Privacy Policy

Effective: July 10, 2026 · v2026-07-10

HoldFast is a video review and presentation platform. This policy explains, in plain English, what personal information we collect, why we collect it, who we share it with, and the choices and rights you have. We would rather be honest and specific than short and vague, so this policy is longer than most.

Two different kinds of people are covered here:

1. Who is responsible for your data

The company that operates HoldFast and is responsible for the personal data described here is:

We operate from the United States. HoldFast is used by people and companies in the EU, UK, and elsewhere, so this policy is written to meet the GDPR and UK GDPR, the California and other US state privacy laws, and comparable rules — not just US law.

We play two roles, and we want to be upfront about it

For most viewer data, we act as a service provider (processor) — we host a customer's video and run their links on their instructions, and the engagement data belongs to that customer's workspace. But for a few things we described below — our shared company-resolution graph, our reusable engagement and intent models, and general product improvement — we decide how and why the data is used, which makes us an independent controller for those uses. Where we push viewer data into a customer's own CRM at their direction, we and that customer are effectively jointly responsible. We think the honest "we do both" description is more useful to you than a tidy but false claim that we only ever process on a customer's behalf.

2. If someone shares a HoldFast link with you

When you open a HoldFast review link, reel, or presentation — whether or not you have a HoldFast account — we and the person or company who sent it (the "sender") collect information about that visit. This is the core of how HoldFast works: senders use HoldFast to see how the people they share with engage with their video.

The sender is the party who decided to share the link and to use HoldFast's engagement features. They have their own relationship with you and their own privacy practices. HoldFast provides the tooling and also, for some purposes, uses this data for itself as described in this policy. If you are unsure why you received a link, the sender is the best first contact; you can also reach us at [email protected].

When you open a shared link, we may collect:

Whether all of this is collected depends on your location and your choices. In the EU, UK, and California, device-level tracking (the fingerprint and device cookie) does not run until you agree to it — see section 6. If you decline, the sender can still see that the link was viewed and can still see company-level engagement, but your specific device is not identified.

3. Information we collect from account holders

Account information

When you sign up, we collect your name, email address, and (optionally) company name, plus a password or the identifier from the Google or Microsoft account you sign in with. We use this to create and run your workspace.

Content you upload

Video, audio, images, documents, presentations, and the comments, annotations, and version history created around them. We store and process this to provide the service. Text transcripts of your video are generated on your own device — the audio itself never reaches our servers (see section 12).

Contacts you import

You may import contacts from Google Contacts, Microsoft Contacts, CSV, or vCard. We store the contact fields (name, email, company, phone) in your workspace so you can send links and track engagement. We handle imported contacts on your instruction, as your service provider.

Billing information

If you subscribe to a paid plan, our payment processor collects and processes your payment details. We keep a record of your plan, invoices, and billing status; we do not store full card numbers ourselves.

Usage and diagnostics

Logs, error reports, and playback diagnostics generated as you use the app, so we can keep it working and fix problems.

Communications with us

If you contact support or we send you service messages, we keep those records.

Google and Microsoft account data

When you connect Google Contacts or Microsoft Contacts:

Our use of Google user data follows the Google API Services User Data Policy, including its Limited Use requirements. HoldFast does not use Google or Microsoft user data to train generalized AI models.

4. Why we use your information, and our legal basis

Under the GDPR and UK GDPR we must have a lawful basis for each use. Here is the mapping in plain terms.

Where we rely on legitimate interests, you have the right to object (section 13). Where we rely on consent, you can withdraw it at any time.

5. Engagement analytics and viewer intelligence — what this actually means

HoldFast's engagement features go further than a simple "opened / not opened" counter, and we want to describe them plainly rather than bury them.

This processing is what section 6's consent controls, and section 13's objection right, apply to.

6. Cookies, tracking, and your consent choices

We use a small number of cookies and similar technologies. Some are strictly necessary and always on; the rest are analytics/tracking technologies that we gate behind your choice where the law requires it. Full detail is in our Cookie Policy.

Strictly necessary (always on)

Login/session tokens for account holders, and the short-lived, server-set proofs that you cleared a link's password or email gate (the hfr_ and hfd_ cookies). These keep the service working and do not track you across sites.

Marketing website statistics (anonymous)

On our public marketing website (the holdfast.video home, pricing, and guides pages) we keep anonymous, cookieless, first-party page statistics: we count page views and unsuccessful guide searches in aggregate only, without setting any cookie, without any device or visitor identifier or fingerprint, and without storing your IP address.

Analytics / tracking (your choice)

A viewer device cookie (hf_vid, up to one year), the browser fingerprint, and the view-event analytics described in section 5. These are not essential to you as a viewer — they exist so the sender can see engagement.

