Security & Trust

Your Data, Your Control

GoldHold is built around one principle: your data stays yours. Every plan keeps you in control.

All Plans

GoldHold provisions a private, isolated memory namespace for every account. Zero configuration required.

• Your memories are stored in an isolated namespace that only your agents can access
• Data is encrypted in transit (TLS) and at rest
• No other customer or GoldHold employee can access your data
• Export or delete everything at any time from your dashboard

BYOK (Bring Your Own Keys) OPTIONAL

For advanced users who want full infrastructure control. Available on any plan.

• Connect your own Pinecone index and vectors never touch our infrastructure
• Connect your own GitHub repo for file sync
• Connect your own R2 bucket for binary storage
• Your keys stay on your machine, sent directly to your services over HTTPS

Data Flow

What GoldHold servers handle

• Authentication (magic link, Google, GitHub sign-in)
• Managed memory storage and vector indexing
• Subscription management (via Stripe)
• License verification

What GoldHold servers never handle

• Your BYOK API keys or tokens (stored on your machine only)
• Cross-customer data access (strict namespace isolation)

What the Installer Changes

GoldHold installs into your OpenClaw workspace directory. Nothing outside it is touched.

Files patched (with automatic backups)

• SOUL.md. adds GoldHold memory awareness section
• AGENTS.md. adds GoldHold commands and startup sequence
• HEARTBEAT.md. adds memory sync to heartbeat routine
• MEMORY.md. adds GoldHold reference block

Files created

• scripts/pinecone_sync.py. memory sync engine
• scripts/goldhold_guardian.py. background sync (git, Pinecone, vault)
• scripts/goldhold_watcher.py. monitors Guardian health
• scripts/goldhold_doctor.py. full system health check
• LAST_SESSION.md. session continuity state
• memory/ directory. local memory archive

Never touched

• System files, registry, PATH, or environment variables
• Other applications or browser data
• Files outside the OpenClaw workspace directory

How to Uninstall

Backups of all patched files are created automatically before modification.

• Backups stored as SOUL.md.goldhold-backup, etc.
• To revert: rename each .goldhold-backup file back to the original name
• To fully remove: delete scripts/pinecone_sync.py, scripts/goldhold_guardian.py, scripts/goldhold_watcher.py, scripts/goldhold_doctor.py, LAST_SESSION.md, and the memory/ directory
• Your Pinecone data remains untouched. GoldHold never deletes vectors
• Your GitHub repo remains untouched
• Your R2 bucket remains untouched

How to Verify

Inspect network calls

GoldHold scripts only contact these domains:

• *.pinecone.io. your vector database
• api.github.com. your memory repo
• *.r2.cloudflarestorage.com. your R2 bucket
• checkout.goldhold.ai. auth and subscription only

Block GoldHold and keep working

You can block checkout.goldhold.ai entirely. Memory sync continues working. it only needs Pinecone and GitHub access. Only auth and subscription features require our servers.

Read the source

All installed scripts are plain Python. readable, auditable, and modifiable. No compiled binaries, no obfuscation, no telemetry.

Authentication

GoldHold supports three sign-in methods:

• Magic Link: one-time link sent to your email, no password needed
• Google Sign-In: OAuth via Google, no password stored
• GitHub Sign-In: OAuth via GitHub, no password stored

Sessions are JWT-based and stored only in your browser's localStorage. No cookies, no tracking pixels, no analytics scripts.

Payments

• All payments processed by Stripe: GoldHold never sees your card number
• Cancel anytime from your account page. one click through the Stripe billing portal
• All plans include a 7-day free trial
• No hidden fees, no data hostage. your data is always yours to export or delete

Who We Are

All Auto Tunes LLC
102 North St., Iron Ridge, WI 53035
support@goldhold.ai

GoldHold is built and maintained by a small team in Wisconsin. Patent pending.