Privacy Policy
Effective: July 10, 2026 · v2026-07-10
HoldFast is a video review and presentation platform. This policy explains, in plain English, what personal information we collect, why we collect it, who we share it with, and the choices and rights you have. We would rather be honest and specific than short and vague, so this policy is longer than most.
Two different kinds of people are covered here:
- Account holders — the people at a company who sign up for HoldFast, upload video, and send links. We have a direct relationship with you.
- Viewers — the people an account holder shares a review link, reel, or presentation with, who never created a HoldFast account. If a link was shared with you, the section "If someone shares a HoldFast link with you" is written for you.
1. Who is responsible for your data
The company that operates HoldFast and is responsible for the personal data described here is:
- Smoke & Oakum ("HoldFast", "we", "us", "our"), a United States-based business
- Privacy contact: [email protected]
We operate from the United States. HoldFast is used by people and companies in the EU, UK, and elsewhere, so this policy is written to meet the GDPR and UK GDPR, the California and other US state privacy laws, and comparable rules — not just US law.
We play two roles, and we want to be upfront about it
For most viewer data, we act as a service provider (processor) — we host a customer's video and run their links on their instructions, and the engagement data belongs to that customer's workspace. But for a few things we described below — our shared company-resolution graph, our reusable engagement and intent models, and general product improvement — we decide how and why the data is used, which makes us an independent controller for those uses. Where we push viewer data into a customer's own CRM at their direction, we and that customer are effectively jointly responsible. We think the honest "we do both" description is more useful to you than a tidy but false claim that we only ever process on a customer's behalf.
2. If someone shares a HoldFast link with you
When you open a HoldFast review link, reel, or presentation — whether or not you have a HoldFast account — we and the person or company who sent it (the "sender") collect information about that visit. This is the core of how HoldFast works: senders use HoldFast to see how the people they share with engage with their video.
The sender is the party who decided to share the link and to use HoldFast's engagement features. They have their own relationship with you and their own privacy practices. HoldFast provides the tooling and also, for some purposes, uses this data for itself as described in this policy. If you are unsure why you received a link, the sender is the best first contact; you can also reach us at [email protected].
When you open a shared link, we may collect:
- That you opened it, and when — page views, and the fact the link was viewed.
- How you engaged — how long you watched, which parts you watched, re-watches, whether you finished, scrolling through a presentation, time spent on each slide, and clicks on buttons or calls to action.
- Your IP address and a rough location derived from it (country, region, and often city). We use a local geolocation database for the rough location; your IP is also sent to a lookup provider to identify the likely company or network you are visiting from (see sections 5 and 8).
- Your device and browser — device type, browser, operating system, and similar technical information.
- A device identifier, where analytics is active — including a browser "fingerprint" and a device cookie, used to recognize a returning device across visits (see sections 5 and 6).
- Any details you provide — for example a name, email, or password you enter at a gate, or a name and email you attach to a comment on a review link. If you enter this at a gate, it is received by both HoldFast and the sender, and is also subject to the sender's own privacy policy.
Whether all of this is collected depends on your location and your choices. In the EU, UK, and California, device-level tracking (the fingerprint and device cookie) does not run until you agree to it — see section 6. If you decline, the sender can still see that the link was viewed and can still see company-level engagement, but your specific device is not identified.
3. Information we collect from account holders
Account information
When you sign up, we collect your name, email address, and (optionally) company name, plus a password or the identifier from the Google or Microsoft account you sign in with. We use this to create and run your workspace.
Content you upload
Video, audio, images, documents, presentations, and the comments, annotations, and version history created around them. We store and process this to provide the service. Text transcripts of your video are generated on your own device — the audio itself never reaches our servers (see section 12).
Contacts you import
You may import contacts from Google Contacts, Microsoft Contacts, CSV, or vCard. We store the contact fields (name, email, company, phone) in your workspace so you can send links and track engagement. We handle imported contacts on your instruction, as your service provider.
Billing information
If you subscribe to a paid plan, our payment processor collects and processes your payment details. We keep a record of your plan, invoices, and billing status; we do not store full card numbers ourselves.
Usage and diagnostics
Logs, error reports, and playback diagnostics generated as you use the app, so we can keep it working and fix problems.
Communications with us
If you contact support or we send you service messages, we keep those records.
Google and Microsoft account data
When you connect Google Contacts or Microsoft Contacts:
- We request read-only access to your contacts.
- Contact fields (name, email, company, phone) are imported into your workspace only.
- Imported contacts are never sold, and are not shared with other workspaces.
- You can delete imported contacts from your workspace at any time.
