Privacy Policy
How we collect, use, and protect your data.
Last updated: June 30, 2026
1. Introduction
This Privacy Policy describes how HOLLY AND STICK ("we," "us," or "our"), a company registered in France, collects, uses, and protects your personal data when you use the Cockpit application and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is:
HOLLY AND STICK
Registered in France
For privacy inquiries, please contact us through the Service's support channels.
3. Data We Collect
We collect the following categories of personal data:
Account Information
- Email address
- Name
- Profile picture (if you sign in with Google)
- Company name (optional)
Business Context
- Company website URL
- Role and primary use case
- Ideal customer profile, offer, positioning, and brand voice (if provided)
Spreadsheet and User-Generated Content
- Imported lead lists and contact data
- Column configurations and cell values
- Enrichment pipelines and results
- AI-generated content (outreach copy, research notes)
- Export configurations
Billing Information
- Subscription plan and credit usage
- Stripe customer and subscription IDs
- Payment status
Usage Data
- Analytics events (page views, feature usage)
- Session recordings (opt-out available via the tracking preference modal)
- Error logs
4. How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: To provide, operate, and maintain the Service, including spreadsheet functionality, data enrichment, AI features, and export workflows.
- Account management: To create and manage your account, process authentication, and handle billing through Stripe.
- Service improvement: To monitor and analyze usage patterns to improve the Service's features and performance.
- Communication: To send you service-related communications (e.g., billing confirmations, security alerts). We do not send marketing emails.
- Security: To detect and prevent fraud, abuse, and security incidents.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
5. Third-Party Services
We share data with the following third-party services solely to provide the Service:
- Convex: Backend infrastructure (database, serverless functions)
- Cloudflare: Hosting and CDN
- Stripe: Payment processing and subscription management
- PostHog: Product analytics and session recording (opt-out available)
- Google OAuth: Authentication (optional sign-in method)
- Data enrichment providers: Third-party APIs used to enrich your spreadsheet data as configured by your enrichment pipelines (e.g., BrightData, Apify, DataForSEO, Exa, Icypeas, MillionVerifier)
- CRM integrations: HubSpot, Pipedrive, Attio, and outbound tools (Lemlist, Instantly) when you choose to connect or export data
We do not sell your personal data to any third party.
6. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain certain data for legal, tax, or accounting purposes.
Spreadsheet data and user-generated content is deleted along with your account unless you export it beforehand.
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to our processing of your personal data.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise these rights, please contact us through the Service's support channels. We will respond to your request within 30 days.
8. Your Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: Request deletion of your personal information.
- Right to opt out: We do not sell your personal information, so there is no opt-out needed.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, please contact us through the Service's support channels. We will verify your identity before processing your request.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS) and at rest, access controls, and regular security audits. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
10. International Data Transfers
Your data is processed within the European Union. If we transfer data outside the EU/EEA in the future, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms under the GDPR.
11. Cookies
We use PostHog analytics, which may set cookies to track usage. You can opt out of analytics tracking at any time through the tracking preference modal displayed when you first visit the Service. We do not use advertising or third-party tracking cookies.
12. AI-Generated Content
When you use AI features within the Service (such as AI columns, research, and outreach generation), the content generated is owned by you. We do not use your prompts, inputs, or AI-generated outputs to train machine learning or artificial intelligence models.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
14. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us through the support channels available within the Service.