Privacy Policy
Last Updated: February 7, 2026
We built Hold Anchor to help you see your money and time clearly — not to collect your data. This Privacy Policy explains exactly what we collect, what we don't collect, and why. We've tried to make it as straightforward and honest as the product itself.
1. SCOPE
This Privacy Policy describes how Hold Anchor LLC ("Company," "we," "us," or "our") collects, uses, stores, protects, and shares information in connection with the Hold Anchor service (the "Service"), which includes all dashboards, tools, features, and content available at holdanchor.com.
This Privacy Policy applies to all Users of the Service, regardless of location.
2. INFORMATION WE COLLECT
We collect only what is necessary to provide the Service. The following is an exhaustive list of all data we collect and store.
Email address — Stored in plaintext. Primary user identifier for authentication (OTP login), billing (Stripe), and support communication. This is the only personally identifiable information (PII) stored in plaintext.
Dashboard data (financial snapshot, time schedule) — End-to-end encrypted (AES-256-GCM client-side) and encrypted at rest (Fernet server-side). Used for cloud sync persistence — returned only to the authenticated User who saved it.
One-time passcodes (OTP) — SHA-256 hashed. Used for authentication verification. Raw OTP codes are never stored.
Session tokens — SHA-256 hashed. Used for session management. Raw session tokens are never stored in the database.
IP addresses — SHA-256 hashed. Used for rate limiting and abuse prevention only. Raw IP addresses never touch the database or server logs.
Rate-limiting logs — Associated with hashed IPs and hashed emails. Used for abuse prevention.
Legal consent records — Stored per user. Used for documentation of User consent to Terms of Use and Privacy Policy.
Subscription and billing state — Via Stripe integration (billing details stored by Stripe, not by us). Used for account status management.
2.1 Data You Enter Into the Dashboards
The Money Dashboard accepts manual input of: take-home pay, pre-tax deductions, checking balance, savings balance, recurring expenses (with configurable payment schedules), savings goals, retirement account details, and net worth items (assets and debts).
The Time Dashboard accepts manual input of: time blocks categorized as Routines, Resets, and Events, with configurable scheduling patterns and optional per-occurrence overrides.
All dashboard data is stored as a current snapshot rather than a transaction-level history or event-by-event record. There is no historical record of changes, no transaction categorization, and no spending tracking over time.
2.2 Data Collected Automatically
When you interact with the Service, we automatically collect:
IP address (hashed). Your IP address is hashed with SHA-256 before any storage. The raw IP address is never stored in our database or in server logs. We use the hashed IP solely for rate limiting and abuse prevention.
Session cookie. Upon successful authentication, we set a single httpOnly session cookie in your browser. This cookie is essential for maintaining your authenticated session. It is the only cookie we set.
2.3 Payment Data
All payment processing is handled by Stripe. When you subscribe, your credit card number and payment details are entered directly into Stripe's hosted checkout interface. Hold Anchor never receives, processes, transmits, or stores your credit card number or payment card details. We receive only subscription status information (active, canceled, past due) from Stripe via webhook events.
3. INFORMATION WE DO NOT COLLECT
We want to be explicit about what we do not collect, because the absence of collection is central to how this product works:
No analytics data. We do not use Google Analytics, Mixpanel, Hotjar, or any other analytics platform. We do not collect usage telemetry, engagement metrics, click patterns, scroll depth, feature usage frequency, or any other behavioral data.
No tracking cookies. We set no tracking cookies of any kind. The only cookie is the httpOnly session cookie required for authentication.
No third-party analytics scripts. There are no analytics scripts, tracking pixels, beacons, or similar technologies anywhere in the Service.
No advertising data. We do not collect, store, or process any data for advertising purposes.
No social media data. There is no social media integration. We do not connect to or receive data from Facebook, Google, Twitter/X, LinkedIn, or any other social platform.
No bank account credentials. The Service does not link to bank accounts, financial institutions, or financial data aggregators. We do not use Plaid, Finicity, Yodlee, or any similar service. All financial data is manually entered by the User.
No transaction history. We do not ingest, scrape, or receive any financial transaction data from any external source.
No device fingerprinting. We do not fingerprint devices or browsers.