- We do not retain Google or Microsoft OAuth tokens after an import completes — tokens are used to perform the import and then discarded.
Our use of Google user data follows the Google API Services User Data Policy, including its Limited Use requirements. HoldFast does not use Google or Microsoft user data to train generalized AI models.
4. Why we use your information, and our legal basis
Under the GDPR and UK GDPR we must have a lawful basis for each use. Here is the mapping in plain terms.
- Run the service for account holders — host media, enable review/reel/presentation workflows, deliver links. Basis: performance of our contract with you (Art. 6(1)(b)).
- Billing, invoicing, and tax records. Basis: contract (Art. 6(1)(b)) and our legal obligations (Art. 6(1)(c)).
- Security, gate/password proofs, abuse prevention, and keeping the platform reliable. Basis: our legitimate interests in a secure, working service (Art. 6(1)(f)).
- Service and transactional email — password resets, invitations, storage and billing notices. Basis: contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
- Marketing email to account holders. Basis: legitimate interests, or your consent where required; every such message includes an unsubscribe link.
- Deliver a shared link to a viewer and record that it was viewed, including company-level (not device-level) engagement. Basis: legitimate interests of the sender and of HoldFast in providing engagement analytics (Art. 6(1)(f)).
- Device-level viewer analytics — browser fingerprint, device cookie, recognizing a returning device, and per-person intent scoring. Basis: your consent (Art. 6(1)(a)), and, for the storage/reading of identifiers on your device, consent under ePrivacy rules. In the EU, UK, and California this does not run until you agree (section 6).
- Company identification and enrichment — IP→company lookup and email→company enrichment. Basis: legitimate interests in identifying the organization a viewer belongs to (Art. 6(1)(f)); see also section 9 on where this data comes from.
- Improve HoldFast and our shared company-resolution graph. Basis: our legitimate interests (Art. 6(1)(f)); we limit the graph to firmographic, non-personal mappings (section 7).
- The Vimeo backup funnel — if you connect a Vimeo account to scan your library before signing up, we email you about the scan. Basis: consent / legitimate interests; every message includes a one-click unsubscribe.
Where we rely on legitimate interests, you have the right to object (section 13). Where we rely on consent, you can withdraw it at any time.
5. Engagement analytics and viewer intelligence — what this actually means
HoldFast's engagement features go further than a simple "opened / not opened" counter, and we want to describe them plainly rather than bury them.
- Device identifiers, including browser fingerprinting. When analytics is active, we set a device cookie and generate a browser "fingerprint" — a value derived from characteristics of your browser and device — to recognize the same device across visits. Producing the fingerprint sends browser and device signals to our fingerprinting provider (see section 8). This is a probabilistic identifier and is treated as personal information.
- IP-to-company lookup. We send a viewer's IP address to a lookup provider to identify the likely company, organization, or network behind the visit.
- Email-to-company enrichment. Where a viewer's email or company domain is known, we may enrich it — for example to associate an organization or find related business email addresses — using a third-party enrichment provider.
- Engagement and intent scoring. We combine the above into a behavioral profile: an engagement/intent score, percentile rankings, and short plain-language notes describing viewing behavior (for example, that a viewer returned after a gap, or watched a specific segment repeatedly). This is automated profiling. It informs the sender's understanding of interest; it does not by itself produce legal or similarly significant effects about you, and you can object to it (section 13).
- Disclosure to the sender's CRM. If a sender connects their customer-relationship-management (CRM) system, we push the viewer contact details we hold (name, email, company, phone) together with the engagement/intent score and tier into that sender's CRM, at their direction.
This processing is what section 6's consent controls, and section 13's objection right, apply to.
6. Cookies, tracking, and your consent choices
We use a small number of cookies and similar technologies. Some are strictly necessary and always on; the rest are analytics/tracking technologies that we gate behind your choice where the law requires it. Full detail is in our Cookie Policy.
Strictly necessary (always on)
Login/session tokens for account holders, and the short-lived, server-set proofs that you cleared a link's password or email gate (the hfr_ and hfd_ cookies). These keep the service working and do not track you across sites.
Marketing website statistics (anonymous)
On our public marketing website (the holdfast.video home, pricing, and guides pages) we keep anonymous, cookieless, first-party page statistics: we count page views and unsuccessful guide searches in aggregate only, without setting any cookie, without any device or visitor identifier or fingerprint, and without storing your IP address.
Analytics / tracking (your choice)
A viewer device cookie (hf_vid, up to one year), the browser fingerprint, and the view-event analytics described in section 5. These are not essential to you as a viewer — they exist so the sender can see engagement.
