintains SOC 2 Type II and ISO 27001 certifications and processes data in accordance with its Privacy Policy available at https://www.twilio.com/legal/privacy.

(b) Twilio Inc. - SMS Notifications: PayHeld uses Twilio Inc. to deliver SMS text messages for multiple purposes: (i) two-factor authentication codes and login security alerts; (ii) payment reminders and payment confirmations; (iii) project milestone updates and status changes; (iv) dispute notifications and response deadlines; (v) payout processing alerts (processing started, completed, or failed); (vi) critical account alerts. PayHeld shares phone numbers and message content with Twilio Inc. solely for message delivery. Twilio processes data in accordance with its Privacy Policy (https://www.twilio.com/legal/privacy) and complies with the Telephone Consumer Protection Act (TCPA) and GDPR. SMS notifications are opt-in only and require users to provide a valid phone number with consent. Users can opt out at any time by: (a) texting STOP to any PayHeld SMS message; (b) disabling SMS notifications in Account Settings; or (c) removing their phone number from their account. Certain transactional SMS (payment confirmations, security alerts) cannot be fully disabled while maintaining an active account as they are necessary for fraud prevention and account security. Standard message and data rates may apply.

(c) Firebase Cloud Messaging (Google LLC) - Push Notifications: For Users who install PayHeld mobile applications (future offering), push notification tokens and notification content (payment alerts, message notifications) are shared with Google Firebase Cloud Messaging to deliver in-app notifications to mobile devices. Users can disable push notifications through device settings.

4.5 ANALYTICS AND PERFORMANCE MONITORING

PayHeld uses analytics providers to understand Platform usage and improve user experience:

(a) Google Analytics (Google LLC): PayHeld shares anonymized IP addresses (last octet masked), browser information, page views, and User interaction events with Google Analytics to analyze Platform usage patterns, measure conversion rates, and identify performance bottlenecks. PayHeld uses Google Analytics' IP anonymization feature to mask the last octet of IP addresses before processing. Google Analytics uses cookies and similar tracking technologies as described in Section 2.7. PayHeld has enabled IP anonymization and opted out of data sharing with other Google services. Users can opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on available at https://tools.google.com/dlpage/gaoptout. Google's data processing practices are governed by Google's Privacy Policy available at https://policies.google.com/privacy.

(b) Internal Product Analytics: PayHeld uses proprietary analytics systems to track feature usage, user cohorts, and A/B test assignments. User identifiers are hashed (SHA-256) and stored separately from personally identifiable information. Analytics data is retained for 24 months and used solely for product improvement and user experience optimization.

(c) Sentry (Performance Monitoring and Error Tracking): PayHeld shares error logs, stack traces, browser information, and User context (hashed user IDs, page URLs) with Sentry to monitor application errors and performance issues. Sentry automatically scrubs sensitive data (credit card numbers, passwords, API keys) from error reports. Sentry maintains SOC 2 Type II certification and GDPR compliance.

4.6 CUSTOMER SUPPORT AND COMMUNICATION TOOLS

PayHeld uses third-party tools to manage customer support and User communications:

(a) Zendesk, Inc. (Customer Support Platform): Support ticket content (User inquiries, support agent responses, attachments), Account Information (name, email, User ID), and support interaction history are stored in Zendesk's customer support platform. Zendesk employees do NOT access support ticket data except as necessary to provide technical support to PayHeld staff. Zendesk maintains SOC 2 Type II, ISO 27001, and GDPR certifications. Zendesk's data processing is governed by its Privacy Policy available at https://www.zendesk.com/company/agreements-and-terms/privacy-notice/.

4.7 GOVERNMENT AUTHORITIES AND LEGAL COMPLIANCE

PayHeld discloses personal information to government authorities and regulators as required by law or in response to valid legal process:

(a) Tax Authorities: PayHeld reports payment transaction information to the Internal Revenue Service (IRS) on Form 1099-K for Users who receive $600 or more in payments during a calendar year (as required by 26 U.S.C. § 6050W and the American Rescue Plan Act of 2021). Reported information includes User name, address, Taxpayer Identification Number (SSN or EIN), and gross payment amounts. PayHeld also complies with international tax reporting obligations under the Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standard (CRS) by reporting foreign account holder information to the IRS for transmission to foreign tax authorities pursuant to bilateral tax treaties.

