Built for engineering teams working on software children may use.

Children spend more time inside software than they do in classrooms. The apps they use are built by teams who rarely see the regulatory landscape they're building into. Halo changes that.

check_circle Set up in 60 secondscheck_circle GitHub sign-incheck_circle Open source
halo scan output
$npx runhalo scan .
halo v1.3.1 scanning 847 files...
CRITICAL coppa-tracking-003 src/analytics/init.js:42
Tracking SDK Active for Under-18 Users
Penalty: $53,088/violation/day
HIGH aadc-defaults-002 src/config/telemetry.ts:15
Opt-Out Instead of Opt-In for Telemetry
MEDIUM coppa-cookies-016 src/lib/cookies.js:8
Missing Cookie Consent Banner
───────────────────────────────────
3 violations found across 847 files
1 critical · 1 high · 1 medium
Results uploaded to dashboard →

Three steps. Under two minutes.

No complicated setup. Sign up, connect your code, and Halo reviews pull requests on admitted repositories.

login
Step 1

Sign up with GitHub

One click. Your account is created and your compliance dashboard is ready.

radar
Step 2

Run your first scan

One command scans your entire project. Results appear in your dashboard.

$npx runhalo scan .
verified_user
Step 3

Find and fix issues

Each finding shows what’s wrong and how to fix it. Add Halo to your workflow to review pull requests on admitted repositories.

Found in production. Enforced by regulators.

What Halo catches in your code

These patterns exist in live apps right now. Regulators are actively enforcing against them.

CRITICALcoppa-tracking-003

Tracking SDK Active for Under-18 Users

Analytics tracking children without verifiable parental consent.

COPPA — $53,088/violation/day

HIGHaadc-defaults-002

Opt-Out Instead of Opt-In for Telemetry

Features must be off by default and require active user consent.

UK AADC — up to £17.5M

MEDIUMau-sbd-006

Location Data Without Explicit Consent

Geolocation collection requires informed opt-in, especially for minors.

AU Privacy Act — data exposure penalty

7+Languages Scanned
4Authority Tiers

Independent research

We scanned the top 100 children's apps.

3,569violations found
Data collection 31%Dark patterns 24%Age verification 18%Tracking 15%

Across open-source and public mobile codebases targeting children.

Enforcement deadline

COPPA 2.0 takes effect April 22, 2026.

The updated rule extends protections to children under 17 and introduces new requirements around biometric data, push notifications, and ed-tech data use.

$53,088

per violation, per day. FTC maximum civil penalty.

Built for compliance.
Designed for engineers.

Halo finds problems, helps you fix them, tracks your progress, and documents everything along the way.

Compliance

category

Grouped by rule

See all instances of the same problem across your projects. One pattern to fix. Progress bars show how close you are.

history

Full audit trail

Every resolution is recorded. Who decided, when, and why. Change a decision later and the full history is preserved.

psychology

AI-powered review

Each finding is assessed by Halo’s AI that filters false positives and provides fix suggestions with regulatory context.

workspace_premium

Informational review results

Track review results over time and export reports for stakeholders and board presentations.

Developer tools

terminal

Command-line scanner

One command scans your entire project. Works with JavaScript, TypeScript, Python, Ruby, Go, Java, and Swift. Results in seconds.

account_tree

Automated checks in your workflow

Add Halo to your GitHub workflow. Code updates get checked automatically. Problems get flagged before they go live.

code

Editor plugin

See violations highlighted as you write code. Available for VS Code. Fix problems before you even save.

tune

Customizable rules

Choose which regulations apply to you. Set severity levels. Exclude test files. One configuration file controls everything.

Focused on children’s privacy.

Halo reviews code for potential children’s-privacy concerns, starting with a COPPA / children’s-privacy pack. Results are informational and may include false positives or miss issues.

See the rule library

Why we built Halo

We built Halo because the gap between what the law requires and what engineering teams actually know is the single biggest risk to children online. Not malice. Blind spots.

COPPA was written in 1998. The 2.0 update extends protections to kids under 17, with penalties up to $53,088 per violation per day. Most engineering teams have never read it. Most codebases have never been audited against it.

Halo scans source code for dark patterns, unauthorized data collection, missing consent flows, and age verification gaps, surfacing potential issues before they go live, not after an enforcement action. Results are informational and may include false positives and false negatives.

Built by Mindful Media in Santa Monica, California 🌴😎

Built for the teams shipping to kids online. For less than movie night.

Start scanning for free. Upgrade when you need more.

Free

Scan and fix

$0

For individual developers who want to catch children’s privacy issues early.

  • check GitHub sign-in + scan on push
  • check Up to 5 repos
  • check COPPA rules (US)
  • check Basic violations view
  • check CLI + VS Code extension
Start Free
Most Popular

Pro

Children’s-privacy review

$29/mo

For teams reviewing software that children may use.

  • check Everything in Free, plus:
  • check Children’s-privacy rule pack
  • check Resolution audit trail
  • check AI Review Board
  • check Informational review reports
  • check Violations grouped by rule

Business

Compliance command center

$99/mo

For compliance teams that need attestation and audit readiness.

  • check Everything in Pro, plus:
  • check Developer attestation records
  • check Recurring scans with drift alerts
  • check Multi-repo workspace
  • check Resolution audit trail
  • check Team collaboration

All plans include the open-source CLI and GitHub Action. Cancel anytime.

Frequently Asked Questions

When does COPPA 2.0 take effect?

expand_more
April 22, 2026. The updated rule extends protections to children under 17 and introduces new requirements around biometric data, push notifications, and ed-tech data use. Penalties are up to $53,088 per violation per day.

Is Halo free?

expand_more
Yes. The free plan includes children’s-privacy rules for the US, AI false positive filtering, the CLI, and the VS Code extension. Pro ($29/mo) adds full reports and CI/CD integration. Business ($99/mo) adds developer attestation records, recurring scans, and team collaboration.

What does Halo scan for?

expand_more
Children’s privacy violations: unauthorized data collection, missing consent flows, tracking SDKs without child-directed flags, age verification gaps, dark patterns, and data retention issues. Halo covers regulations across the US, UK, EU, Australia, and more.

How is Halo different from other code scanning tools?

expand_more
Most code scanning tools look for security vulnerabilities like SQL injection, XSS, and dependency CVEs. Important, but not the same problem. Halo focuses on scanning source code for potential children’s privacy and safety concerns: dark patterns, unauthorized data collection, missing consent flows, and age verification gaps. It looks for the code patterns behind common children’s-privacy findings. Complementary to your existing security toolchain, not a replacement.

What languages does Halo support?

expand_more
JavaScript, TypeScript, Python, Ruby, Go, Java, Swift, and more. Halo analyzes code patterns that appear across frameworks and languages, so it works with most modern tech stacks.

Is my source code uploaded to your servers?

expand_more
It depends how you run Halo. CLI scans run locally on your machine — your source stays local, and only the findings (violation counts, rule IDs, scores) are uploaded if you choose to. The Halo GitHub App reads your code through GitHub’s APIs to scan it, and stores the resulting findings and metadata — we do not retain a copy of your source.

Can I use Halo in my CI/CD pipeline?

expand_more
Yes. The Halo GitHub Action reviews pull requests on admitted repositories for potential children’s-privacy concerns. Results are informational and may include false positives or miss issues. One YAML block in your workflow file. Available on Pro and Business plans.

Ready to get started?

Two minutes. Free. Before the FTC finds out for you.

$npx runhalo scan .
Get Started Free