Legal
Privacy Policy
Last updated July 6, 2026
This policy explains what data Harpoon Performance ("Harpoon", "we") collects, how we use and protect it, and the choices you have. It covers our website, apps, and APIs.
1. What we collect#
- Account information — your name, email, and (for social sign-in) the provider you used.
- Billing information — handled by Stripe. We store a customer/subscription reference, not your full card number.
- HAR uploads and captures — the network archives you upload or we capture at your direction. These can contain URLs, request/response headers, cookies, tokens, and other personal data present in the captured session.
- Capture artifacts — screenshots and step metadata from a capture run.
- Credential vault secrets — any login credentials you save for authenticated capture, stored encrypted.
- Operational metadata — request logs (without bodies), and AI usage records (token counts and cost — not the content of your data).
2. How we use your HAR data#
We store your HAR uploads and captures so we can produce analyses and let you compare runs and track trends over time. Our deterministic engine derives performance findings from them entirely on our servers.
Only the engine's derived findings — not your raw HAR — are ever sent to our AI subprocessor to generate plain-language explanations. Your captured cookies, tokens, headers, and page contents are not sent to the AI model.
3. AI processing#
To explain and prioritize findings, we send a curated, findings-only summary to OpenAI's API. We do not send raw HAR data, credentials, or your account details. Data sent to OpenAI's API is not used to train their models. If AI processing is unavailable, Harpoon falls back to a deterministic report with no external call.