Cookie Policy
Effective: July 10, 2026 · v2026-07-10
This policy explains the cookies and similar technologies HoldFast uses, what each one is for, and how you control them. HoldFast is a video review and presentation platform operated by Smoke & Oakum. We’ve written this in plain English. For the complete picture of what we collect and why — including the analytics described here — read the Privacy Policy.
Two kinds of people encounter HoldFast: members, who log in to build and share content, and viewers, who open a review link (/r/), a reel (/s/), or a presentation (/d/) that a member sent them. The technologies below apply to both, and we say which is which.
1. What cookies and similar technologies are
A cookie is a small text file a website asks your browser to store, so it can recognize your browser on a later request — for example, to remember that you already typed a password. “Similar technologies” do the same job by other means:
- localStorage and sessionStorage — browser storage that holds small values on your device. localStorage persists until it’s cleared; sessionStorage lasts only for the current tab or session.
- Device fingerprinting — deriving a recognizable identifier from characteristics your browser reveals (screen, fonts, rendering behaviour, and so on), rather than storing a file. We use one such service, FingerprintJS Pro, and disclose it in the table below.
We group everything into two buckets. Essential technologies are strictly necessary to deliver something you asked for (staying logged in, remembering a password you entered, recording your cookie choice); they don’t track you across sites and aren’t subject to consent. Engagement analytics technologies let the person who shared a link see how their content was viewed; these are optional and controlled by your consent, as described in section 3.
2. What we use
The named items below are everything HoldFast sets. We do not use advertising cookies, and we do not sell what these technologies collect. Durations are maximums — you can clear them sooner (section 5).
| Name | Type | Purpose | Duration |
|---|---|---|---|
holdfast_tokenauth session token |
EssentiallocalStorage | Keeps signed-in members logged in as they move around the HoldFast app. Without it you’d have to re-enter your password on every page. | Until you log out or clear storage (the token itself expires after 7 days) |
hfr_<id>review-link gate proof |
Essentialcookie | Remembers that you entered the correct password for a password-protected review link, so you aren’t asked again on every visit. Set only when a link has a password. | 30 days |
hfd_<id>presentation gate proof |
Essentialcookie | Remembers that you cleared the password or email gate for a presentation (deck), so you aren’t re-prompted. Set only when a presentation is gated. | 30 days |
hf_consent_v1consent record |
EssentiallocalStorage | Records your cookie choice (allow or decline engagement analytics) so we can honour it and not ask again. This is stored on your device, never in a cookie, and never shared. | Until you clear it |
hf_vidviewer device id |
Engagement analyticscookie | A device identifier used for viewer analytics on review links and reels. It lets the person who shared the link recognise a returning device and see who watched and for how long. Set only after you allow analytics. | 1 year |
| FingerprintJS Probrowser fingerprinting | Engagement analyticsfingerprinting | Derives a device identifier from browser signals to help recognise a viewer more reliably on review links and reels. Those browser signals are sent to and processed by FingerprintJS, Inc. Loaded only after you allow analytics; never loaded for EU, UK, or California viewers who haven’t allowed it. | Persistent device identifier (FingerprintJS may set its own storage) |
hf_anon / hf_sesspresentation analytics |
Engagement analyticslocal & session storage | Anonymous identifiers that measure how a shared presentation (deck) is viewed — which slides, for how long. Presentations do not load FingerprintJS. Persisted only after you allow analytics. | hf_anon: until cleared · hf_sess: current session |
In-memory ephemeral ide.g. eph_… |
Engagement analyticsno storage | When you decline (or haven’t yet chosen) analytics, a throwaway identifier is used for a single page load so the page works. Nothing is written to your device and you aren’t recognised on a later visit. | Not stored — discarded when the page is closed |
Beyond these, ordinary web-server logs record the usual technical details of a request (such as IP address and browser type). That processing, and the third-party services involved (including FingerprintJS), is described in full in the Privacy Policy and the Data Processing Agreement.
3. Your choices — the consent model
Essential technologies always run — they’re what makes a login or a password-gated link work, and they don’t track you. Engagement analytics are optional, and how we ask depends on where you are.
Viewers in the EU/EEA, the UK, and California
Before any engagement-analytics identifier is set, you see a consent banner on the shared link with two equally weighted choices:
- Allow — engagement analytics turn on (
hf_vid, FingerprintJS, andhf_anon/hf_sessmay be used, depending on the link type). - Decline — no analytics identifiers are set or read. A throwaway in-memory id is used for that one page load and then discarded.
Nothing non-essential loads until you choose, and declining is as easy as allowing.
Declining doesn’t make you invisible — it makes you anonymous
Even if you decline, the person who sent the link can still see that the link was viewed. What they can’t see is which device viewed it or tie that view to you specifically, because no device identifier is stored. In other words: an anonymous view still counts; a personally recognisable one does not.
Everywhere else
Outside those regions, engagement analytics operate under this policy with the disclosures above. Wherever you are, you can turn analytics off at any time using the Cookie Preferences link in the footer of any review link, reel, or presentation. Your choice is saved on your device (in hf_consent_v1) and honoured going forward. You can also change your mind and re-enable it the same way.
4. Global Privacy Control (GPC)
If your browser or a browser extension sends a Global Privacy Control signal, we treat it as a decline. Engagement analytics stay off by default, no banner is shown, and the Cookie Preferences panel will tell you: “Your browser sent a Global Privacy Control signal, so analytics is off by default.” You can still turn analytics on manually from that panel if you want to.
5. How to manage or clear cookies and storage
You have full control from your browser, independent of the choices above:
- Clear cookies and site data for HoldFast (or a workspace’s custom domain) to remove everything in the table — cookies, localStorage, and sessionStorage. This also clears your saved consent choice, so you’ll be asked again where a banner applies.
- Block or limit cookies in your browser settings. Note that blocking essential cookies can break password-gated links and keep you from staying logged in.
- Use private/incognito browsing, which discards cookies and storage when you close the window.
Each browser handles this a little differently. Their help pages walk through it: Chrome, Safari, Firefox, and Edge.
6. Changes to this policy
We may update this policy as our technology or the law changes. When we make a significant change, we’ll update the effective date and version at the top of this page. Material changes that affect viewers may also be reflected in the consent banner.
7. Contact
Questions about cookies or the analytics described here? Reach us at [email protected]. For the full account of how we handle personal data, see the Privacy Policy and Your Privacy Choices.