Effective 2026-04-18 · In development

Privacy Policy

Hold is built to minimize data collection. This page is a placeholder covering the baseline commitments. The full policy is in active drafting with counsel.

What we collect

  • URLs you submit to be scanned (and the AI-generated report from each)
  • Handshake session cookies (HttpOnly, 30-day maxAge, scoped per handshake)
  • Basic request logs (timestamp, IP, user-agent) for rate-limiting and abuse prevention
  • Dispute / deletion requests you submit, including the contact you provide

What we don't

  • Accounts or sign-ups — Hold is usable without registration
  • Tracking pixels or third-party advertising tags
  • Selling or sharing personal data with third parties for advertising

Retention

Handshake rows and attached scan data are deleted 30 days after creation. We keep aggregate, non-identifying metrics indefinitely.

Sub-processors

  • Supabase (database hosting — US region)
  • Perplexity (AI investigation API)
  • Vercel (application hosting)

Your rights

If you are a California, Virginia, Colorado, or Connecticut resident — or the subject of any Hold scan — you can request access, correction, or deletion of your data at sendhold.link/dispute. We respond within 7 days.

Security

We maintain reasonable administrative, technical, and physical safeguards per the NY SHIELD Act. Session cookies are HttpOnly and transmitted over HTTPS in production.

Contact

Privacy questions: hello@sendhold.link

Full legal review in progress. Updates will be reflected here and dated above.