(b) Law Enforcement and Legal Process: PayHeld discloses personal information to law enforcement agencies, courts, and government authorities when: (i) required by valid subpoena, court order, search warrant, or other legal process; (ii) necessary to comply with applicable law or regulatory requirements; (iii) necessary to protect the rights, property, or safety of PayHeld, Users, or the public; or (iv) necessary to detect, prevent, or address fraud, security, or technical issues. PayHeld requires law enforcement requests to be in writing, properly served, and legally sufficient before disclosing User information. Where permitted by law, PayHeld will notify affected Users of legal process requests unless prohibited by court order or law (e.g., 18 U.S.C. § 2705(b) prohibits disclosure of National Security Letters). PayHeld publishes a Transparency Report annually detailing the number and type of government requests received (available at https://payheld.com/transparency).

(c) Financial Regulators: PayHeld cooperates with financial regulatory authorities including FinCEN (Financial Crimes Enforcement Network), state banking departments, the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC) by providing personal information in response to regulatory examinations, investigations, and inquiries. PayHeld files Suspicious Activity Reports (SARs) with FinCEN as required by 31 CFR Part 1022 when transactions or User behavior indicates possible money laundering, fraud, or other financial crimes. The filing of SARs is confidential and PayHeld is prohibited by law from notifying the subject of a SAR (31 U.S.C. § 5318(g)(2)).

(d) Data Protection Authorities: PayHeld cooperates with data protection supervisory authorities (including EU Data Protection Authorities and the UK Information Commissioner's Office) in response to inquiries or investigations regarding data protection compliance. PayHeld provides personal information to these authorities as necessary to demonstrate GDPR or other data protection law compliance.

4.8 PROFESSIONAL ADVISORS

PayHeld shares personal information with professional advisors subject to confidentiality obligations:

(a) Legal Counsel: PayHeld engages external law firms (including but not limited to intellectual property counsel, litigation counsel, and regulatory compliance counsel) who may access personal information necessary to provide legal advice, represent PayHeld in legal proceedings, or ensure regulatory compliance. All legal counsel is bound by attorney-client privilege and professional rules of confidentiality.

(b) Accountants and Auditors: PayHeld shares financial records (including transaction data, payment amounts, and User identifiers) with external accounting firms and auditors for financial statement preparation, tax compliance, and audit purposes. Auditors are bound by professional standards and confidentiality agreements.

(c) Business Consultants: PayHeld may engage management consultants, technology advisors, or other professional service providers who require access to personal information to provide services. All consultants execute Non-Disclosure Agreements (NDAs) and Data Processing Agreements (DPAs) prior to receiving access to personal information.

4.9 CORPORATE TRANSACTIONS

In the event of a merger, acquisition, asset sale, or bankruptcy, personal information may be transferred to successor entities:

PayHeld may disclose or transfer personal information to a buyer, successor, or assignee in connection with any merger, acquisition, sale of assets, or transfer of all or a portion of PayHeld's business. In such event:

(a) Users will be notified via email and/or prominent notice on the Platform at least thirty (30) days before personal information is transferred or becomes subject to a different privacy policy; (b) The acquiring entity will be contractually required to honor the commitments made in this Privacy Policy, or Users will be given the opportunity to delete their Accounts before the transfer; (c) Users may exercise their right to deletion (subject to legal retention requirements) prior to the transfer; (d) PayHeld will require the acquiring entity to maintain equivalent or greater privacy protections than those set forth in this Policy.

In bankruptcy or insolvency proceedings, personal information may be treated as a business asset subject to sale or transfer. PayHeld will seek court approval to ensure transferees agree to privacy protections substantially similar to this Policy.

4.10 WITH USER CONSENT OR DIRECTION

PayHeld shares personal information with third parties when Users explicitly consent or direct such sharing:

(a) Public Profile Information: Freelancers who create public profiles consent to display of profile information (name, username, profile photo, biography, skills, portfolio, work history, ratings, reviews) on the PayHeld Platform and in search engine results. Freelancers can control public visibility through Account Settings. Client names and Project information may be displayed on Freelancer profiles as portfolio items (subject to Client approval or anonymization).

(b) Third-Party Integrations: If PayHeld offers integrations with third-party services (e.g., accounting software, project management tools, time tracking applications) in the future, Users who connect these integrations will be asked to authorize data sharing. PayHeld will clearly disclose what information will be shared before the User authorizes the integration.

(c) Testimonials and Case Studies: PayHeld may publish User testimonials, success stories, or case studies on the Platform, in marketing materials, or in press releases. PayHeld will obtain explicit written consent from Users before publishing any testimonial that includes personal information beyond first name and last initial.

(d) Referral Programs: Users who participate in referral programs consent to PayHeld sharing their referral code or referral link with invitees, and acknowledging the referrer by name to invitees who sign up using the referral.