No location data. We do not collect geolocation data (beyond the IP address, which is hashed before storage).
4. HOW WE USE YOUR INFORMATION
We use collected information solely for the following purposes:
Providing the Service. Your email address identifies your account. Your encrypted dashboard data is stored and returned to you for cloud synchronization. Session tokens authenticate your requests.
Authentication. OTP codes are generated and sent to your email to verify your identity. Session cookies maintain your authenticated state.
Payment processing. Your email address is shared with Stripe to manage your subscription and process payments.
Support communication. If you contact us, we use your email address to respond to your inquiries. Support correspondence is delivered via Postmark.
Abuse prevention. Hashed IP addresses and hashed email addresses are used for rate limiting to prevent automated attacks and abuse.
Legal compliance. Consent records document your agreement to our Terms of Use and Privacy Policy.
Service improvement. We may use aggregated, non-identifiable technical information (such as error rates or system performance metrics) to maintain and improve the Service. We do not use individual User data, dashboard content, or behavioral patterns for this purpose.
The encrypted dashboard data stored on our servers is used for one purpose only: returning it to the authenticated User who saved it.
5. HOW WE DO NOT USE YOUR INFORMATION
This section is a binding commitment about what we will never do with your data:
We never sell User data to any third party, for any reason, under any circumstance.
We never share User data with advertisers or advertising networks.
We never use User data for marketing purposes — not by Hold Anchor, not by any partner or affiliate.
We never use User data for analytics, profiling, or behavioral tracking. There are no analytics tools, no usage telemetry, and no engagement metrics collected from User behavior.
We never use User data to train machine learning models or AI systems.
We never monetize User data in any way beyond the subscription fee Users pay for cloud sync.
There are no ads anywhere in the product — no display ads, no sponsored content, no affiliate links, no promoted placements.
Our business model is straightforward: Users pay $1.99/month for cloud synchronization. That is our only revenue source. User data is not a product, not an asset, and not a resource to be leveraged.
6. ENCRYPTION AND SECURITY
6.1 Client-Side End-to-End Encryption
When cloud sync is active, all dashboard data (financial snapshots and time schedules) is encrypted in the User's browser before transmission to our servers. The server never receives plaintext dashboard data.
The encryption scheme works as follows:
Algorithm: AES-256-GCM (authenticated encryption providing both confidentiality and integrity).
Key derivation: An encryption key is derived from the User's email and one-time passcode using PBKDF2 with 600,000 iterations.
Per-save random key: A random data encryption key (DEK) is generated for each save operation.
Key wrapping: The DEK is encrypted ("wrapped") with the derived key encryption key (KEK).
Result: The server stores only the encrypted envelope. The server never possesses the plaintext data or the encryption keys needed to decrypt it. This means that even the server operator, who holds only the fully encrypted form, cannot read User dashboard data.
6.2 Server-Side Encryption at Rest
In addition to client-side encryption, all dashboard data is encrypted a second time at rest on the server using Fernet symmetric encryption. The implementation supports MultiFernet key rotation, allowing encryption keys to be rotated without re-encrypting all existing data simultaneously. A 512 KB payload size limit is enforced before encryption to prevent abuse.
6.3 Defense in Depth
Our security architecture implements multiple layers of protection:
(1) Data is encrypted client-side with AES-256-GCM before leaving the User's browser.
(2) Encrypted data is transmitted over HTTPS (TLS).
(3) Data is encrypted again at rest on the server with Fernet encryption.
(4) The server operator cannot decrypt the client-side encrypted payload.
(5) Database credentials and encryption keys are managed server-side with access controls.
6.4 Hashed Credentials and Identifiers
Session tokens: Only SHA-256 hashes of session tokens are stored in the database. Even a full database breach would not expose usable session tokens.
OTP codes: OTP codes are hashed with SHA-256 before storage. Raw OTP codes are never stored. OTP comparison uses constant-time functions to prevent timing attacks.
IP addresses: IP addresses are hashed with SHA-256 before any storage or logging. Raw IP addresses never exist in the database or server logs.
6.5 Session Security
Session tokens are set as httpOnly cookies, meaning JavaScript cannot access them, which protects against cross-site scripting (XSS) attacks.
