Privacy Policy
Last updated: TBD. Effective from: TBD.
This Privacy Policy explains how Halfed (the “Service”, halfed.app) collects, uses, shares and protects personal data. It supplements the Terms of Use. Where the two overlap, the Terms govern your contractual relationship with us; this Policy governs how we process your personal data under the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Luxembourg Data Protection Act of 1 August 2018.
Halfed is currently in free private beta. Some processes referenced below (automated retention jobs, self-service data export) are being rolled out during the beta. Where this is the case it is flagged explicitly so you can see what is operationally true today.
1. Controller and contact
The data controller is a private individual established in the
European Union (the “Operator”). The Operator’s full legal name
and address are not published on this page. They are disclosed to users
on written request to privacy@halfed.app, and to competent supervisory
authorities and courts on demand.
- Privacy contact:
privacy@halfed.app - Legal contact:
legal@halfed.app - Support, abuse and safety:
support@halfed.app
A Data Protection Officer is not appointed; the Service does not meet the criteria of GDPR Art. 37.
2. Who Halfed is for
Halfed is a tool for two adults sharing a household. You must be at least 18 years old to use it. The Service does not host profiles for children or other third parties. By design, the only people whose personal data we hold are the two adults of a Family, plus a small amount of operational data described below.
3. What personal data we process
We process the following categories of personal data:
3.1 Account data
- Email address, first name, last name (registration).
- Password (stored only as a salted hash; we never see the plaintext).
- If you sign in with Google: the OAuth identifier and basic profile data Google provides (email, name).
- Multi-factor authentication state and recovery codes (where you enable MFA).
3.2 Family data
- The Family name (defaulted from your first name; editable).
- The membership link between your user account and the Family.
- Invite codes that you generate to bring in your partner.
3.3 Task and content data
- Task titles, optional notes and deadlines that you (or your partner) create.
- Tags you place on tasks (which parent the task is categorised under).
- Claim and completion timestamps, and which user performed them.
Task fields are free-text. You agree under the Terms not to enter special-category data (Art. 9 GDPR) or identifying information about third parties in these fields. Where you do so anyway, we process the content only as described in this Policy and rely on your acceptance of the Terms as the basis for that processing.
3.4 Consent and acceptance records
- A record of which version of the Terms and Privacy Policy you accepted, the timestamp, and the IP address and user-agent at the moment of acceptance. These records are immutable and used to prove consent under GDPR Art. 7(1).
3.5 Security and audit data
- Audit log of security-relevant events (login, password change, MFA toggle, account deletion request, etc.) with IP address, user-agent and JSON details.
- Rate-limit counters and signals used to detect abuse.
3.6 Technical data
- IP address, user-agent, request timestamps and URLs accessed (in server logs).
- Cookie identifiers as described in Section 9.
3.7 AI processing data
- The text content of tasks you submit through extraction flows is transmitted to our AI processor for the sole purpose of structuring it into tasks. See Section 5 and Section 6.
3.8 Payment data
Halfed does not currently take payment. Stripe is wired into the codebase in test mode only and processes no real cardholder data. When paid plans launch, payment data will be handled directly by Stripe; we will receive a Stripe customer reference and limited billing metadata, never card numbers. This Policy will be updated and re-accepted before that happens.
4. Why we process it, and our legal basis
Each processing purpose is tied to one or more legal bases under Art. 6(1) GDPR:
| Purpose | Legal basis |
|---|---|
| Creating and operating your account, your Family and your shared inbox | Contract (Art. 6(1)(b)) — performance of the Terms with you |
| Authenticating you and keeping your account secure (MFA, password reset, sessions) | Contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) — securing the Service |
| Detecting and preventing abuse, fraud, brute-force attacks, and bugs (rate limits, audit log, error tracking) | Legitimate interests (Art. 6(1)(f)) — running a safe, reliable Service. Balancing test: data is minimal, scoped to security signals, and not used for profiling |
| Sending transactional emails (verification, password reset, invite, reminders) | Contract (Art. 6(1)(b)) for the ones you ask for; legitimate interests (Art. 6(1)(f)) for service-essential notifications |
| Extracting structured tasks from text via an AI processor (Section 6) | Contract (Art. 6(1)(b)) — feature you actively invoke |
| Recording your acceptance of the Terms and this Policy | Legal obligation (Art. 6(1)(c)) — proving consent under Art. 7 |
| Keeping audit logs and meeting tax, accounting and legal-hold obligations (when paid plans launch) | Legal obligation (Art. 6(1)(c)) |
| Optional analytics on the marketing site | Consent (Art. 6(1)(a)), opt-in only via the cookie banner — see Section 9 |
We do not rely on legitimate interests to process special-category data or to bypass your refusal of optional processing.
