Your code reaches millions of kids. Is it designed to protect them?

$ npx runhalo scan .
halo v1.2.1 COPPA Risk Scanner
Scanning 847 files...
 
HIGH coppa-audio-007 src/lib/audio-recorder.js:26
Unauthorized Audio Recording: getUserMedia({audio: true})
Penalty: $53,088 per violation per child
MED coppa-ext-017 src/components/header.jsx:70
Unwarned External Links: Missing "You are leaving..." modal
MED coppa-ui-008 src/pages/signup.tsx:42
Missing Privacy Policy on Registration Form
-------------------------------------------
3 potential issues found across 847 files
1 high · 2 medium · 0 low

Free & Open Source | 25 COPPA rules | View on GitHub

100+ Repos Scanned
3,500+ Violations Found
180 Compliance Rules
17 Regulatory Packs

We scanned the top 100 child-directed apps. The results are alarming.

3,569

Direct violations of existing and upcoming COPPA 2.0 standards found across open-source and public mobile codebases.

$189M per day

Potential statutory penalties based on the FTC's maximum per-violation rate applied to active user cohorts.

Data collection 31%
Dark patterns 24%
Age verification 18%
Tracking 15%
Retention 8%
Parental controls 4%
COPPA 2.0 takes effect April 22, 2026. Penalties up to $53,088 per violation per day.

How It Works

1. Run the scan

npx runhalo scan . — No signup. No config. Results in under two minutes.

2. Review findings

Every finding includes the regulation cited, severity level, developmental context, and a fix suggestion.

3. Ship with confidence

Add Halo to your CI/CD pipeline. GitHub Action runs on every PR.

Where Compliance Meets Code

Static analysis, AI-powered review, and compliance tracking. One CLI.

CLI Scanner

npx runhalo scan . — scans any codebase for children's privacy violations. Supports JavaScript, TypeScript, Python, Ruby, Go, Java, Swift, and more. Results in seconds, runs locally.

CI/CD Integration

One YAML block in your pipeline. Compliance checks run on every pull request. Non-compliant code gets flagged before it merges.

Editor Plugin

Privacy violations highlighted in your editor as you work. Available on the VS Code Marketplace.

AI-Powered Review

Each finding is assessed by Halo's AI that filters false positives and provides fix suggestions with regulatory context. Free tier: 2 reviews/day.

Configurable Rules

Select jurisdictions, set severity thresholds, exclude paths, and tune detection sensitivity. One config file: .halorc.json.

Compliance Reports

Generate compliance scorecards with A-F grading. JSON export included. PDF, SARIF, and HTML reports.

180+ rules. 13 jurisdictions. The regulations that matter.

Updated regularly by our compliance engineering team. One scan, global coverage.

  • USA: COPPA 2.0 (25 rules)
  • UK: AADC (Code) (15 rules)
  • EU: EU DSA (10 rules)
  • California: AADCA (15 rules)
  • Australia: Online Safety (12 rules)
  • Australia: Safety by Design (6 rules)
  • Canada: PIPEDA (8 rules)
  • Brazil: LGPD Child (6 rules)
  • USA: Utah SB142 (5 rules)
  • EU: EU AI Act (15 rules)
  • EU: GDPR-K (10 rules)
  • INT'L: AI Code Audit (6 rules)
  • INT'L: Ethical Design (5 rules)
  • INT'L: Dark Patterns (12 rules)
  • INT'L: Consent Flows (10 rules)
  • INT'L: Data Retention (8 rules)
  • Global: Age Verification (12 rules)

New rules ship regularly. One scan, global coverage.

Why we built Halo

Children spend more time inside software than they do in classrooms. The apps they use every day are built by engineers who rarely see the regulatory landscape they're shipping into.

We built Halo because we believe the gap between what the law requires and what engineering teams actually know is the single biggest risk to children online. Not malice. Blind spots.

COPPA was written in 1998. The 2.0 update extends protections to kids under 17, with penalties up to $53,088 per violation per day. Most engineering teams have never read it. Most codebases have never been audited against it.

Halo is preventive mental health infrastructure at the code level. We scan source code the way a regulator would, looking for dark patterns, unauthorized data collection, missing consent flows, and age verification gaps. Teams fix issues before they ship, not after an enforcement action.

Built by Mindful Media in Santa Monica, California 🌴😎

Protecting millions of kids online. For less than movie night.

Start scanning for free. Upgrade when you need more.

Free

$0

For individual developers and open source projects.

  • Children's privacy rules (US)
  • AI false positive filtering
  • CLI + VS Code extension
  • JSON compliance reports

Pro

$29/mo

For teams building products children use.

  • Everything in Free, plus:
  • All 180+ rules across 13 jurisdictions
  • AI-powered review
  • PDF, SARIF, and HTML reports
  • GitHub Action for CI/CD
  • Priority support

Business

$99/mo

For teams that need compliance attestation and audit readiness.

  • Everything in Pro, plus:
  • Compliance attestation certificates
  • Recurring scans with drift alerts
  • Multi-repo workspace
  • Immutable audit trail
  • Team collaboration

All plans include the open-source CLI. Cancel anytime.

Frequently Asked Questions

When does COPPA 2.0 take effect?

April 22, 2026. The updated rule extends protections to children under 17 and introduces new requirements around biometric data, push notifications, and ed-tech data use. Penalties are up to $53,088 per violation per day.

Is Halo free?

Yes. The free plan includes children's privacy rules for the US, AI false positive filtering, the CLI, and the VS Code extension. Pro ($29/mo) unlocks all 180+ rules across 13 jurisdictions, full reports, and CI/CD integration. Business ($99/mo) adds compliance attestation, recurring scans, and team collaboration.

What does Halo scan for?

Children's privacy violations: unauthorized data collection, missing consent flows, tracking SDKs without child-directed flags, age verification gaps, dark patterns, and data retention issues. Halo covers regulations across the US, UK, EU, Australia, and more.

How is Halo different from other code scanning tools?

Most code scanning tools look for security vulnerabilities like SQL injection, XSS, and dependency CVEs. Important, but not the same problem. Halo is the only tool that scans source code for children's regulatory compliance: dark patterns, unauthorized data collection, missing consent flows, and age verification gaps. It reads your code the way a regulator would. Complementary to your existing security toolchain, not a replacement.

What languages does Halo support?

JavaScript, TypeScript, Python, Ruby, Go, Java, Swift, and more. Halo analyzes code patterns that appear across frameworks and languages, so it works with most modern tech stacks.

Is my source code uploaded to your servers?

No. Halo scans run locally on your machine. Only scan results (violation counts, rule IDs, compliance scores) are sent to the dashboard when you choose to upload. Your source code never leaves your environment.

Can I use Halo in my CI/CD pipeline?

Yes. The Halo GitHub Action runs compliance checks on every pull request. One YAML block in your workflow file. Non-compliant code gets flagged before it merges. Available on Pro and Business plans.

Ready to protect kids?

Two minutes. Free. Before the FTC finds out for you.

$ npx runhalo scan .