6.6 Rate Limiting
Rate limiting is enforced at multiple levels to prevent abuse: per-email, per-session, per-IP (hashed), and globally. Automatic lockouts are triggered after repeated abuse. All rate limiting data is associated with hashed identifiers only.
6.7 Input Validation and Payload Limits
The backend enforces strict input validation, including email format and length limits, allowlisted page identifiers, date validation, and a 512 KB payload size limit on save operations to prevent abuse.
6.8 Stripe Webhook Security
Stripe webhook payloads are verified using Stripe's cryptographic signature mechanism before any processing occurs, ensuring that subscription state changes originate from Stripe and have not been tampered with.
6.9 Server Logging
Server logs are designed to minimize exposure of User identity. Logs use truncated hashes instead of email addresses or other identifying information. No raw IP addresses appear in any logs.
6.10 Privacy Positioning
While we implement substantial encryption and security measures to protect User data, we do not claim that Hold Anchor is "anonymous," "zero-knowledge," or "trustless." The Service is designed to minimize data collection and avoid surveillance-based business models. It provides privacy paired with persistence — your data is protected from unauthorized access and is not used for advertising, profiling, or analytics — but we do not make absolute cryptographic guarantees. Users who require anonymity or zero-knowledge architectures should evaluate whether this Service meets their specific needs.
7. THIRD-PARTY SERVICES
We share data with the following third-party service providers, solely as necessary to operate the Service.
Stripe — Receives: email address and payment information (entered directly into Stripe's hosted checkout — we never see card details). Purpose: subscription billing and payment processing.
Postmark — Receives: email address and email content. Purpose: transactional email delivery (OTP codes, support responses).
Supabase — Receives: all server-side stored data (encrypted dashboard data, hashed tokens, user records, consent records). Purpose: PostgreSQL database hosting.
Render — Receives: application runtime data. Purpose: backend application hosting.
YouTube (via youtube-nocookie.com) — Receives: no User data is sent by Hold Anchor to YouTube; however, once a User plays an embedded video, YouTube may collect data according to its own privacy policy. Purpose: video embedding in the Video Library.
Each provider operates under its own terms of service and privacy policy, which govern their handling of data:
Stripe: https://stripe.com/privacy
Postmark: https://postmarkapp.com/privacy-policy
Supabase: https://supabase.com/privacy
Render: https://render.com/privacy
YouTube/Google: https://policies.google.com/privacy
7.1 No Other Third Parties
Hold Anchor does not use any analytics services, advertising networks, data brokers, social media tracking pixels, or any other third-party data collection tools beyond those listed above.
7.2 Legal Disclosures
We may disclose information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud.
8. DATA RETENTION
8.1 Active Accounts
Your data is retained as long as your account is active and your subscription is current.
8.2 Subscription Lapse
When a subscription lapses (due to cancellation or payment failure):
Days 1–14: Read-only access. Your data is retained and viewable.
Days 15–31: Frozen period. Your data is retained but not accessible.
After Day 31: All dashboard data is permanently and irreversibly deleted.
8.3 Voluntary Account Deletion
When you delete your account, a full cascade delete immediately and permanently removes all of your data from every table in our database: encrypted dashboard data, OTP history, rate-limit logs, legal consent records, and your user record. This is immediate, permanent, and irreversible.
8.4 Inactivity-Based Deletion
Accounts that have been inactive for twenty-four (24) consecutive months are automatically subjected to the same full cascade delete. All associated data is permanently removed without prior notice.
8.5 Backup and Recovery
Due to the permanent nature of our deletion processes, deleted data cannot be recovered. We do not maintain backups of individual User data after deletion.
9. USER RIGHTS
Regardless of your location, we provide the following rights to all Users:
Access. You can view all data stored in your account at any time through the Service dashboards.
Correction. You can modify your dashboard data at any time through the Service. Because all data is manually entered by you, you have full control over its accuracy.
Deletion. You can delete your account and all associated data at any time. Deletion is immediate, permanent, and irreversible.
Data portability. Paid subscribers can export their time schedule data via ICS calendar files. Your dashboard data is displayed in the browser and can be recorded by you at any time.
Withdrawal of consent. You can stop using the Service and delete your account at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, contact us at privacy@holdanchor.com.
