Privacy Policy

Effective Date: April 12, 2026

1. Introduction

HandUp (“we,” “us,” or “our”) operates a peer-to-peer lending platform that facilitates structured loans between friends and family. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our website, mobile application, and related services (collectively, the “Platform”).

By using the Platform, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: First name, last name, email address, and phone number when you create an account.
  • Identity Verification: Government-issued ID and biometric selfie data, collected through our identity verification provider (Plaid) to comply with Know Your Customer (KYC) requirements.
  • Financial Information: Bank account details provided through Plaid for ACH payment processing. HandUp does not directly store your bank login credentials.
  • Loan Information: Loan amounts, terms, interest rates, repayment schedules, and payment history.

2.2 Information Collected Automatically

  • Device Information: Device type, operating system, and browser type.
  • Usage Data: Pages visited, features used, and interaction patterns.
  • Log Data: IP address, access times, and API request metadata.

2.3 Information from Third Parties

  • Plaid: Identity verification results and bank account information for payment processing.
  • Twilio: Phone verification status (we do not receive your SMS message content).

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account
  • Verify your identity as required by financial regulations
  • Facilitate loan creation, funding, and repayment between users
  • Process ACH payments between borrowers and lenders
  • Report payment history to credit bureaus (only when both parties opt in)
  • Send transactional notifications (payment confirmations, loan status updates)
  • Detect and prevent fraud, unauthorized access, and abuse
  • Comply with legal obligations and regulatory requirements
  • Improve and maintain the Platform

4. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

4.1 With Other Users

When you create or participate in a loan, certain information (your first name, last initial, and loan-related details) is shared with the other party to the loan. Your full address, SSN, and bank account details are never shared with other users.

4.2 With Service Providers

  • Plaid: For identity verification and bank account linking. Subject to Plaid's Privacy Policy.
  • Twilio: For SMS delivery of one-time verification codes.
  • Dwolla: For ACH payment processing between linked bank accounts.
  • Railway: For cloud hosting and database infrastructure.

4.3 With Credit Bureaus

If both the borrower and lender opt in to credit reporting during loan creation, payment history (including on-time and late payments) is reported to major credit bureaus. This reporting cannot be reversed once a loan is active.

4.4 For Legal Compliance

We may disclose your information when required by law, subpoena, court order, or government regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Data Security

We implement industry-standard security measures to protect your information:

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256 encryption
  • Authentication requires multi-factor verification (phone + OTP)
  • Bank credentials are managed by Plaid and never stored on our servers
  • API keys and secrets are stored in encrypted environment variables, never in source code
  • Access to production systems is restricted and reviewed quarterly

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

  • Active accounts: Data is retained for the duration of your account.
  • Loan records: Retained for 7 years after loan completion to comply with IRS record-keeping and FCRA requirements.
  • Verification codes: Deleted within 24 hours of use.
  • Server logs: Retained for 90 days.
  • Account deletion: Upon request, personally identifiable information is anonymized within 30 days. Records required for legal compliance are retained in anonymized form.

7. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements.
  • Portability: Request your data in a structured, machine-readable format.
  • Opt-out: Opt out of non-essential communications at any time.

To exercise any of these rights, contact us at [email protected].

8. Children's Privacy

The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.

9. Third-Party Links

The Platform may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform with a revised effective date. Your continued use of the Platform after changes are posted constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

HandUp
Email: [email protected]