Pure Digital Pte Ltd (UEN 201830211Z) ("Pure Digital", "Hoist", "we", "us", "our") operates the Hoist URL-shortening service at hoist.cc. This Privacy Policy explains how we collect, use, disclose and protect personal data, in accordance with the Personal Data Protection Act 2012 of Singapore ("PDPA"). "Personal data" has the meaning given in the PDPA.
Hoist is built around a deliberately privacy-conscious design: we do not log IP addresses, and we do not store personally identifiable information in our click analytics. This Policy describes only what we actually collect.
1. Who We Are and Scope
1.1Pure Digital is the organisation responsible for personal data processed through the Service. This Policy applies to our marketing website, app/dashboard and API.
2. The Personal Data We Collect
2.1Account data: your email address and name, and your workspace/team membership and roles.
2.2Authentication data: magic-link login tokens (which are short-lived and transient). Where you enable password protection on a link, we store only a bcrypt hash of that link password — never the plaintext.
2.3Link data: the destination URLs you shorten, your slugs/hoists, custom domains and related settings. Destination URLs may themselves contain personal data if you choose to include it; you are responsible for that choice.
2.4Click ("lift") analytics — privacy-conscious by design. For each lift we record only: country (2-letter code, derived solely from hosting/CDN provider headers), coarse city, device type (desktop/mobile/tablet/bot), operating system, browser, and the referrer domain (hostname only — not the full path). There is no IP address field in our database; we do not store IP addresses, and we do not collect personally identifiable information about the people who click your links. Geo-data is derived only from hosting/CDN headers, not from any IP geolocation that we perform or retain.
2.5Payment data: processed by Stripe. We do not store full card numbers; we may retain limited billing metadata (e.g. plan, invoice and transaction records).
3. Purposes, Consent and Notification
3.1We collect, use and disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and which we have notified to you, including to: provide, secure and operate the Service; authenticate you; generate analytics for you; process billing; provide customer support; detect, prevent and address abuse, fraud and illegal use; and comply with legal obligations.
3.2We rely on your consent (including deemed consent for personal data reasonably necessary to provide a service you have requested) and, where applicable, on exceptions to consent permitted under the PDPA (for example, the legitimate-interests exception to detect and prevent abuse and protect the Service and the public).
3.3We will not, as a condition of providing the Service, require you to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the Service. You may withdraw consent as described in Clause 7.
4. Marketing Communications
4.1We send transactional emails (e.g. magic links and billing notices) via Resend. With your consent, we may also send product updates or marketing emails. Every marketing message will identify us, contain accurate header and subject-field information, and include an unsubscribe facility. Consistent with the Spam Control Act 2007 (Second Schedule), the unsubscribe facility will remain valid for at least 30 days after the message is sent, and we will stop sending further such messages within 10 business days after you submit an unsubscribe request.
5. Disclosure and Subprocessors; Cross-Border Transfers
5.1We share personal data with the following service providers ("subprocessors"), who process it on our behalf:
- Vercel — hosting and deployment — United States
- Neon — PostgreSQL database hosting — United States
- Resend — transactional email — United States
- Stripe — payment processing — United States
5.2Because these subprocessors are located outside Singapore, such transfers are subject to the PDPA's Transfer Limitation Obligation (Section 26). We take reasonable steps to ensure each overseas recipient is bound by legally enforceable obligations (through data-processing agreements and/or contractual clauses) to provide the transferred personal data a standard of protection comparable to the PDPA.
5.3We may also disclose personal data: to comply with applicable law, regulation, or a lawful request from law enforcement or a regulator; to enforce our Terms or AUP, including investigating potential violations; to detect, prevent or address fraud, security or technical issues; and to protect the rights, property and safety of Hoist, our users and the public. We may disclose data in connection with a merger, acquisition, financing or sale of assets, subject to this Policy.
6. Data Retention
6.1We retain click analytics according to your plan tier: Free — 30 days; Starter — 1 year; Pro — retained until you delete the link or your account (unlimited retention period). Account data is retained while your account is active and for a reasonable period afterward for legal, accounting, security and dispute-resolution purposes, after which it is deleted or anonymised in accordance with the PDPA.
7. Your Rights
7.1Subject to the exceptions in the PDPA, you may: request access to the personal data we hold about you and to information on how it has been used or disclosed in the year before your request; request correction of errors or omissions; and withdraw consent to our collection, use or disclosure of your personal data, on giving reasonable notice (we will inform you of the likely consequences, which may include our inability to continue providing the Service).
7.2The PDPA's Data Portability Obligation has been enacted but is not yet in force. We will support data-porting requests once it commences and the prescribed requirements apply.
7.3To exercise any right, contact our Data Protection Officer (Clause 11). We may verify your identity, may charge a reasonable fee for access requests where permitted, and will respond within the timeframes required by the PDPA.
8. Accuracy, Protection and Security
8.1We make reasonable efforts to ensure personal data is accurate and complete where it may be used to make a decision affecting you.
8.2We implement reasonable security arrangements, including encryption in transit (HTTPS), hashed link passwords (bcrypt), access controls, and an audit log of administrative actions. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
9. Data Breach Notification
9.1If we assess a data breach to be notifiable under the PDPA — that is, it is likely to result in significant harm to affected individuals, or it affects 500 or more individuals (regardless of harm) — we will notify the Personal Data Protection Commission (PDPC) as soon as practicable and no later than 3 calendar days after we assess that the breach is notifiable, and we will notify affected individuals where the PDPA requires.
10. Children's Data
10.1The Service is not directed to, or intended for, individuals under 18 years of age. We do not knowingly collect their personal data. If we learn we have collected such data without appropriate consent, we will delete it.
11. Data Protection Officer; Complaints
11.1In accordance with the PDPA's Accountability Obligation, we have appointed a Data Protection Officer (DPO). Contact: dpo@hoist.cc; Pure Digital Pte Ltd, 22 Sin Ming Lane, #06-76, Midview City, Singapore 573969.
11.2If you have a question or concern about your personal data, please contact our DPO first. You also have the right to lodge a complaint with the PDPC (pdpc.gov.sg).
12. Cookies
12.1We use minimal cookies. Please see the Hoist Cookie Policy for details.
13. Changes to this Policy
13.1We may update this Privacy Policy from time to time. We will post the revised version with a new "Last Updated" date and, where required, obtain fresh consent.