HarborOS

Legal

Privacy Policy

What data we collect, why, and your rights.

Last updated · May 17, 2026

Overview

HarborOS, Inc. (“HarborOS,” “we,” “us”) operates the HarborOS platform, a contract intelligence and financial operations system for SaaS finance teams. This Privacy Policy describes what information we collect, how we use it, and your rights regarding that information. This policy applies to our web application at app.harboros.co, our marketing site at harboros.co, and related services.

What We Collect

Account Information

When you create an account, we collect your name, email address, and organization name. If you subscribe to a paid plan, our payment processor (Stripe) collects billing information on our behalf. We do not store credit card numbers directly.

Customer Data

You may upload or import contracts, financial records, forecasts, renewal data, and related business information into the Service. This Customer Data is yours. We process it solely to provide the Service.

Integration Data

When you connect third-party services (such as Salesforce, HubSpot, Google Drive, or Microsoft OneDrive), we access data from those services within the scopes you explicitly authorize. We do not request broader access than necessary to provide the features you enable.

Usage Data

We collect standard usage information including pages visited, features used, browser type, device type, IP address, and referring URL. This data helps us improve the Service and diagnose issues.

How We Use It

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send billing communications
  • Respond to support requests
  • Send product updates and operational notices
  • Detect and prevent fraud, abuse, or security incidents
  • Comply with legal obligations

We do not sell your personal information. We do not use Customer Data to train machine learning models. AI features within HarborOS (such as contract extraction or variance narratives) process your data in real time to deliver results and do not retain that data for training purposes.

Third-Party Integrations

HarborOS connects to third-party services through OAuth-based authorization. When you authorize an integration:

  • We access only the data scopes you approve during the authorization flow
  • For Google Drive, we use the drive.file scope, which limits access to files you explicitly open or create through HarborOS
  • You can revoke any integration at any time through your HarborOS settings or through the third-party service directly
  • We do not store raw OAuth tokens in our application database; token management is handled by our integration provider (Nango)

Third-party services are governed by their own privacy policies. We encourage you to review them.

Sub-Processors

ProviderPurposeLocation
SupabaseDatabase & authenticationUnited States
CloudflareHosting, CDN, edge computeGlobal
StripePayment processingUnited States
NangoOAuth integration managementUnited States
AnthropicAI-assisted contract extraction & analysisUnited States

We will update this list if we add sub-processors and notify customers of material changes.

Cookies & Analytics

We use cookies and similar technologies for authentication, session management, and analytics. Specifically:

  • Essential cookies: Required for authentication and security. Cannot be disabled.
  • Analytics cookies: Help us understand how the Service is used. You may opt out through your browser settings.

We do not use advertising cookies or third-party tracking pixels. We do not participate in ad networks or cross-site tracking.

Data Retention

We retain your account information and Customer Data for as long as your account is active. After account termination, you have 30 days to export your data. We delete Customer Data from active systems within 90 days of the export window closing. Backup copies may persist for up to an additional 90 days before being purged. Usage logs and analytics data are retained in aggregate form and are not individually identifiable after 12 months.

Security

We implement industry-standard security measures including encryption in transit (TLS 1.2+) and at rest, role-based access controls, audit logging, and regular security reviews. No system is perfectly secure, but we take reasonable and appropriate measures to protect your data. If we become aware of a security breach affecting your data, we will notify you in accordance with applicable law.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your personal information
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at privacy@harboros.co. We will respond within 30 days.

Children's Privacy

HarborOS is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will delete it promptly.

International Transfers

Your data may be processed in the United States and other countries where our sub-processors operate. We ensure appropriate safeguards are in place for international data transfers, including standard contractual clauses where applicable.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

Contact

Questions about this Privacy Policy? Contact us at privacy@harboros.co.

HarborOS, Inc.
privacy@harboros.co

More legal

Terms of ServiceThe agreement that governs your use of HarborOS.Read Refund Policy30-day money-back guarantee on Pro subscriptions.Read