4.11 AGGREGATED AND ANONYMIZED DATA

PayHeld may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify individual Users:

(a) Industry Research and Benchmarks: PayHeld may publish or share aggregated statistics such as average transaction volumes, average freelancer rates by category, Project completion rates, or industry benchmarks without identifying individual Users.

(b) Academic and Commercial Research: PayHeld may collaborate with academic researchers or commercial research organizations by providing anonymized datasets for research on payment systems, freelance marketplaces, or economic trends. All datasets are subjected to anonymization techniques including aggregation, data masking, and removal of direct identifiers before sharing.

(c) Business Partners and Investors: PayHeld may share aggregated metrics with business partners, investors, or potential acquirers to demonstrate Platform growth and performance. Such metrics do NOT include individual User information.

Aggregated and anonymized data is NOT considered "personal information" under GDPR, CCPA, or other privacy laws, and sharing of such data is not restricted by this Privacy Policy.

4.12 CROSS-BORDER DATA TRANSFERS

PayHeld operates globally and personal information may be transferred to and processed in countries other than your country of residence:

(a) United States: PayHeld's primary data processing facilities are located in the United States. If you are located outside the United States, your personal information will be transferred to and processed in the United States, which may have data protection laws that differ from those in your country. For European Economic Area (EEA), United Kingdom, and Swiss Users, PayHeld relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) to legitimize transfers of personal information from the EEA/UK/Switzerland to the United States and other jurisdictions not recognized as providing adequate data protection.

(b) European Union: For Users located in the European Economic Area, United Kingdom, or Switzerland, PayHeld stores a replica of personal information on AWS servers located in the EU (specifically AWS eu-west-1 region in Ireland) to comply with GDPR data localization preferences and reduce data transfer latency.

(c) Data Processing Agreements: All third-party service providers who receive personal information from PayHeld execute Data Processing Agreements (DPAs) that include Standard Contractual Clauses (SCCs) where required by GDPR. These agreements ensure that personal information transferred outside the EEA/UK/Switzerland receives equivalent protection to that provided under GDPR.

(d) Safeguards for International Transfers: PayHeld implements technical and organizational safeguards for international data transfers including encryption in transit (TLS 1.3), encryption at rest (AES-256), access controls, regular security audits, and contractual protections with data processors. PayHeld has conducted Transfer Impact Assessments (TIAs) as recommended by the European Data Protection Board to evaluate risks associated with transfers to the United States following the invalidation of the EU-U.S. Privacy Shield framework (Schrems II decision).

4.13 NO SALE OF PERSONAL INFORMATION

PayHeld DOES NOT SELL personal information as defined under the California Consumer Privacy Act (CCPA) or other privacy laws. PayHeld has NOT sold personal information in the preceding twelve (12) months and does not intend to sell personal information in the future.

Certain data sharing practices described in this Section 4 (such as sharing with analytics providers or advertising partners) may be considered "sharing" for cross-context behavioral advertising under California law. California residents have the right to opt out of such sharing as described in Section 7 (Privacy Rights).

5. Payment Data Security

5.1 PCI DSS Compliance: - We maintain PCI DSS Level 1 compliance - Card data is tokenized and never stored in plain text - Regular security audits and assessments - Secure transmission using TLS 1.3 encryption

5.2 Encryption: - AES-256 encryption for data at rest - TLS 1.3 for data in transit - End-to-end encryption for sensitive communications - Secure key management practices

5.3 Access Controls: - Role-based access control (RBAC) - Multi-factor authentication (MFA) required - Regular access reviews and audits - Principle of least privilege - Session management and timeout policies

5.4 Infrastructure Security: - Secure cloud infrastructure (AWS) - Web application firewall (WAF) - DDoS protection - Regular security patching - Intrusion detection and prevention systems

5.5 Incident Response: - 24/7 security monitoring - Incident response team - Breach notification procedures - Forensic investigation capabilities - Regular incident response drills