How the choice works, by region
- EU, UK, and California viewers: we ask before any analytics/tracking technology loads. Until you agree, we do not set the device cookie, do not run the fingerprint, and do not identify your specific device. A consent banner appears on the shared page; you can decline as easily as accept and change your mind later.
- If you decline (or ignore the banner): the sender can still see that the link was viewed and can still see company-level engagement, but your device is not identified and no device cookie or fingerprint is stored.
- Elsewhere: analytics runs by default under this policy; you can still opt out using the controls on the page and the mechanisms in section 13.
Global Privacy Control (GPC)
If your browser sends a Global Privacy Control signal, we treat it as a valid choice to turn off analytics/tracking and to opt out of any "sale" or "sharing" for that browser — automatically, with no extra step. Our preference center will tell you when a GPC signal has been detected.
7. The shared company-resolution graph
To identify the company behind a visit more reliably over time, we maintain a shared resolution graph that is pooled across all customer workspaces. We describe it precisely, because it is the one place where a device-derived signal crosses between customers:
HoldFast maintains a shared company-resolution graph mapping IP addresses, network identifiers (ASN), and device fingerprint hashes to company domains, pooled across all customer workspaces to improve company (not individual) identification. No viewer name, email, or personal profile is shared between workspaces.
In other words: what crosses between workspaces is firmographic — a network or device-derived signal resolved to a company domain and name. A device fingerprint hash is one of those signals, so we do not claim (as an earlier version of this policy wrongly did) that fingerprint data is "never shared across workspaces." What does not cross workspaces is any viewer identity: no name, email, viewer profile, or per-person engagement history is pooled or joined between customers. We treat this graph as our own processing, and we limit it to this firmographic, company-level purpose.
8. Who we share information with
We share personal data only as needed to run HoldFast, and only with the categories of recipients below. We do not sell your personal information for money, and we do not share it for cross-context behavioral advertising. See Your Privacy Choices for the US-law framing and opt-out.
Service providers (subprocessors)
These vendors process personal data on our behalf so HoldFast can function. A structured, version-controlled list also lives in our Data Processing Addendum.
- Cloudflare (R2 and CDN) — stores and delivers media files, transcripts, and presentation bundles.
- Hetzner (Germany) — hosts our application and database; effectively all personal data lives here.
- Runpod (United States) — GPU video transcoding. Receives the source video only, via a temporary download link; no viewer personal data is sent. This is a cross-border transfer of the video (section 10).
- Stripe — payment processing and billing for account holders.
- ipinfo.io (United States) — receives viewer IP addresses to return the associated network, ASN, company, and geolocation.
- Hunter.io — receives company domains for enrichment and returns organization email addresses.
- Fingerprint (FingerprintJS Pro) — receives browser and device signals from viewers' browsers to produce the device fingerprint / visitor identifier.
- Google and Microsoft — sign-in (OAuth) and, if you connect them, read-only contacts import (name, email, company, phone).
- Vimeo — for the optional backup funnel: OAuth to your Vimeo account, returning your account email and video metadata.
- Email delivery (our system mail service, and any SMTP server you configure for your workspace) — receives recipient email addresses, names, and the content of the emails you send. Credentials for a workspace's own SMTP server are stored encrypted.
- Copper (CRM) — if a sender connects it, receives viewer name, email, company, and phone plus the HoldFast engagement/intent score and tier, pushed into that sender's CRM at their direction.
- Slack and Mattermost — if a sender enables engagement alerts, we send alert messages to that sender's chat webhook. These messages can include a viewer's name, email, and company in the alert text.
- Public code CDNs (esm.sh, jsdelivr, unpkg) — when a viewer opens a presentation (
/d/), the viewer's browser loads presentation-viewer libraries from these public CDNs. As a result the viewer's IP address and the page referer are visible to those CDNs.
The sender / workspace
Viewer engagement data is made available to the sender who shared the link, in their HoldFast workspace and, at their direction, in their connected CRM and chat tools as listed above.
Legal, safety, and business transfers
We may disclose data to comply with law or a valid legal request, to protect the rights and safety of people and of HoldFast, and — if HoldFast is ever involved in a merger, acquisition, or asset sale — to the party involved, subject to this policy.
9. Where some information comes from (viewers)
If a link was shared with you, some of what we hold about you did not come from you directly. In addition to what your visit generates, we may obtain:
- Company, network, and geolocation — from our IP lookup provider (ipinfo.io), derived from your IP address.
- Organization details and related business emails — from our enrichment provider (Hunter.io), derived from your email or company domain.
- Company identification — from our own shared company-resolution graph (section 7).
