
Privacy Policy

Last updated: [INSERT DATE BEFORE PUBLISHING]
This describes what the Held application actually does, technically, as of this version. If the app changes, this page needs to change with it.

What Held is

Held ("Held," "we," "us") is a diary app where each entry is written down, optionally read back, and then permanently deleted at a time you choose — anywhere from 5 minutes to 24 hours after you write it. Held is operated by [YOUR LEGAL ENTITY / NAME], and can be reached at diary@heldthoughts.com.

What we collect, and what we genuinely cannot see

When you create an account, we store your username, your email address, and two pieces of cryptographic material tied to your passcode: a one-way verification value derived from it, and a random salt. We never store your passcode itself, in any form, and it is never transmitted to our servers in a readable form either. Your passcode is also your encryption key: it's used, entirely inside your own browser, to encrypt every entry before it's sent to us and to decrypt entries when you read them. We store only the encrypted result.

That means entries sitting in our database are ciphertext we cannot read — not casually, not with database access, not under a support request. The only exception is the moment you yourself have the app open and are actively using it, since that's the only time the decryption key exists anywhere outside your head.

We also store entry metadata that isn't encrypted: when an entry was created, when it's set to expire, and which disappearance animation you chose. This is enough to run the countdown and the background deletion clock, but not enough to know what you wrote.

Notifications about disappeared entries

When an entry disappears, we may send you an email about it. If the app was open at the moment it expired, that email can include the actual text (or a redacted stand-in shaped like it, if you've turned off "include entry text" in the app) — your browser is the one deciding what to include, since it's the only place that ever held the decryption key. If the app was closed, our server's background clock still deletes the entry on schedule, but can only send a generic notification, since the server has no way to decrypt it either.

Important: once content is included in an email, it leaves the protections described above. It's subject to your email provider's own storage, retention, and security practices, not ours. If you'd rather no entry content ever appears in an email, turn off "include entry text" in the app.

Who else sees your information

We use Resend to deliver email (passcode resets and disappearance notifications) from diary@heldthoughts.com. Resend receives the recipient's email address and the content of that specific email — see Resend's privacy policy. We use [HOSTING PROVIDER — e.g. Render / Railway / a VPS] to run the application; standard technical logs (like IP addresses and request timestamps) may be captured at that infrastructure level as part of normal web operations. We do not sell your information, and we do not share it with anyone else.

How long we keep things

Your choices

You can permanently delete your account and every piece of data associated with it at any time, from inside the app (look for "Delete my account and data"). This is immediate and irreversible — we don't keep a backup copy for recovery, since the entire design of Held is built around things actually going away.

We don't currently offer a way to export your data before deleting it. If that matters to you, tell us before you delete your account, since we can't retrieve anything afterward.

Children

Held is not directed at children, and we don't currently verify anyone's age. If you believe a child has created an account, contact us at diary@heldthoughts.com and we'll delete it.

Security

Entries are encrypted client-side with AES-GCM using a key derived from your passcode via PBKDF2 (150,000 iterations). All traffic to Held should occur over HTTPS. No method of transmission or storage is perfectly secure, and we can't guarantee absolute security — but the architecture is specifically built so that a breach of our servers or database would not, by itself, expose your entries, because we never hold the key.

Changes to this policy

If this policy changes in a way that matters, we'll update the date at the top of this page. Continued use of Held after a change means you accept the update.

Contact

Questions about this policy, or requests regarding your data: diary@heldthoughts.com.