6. Data Retention and Deletion

6.1 Retention Periods: - Transaction records: 7 years (legal requirement) - Identity verification documents: 5 years after account closure - Communication logs: 3 years - Marketing preferences: Until withdrawn - Technical logs: 90 days - Notification history (in-app, email, SMS, push): 3 years after delivery - Records of all notifications sent to users across all channels including delivery status, read receipts, and notification content summaries. Retained to support customer service inquiries, dispute resolution investigations, and compliance audits. - Communication analytics data: 3 years after message creation - Automated analysis results for platform messages including sentiment classification, communication quality scores, detected keywords and urgency levels, generated alerts and their resolution status, response time metrics. Retained to improve dispute prevention systems and support appeals of account actions related to communication policy violations. - Message content: 3 years after last project activity or indefinitely for disputed projects - Full text of messages sent through the platform messaging system, including message content, message metadata, voice note recordings, and shared file attachments. Messages related to active projects, ongoing disputes, legal holds, or regulatory investigations are retained beyond 3 years as necessary. - Email tracking data: 90 days - Email open tracking, click tracking, delivery status, and engagement metrics are retained for 90 days after email delivery for deliverability optimization and communication analytics. After 90 days, individual tracking events are aggregated into summary statistics and individual tracking records are deleted. - Device fingerprints: Retained indefinitely for fraud prevention - Trust scores, risk flags, and payment history associated with device fingerprints are retained permanently to protect against fraud. - Profile view tracking: 90 days - Profile view analytics including viewer IP addresses (hashed), referrer sources, and view timestamps are automatically deleted after 90 days. - Security logs (404 tracking, enumeration detection): 30 days - Logs of 404 errors, failed authentication attempts, and automated attack detection are retained for 30 days for security monitoring. - Payment fraud detection data: 7 years - IP addresses, device fingerprints, risk scores, and fraud flags associated with payment transactions are retained for 7 years to comply with financial regulations and fraud prevention requirements.

6.2 Account Closure: - Active data deleted within 30 days of account closure - Transaction history retained for legal compliance - Anonymization of non-essential data - Secure deletion using DoD 5220.22-M standard

6.3 Backup Retention: - Backup data retained for 90 days - Encrypted backup storage - Secure backup deletion procedures - Disaster recovery copies managed separately

6.4 Legal Holds: - Data preserved when subject to legal hold - Notification of preservation requirements - Suspension of deletion policies during holds - Secure preservation procedures

7. Your Privacy Rights

7.1 Access Rights: - Request a copy of your personal data - Receive data in a portable format - Access transaction history - Review data sharing records

7.2 Correction Rights: - Update incorrect information - Complete incomplete data - Annotate disputed information - Request verification updates

7.3 Deletion Rights (Right to be Forgotten): - Request deletion of personal data - Exceptions for legal requirements - Transaction data retained for compliance - Anonymization as alternative to deletion

7.4 Restriction Rights: - Limit processing of your data - Opt-out of marketing communications - Restrict data sharing - Control public visibility

7.5 Portability Rights: - Export your data in machine-readable format - Transfer data to another service - API access for authorized applications - Bulk export capabilities

7.6 Objection Rights: - Object to data processing - Opt-out of automated decision-making - Refuse profiling activities - Withdraw consent for optional processing

7.7 Complaint Rights: - File complaints with supervisory authorities - Contact information for data protection officers - Escalation procedures - External dispute resolution options

8. International Data Transfers

8.1 Transfer Mechanisms: - Standard Contractual Clauses (SCCs) - Adequacy decisions where applicable - Explicit consent for specific transfers - Binding Corporate Rules (BCRs) for group companies

8.2 Data Localization: - EU data stored in EU data centers - Compliance with local data residency requirements - Regional processing where required - Cross-border transfer logging

8.3 Safeguards: - Encryption for all international transfers - Access controls and monitoring - Data minimization principles - Regular transfer impact assessments

9. Cookies and Tracking Technologies

9.1 Essential Cookies: - Session management - Security tokens - Load balancing - User preferences

9.2 Analytics Cookies: - Usage patterns and metrics - Performance monitoring - Error tracking - A/B testing

9.3 Marketing Cookies (with consent): - Remarketing pixels - Conversion tracking - Interest-based advertising - Social media integration

9.4 Cookie Management: - Cookie consent banner - Preference center - Opt-out mechanisms - Browser-based controls

9.5 Do Not Track: - Response to DNT signals - Alternative privacy controls - Opt-out options - Privacy-preserving analytics

10. Children's Privacy

10.1 Age Restrictions: - Services not available to users under 18 - Age verification procedures - Parental consent not applicable - Immediate deletion if underage user detected

10.2 Inadvertent Collection: - Prompt deletion upon discovery - Notification procedures - Prevention measures - Staff training on COPPA compliance

11. California Privacy Rights (CCPA/CPRA)

11.1 Additional Rights for California Residents: - Right to know categories of personal information collected - Right to know purposes of collection - Right to know categories of third parties with whom we share data - Right to opt-out of sale of personal information - Right to non-discrimination for exercising privacy rights

11.2 Financial Incentives: - Description of financial incentive programs - How to opt-in to programs - Terms of financial incentives - Right to withdraw from programs

