Privacy Policy

Last updated: April 6, 2026

1. Data Controller

HoltWalker is operated by LVSoft AB (org. nr 559486-7920), a company registered in Sweden. LVSoft AB is the sole data controller within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Article 4(7), and is responsible for the processing of your personal data as described in this policy.

LVSoft AB has determined that the nature and scale of its data processing activities do not require the appointment of a Data Protection Officer (DPO) under GDPR Article 37. Our processing does not involve regular and systematic monitoring of data subjects on a large scale, nor does it involve large-scale processing of special categories of data.

For any privacy-related inquiries, you may contact us at [email protected].

2. Data We Collect

We collect and process the following categories of personal data. For each category, we specify the exact data fields, the source, and whether the data is mandatory for using the Service.

Account Data (Mandatory)

When you sign in via Discord OAuth, we receive the following data from Discord as a third-party source:

  • Discord user ID — Unique numerical identifier used as your primary account key.
  • Username — Your Discord display name, shown in the dashboard and admin interface.
  • Email address — Used for account identification and critical service communications.
  • Avatar URL — Link to your Discord profile image, displayed in the navigation menu.

This data is mandatory. Without it, we cannot create or maintain your account. Your account data is refreshed from Discord each time you sign in.

OAuth Tokens

When you authenticate via Discord, we receive and store an OAuth access token and a refresh token. The access token is used to fetch and update your profile information from Discord. The refresh token is used to obtain new access tokens when the current one expires. These tokens are stored in the database for the duration of your active session and are deleted when you revoke access or delete your account.

API Usage Data (Automatically Collected, Mandatory)

When you make API requests to HoltWalker, the following data is automatically logged:

  • Endpoint path — Which API endpoint was called (e.g., /generatePaths, /generateBankPaths, /ws).
  • Response status code — Whether the request succeeded or failed.
  • Response time — How long the request took to process, in milliseconds.
  • Path count — The number of paths generated in the response.
  • Timestamp — When the request was made.
  • API key reference — Which of your API keys was used (identified by key prefix, not the full key).

This data is mandatory for service delivery. It is used for rate limiting enforcement, billing calculations, your usage dashboard, and service reliability monitoring.

API Key Metadata (Automatically Collected)

When you create API keys, we store the following metadata:

  • Key prefix — The first 11 characters of the key (e.g., "sk_a1b2c3d4"), used for display and identification.
  • Key hash — A SHA-256 hash of the full key, used to authenticate API requests. The raw key is shown to you once at creation and is never stored.
  • Key name — An optional label you assign for your own reference.
  • Creation date — When the key was created.
  • Last used date — When the key was last used to make an API request.
  • Per-key rate limit — An optional rate limit you configure for the key.
  • Deletion date — If the key has been revoked, when it was soft-deleted.

Payment Data (Mandatory for Paid Plans)

Payment processing is handled entirely by Stripe. We never see, receive, or store your credit card number, CVC, or other payment instrument details. The following payment-related data is stored by us:

  • Stripe customer ID — Links your account to your Stripe customer profile.
  • Stripe subscription ID — Identifies your active subscription for plan management.
  • Subscription status — Whether your subscription is active, canceled, past due, or expired.
  • Billing period dates — Start and end dates of your current billing cycle.
  • Plan information — Which plan tier you are subscribed to and any scheduled changes.
  • Billing events — An audit trail of subscription changes, including event type (e.g., subscription_new, upgrade, downgrade_scheduled, cancellation, invoice_paid, payment_failed), Stripe event ID, and timestamp.

Server Request Logs (Automatically Collected, Transient)

Our application server generates structured request logs for operational monitoring and debugging. Each log entry includes:

  • Correlation ID — A unique request identifier (UUID) for tracing.
  • Request path — The tRPC procedure or API route called.
  • Duration — How long the request took to process.
  • User ID — Your account identifier, if you were authenticated.
  • Status — Whether the request succeeded or failed.
  • Timestamp — When the request was processed.

These logs are transient and are used exclusively for operational monitoring, debugging, and security incident investigation. They are not used for profiling or behavioral analysis.

