Last updated: June 2, 2026
Privacy Policy
This policy explains how Halden handles local project scans, account data, license data, and payment-related records. It is based on the current Halden desktop and web implementation.
What Halden is
Halden is a desktop app and web account service that finds exposed API keys in local projects and fixes env-file mistakes before secrets leak into code, git history, cloud sync, or deployment.
The desktop app scans project folders that you choose. The web service handles account sign-in, license status, and checkout.
Local project data
Halden is designed so source code, .env values, detected secret values, scan results, project paths, and fix contents are processed on your device.
Project lists and scan caches are stored locally under the app data directory on your device. Refresh tokens used by the desktop app are stored in the operating system keychain.
Halden does not intentionally upload your source code, .env values, or detected secret values to the web service for normal scanning, fixing, or project-limit enforcement.
Account and license data
When you create an account or sign in, Halden may store your user identifier, email address, OAuth provider information, profile record, license status, and timestamps needed to run the service.
For desktop sign-in, Halden may temporarily store an app-auth token payload so the browser login can hand a session back to the desktop app. This token is short-lived and is consumed or deleted after use.
Starter accounts can use one local project. A Lifetime license unlocks additional local projects for the same account.
Payments
Halden uses Stripe to process payments. Halden stores payment references such as a Stripe customer identifier, payment intent identifier, license type, license status, and price amount.
Halden does not store full card numbers. Payment information is handled by Stripe according to Stripe's own privacy and security practices.
Service providers
Halden uses Supabase for authentication, account data, license records, and short-lived desktop auth handoff records.
Halden uses Stripe for checkout, payment processing, payment status, refunds, and customer records.
These providers process personal information only as needed to provide account, authentication, licensing, and payment functions.
Cookies and local storage
The web app uses authentication cookies set through Supabase so you can stay signed in.
The web app may use local storage for non-sensitive preferences such as theme selection.
Halden does not currently use advertising cookies or third-party behavioral advertising in the codebase reviewed for this policy.
How information is used
Halden uses account and license information to authenticate users, enforce project limits, provide checkout, prevent duplicate Lifetime licenses, process refunds, and operate the account dashboard.
Halden may use operational logs and security records to protect the service, investigate abuse, debug errors, comply with legal obligations, and maintain reliable service.
Your choices and rights
You can stop using Halden, sign out of the desktop app, and remove local app data from your device.
Depending on where you live, you may have rights to request access, correction, deletion, portability, restriction, objection, or information about how your personal data is used.
Based on the implementation reviewed for this policy, Halden does not sell personal information or share it for cross-context behavioral advertising.
Retention
Local project records and scan caches remain on your device until you remove them or uninstall/delete local app data.
Account, license, and payment-reference records are kept for as long as needed to provide the service, support purchases, prevent fraud or abuse, keep accounting records, and comply with legal obligations.
Short-lived desktop app-auth tokens are intended only for the browser-to-desktop login handoff and are consumed or expire after that process.
Security
Halden separates local project scanning from account and billing systems so secret values do not need to leave your device during normal use.
No security tool can guarantee that every exposed key, token, or credential will be detected. If a secret may have been exposed, you should rotate it with the affected provider.
Legal notice coverage
This policy is written to provide clear notice about personal information practices, including categories of data, purposes, service providers, retention, and rights where applicable.
It is intended to support common notice principles reflected in laws and guidance such as the California Online Privacy Protection Act, the California Consumer Privacy Act where applicable, FTC privacy and security guidance, and GDPR transparency requirements where applicable.
Contact
For privacy, account, or deletion requests, contact Halden at hello@gethalden.com.
Do not send API keys, .env values, passwords, or other secrets in support requests.
References
Relevant public references include FTC business privacy guidance, California privacy notices, and GDPR Article 13 transparency requirements. This page is a product policy, not legal advice.