We provide this notice so you know the sources, as the GDPR (Art. 14) requires. You can object to this processing and ask us to delete the resulting records (section 13).
10. International data transfers
HoldFast is operated from the United States, and some of our providers are in the United States, while our primary hosting is in Germany. This means personal data — including EU and UK data — may be transferred to and processed in the United States and other countries.
Where we transfer personal data out of the EEA or UK to a country without an adequacy decision, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (and the UK Addendum / IDTA for UK data), together with a transfer risk assessment. This applies in particular to our US GPU transcoding provider (Runpod). You can ask us for more detail about the safeguards for a specific transfer at [email protected].
11. How long we keep information
We describe retention as it works today, not as an aspiration.
- Account and workspace data — kept while the account is active. When a workspace is archived (for example, if a subscription lapses) we preserve it for a grace period, currently 90 days, and then delete it from our active systems.
- Viewer and engagement data — view events, viewer/device records, engagement and intent scores, and related analytics are kept for as long as the workspace that generated them stays active, so the sender can see engagement history. They are removed when we delete that workspace, and we will delete specific records sooner on request.
- Transcripts — kept with the video version they belong to and refreshed when that version changes (section 12).
- The shared company-resolution graph — holds firmographic mappings (section 7) that age out over time; it contains no viewer names, emails, or profiles.
- Raw IP addresses and technical logs — currently retained while the associated workspace is active. We are working toward shorter, automatic retention windows for this data and will update this policy as they are in place.
- Backups — roll off on their own schedule after data is deleted from active systems.
Whatever the schedule, you can exercise the deletion and other rights in section 13 at any time, and we will honor them.
12. Transcripts are generated on your device
HoldFast can produce a text transcript of a video. This runs entirely in your browser, on your own device (member or viewer), using an in-browser speech model. The audio never leaves your device and is never sent to our servers. Only the resulting text transcript is saved, and it is stored with the specific video version it was generated for. We think this is a genuinely more private design than sending your audio to a server, and we call it out for that reason.
13. Your privacy rights
Depending on where you live, you have some or all of the following rights over your personal data. These apply to viewers as well as account holders — if a link was shared with you, you can exercise them too.
Everyone / GDPR & UK GDPR
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data.
- Restriction — ask us to limit how we use it.
- Portability — receive your data in a portable format.
- Object — object to processing based on our legitimate interests, including the engagement/company analytics and profiling described in sections 5–7.
- Withdraw consent — where we rely on consent (such as device-level analytics), withdraw it at any time.
- Automated decisions — we do not make decisions producing legal or similarly significant effects about you by automated means alone; you can still object to the profiling in section 5.
- Complain — lodge a complaint with your local data protection authority.
US state residents (California, Colorado, Connecticut, Virginia, Texas, and others)
- Know / access the categories and specific pieces of personal information we hold.
- Delete personal information we hold about you.
- Correct inaccurate personal information.
- Opt out of any "sale" or "sharing" of personal information and of targeted advertising and profiling — including via the Global Privacy Control (section 6). As stated in section 8, we do not sell personal information for money or share it for cross-context behavioral advertising.
- Limit the use of sensitive personal information.
- Non-discrimination — we will not treat you worse for exercising these rights.
Details of the US-state framework and the opt-out are on our Your Privacy Choices page.
How to exercise your rights
Email [email protected] and tell us what you would like to do. We aim to respond within one month (GDPR) or 45 days (US state law), and will tell you if we need more time. We may need to verify your identity first. You can use an authorized agent where the law allows. If a request concerns data a sender controls through their own workspace, we may direct you to that sender or handle it together with them.
14. Children's privacy
HoldFast is a business tool and is not directed to children. We do not knowingly collect personal information from anyone under 16, and we do not knowingly collect it from children under 13. If you believe a child has provided us personal information, contact [email protected] and we will delete it.
15. How we protect information
All traffic is served over HTTPS. Media is stored with access-controlled URLs. Account passwords, review-link and presentation passwords are hashed; workspace SMTP credentials and connected-account tokens are encrypted at rest with keys we control. Access between customer workspaces is isolated in our application logic. No system is perfectly secure, but we follow accepted practices for a service of this kind and keep improving them.
16. Changes to this policy
We will update this policy as HoldFast changes. The effective date and version at the top of the page always reflect the current version, and we keep prior versions. When we make a material change, we will give notice by email or an in-app notice before it takes effect. Continuing to use HoldFast after a change means you accept the updated policy.
17. Contact us
Questions about this policy, your data, or to exercise a right:
Smoke & Oakum · United States