Haven shows you where your sensitive data lives, who can see it, and what's worth fixing — across every cloud account and device you use. Classification happens on your device. Our cloud cannot see your content, not as a promise, but as architecture.
A 15-year-old Gmail has 150,000 messages. A decade of Drive has tens of thousands of files. No human will audit that — and yet the sensitive data is all there: tax returns, medical records, plaintext passwords, API keys, driver's license scans. The industry has a name for this in the enterprise. Consumers have nothing.
How many documents contain your SSN, your driver's license, your bank account numbers, your medical records — actually?
Spread across Gmail, Drive, iCloud, OneDrive, Dropbox, local folders, screenshot archives, and forgotten backups.
Former coworkers. Ex-partners. Defunct vendor accounts. Publicly-shared links from 2017 that still work today.
Remediation requires navigating six cloud platforms with six different sharing controls. Haven turns it into one list.
Grant Haven read access to Gmail, Drive, iCloud, OneDrive, or Dropbox — or let it watch a folder on your desktop. OAuth tokens stay in your system keychain. We never see them.
A small AI model on your device classifies every email and file: tax documents, medical records, API keys, credentials, ID scans. Findings are stored encrypted on the same device.
Review findings ranked by severity. Delete an email, revoke a share, move a file to vault — every action is reversible for 30 days. Your posture score climbs as you resolve things.
If our cloud is breached tomorrow, an attacker gets aggregate counts and encrypted blobs they can't decrypt. That's the entire security posture — and it's structural, not a policy.
Haven never uploads message bodies, attachments, filenames, or sender data. Inference runs on your machine.
Your findings database is encrypted with a key derived from your OS keychain. The cloud never holds the key.
The scanner is open source. Our network traffic is documented. We want hostile journalists to inspect it.
Your dashboard opens with a single posture score and the handful of things worth fixing today. Filter by source, select in bulk, act with one click — and know that every action has a 30-day undo.
When a feature request collides with one of these, the principle wins. We believe these are the difference between a security product and a security theater product.
Classification, findings storage, and remediation all happen locally. Only anonymous aggregates and encrypted blobs cross the trust boundary.
A user afraid to click a remediation button is a user we've failed. Delete, revoke, move — all have working one-click undo.
Deep scans take hours — fine. But the scanner prioritizes high-signal items so your first "holy shit" moment lands in the onboarding session, not overnight.
No alarming red banners. No proprietary crypto. No dark patterns to inflate perceived risk. Users who feel manipulated will churn and tell others.
We describe the nature of findings ("a tax return", "a plaintext password") — never the content itself. Safer for shoulder-surfing, and it reinforces the trust posture.
Most consumer security decisions are made by one "household CTO" protecting several people. Family plans, per-person dashboards, estate planning — not enterprise afterthoughts.
Every "local vs. cloud" decision defaults to local. The cloud holds only what it strictly must — identity, billing, encrypted sync.
The core classification library is publicly auditable. We cannot ask you to trust our claims if you have to take our word for how the scanner works.
Prices below are our working hypothesis for launch. First 1,000 paying users will be grandfathered regardless of final pricing.
The enterprise already had a name for this: Data Security Posture Management. Cyera built a two-billion-dollar company answering it for businesses. Every consumer I know has the same blind spot — 15 years of email, six cloud services, old shares with people they can't remember — and no tools worth the name. Haven is the version of that product I've been quietly wanting for myself. The architecture is the whole pitch: we literally cannot see your data. If you're the person in your family who worries about this, I'd love for you to try it first.
We send waitlist subscribers substantive updates — breach post-mortems, architectural decisions, and the odd philosophical detour. Not marketing spam.
Early users shape the product — from onboarding to pricing. We send substantive updates twice a month. You can unsubscribe in one click.
We'll send you build updates, not marketing spam. First note drops within a week.