Network Data (Automatically Collected, In-Memory Only)

We collect IP addresses for rate limiting and abuse prevention. IP data is held in application memory only and is not persisted to the database. IP addresses in memory are automatically purged when the sliding window expires (within 60 seconds) or when the application restarts.

3. Legal Basis for Processing

Under GDPR Article 6(1), every processing of personal data must be justified by at least one legal basis. The following table sets out the legal basis we rely on for each category of data processing, along with the specific reason each basis applies.

| Data | Purpose | Legal Basis |
|---|---|---|
| Discord profile (user ID, username, email, avatar) | Account creation and identification, required to provide you with the Service | Contract performance (Art. 6(1)(b)) |
| OAuth tokens (access token, refresh token) | Maintaining your authenticated session and refreshing profile data from Discord | Contract performance (Art. 6(1)(b)) |
| API usage logs (endpoint, status, timing, path count) | Rate limiting enforcement, billing calculations, and your usage dashboard | Contract performance (Art. 6(1)(b)) |
| API key metadata (prefix, hash, name, dates) | Authenticating API requests and managing your keys | Contract performance (Art. 6(1)(b)) |
| Payment data (Stripe IDs, subscription status, billing events) | Subscription management and billing | Contract performance (Art. 6(1)(b)) |
| Payment records and billing events (retained 7 years) | Compliance with the Swedish Bokföringslag (Accounting Act, SFS 1999:1078) | Legal obligation (Art. 6(1)(c)) |
| IP addresses | Rate limiting and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Server request logs | Operational monitoring, debugging, and security incident investigation | Legitimate interest (Art. 6(1)(f)) |
| Session cookies | Maintaining your authenticated session | Contract performance (Art. 6(1)(b)) |

Legitimate Interest Assessment

Where we rely on legitimate interest (GDPR Article 6(1)(f)) as our legal basis, we have conducted a balancing test weighing our interests against your rights:

  • IP address processing: Our legitimate interest is preventing abuse, enforcing rate limits, and protecting service availability for all users. IP addresses are held in application memory only, are not persisted to any database, and are automatically purged within 60 seconds. Given the minimal scope, the short retention, and the absence of any profiling or tracking use, we have concluded that this processing does not override your rights and freedoms.
  • Server request logs: Our legitimate interest is maintaining the security, reliability, and operational integrity of the Service. Logs are transient, contain only the minimum data necessary for debugging and incident response, and are not used for profiling or behavioral analysis. The processing is proportionate to the purpose and does not override your rights and freedoms.

4. Third-Party Processors

We share personal data only with the third-party processors listed below. Each processor has been assessed for GDPR adequacy, and we have entered into Data Processing Agreements (DPAs) that meet the requirements of GDPR Article 28 with each of them. We do not sell, rent, or trade your personal data to any third party, for any purpose.

  • Discord (Discord Inc., USA) — Authentication provider. Receives your sign-in request and provides your profile data (user ID, username, email, avatar URL) and OAuth tokens. Discord processes this data as a controller in its own right under its own privacy policy.
  • Stripe (Stripe Inc., USA) — Payment processor. Handles all credit card and payment instrument processing. We transmit your Stripe customer ID and subscription events. Stripe is PCI-DSS Level 1 certified and processes payment data as a controller for fraud prevention and compliance purposes.
  • Hosting provider (European data center) — Our application servers and database are hosted in a European data center. The hosting provider processes personal data solely on our behalf as a processor, under a DPA compliant with GDPR Article 28. The provider does not access your data except as necessary to maintain the infrastructure.

5. International Data Transfers

Your personal data is primarily stored and processed on servers located within the European Economic Area (EEA). However, some of our third-party processors are based in the United States, for which the European Commission has not issued a general adequacy decision under GDPR Article 45.

In accordance with GDPR Chapter V (Articles 44–49), we rely on the following transfer mechanisms to ensure adequate protection of your personal data when it is transferred outside the EEA:

  • Discord (USA): Data transfers are protected under the EU-U.S. Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c).
  • Stripe (USA): Data transfers are protected under the EU-U.S. Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c).