How the choice works, by region

Global Privacy Control (GPC)

If your browser sends a Global Privacy Control signal, we treat it as a valid choice to turn off analytics/tracking and to opt out of any "sale" or "sharing" for that browser — automatically, with no extra step. Our preference center will tell you when a GPC signal has been detected.

7. The shared company-resolution graph

To identify the company behind a visit more reliably over time, we maintain a shared resolution graph that is pooled across all customer workspaces. We describe it precisely, because it is the one place where a device-derived signal crosses between customers:

HoldFast maintains a shared company-resolution graph mapping IP addresses, network identifiers (ASN), and device fingerprint hashes to company domains, pooled across all customer workspaces to improve company (not individual) identification. No viewer name, email, or personal profile is shared between workspaces.

In other words: what crosses between workspaces is firmographic — a network or device-derived signal resolved to a company domain and name. A device fingerprint hash is one of those signals, so we do not claim (as an earlier version of this policy wrongly did) that fingerprint data is "never shared across workspaces." What does not cross workspaces is any viewer identity: no name, email, viewer profile, or per-person engagement history is pooled or joined between customers. We treat this graph as our own processing, and we limit it to this firmographic, company-level purpose.

8. Who we share information with

We share personal data only as needed to run HoldFast, and only with the categories of recipients below. We do not sell your personal information for money, and we do not share it for cross-context behavioral advertising. See Your Privacy Choices for the US-law framing and opt-out.

Service providers (subprocessors)

These vendors process personal data on our behalf so HoldFast can function. A structured, version-controlled list also lives in our Data Processing Addendum.

The sender / workspace

Viewer engagement data is made available to the sender who shared the link, in their HoldFast workspace and, at their direction, in their connected CRM and chat tools as listed above.

Legal, safety, and business transfers

We may disclose data to comply with law or a valid legal request, to protect the rights and safety of people and of HoldFast, and — if HoldFast is ever involved in a merger, acquisition, or asset sale — to the party involved, subject to this policy.

9. Where some information comes from (viewers)

If a link was shared with you, some of what we hold about you did not come from you directly. In addition to what your visit generates, we may obtain:

We provide this notice so you know the sources, as the GDPR (Art. 14) requires. You can object to this processing and ask us to delete the resulting records (section 13).

10. International data transfers

HoldFast is operated from the United States, and some of our providers are in the United States, while our primary hosting is in Germany. This means personal data — including EU and UK data — may be transferred to and processed in the United States and other countries.

Where we transfer personal data out of the EEA or UK to a country without an adequacy decision, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (and the UK Addendum / IDTA for UK data), together with a transfer risk assessment. This applies in particular to our US GPU transcoding provider (Runpod). You can ask us for more detail about the safeguards for a specific transfer at [email protected].

11. How long we keep information

We describe retention as it works today, not as an aspiration.

Whatever the schedule, you can exercise the deletion and other rights in section 13 at any time, and we will honor them.

12. Transcripts are generated on your device

HoldFast can produce a text transcript of a video. This runs entirely in your browser, on your own device (member or viewer), using an in-browser speech model. The audio never leaves your device and is never sent to our servers. Only the resulting text transcript is saved, and it is stored with the specific video version it was generated for. We think this is a genuinely more private design than sending your audio to a server, and we call it out for that reason.

13. Your privacy rights

Depending on where you live, you have some or all of the following rights over your personal data. These apply to viewers as well as account holders — if a link was shared with you, you can exercise them too.

Everyone / GDPR & UK GDPR

US state residents (California, Colorado, Connecticut, Virginia, Texas, and others)

Details of the US-state framework and the opt-out are on our Your Privacy Choices page.

How to exercise your rights

Email [email protected] and tell us what you would like to do. We aim to respond within one month (GDPR) or 45 days (US state law), and will tell you if we need more time. We may need to verify your identity first. You can use an authorized agent where the law allows. If a request concerns data a sender controls through their own workspace, we may direct you to that sender or handle it together with them.

14. Children's privacy

HoldFast is a business tool and is not directed to children. We do not knowingly collect personal information from anyone under 16, and we do not knowingly collect it from children under 13. If you believe a child has provided us personal information, contact [email protected] and we will delete it.

15. How we protect information

All traffic is served over HTTPS. Media is stored with access-controlled URLs. Account passwords, review-link and presentation passwords are hashed; workspace SMTP credentials and connected-account tokens are encrypted at rest with keys we control. Access between customer workspaces is isolated in our application logic. No system is perfectly secure, but we follow accepted practices for a service of this kind and keep improving them.

16. Changes to this policy

We will update this policy as HoldFast changes. The effective date and version at the top of the page always reflect the current version, and we keep prior versions. When we make a material change, we will give notice by email or an in-app notice before it takes effect. Continuing to use HoldFast after a change means you accept the updated policy.

17. Contact us

Questions about this policy, your data, or to exercise a right:

[email protected]

Smoke & Oakum · United States