5. Who we share your data with — sub-processors
We use the following third parties to operate the Service. Each acts as a processor on our behalf and is bound by a written data-processing agreement (DPA) reflecting Art. 28 GDPR. DPAs with all active processors are being signed during beta and will be in place before public launch.
| Processor | Role | Region | Transfer outside EEA? | Safeguard |
|---|---|---|---|---|
| Render | Application hosting and managed PostgreSQL database | Frankfurt, Germany (EU) | No | n/a |
| Brevo | Transactional email (verification, password reset, invites, reminders) | France (EU) | No | n/a |
| Mistral AI | AI processing of task text into structured tasks | France (EU) | No | n/a |
| Google (OAuth) | “Sign in with Google” identity provider, when you choose it | Ireland (EU) and United States | Yes (US) | EU–US Data Privacy Framework |
| Bugsnag | Server- and client-side error tracking | United States | Yes (US) | EU–US Data Privacy Framework and EU Standard Contractual Clauses; PII scrubbing applied at source |
| Stripe | Payments — test mode only, no real cardholder data processed today | Ireland (EU) and United States | Yes (US, when activated) | EU Standard Contractual Clauses; will be re-disclosed at paid launch |
We do not sell or rent personal data, and we do not share it with advertising networks, data brokers or social media platforms for profiling.
We may disclose personal data when required to do so by law, by a court or by a competent supervisory authority, or to protect the vital interests of a person.
6. AI processing of task content
To turn text and shared content into structured tasks, the Service sends task content to Mistral AI, an EU-based AI provider, for inference only.
- Purpose: extracting and structuring tasks for your inbox.
- Legal basis: performance of the contract (Art. 6(1)(b)) — you invoke the feature.
- Region: France (EU); no transfer outside the EEA.
- No model training on your content: our DPA with Mistral contractually prohibits use of your content to train the underlying models. We do not consent to such use.
- Retention at the processor: limited to the operational window required to serve the request; no long-term storage of your inputs by the processor.
- No automated decisions with legal or similarly significant effects (Art. 22 GDPR): AI output is informational. It does not determine your access to any service, your contractual rights, your finances, or any other matter producing legal or similarly significant effects on you. You remain in control of which tasks you keep, edit, claim or delete.
If we change AI providers or expand AI processing, we will update this section, list the new processor, and where the change is material trigger a re-acceptance of this Policy.
7. Shared visibility within your Family
Halfed is, by design, a shared inbox for two adults. This means:
- All tasks in your Family are visible to both parents, identically. There is no private or hidden view.
- Your partner can see task titles, notes, deadlines, tags and who claimed or completed each task.
- Your partner can also see, in basic form, your name, your avatar (if any) and your activity within the Family.
- Outside your Family, no other Halfed user can see any of this data.
We are the sole controller of this data. Sharing within the Family is a feature of the Service that you actively chose by joining a Family; it is not a separate disclosure or a joint-controllership arrangement.
If you need to leave a Family quietly because the relationship has
become unsafe, see Section 10 of the Terms (“Export-and-leave for
users in unsafe situations”) and write to privacy@halfed.app from the
email associated with your account.
8. How long we keep your data — retention
| Data | Retention | Status |
|---|---|---|
| Active account, Family and tasks | While your account is active | Live |
| Tasks belonging to a removed parent (soft-deleted) | Visible to the remaining parent for the life of the Family | Live |
| Closed account (account deletion request) | Hard-deleted 30 days after the request, except where we have an overriding legal obligation to retain | Cron job rolling out during beta; manual deletion on request in the meantime |
| Audit logs (security events) | 12 months, then deleted | TTL job rolling out during beta; logs are minimal and access-restricted in the meantime |
| Server access logs | 30 days | Live |
| Backup snapshots of the database | Up to 35 days before rotation | Live |
| Consent and acceptance records | Kept as long as the account exists, and for the limitation period of any related claim | Live |
| Email send logs (Brevo) | Per Brevo’s retention policy, capped at 12 months | Live |
| Error reports (Bugsnag) | 30 days, with PII scrubbing applied at source | Live |
Where a longer retention is required by tax, accounting or other law (typically up to 10 years in Luxembourg for accounting records once paid plans launch), we keep only what the law requires and only for as long as it requires.