10. COOKIES AND TRACKING
10.1 What We Set
We set one cookie: a single httpOnly session cookie that is essential for maintaining your authenticated session after login. This cookie is set only upon successful authentication and cannot be accessed by JavaScript.
10.2 What We Do Not Set
We do not set tracking cookies, advertising cookies, analytics cookies, social media cookies, or any other non-essential cookies. There are no third-party cookies set by the Service (note: if you play a YouTube video in the Video Library, YouTube's privacy-enhanced mode may set cookies in accordance with YouTube/Google's own policies).
10.3 No Tracking Technologies
We do not use tracking pixels, web beacons, clear GIFs, device fingerprinting, or any other tracking technologies.
11. CHILDREN'S PRIVACY
The Service is not intended for users under eighteen (18) years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to promptly delete that information. If you believe a child under 18 has provided us with personal information, please contact us at privacy@holdanchor.com.
12. INTERNATIONAL DATA TRANSFERS
Hold Anchor is based in the United States. Our servers, database, and infrastructure providers (Render, Supabase) are located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States.
By using the Service, you consent to the transfer of your information to the United States. We take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy, regardless of where it is processed. For Users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on your explicit consent for data transfers to the United States.
13. U.S. STATE PRIVACY RIGHTS
13.1 California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information:
Right to know. You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
Right to delete. You have the right to request deletion of your personal information, subject to certain exceptions.
Right to correct. You have the right to request correction of inaccurate personal information.
Right to opt-out of sale or sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
Right to non-discrimination. We will not discriminate against you for exercising any of your privacy rights.
Categories of personal information collected: Identifiers (email address); internet or other electronic network activity information (hashed IP addresses, hashed session tokens); financial information (encrypted dashboard data entered by the User — note: we do not collect bank account numbers, credit card numbers, or financial account credentials).
Categories sold or shared for cross-context behavioral advertising: None.
Categories disclosed to third parties for business purposes: Identifiers (email address disclosed to Stripe for billing and Postmark for email delivery).
13.2 Other U.S. State Privacy Laws
If you are a resident of Colorado, Connecticut, Delaware, Indiana, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, your state's privacy law may provide you with similar rights, including the right to access, correct, and delete your personal information, the right to opt out of the sale of personal information (which we do not engage in), and the right to appeal a denied privacy request.
To exercise any rights under applicable state privacy laws, contact us at privacy@holdanchor.com. We will respond within the timeframe required by applicable law (typically 45 days, with extensions as permitted by law). We will not discriminate against you for exercising your rights.
14. EUROPEAN PRIVACY RIGHTS (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and applicable local laws provide you with additional rights. For the purposes of the GDPR, Hold Anchor LLC is the data controller.
14.1 Legal Basis for Processing
We process your personal data on the following legal bases:
Contractual necessity (Article 6(1)(b)). Processing your email address for authentication and account management, processing encrypted dashboard data for cloud synchronization, and processing subscription status information — all of which are necessary to perform our contract with you (the Terms of Use).
Legitimate interest (Article 6(1)(f)). Rate limiting and abuse prevention using hashed IP addresses, to protect the security and integrity of the Service.
Consent (Article 6(1)(a)). Where required by applicable law, such as for international data transfers.
Legal obligation (Article 6(1)(c)). Where we are required to retain or disclose information to comply with applicable law.
14.2 Your GDPR Rights
Under the GDPR, you have the following rights: access to your personal data; rectification of inaccurate data; erasure of your data ("right to be forgotten"); restriction of processing; data portability; objection to processing based on legitimate interest; withdrawal of consent at any time (without affecting the lawfulness of processing based on consent before withdrawal); and the right to lodge a complaint with a supervisory authority.
14.3 Data Protection Officer
For data protection inquiries under the GDPR or any applicable data protection law, contact our Data Protection Officer at: dpo@holdanchor.com.
15. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will notify you by posting a prominent notice on the Service or by sending an email to the address associated with your account. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Policy.
16. CONTACT INFORMATION
For privacy-related questions, to exercise your rights, or for any other inquiries:
General Support: support@holdanchor.com
Privacy Inquiries: privacy@holdanchor.com
Data Protection Officer: dpo@holdanchor.com