Privacy Policy
01 Summary
02 What We Collect
When you use HOLDOUT, we collect:
- Solana wallet address — the public address of the wallet you connect. This is a public identifier on the blockchain.
- Sign-in signatures — when you authenticate, your wallet signs a one-time challenge (Ed25519) to prove ownership. We do not store the signature beyond the session.
- Device sensor signals — during active gameplay challenges, we read your device's accelerometer (x, y, z, pitch, roll) and touch events. These signals drive gameplay (e.g., the "shake" or "level" challenges) and inform anti-cheat. We do not stream raw sensor data continuously; we only transmit event-derived signals tied to specific in-game actions.
- Network metadata — an approximate region derived from the Cloudflare edge that served your request. We use this to route you to a nearby game server. We do not collect precise GPS or fine-grained IP geolocation.
- Gameplay telemetry — hold duration, session outcomes, in-game events, and similar performance data tied to your wallet.
- User-Agent — only when you submit your email to our waitlist, to help us debug submissions.
- Email — only if you voluntarily submit it to our waitlist.
03 How We Use Your Data
We use the information we collect to:
- Operate the game — match you into sessions, run challenges, track results, settle outcomes
- Enforce fair play and detect cheating
- Debug bugs and improve the alpha
- Keep the service secure
- Respond to you when you contact us
04 Public On-Chain Activity
The Solana blockchain — including devnet — is public. Anyone can look up your wallet's transactions, including HOLDOUT-related transactions, using a block explorer. We do not control blockchain visibility, and on-chain records cannot be deleted by us or anyone else.
05 Service Providers We Use
HOLDOUT runs on top of a small set of infrastructure providers:
- Cloudflare — hosts our landing site (Pages), CDN/storage (R2), serverless workers (Workers), and the real-time game state layer (Durable Objects / PartyKit)
- Fly.io — hosts our API
- Solana RPC providers (such as Helius) — to read and submit transactions to the Solana network
Each provider operates under its own privacy practices. Their data handling is governed by their own terms.
06 Storage on Your Device
To keep you signed in, the mobile app stores your authentication session token in your device's native secure storage (Keychain on iOS, Keystore on Android). We do not use advertising cookies on the landing site, and we do not set third-party tracking cookies.
07 Data Retention
Gameplay records may be retained while the alpha is running, to support leaderboards, anti-cheat investigations, and debugging. Alpha data may also be reset at any time without notice as part of normal alpha testing.
If you submitted your email to our waitlist, we keep it until you ask us to remove you.
08 Your Choices
You can ask us to delete the off-chain data tied to your wallet by emailing legal@holdout.gg. We'll do our best to honor reasonable requests during the alpha.
On-chain transactions cannot be deleted by us or anyone else — that's a property of how blockchains work. If you want to limit on-chain visibility, the best approach is not to connect that wallet in the first place.
09 Security, Children, Changes, Contact
Security. We use TLS in transit and rely on our providers' encryption at rest. We do our best, but no online service can promise perfect security.
Children. HOLDOUT is not intended for anyone under 18, and we don't knowingly collect data from people under 18.
Changes. We may update this Privacy Policy. When we do, we'll update the "Last updated" date at the top of the page.
Contact. Questions about privacy? Reach us at legal@holdout.gg.