Privacy Policy
Last updated: June 15, 2026
Draft for review. This policy describes how the product actually works today, but it has not yet been reviewed by counsel. Have a qualified attorney review and adapt it (operating entity, governing law, jurisdiction-specific disclosures) before public launch.
HLID.io (“HLID,” “we,” “us”) gives you a free, public Human Number so people can reach you without you handing over your real email, phone number, or address. This policy explains what we collect, why, how we protect it, and the control you have over it. An HLID is an address, not a password and not proof of identity — knowing it only lets someone attempt to contact you.
Information we collect
We collect only what the service needs to function:
- Account — your email address, handled through our identity provider (Amazon Cognito) to create and verify your account.
- Your HLID & profile — your assigned number and any optional display name or bio you choose to make public.
- Routing — the destination email you want protected messages relayed to.
- Inbound messages — when someone uses your public page to contact you, the sender’s email, subject, and message body.
- Operational data — limited technical signals used to prevent abuse (e.g., a one-way hashed form of an IP address for rate limiting, and a bot-check token via Cloudflare Turnstile). We do not use third-party advertising or cross-site tracking cookies.
How we use it
To create your account and HLID; to render your public page (showing only what you have opted to make public); to relay protected messages to your destination email; to operate, secure, and debug the service; and to prevent spam, abuse, and fraud. We do not sell your personal information.
How we protect it
Sensitive fields — your account email, destination email, and the sender email, subject, and body of each message — are encrypted at rest with a customer-managed key in AWS Key Management Service (KMS), bound to each field and owner so a stored value cannot be replayed elsewhere. Data is transmitted over HTTPS/TLS. Application access runs under a least-privilege role, administrative actions are audit-logged (AWS CloudTrail), and your login session is an opaque, revocable, expiring server-side session — your authentication token is never stored in your browser.
Cookies
We use only strictly-necessary cookies: a secure, http-only session cookie holding an opaque session identifier, and short-lived cookies that protect the login flow (OAuth state and PKCE). We do not use advertising or analytics tracking cookies.
Service providers
We rely on Amazon Web Services (hosting, database, identity via Cognito, email delivery via SES, and key management via KMS) and Cloudflare (bot protection via Turnstile). These providers process data on our behalf to deliver the service. We do not sell personal information or share it for cross-context behavioral advertising.
Retention & deletion
Abuse-prevention counters expire automatically within hours. Account and message data are retained until you delete them. You can erase your account at any time from your dashboard (“Delete Account”): this permanently removes your profile, email route, and all stored messages, retires your HLID, and deletes your identity record from our identity provider. Deletion is immediate and irreversible. One limitation to note honestly: if you have sent a message to another HLID owner, your email remains part of that recipient’s received-message record, which we do not delete on your behalf.
Your rights
Depending on where you live (e.g., the EU/UK under GDPR, or California under CCPA/CPRA), you may have rights to access, correct, delete, or port your personal data, and to object to or restrict certain processing. The self-service deletion above satisfies the right to erasure. To exercise other rights, contact us at the address below.
Children
HLID is not directed to children. Do not use the service if you are under 13 (or the minimum age of digital consent in your jurisdiction).
Changes
We may update this policy as the service evolves. Material changes will be reflected by an updated date above and, where appropriate, additional notice.
Contact
Privacy questions or requests: privacy@hlid.io. Abuse reports: abuse@hlid.io.