11.3 Authorized Agents: - Process for authorized agent requests - Verification requirements - Power of attorney requirements - Direct confirmation with consumer

11.4 Metrics: - Annual reporting of privacy requests - Response times and compliance rates - Categories of requests received - Outcomes of requests

12. GDPR Compliance (EU/UK Residents)

12.1 Legal Bases for Processing: - Contract performance for payment services - Legal obligations for compliance - Legitimate interests for fraud prevention - Consent for marketing communications

12.2 Data Protection Officer: - Contact: dpo@payheld.com - Response time: 30 days - Escalation procedures - Annual privacy reviews

12.3 Supervisory Authority: - Right to lodge complaints - Contact information for local authorities - Cross-border complaint procedures - Alternative dispute resolution

12.4 Automated Decision-Making: - Disclosure of automated processing - Logic involved in decisions - Significance and consequences - Right to human review

Communication Content Analysis (Automated Processing):

PayHeld uses automated systems to analyze the content of messages sent through the platform messaging system for dispute prevention, safety monitoring, and service quality improvement. This automated processing includes:

Sentiment Classification: Natural language processing algorithms classify message tone as positive, neutral, negative, or urgent based on word choice, punctuation, capitalization, and linguistic patterns.

Keyword Detection: Automated scanning for terms indicating potential disputes, safety concerns, or Terms of Service violations, including but not limited to: "refund", "dispute", "lawyer", "legal action", "sue", "scam", "fraud", "report", "complaint", "unacceptable", "terrible".

Communication Quality Scoring: Automated calculation of message quality (0-100 scale) based on: message length and completeness, tone and professionalism indicators, presence of polite language ("thank you", "please"), use of proper grammar and spelling, responsiveness (reply time to previous messages).

Urgency Level Calculation: Automated assessment of message urgency (0-10 scale) based on deadline-related language such as "urgent", "ASAP", "immediately", "emergency", "critical", "deadline", "today", "now".

Automated Alert Generation: Messages scoring high on urgency, negative sentiment, or containing escalation keywords automatically trigger alerts to PayHeld administrators for manual review. Alerts include message summary, calculated scores, and flagged keywords.

Legal Basis for Processing: This automated processing is conducted based on Legitimate Interests (GDPR Article 6(1)(f)) for the purposes of: (i) dispute prevention and early detection of conflicts between users; (ii) platform safety and fraud prevention; (iii) enforcement of Terms of Service (prohibited language, harassment prevention); (iv) customer service quality improvement and training.

No Automated Enforcement Actions: No account suspension, payment holds, project cancellations, penalties, or other enforcement actions are taken based solely on automated communication analysis. All flagged messages undergo human review by PayHeld staff before any action is taken. Automated analysis serves only as an alert mechanism for manual investigation.

Your GDPR Rights Regarding Automated Processing:

Under GDPR Article 22, you have the right to:

(a) Request Human Review: Request that a human review any automated communication analysis that affected your account or projects.

(b) Object to Processing: Object to automated processing of your communications. Note that objecting may limit access to certain platform features related to dispute prevention and may increase manual review times for your account.

(c) Receive Explanation: Receive a clear explanation of the logic involved in automated decision-making, the significance of such processing, and the envisaged consequences for you.

(d) Obtain Intervention: Contest any decision reached through automated means and express your point of view to PayHeld staff.

To exercise these rights, contact our Data Protection Officer at dpo@payheld.com with the subject line "Automated Processing Review Request". We will respond within 30 days with details of any automated analysis conducted on your communications and provide opportunities for human review and appeal.

Transparency Commitment: PayHeld will not use automated communication analysis to discriminate against users based on protected characteristics. Sentiment analysis and quality scoring are applied uniformly to all users and are not adjusted based on user demographics, nationality, or account age.

13. Changes to This Privacy Policy

13.1 Notification of Changes: - Email notification for material changes - 30-day notice period - Platform notifications - Summary of changes provided

13.2 Consent to Changes: - Continued use constitutes acceptance - Opt-out procedures - Data export before changes - Account closure options

13.3 Version History: - Previous versions available on request - Change log maintenance - Effective date tracking - Archive of historical policies

14. Contact Information

For privacy-related inquiries and requests:

Data Protection Officer: Email: dpo@payheld.com

Privacy Portal: https://payheld.com/privacy Support: privacy@payheld.com

Response Time: We aim to respond to all privacy requests within 30 days.

Supervisory Authorities: - US: Federal Trade Commission (FTC) - EU: Your local Data Protection Authority - UK: Information Commissioner's Office (ICO)

Questions about privacy? Contact us at privacy@payheld.com