A consumer data security platform · Pre-launch

Personal data security, finally accounted for.

Haven shows you where your sensitive data lives, who can see it, and what's worth fixing — across every cloud account and device you use. Classification happens on your device. Our cloud cannot see your content, not as a promise, but as architecture.

On-device classification · End-to-end encrypted sync · Open-source scanner · Every action reversible 30 days
The problem, stated plainly

Most people cannot answer four questions about their own data.

A 15-year-old Gmail has 150,000 messages. A decade of Drive has tens of thousands of files. No human will audit that — and yet the sensitive data is all there: tax returns, medical records, plaintext passwords, API keys, driver's license scans. The industry has a name for this in the enterprise. Consumers have nothing.

01

What sensitive data do I have?

How many documents contain your SSN, your driver's license, your bank account numbers, your medical records — actually?

02

Where does it all live?

Spread across Gmail, Drive, iCloud, OneDrive, Dropbox, local folders, screenshot archives, and forgotten backups.

03

Who still has access?

Former coworkers. Ex-partners. Defunct vendor accounts. Publicly shared links from 2017 that still work today.

04

What should I actually do about it?

Remediation requires navigating six cloud platforms with six different sharing controls. Haven turns it into one list.

How it works

Three steps. Zero content ever leaves your device.

Step one

Connect your accounts

Grant Haven read access to Gmail, Drive, iCloud, OneDrive, or Dropbox — or let it watch a folder on your desktop. OAuth tokens stay in your system keychain. We never see them.

Step two

Scan locally

A small AI model on your device classifies every email and file: tax documents, medical records, API keys, credentials, ID scans. Findings are stored encrypted on the same device.

Step three

Act with confidence

Review findings ranked by severity. Delete an email, revoke a share, move a file to vault — every action is reversible for 30 days. Your posture score climbs as you resolve things.

The trust story, spelled out.

If our cloud is breached tomorrow, an attacker gets aggregate counts and encrypted blobs they can't decrypt. That's the entire security posture — and it's structural, not a policy.

[Diagram: the trust boundary between your device and Haven Cloud]

YOUR DEVICE · Mac, Windows, or Linux
  • Local scanner: Regex + DistilBERT · Open source · auditable
  • On-device LLM: Qwen 2.5 3B (optional) · High-signal items only
  • Encrypted findings store: SQLCipher · key derived from your OS keychain

TRUST BOUNDARY · no plaintext · ever
  • Crossing the boundary: counts, ciphertext

HAVEN CLOUD · Identity · aggregates
  • Account & billing
  • Aggregate counts only
  • Encrypted sync blobs

Diagrammed for clarity. Published in full as part of the open-source release.

We cannot read your email.

Haven never uploads message bodies, attachments, filenames, or sender data. Inference runs on your machine.

We cannot decrypt your findings.

Your findings database is encrypted with a key derived from your OS keychain. The cloud never holds the key.

You can verify all of this.

The scanner is open source. Our network traffic is documented. We want hostile journalists to inspect it.

Inside Haven

A desktop agent that actually shows you what you have.

Everything you've forgotten, ranked by how much it matters.

Your dashboard opens with a single posture score and the handful of things worth fixing today. Filter by source, select in bulk, act with one click — and know that every action has a 30-day undo.

  • First critical finding within 60 seconds of first auth
  • Gmail, Drive, OneDrive, iCloud, Dropbox, local folders
  • Paraphrased findings — we describe, we don't reveal
  • Every action reversible for 30 days

Load-bearing principles

Eight rules that outrank any shipping deadline.

When a feature request collides with one of these, the principle wins. We believe these are the difference between a security product and a security theater product.

01

Content never leaves the device in plaintext.

Classification, findings storage, and remediation all happen locally. Only anonymous aggregates and encrypted blobs cross the trust boundary.

02

Every action is reversible for 30 days.

A user afraid to click a remediation button is a user we've failed. Delete, revoke, move — all have working one-click undo.

03

Progressive value within 60 seconds.

Deep scans take hours — fine. But the scanner prioritizes high-signal items so your first "holy shit" moment lands in the onboarding session, not overnight.

04

No security theater.

No alarming red banners. No proprietary crypto. No dark patterns to inflate perceived risk. Users who feel manipulated will churn and tell others.

05

Paraphrase over quotation.

We describe the nature of findings ("a tax return", "a plaintext password") — never the content itself. Safer for shoulder-surfing, and it reinforces the trust posture.

06

Family is a first-class primitive.

Most consumer security decisions are made by one "household CTO" protecting several people. Family plans, per-person dashboards, estate-planning — not enterprise afterthoughts.

07

The cloud is thin. The agent is heavy.

Every "local vs. cloud" decision defaults to local. The cloud holds only what it strictly must — identity, billing, encrypted sync.

08

Open-source the scanner.

The core classification library is publicly auditable. We cannot ask you to trust our claims if you have to take our word for how the scanner works.

Pricing hypothesis · subject to waitlist feedback

Simple pricing. Honest trade-offs.

Prices below are our working hypothesis for launch. First 1,000 paying users will be grandfathered regardless of final pricing.

Individual
Haven for one
$14 / month
For the person who already has a password manager and a growing sense of unease about their inbox.
  • Unlimited cloud sources
  • Desktop agent (Mac & Windows)
  • 30-day undo on every action
  • iOS & Android companion apps

Family · 5 seats
Haven for households
$24 / month
For the one person in your household who keeps the digital lights on for everyone else.
  • Everything in Individual, ×5
  • Household posture overview
  • "Help a parent" remediation walk-through
  • Legacy contact / estate planning

Coming later
Haven for AI Agents
$24 / month · est.
See what every AI agent connected to your accounts can actually read — and revoke with one click.
  • ChatGPT, Claude, Gemini audit
  • Scope-narrowing re-grants
  • Real-time new-grant alerts
  • Autonomous remediation policies

From the founder
The enterprise already had a name for this: Data Security Posture Management. Cyera built a two-billion-dollar company answering it for businesses. Every consumer I know has the same blind spot — 15 years of email, six cloud services, old shares with people they can't remember — and no tools worth the name. Haven is the version of that product I've been quietly wanting for myself. The architecture is the whole pitch: we literally cannot see your data. If you're the person in your family who worries about this, I'd love for you to try it first.
Tom · Founder · April 2026
The Haven journal

Essays on personal data stewardship.

We send waitlist subscribers substantive updates — breach post-mortems, architectural decisions, and the odd philosophical detour. Not marketing spam.

Join the waitlist

Help us build this the right way.

Early users shape the product — from onboarding to pricing. We send substantive updates twice a month. You can unsubscribe in one click.

No spam. No tracking. No dark-pattern urgency. Plausible analytics only.
