Legal

Privacy Policy

Last updated July 6, 2026

This policy explains what data Harpoon Performance ("Harpoon", "we") collects, how we use and protect it, and the choices you have. It covers our website, apps, and APIs.

1. What we collect#

  • Account information — your name, email, and (for social sign-in) the provider you used.
  • Billing information — handled by Stripe. We store a customer/subscription reference, not your full card number.
  • HAR uploads and captures — the network archives you upload or we capture at your direction. These can contain URLs, request/response headers, cookies, tokens, and other personal data present in the captured session.
  • Capture artifacts — screenshots and step metadata from a capture run.
  • Credential vault secrets — any login credentials you save for authenticated capture, stored encrypted.
  • Operational metadata — request logs (without bodies), and AI usage records (token counts and cost — not the content of your data).

2. How we use your HAR data#

We store your HAR uploads and captures so we can produce analyses and let you compare runs and track trends over time. Our deterministic engine derives performance findings from them entirely on our servers.

Only the engine's derived findings — not your raw HAR — are ever sent to our AI subprocessor to generate plain-language explanations. Your captured cookies, tokens, headers, and page contents are not sent to the AI model.

3. AI processing#

To explain and prioritize findings, we send a curated, findings-only summary to OpenAI's API. We do not send raw HAR data, credentials, or your account details. Data sent to OpenAI's API is not used to train their models. If AI processing is unavailable, Harpoon falls back to a deterministic report with no external call.

4. Retention & deletion#

  • Free tier keeps your most recent analyses (older ones are pruned automatically); paid plans retain according to your plan.
  • Raw HAR files can hold personal data, so we sweep them after a retention window and keep only the derived, PII-free analysis for your history and trends.
  • You can delete an individual analysis, your whole organization, or your account at any time — this removes your data from our systems (backups are rotated on their own schedule).
  • Public share links are opt-in and revocable; revoking one takes the link offline.

You can delete your organization or account from your billing settings.

5. Capture credentials#

Credentials you save for authenticated capture are encrypted with AES-256-GCM and stored write-only — they are never displayed back to you or returned by our API, and are used only to replay the capture flow you configured. Captured HARs are scrubbed of known secret values before storage.

6. How we share data#

We do not sell your data. We share it only with the subprocessors below (to run the Service), when you explicitly ask us to (e.g. connecting a repository or creating a public share link), or where required by law.

SubprocessorPurposeData shared
StripePayments & subscriptionsBilling contact & subscription data (no card numbers stored by us)
OpenAIAI explanations of findingsCurated engine findings only — never raw HAR
RailwayApplication hosting & databaseAll stored application data
ResendTransactional emailYour email address & message content
PostHog (EU)Product analytics (cookieless)Anonymous usage events (pageviews, funnel steps) — never HAR content
Object storage (S3-compatible)Raw-HAR backup storageYour uploaded/captured HAR files

7. Security#

  • Data is encrypted in transit (HTTPS); vault secrets and connected-repo tokens are encrypted at rest with AES-256-GCM.
  • Every request is scoped to your organization; one organization cannot read another’s data.
  • Automated capture runs in a sandboxed, non-root browser with egress restrictions to reduce the blast radius of a malicious page.

8. Your rights#

Depending on where you live, you may have rights to access, correct, export, or delete your personal data. You can export any analysis or comparison from the app, and delete your data yourself as described above. For anything else, contact us and we'll help.

9. Cookies#

We use only strictly-necessary cookies — the session cookie that keeps you signed in. We do not use advertising or cross-site tracking cookies, so there's no consent banner to click. Our product analytics (PostHog, EU) run cookieless — usage events are held in memory for the page session only and set no cookies or persistent local storage.

10. International transfers & changes#

Our subprocessors may process data in the United States and the EU. When we make material changes to this policy we'll update the date above. Continued use after a change means you accept the update.

11. Contact#

Questions or requests about your data? Email us at support. To report a security issue, see /.well-known/security.txt. This document is not legal advice; some specifics (legal entity, data-protection contact) are finalized as we complete our production launch.