Privacy Policy
This Privacy Policy describes how HLDHub ("we", "us", "our") collects, uses, and protects information when you visit hldhub.com (the "Site") or engage us for services. We respect your privacy and are committed to handling personal data lawfully, transparently, and with security in mind.
1. Who we are
HLDHub is a productized SEO, GEO (Generative Engine Optimization), and organic-traffic infrastructure agency. For privacy questions, contact us at [email protected] or (857) 919-6093.
2. Information we collect
2.1 Information you provide directly
When you submit our contact form, we collect:
- Name
- Work email address
- Company name (optional)
- Service interest (optional, dropdown selection)
- Message content
2.2 Information collected automatically
When you visit the Site, our infrastructure automatically logs:
- IP address of the requesting client
- User-agent string (browser and operating system)
- Pages visited, referrer, and timestamps
- Approximate geographic location derived from IP (country / region only)
This information is used for security, fraud prevention, performance monitoring, and aggregate analytics. It is processed by our infrastructure providers (Cloudflare, AWS) on our behalf.
2.3 Cookies
We use a minimal set of cookies for session continuity and security. We do not use third-party advertising or behavioral-tracking cookies. Specifically:
| Cookie | Purpose | Duration |
|---|---|---|
| server_name_session | nginx session continuity | 24 hours |
| Cloudflare cookies (e.g. __cf_bm) | Bot protection, security | Up to 30 days |
3. How we use your information
We use the information we collect to:
- Respond to your inquiry and follow up on a strategy call
- Deliver and operate the services you engage us for
- Send you administrative communications (scheduling, invoices, project updates)
- Maintain the security and integrity of the Site
- Comply with legal obligations
We do not sell your personal information, share it with advertisers, or use it for automated decision-making.
4. Legal basis for processing
Where the EU/UK GDPR applies, we process personal data based on:
- Consent — when you submit the contact form
- Legitimate interest — for security logs, fraud prevention, and aggregate analytics
- Contract performance — once you become a client
- Legal obligation — when required by law
5. Third-party processors
We use a small number of vetted infrastructure providers. Each is contractually bound to process data only on our instructions and to apply appropriate security measures.
| Provider | Purpose | Data location |
|---|---|---|
| Cloudflare, Inc. | CDN, DNS, WAF, bot mitigation, TLS termination | Global edge |
| Amazon Web Services (AWS) | Origin server hosting (EC2) + transactional email (SES) | United States (us-east-1) |
6. Data retention
- Contact-form submissions — retained for up to 24 months for follow-up and service-history purposes, then deleted.
- Server access logs — retained for up to 90 days, then rotated and deleted.
- Client engagement records — retained for the duration of the engagement plus the period required by applicable tax and accounting law (typically 7 years in the US).
7. Security
We apply standard, defense-in-depth controls, including:
- HTTPS (TLS 1.2+) end-to-end, including between Cloudflare and origin
- HSTS with a 6-month max-age
- Cloudflare Managed WAF and bot mitigation
- Restricted file system permissions on credential files (mode 600)
- Principle-of-least-privilege access for service accounts
No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Receive a portable copy of your data
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with a supervisory authority (in the EU/UK) or your state attorney general (in the US)
To exercise any of these rights, email [email protected]. We will respond within 30 days.
9. California (CCPA / CPRA) notice
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect, to request deletion, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law.
10. International data transfers
Our infrastructure is located in the United States. If you access the Site from outside the US, your information will be transferred to and processed in the US. We rely on Standard Contractual Clauses (where applicable) and our processors' compliance certifications (Cloudflare and AWS are certified under widely recognized international frameworks).
11. Children's privacy
The Site is not directed to children under 16 and we do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced on the Site or by email to active clients.
13. Contact
Questions, concerns, or rights requests:
Email: [email protected]
Phone: (857) 919-6093