As supplementary safeguards pursuant to the EDPB recommendations, all data in transit between our servers and third-party processors is encrypted using TLS 1.2 or higher. Data stored in our database is encrypted at rest. We review the transfer mechanisms and adequacy of safeguards annually.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. The following table specifies retention periods and their legal justification.

| Data | Retention | Justification |
|---|---|---|
| Account data | Until you delete your account | Necessary for ongoing contract performance (Art. 6(1)(b)). Deleted upon account closure. |
| OAuth tokens | Duration of active session | Required for session maintenance. Deleted on logout or session expiry. |
| API usage logs | 90 days (detailed); 12 months (aggregated) | Detailed logs retained for billing disputes and service monitoring. Aggregated statistics retained for trend analysis and capacity planning. |
| API key metadata | Until key deletion + 90 days | Soft-deleted keys retained briefly for abuse investigation. Permanently purged after 90 days. |
| Payment records & billing events | 7 years from the end of the fiscal year | Required by the Swedish Bokföringslag (Accounting Act, SFS 1999:1078, Chapter 7 Section 2), which mandates retention of accounting records for 7 fiscal years. Legal obligation under Art. 6(1)(c). |
| Server request logs | 30 days | Retained for operational monitoring and security incident investigation. Automatically rotated. |
| IP addresses | In-memory only (~60 seconds) | Held in a sliding window for rate limiting. Never persisted. Purged on window expiry or application restart. |
| Session cookies | Until logout or 30 days of inactivity | Required for session continuity. Cleared on explicit logout or expiry. |

When a retention period expires, data is either permanently deleted or irreversibly anonymized. Anonymized and aggregated data (e.g., total API request counts, average response times) no longer constitutes personal data within the meaning of GDPR Recital 26 and may be retained indefinitely for statistical and service improvement purposes.

7. Your Rights

Under GDPR Chapter III (Articles 12–23), you have the following rights regarding your personal data. You may exercise any of these rights free of charge (Article 12(5)), unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.

  • Right of Access (Art. 15) — You may request a copy of all personal data we hold about you, including the purposes of processing, the categories of data, recipients, and retention periods. In practice, this includes your account data, API usage history, API key metadata, subscription details, and billing events.
  • Right to Rectification (Art. 16) — You may request correction of inaccurate personal data. Since your account data originates from Discord, most corrections are applied by updating your Discord profile and re-authenticating. For data that we control directly (e.g., API key names), you may correct it through the dashboard or by contacting us.
  • Right to Erasure (Art. 17) — You may request deletion of your personal data. We will comply unless retention is required by law (e.g., payment records under the Swedish Accounting Act, which must be retained for 7 fiscal years per Art. 17(3)(b)). Upon erasure, your account, API keys, and usage logs are permanently deleted; legally required payment records are retained until their retention period expires.
  • Right to Data Portability (Art. 20) — You may receive your personal data in a structured, commonly used, and machine-readable format (JSON). This includes your account data, API usage logs, API key metadata, and subscription history. You may also request that we transmit this data directly to another controller where technically feasible.
  • Right to Restriction of Processing (Art. 18) — You may request that we restrict (i.e., limit) the processing of your personal data while a dispute about accuracy or lawfulness is being resolved, or if you need the data preserved for legal claims. While restricted, we will store but not process the data except with your consent or for legal claims.
  • Right to Object (Art. 21) — You may object to processing based on legitimate interest (Art. 6(1)(f)). This applies to our processing of IP addresses and server request logs. Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your rights.
  • Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. We note that our primary legal bases are contract performance and legitimate interest; however, this right is available to you in full.

How to Exercise Your Rights

To exercise any of these rights, email [email protected] with the subject "GDPR Request". We will verify your identity (typically by confirming ownership of the Discord account linked to your HoltWalker account) and respond within 30 days. If your request is complex or we have received a large number of requests, we may extend this period by up to 60 additional days, in which case we will notify you of the extension and the reasons for it within the initial 30-day period, in accordance with Article 12(3).

