Cookie Policy

Effective: July 10, 2026 · v2026-07-10

This policy explains the cookies and similar technologies HoldFast uses, what each one is for, and how you control them. HoldFast is a video review and presentation platform operated by Smoke & Oakum. We’ve written this in plain English. For the complete picture of what we collect and why — including the analytics described here — read the Privacy Policy.

Two kinds of people encounter HoldFast: members, who log in to build and share content, and viewers, who open a review link (/r/), a reel (/s/), or a presentation (/d/) that a member sent them. The technologies below apply to both, and we say which is which.

1. What cookies and similar technologies are

A cookie is a small text file a website asks your browser to store, so it can recognize your browser on a later request — for example, to remember that you already typed a password. “Similar technologies” do the same job by other means:

We group everything into two buckets. Essential technologies are strictly necessary to deliver something you asked for (staying logged in, remembering a password you entered, recording your cookie choice); they don’t track you across sites and aren’t subject to consent. Engagement analytics technologies let the person who shared a link see how their content was viewed; these are optional and controlled by your consent, as described in section 3.

2. What we use

The named items below are everything HoldFast sets. We do not use advertising cookies, and we do not sell what these technologies collect. Durations are maximums — you can clear them sooner (section 5).

Name Type Purpose Duration
holdfast_tokenauth session token EssentiallocalStorage Keeps signed-in members logged in as they move around the HoldFast app. Without it you’d have to re-enter your password on every page. Until you log out or clear storage (the token itself expires after 7 days)
hfr_<id>review-link gate proof Essentialcookie Remembers that you entered the correct password for a password-protected review link, so you aren’t asked again on every visit. Set only when a link has a password. 30 days
hfd_<id>presentation gate proof Essentialcookie Remembers that you cleared the password or email gate for a presentation (deck), so you aren’t re-prompted. Set only when a presentation is gated. 30 days
hf_consent_v1consent record EssentiallocalStorage Records your cookie choice (allow or decline engagement analytics) so we can honour it and not ask again. This is stored on your device, never in a cookie, and never shared. Until you clear it
hf_vidviewer device id Engagement analyticscookie A device identifier used for viewer analytics on review links and reels. It lets the person who shared the link recognise a returning device and see who watched and for how long. Set only after you allow analytics. 1 year
FingerprintJS Probrowser fingerprinting Engagement analyticsfingerprinting Derives a device identifier from browser signals to help recognise a viewer more reliably on review links and reels. Those browser signals are sent to and processed by FingerprintJS, Inc. Loaded only after you allow analytics; never loaded for EU, UK, or California viewers who haven’t allowed it. Persistent device identifier (FingerprintJS may set its own storage)
hf_anon / hf_sesspresentation analytics Engagement analyticslocal & session storage Anonymous identifiers that measure how a shared presentation (deck) is viewed — which slides, for how long. Presentations do not load FingerprintJS. Persisted only after you allow analytics. hf_anon: until cleared · hf_sess: current session
In-memory ephemeral ide.g. eph_… Engagement analyticsno storage When you decline (or haven’t yet chosen) analytics, a throwaway identifier is used for a single page load so the page works. Nothing is written to your device and you aren’t recognised on a later visit. Not stored — discarded when the page is closed

Beyond these, ordinary web-server logs record the usual technical details of a request (such as IP address and browser type). That processing, and the third-party services involved (including FingerprintJS), is described in full in the Privacy Policy and the Data Processing Agreement.

3. Your choices — the consent model

Essential technologies always run — they’re what makes a login or a password-gated link work, and they don’t track you. Engagement analytics are optional, and how we ask depends on where you are.

Viewers in the EU/EEA, the UK, and California

Before any engagement-analytics identifier is set, you see a consent banner on the shared link with two equally weighted choices:

Nothing non-essential loads until you choose, and declining is as easy as allowing.

Declining doesn’t make you invisible — it makes you anonymous

Even if you decline, the person who sent the link can still see that the link was viewed. What they can’t see is which device viewed it or tie that view to you specifically, because no device identifier is stored. In other words: an anonymous view still counts; a personally recognisable one does not.

Everywhere else

Outside those regions, engagement analytics operate under this policy with the disclosures above. Wherever you are, you can turn analytics off at any time using the Cookie Preferences link in the footer of any review link, reel, or presentation. Your choice is saved on your device (in hf_consent_v1) and honoured going forward. You can also change your mind and re-enable it the same way.

4. Global Privacy Control (GPC)

If your browser or a browser extension sends a Global Privacy Control signal, we treat it as a decline. Engagement analytics stay off by default, no banner is shown, and the Cookie Preferences panel will tell you: “Your browser sent a Global Privacy Control signal, so analytics is off by default.” You can still turn analytics on manually from that panel if you want to.

5. How to manage or clear cookies and storage

You have full control from your browser, independent of the choices above:

Each browser handles this a little differently. Their help pages walk through it: Chrome, Safari, Firefox, and Edge.

6. Changes to this policy

We may update this policy as our technology or the law changes. When we make a significant change, we’ll update the effective date and version at the top of this page. Material changes that affect viewers may also be reflected in the consent banner.

7. Contact

Questions about cookies or the analytics described here? Reach us at [email protected]. For the full account of how we handle personal data, see the Privacy Policy and Your Privacy Choices.