Privacy Policy

Last updated: April 15, 2026

This Privacy Policy explains how Halli Group ("we," "us," or "our") collects, uses, and protects information when you use our products and services, including Halli.io, Halcell, Halcheck, and any related websites or APIs (collectively, the "Services").

1. Information We Collect

Account information: When you create an account, we collect your email address and a hashed password. We do not store plaintext passwords.

Payment information: Payment processing is handled by Stripe. We do not store credit card numbers or banking details on our servers. Stripe's privacy policy governs their handling of your payment data.

Usage data: We collect information about how you use the Services, including API call counts, timestamps, action types, and check decisions. This data is used to enforce plan limits and provide the audit log feature.

Secrets and credentials: When you store API keys or credentials in Halcheck's encrypted vault, they are encrypted using AES-256-GCM with per-user derived keys before storage. We cannot read your stored secrets.

Communication data: If you contact us via email, we retain the correspondence to provide support.

2. How We Use Your Information

• To provide, operate, and maintain the Services
• To process payments and manage subscriptions
• To send notifications you have configured (email, Telegram, WhatsApp, web push)
• To enforce usage limits and prevent abuse
• To respond to support requests
• To improve the Services

We do not sell your personal information to third parties. We do not use your data to train AI models.

3. Data Storage and Security

Your data is stored on Supabase (PostgreSQL) and Cloudflare infrastructure. API secrets stored in the Halcheck vault are encrypted at rest using AES-256-GCM with per-user key derivation (HKDF). The encryption master key is stored separately from the database.

We implement industry-standard security measures, but no system is 100% secure. You are responsible for keeping your account credentials and API keys confidential.

4. Third-Party Services

We use the following third-party services to operate:

• Stripe — payment processing
• Supabase — database and authentication
• Cloudflare — hosting, CDN, and edge computing
• Resend — transactional email delivery
• Telegram Bot API — notification delivery (if configured)
• Google Gemini — LLM evaluation of agent actions (action descriptions only, never your secrets or credentials)

Each third-party service is governed by its own privacy policy.

5. Data Retention

We retain your data for as long as your account is active. Check and audit log data is retained according to your plan tier (30 days, 90 days, or 1 year). When you delete your account, we delete your data within 30 days, except where retention is required by law.

6. Your Rights

You may:

• Access your account data through the dashboard
• Export your check history via the API
• Delete your stored secrets at any time
• Delete your account by contacting us at hello@halligroup.com

7. Cookies

We use essential cookies for authentication (session management). We do not use tracking cookies, analytics cookies, or advertising cookies.

8. Children's Privacy

The Services are not intended for individuals under 18 years of age. We do not knowingly collect information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Services. Continued use after changes constitutes acceptance.

10. Contact

If you have questions about this Privacy Policy, contact us at hello@halligroup.com.

Halli Group — doing business in Mexico.