Your Privacy Choices
U.S. State Privacy Notice · Effective: July 10, 2026 · v2026-07-10
This notice explains the privacy choices and rights available to people in U.S. states that have consumer-privacy laws. It covers HoldFast, a video review and presentation platform operated by Smoke & Oakum ("HoldFast", "we", "us"). It sits alongside our Privacy Policy and Cookie Policy, which describe our data practices in full. Where this notice and the Privacy Policy overlap, this notice controls for U.S. state privacy rights. We've tried to write it in plain English.
We probably aren't legally required to do this. We do it anyway.
Most U.S. state privacy laws only apply to companies above certain size or data-volume thresholds. HoldFast is a small business: we don't reach California's revenue threshold (about $26.6M), we don't buy, sell, or share the personal information of 100,000+ residents of any state, and we don't make most of our money from selling data. So we most likely do not qualify as a "business" under the CCPA or as a covered "controller" under the newer state laws.
We're publishing this notice and honoring these rights voluntarily anyway — because it's the honest thing to do, because our customers' viewers deserve transparency about the analytics we run, and because it's the right posture for a product that tracks engagement. If a law ever does apply to us, this is how we intend to comply.
1. Which laws and who this covers
Comprehensive consumer-privacy laws are in effect in these states, and we aim to honor the rights each one grants its residents: California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon (OCPA), Rhode Island, Tennessee, Texas (TDPSA), Utah, and Virginia (VCDPA). More states join this list over time; we extend the same choices to residents of any state that grants them.
These laws protect people acting in an individual or household capacity. Two groups interact with HoldFast:
- Account holders — the people who sign up for a HoldFast workspace. Outside California, most laws treat business-contact and employee data as exempt, so an account holder acting for their employer may not be a covered "consumer." In California, business-contact data does count.
- Viewers — the people a HoldFast customer shares a review link, reel, or presentation with. If you're a viewer acting personally (not on behalf of a company), you may be a covered "consumer" for the data we collect when you open a shared link. Much of what follows is written with viewers in mind.
2. Personal information we collect
The table below lists the categories of personal information we may process, using the categories from California's law, along with where each comes from and who we disclose it to. We collect this from three kinds of sources: (a) directly from you (for example, an email you type into a link's gate or a name you put on a comment); (b) automatically from your device and browser when you open a shared link; and (c) from the HoldFast customer who shared the link and from data-enrichment vendors.
| Category | Examples | Sources | Purpose | Disclosed to |
|---|---|---|---|---|
| Identifiers | Name, email address, IP address, a device/cookie identifier (hf_vid), a browser-fingerprint value, account and session identifiers. |
You; automatically from your browser/device; the customer's imported contacts. | Deliver and secure the shared link, attribute your comments, recognize returning devices, and produce engagement analytics for the sender. | Hosting/CDN and device-identity vendors (Cloudflare, Hetzner, FingerprintJS); the customer who shared the link. |
| Commercial information | Subscription plan, billing records, transaction history (account holders only — viewers usually have none). | You (account holders); our payment processor. | Manage subscriptions and process payments. | Stripe (payments). |
| Internet / network activity | Whether and when you opened a link, watch time, plays and pauses, clip enter/exit, slide dwell time, scroll depth, clicks and calls-to-action, playback diagnostics, browser and device type. | Automatically, from your interaction with the shared page. | Show the sender engagement analytics, keep playback working, and diagnose errors. | The customer who shared the link; hosting/CDN vendors. |
| Geolocation (coarse only) | Approximate city / region / country inferred from your IP address. We do not collect precise (GPS-level) location. | Derived on our servers from your IP (local database, no third party); company lookup via ipinfo.io. | Company-level analytics and abuse/fraud checks. | ipinfo.io (IP→company/region); the customer (region-level). |
| Professional / employment info | Company or organization name, work email, job-related contact details, and the company domain we resolve for a viewer. | The customer's imported contacts (Google/Microsoft/CSV/vCard); enrichment vendors; our company-resolution graph. | Identify the company associated with a viewer and provide company-level analytics. | Hunter.io (domain→org emails), ipinfo.io, our cross-workspace company graph, the customer, and the customer's own CRM (Copper). |
| Audio/visual & contents of communications | Media the customer uploaded, and text transcripts/captions generated from that media. Transcripts are produced on your own device; the audio never reaches our servers. Treated as sensitive information (see §3). | Customer uploads; on-device transcription. | Provide the review, transcript, and caption features only. | Cloudflare (storage of media and transcript text). Never sold; never used for advertising or profiling. |
| Inferences (engagement scores) | Engagement / "intent" scores, percentile ranks, viewing-rhythm signals, and short text notes describing viewing behavior. | Derived by us from the activity above. | Help the sender gauge who is interested and how engaged they are. | The customer who shared the link; the customer's own CRM (Copper). |
What we don't collect: we do not collect protected-classification data (such as race, religion, or health), biometric identifiers or voiceprints, precise geolocation, government IDs, financial-account numbers, or education records. We do not knowingly collect personal information from children.
3. Sensitive personal information
The only category of "sensitive" personal information we might handle is the contents of communications, in the form of transcripts and captions generated from uploaded media. This matters, so we want to be exact about it:
- Transcripts are generated on your own device (in your browser). The audio itself never leaves your device or reaches our servers.
- We use the resulting transcript text only to provide the transcript and caption features. We never sell it, and we never use it for advertising, targeting, or profiling.
- We do not collect precise geolocation or biometric identifiers, which are the other common types of sensitive information.