You also have the right to lodge a complaint with the Swedish data protection authority: Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, Sweden. Email: [email protected]. Website: www.imy.se. If you reside in another EU/EEA member state, you may also lodge a complaint with your local supervisory authority, which will cooperate with IMY under the GDPR consistency mechanism (Art. 60–67).

8. Automated Decision-Making

In accordance with GDPR Article 22, we inform you that we do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

Our rate limiting system is a rule-based mechanism that applies uniform, pre-defined thresholds to all users based on their subscription plan. It is not algorithmic profiling — it does not evaluate personal characteristics, predict behavior, or produce individualized assessments. Rate limiting is a contractual feature of the Service and applies identically to all users on the same plan tier.

9. Cookies

We use a single session cookie to keep you signed in. Under the Swedish Electronic Communications Act (Lag (2003:389) om elektronisk kommunikation, "LEK"), which implements the EU ePrivacy Directive (2002/58/EC), cookies that are strictly necessary for providing a service explicitly requested by the user are exempt from the consent requirement (LEK Section 6:18). Our session cookie falls within this exemption because it is essential for maintaining your authenticated session — the Service cannot function without it.

| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| authjs.session-token | Maintains your authenticated session | 30 days | Strictly necessary |
| __Secure-authjs.session-token | Same as above, with the __Secure- prefix (production) | 30 days | Strictly necessary |

Our session cookies are configured with httpOnly (not accessible to JavaScript), Secure (transmitted only over HTTPS in production), and SameSite=Lax (protection against cross-site request forgery).

We do not use analytics cookies, marketing cookies, or third-party tracking cookies. Stripe may set cookies for fraud prevention during the checkout process — these are also strictly necessary and are governed by Stripe's own privacy policy.

10. Security

In accordance with GDPR Article 32, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing. These measures include:

  • Encryption in transit: All connections to and from our servers use TLS 1.2 or higher. HSTS (HTTP Strict Transport Security) is enforced with a one-year max-age.
  • Encryption at rest: Database storage is encrypted at rest using AES-256.
  • API key security: API keys are hashed with SHA-256 before storage. Raw keys are shown to the user once at creation and are never stored or logged.
  • Session security: Session cookies are httpOnly, Secure, and SameSite protected. Sessions expire after 30 days of inactivity.
  • Payment security: All payment data is handled by Stripe (PCI-DSS Level 1 certified). We never process or store payment instrument details.
  • Access control: Database access is restricted to the application layer via internal networking. Administrative access requires authenticated sessions with admin-level privileges.
  • Security headers: Our application enforces X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers on all responses.
  • Regular assessments: We conduct regular security assessments of our infrastructure and application code.

Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Swedish supervisory authority (IMY) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34, describing the nature of the breach, the likely consequences, and the measures we have taken or propose to take.

11. Children

The Service is not directed at children. In Sweden, the age of digital consent is 13 years (as determined under Sweden's implementation of GDPR Article 8, which permits member states to set the age between 13 and 16). We do not knowingly collect personal data from children under 13.

If we become aware that we have collected personal data from a child under 13 without appropriate parental consent, we will take immediate steps to delete that data. If you believe a child under 13 has provided us with personal data, please contact us at [email protected].

12. Changes to This Policy

We may update this policy to reflect changes in our processing activities, applicable law, or regulatory guidance. Any updates will be published on this page with an updated "Last updated" date.

If we make changes that materially reduce your rights or expand the scope of data processing beyond what is described here, we will notify you via email at least 30 days before the changes take effect and will require your affirmative acceptance (e.g., by acknowledging the updated policy when you next sign in) before the new terms apply. Continued use of the Service does not constitute acceptance of material changes that reduce your rights.

Minor clarifications, formatting changes, or updates required by law that do not materially affect your rights will take effect upon publication without additional notice.

13. Contact

For privacy inquiries, data subject access requests, or complaints, contact us at: [email protected]

LVSoft AB
Org. nr 559486-7920
Sweden

We aim to resolve all privacy-related inquiries directly. If you are not satisfied with our response, you have the right to lodge a complaint with Integritetsskyddsmyndigheten (IMY) or your local EU/EEA supervisory authority.