9. Cookies and similar technologies
9.1 On the marketing site (halfed.app landing)
We use a consent banner powered by Klaro to manage non-essential cookies. You can accept, refuse or change your preferences at any time from the banner.
- Strictly necessary cookies: load the site, remember your cookie choice. No consent required.
- Analytics (opt-in, OFF by default): Google Analytics. Loaded only after you opt in. Used to understand traffic in aggregate.
9.2 In the app (halfed.app)
The application uses only one cookie, an httpOnly and Secure
authentication cookie that holds your session token. It is strictly
necessary to keep you logged in and is not subject to consent under
Art. 5(3) of the ePrivacy Directive. The app does not run analytics or
advertising trackers.
10. Your rights under GDPR
You have the following rights in respect of your personal data:
- Access (Art. 15): a copy of the data we hold about you.
- Rectification (Art. 16): correction of inaccurate data.
- Erasure (Art. 17): deletion, subject to legal retention duties.
- Restriction (Art. 18): pause processing while a dispute is resolved.
- Portability (Art. 20): a machine-readable copy of data you have provided, where processing is based on contract or consent.
- Objection (Art. 21): object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)) at any time, where processing is based on consent. Withdrawal does not affect lawfulness of processing before withdrawal.
- Right not to be subject to automated decisions with legal or similarly significant effects (Art. 22) — see Section 6.
How to exercise your rights. Email privacy@halfed.app from the
address on your account. We respond within one month of receipt
(extendable by two further months for complex requests, with notice),
in line with Art. 12(3) GDPR. During the beta, requests are handled
manually; a self-service export will replace this when it ships and is
verified.
You also have the right to lodge a complaint with a supervisory authority (Art. 77). The competent authority for the Operator is the Commission Nationale pour la Protection des Données (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg — www.cnpd.lu. You may also complain to the authority of your country of habitual residence.
11. International transfers
Most of our processing takes place in the European Union: hosting, database, email and AI inference are EU-based.
A small number of processors involve a transfer to the United States:
- Google (OAuth) when you choose to sign in with Google — EU–US Data Privacy Framework.
- Bugsnag for error tracking — EU–US Data Privacy Framework and EU Standard Contractual Clauses, with PII scrubbing at source.
- Stripe when paid plans launch — EU Standard Contractual Clauses; this Policy will be updated before the first transfer.
You can request a copy of the relevant transfer safeguards by writing
to privacy@halfed.app.
12. How we keep your data secure
Security measures actually deployed today:
- Passwords stored as salted hashes (never in plaintext).
- Multi-factor authentication available on every account.
- Authentication tokens issued as JWTs in
httpOnly,Secure,SameSitecookies; not accessible to JavaScript. - TLS in transit on all endpoints.
- Tight rate-limiting on authentication endpoints.
- EU-only database and application hosting (Frankfurt) with managed-database backups.
- Audit logging of security events.
- Production credentials separated from development; no production Stripe keys in any environment today.
At-rest application-level encryption of task titles and notes is on our roadmap as an additional safeguard for free-text content. It is not yet implemented; tasks are protected today by the underlying managed-database disk encryption and access controls.
No system is completely secure. We notify the CNPD within 72 hours of becoming aware of a personal-data breach where required by Art. 33 GDPR, and we notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).
13. Profiling, marketing and automated decisions
- We do not profile users for advertising.
- We do not sell personal data.
- We do not carry out automated decision-making with legal or similarly significant effects (Art. 22 GDPR) — see Section 6.
- We do not send marketing emails to your account address by default. Service emails (verification, password reset, invite, reminders) are sent because you asked for them or because they are essential to the Service.
14. Changes to this Policy
We may update this Policy from time to time.
- Material changes — for example, adding a new category of personal data, a new processor, a new processing purpose, or a new international transfer — trigger a new version, a new effective date, and a re-acceptance gate in the app before you can continue using the Service. Your prior acceptance is preserved as an immutable record.
- Non-material changes — typographical fixes, contact-detail updates, clarifications — are published with a new effective date and announced in-app at least 30 days before they take effect.
A history of versions is maintained internally and made available on
request to privacy@halfed.app.
15. Contact
For any privacy question, request or complaint, write to
privacy@halfed.app. For a complaint to the supervisory authority, see
Section 10.
Halfed — the mental load, split in two.