Because we already limit our use of this information to providing the service, there is effectively nothing for a "right to limit the use of sensitive personal information" to further restrict. You can still contact us if you'd like — see §7.
4. Selling and sharing — our position
We do not sell personal information for money. We have never sold personal information, and we don't intend to.
Two things we do could be characterized as "sharing" under some state laws, so we're flagging them plainly and giving you an opt-out out of caution:
- Engagement analytics to the sender. When a HoldFast customer shares a link with you, we show that customer analytics about how their content was viewed — including, where we can, who viewed it. That disclosure is the core purpose of the product, but a regulator could view it as a form of "sharing."
- Our shared company-resolution graph. To identify the company behind a visit, we maintain a graph that maps IP addresses, network identifiers (ASN), and device-fingerprint values to company domains, pooled across all customer workspaces. This improves company-level (not individual) identification. No viewer name, email, or personal profile is shared between workspaces — but because a device-derived value does cross workspace boundaries, some state laws might treat this as "sharing."
Because either could be read as "sharing," we treat both as opt-out-able and we honor the Global Privacy Control (GPC) browser signal as a valid opt-out. See the next section for how.
5. How to opt out of "sharing"
You have three ways to opt out, and any one of them is enough:
- Turn on Global Privacy Control (GPC). If your browser or a browser extension sends a GPC signal, we automatically treat it as an opt-out for that browser and device — no pop-up, no extra step, no account needed. GPC is a per-browser, per-device setting, so you'll need it enabled on each browser and device you want covered.
- Use "Cookie Preferences" on any shared page. Every HoldFast review link, reel, and presentation shows a Cookie Preferences control. Open it and decline engagement analytics. When you decline, we stop using a persistent device identifier and browser fingerprinting for you, and the sender can no longer identify your device — though they can still see, at a company level, that the link was opened.
- Email us. Send a request to [email protected] and we'll process the opt-out.
Opting out doesn't require us to verify your identity. An authorized agent can also submit an opt-out on your behalf.
6. Your rights
Depending on your state, you may have some or all of these rights. We extend them to residents of any state whose law grants them:
- Know / access — ask what categories and specific pieces of personal information we've collected about you, where it came from, why we collected it, and the categories of third parties we disclosed it to.
- Delete — ask us to delete personal information we hold about you, subject to legal exceptions.
- Correct — ask us to fix inaccurate personal information.
- Portability — get a copy of your personal information in a portable, usable format.
- Opt out of "sharing" — as described in §4–5. (We don't do targeted advertising, and we don't sell your data or use it for automated decisions that have legal or similarly significant effects on you.)
- Limit sensitive information — as described in §3.
- Non-discrimination — we won't deny you service, charge you a different price, or give you a lower quality of service because you exercised any of these rights.
7. How to submit a request
To exercise any right, email [email protected] with what you'd like to do. Because we don't yet have a self-service portal, we handle these requests by hand — so please give us enough detail to find your data.
Verifying who you are
For access, deletion, correction, and portability requests, the law requires us to reasonably verify your identity first. For account holders, we verify against your account. For viewers, we may ask you to confirm the email address you entered at a link's gate, the specific link or content involved, and other details we can match against what we hold. If we can't verify you to the degree of certainty the law requires, we may decline the request and will tell you why. (Opt-outs and GPC signals don't require verification.)
A note on pseudonymous data
A lot of viewer data is tied only to a pseudonymous browser or device identifier, not to your name. Where we can't reasonably link a request to a verified identity, some rights (like access or deletion of that specific data) may be limited — and the law does not require us to collect or keep extra information just to re-identify you. We'll still honor opt-out and GPC signals for that browser or device.
Authorized agents
You may designate an authorized agent to submit requests for you. We'll ask for written proof that you authorized the agent, and — for access, deletion, or correction — we may also verify your own identity directly. Agents may submit opt-outs on your behalf.
Timelines
We'll confirm we received your request within 10 business days. We respond to verifiable access, deletion, correction, and portability requests within 45 days. When reasonably necessary, we may extend once by another 45 days (90 days total) and will let you know. Opt-out requests are honored promptly (within about 15 business days). There's no charge unless a request is excessive or repetitive, in which case we'll tell you before doing any work.
8. Appeals
If we deny your request and you live in a state that provides an appeal (such as Virginia, Colorado, Connecticut, and most of the newer-law states), you may appeal. Email [email protected] with "Appeal" in the subject line within a reasonable time after our decision. We'll review it and respond in writing, with our reasons, within 60 days. If we deny your appeal, we'll give you a way to submit a complaint to your state Attorney General.
9. Financial incentives — none
We do not offer any financial incentive, price difference, or service difference in exchange for your personal information. In other words, we run no "data-for-value" program that a state law would treat as a financial incentive.
Some shared links ask you to enter an email address before you can view the content. That email gate is an access condition chosen by the customer who shared the content — it's their decision about who may view their material, not a HoldFast incentive program, and we don't reward you or charge you differently based on it.
10. Do Not Track vs. Global Privacy Control
Browsers can send two different signals, and we treat them differently:
- Do Not Track (DNT) — there's no common industry standard for what DNT should do, so, like most operators, we do not respond to DNT signals.
- Global Privacy Control (GPC) — this is a recognized opt-out standard, and we do honor it. We treat a GPC signal as a valid request to opt out of "sharing" for that browser and device, automatically.
11. Changes to this notice
We may update this notice from time to time. When we make significant changes, we'll update the effective date and version at the top of this page, and we'll give notice where the law requires it.
12. Contact us
Questions about this notice, or want to exercise a right? Reach us at [email protected].