Harny Privacy Policy

1. Who We Are

Harny is operated by Vexta Labs Inc., a company incorporated in British Columbia, Canada.

• Address: Burnaby, British Columbia, Canada
• Contact: support@harny.ai
• Data Protection Officer: Not appointed at this stage. For data-protection inquiries, contact support@harny.ai.

2. What This Page Is — and Isn't

Harny is infrastructure that the app you connected uses to process context for AI features. Your contractual relationship is with that app's developer, not with Harny directly. This page describes what Harny does with data that passes through our systems when you authorize a connection, so you can verify it before or after authorizing.

Currently, Harny does not maintain a direct account relationship with end users. You do not have a Harny account, and visiting this page does not create one.

3. What Data We Receive

Developer Account Data

If you are a developer using the Harny platform, we collect the account information you provide when you create your developer account: name, email address, and app configuration details. This data is collected through our authentication provider and stored for account management, billing, and platform communications.

End-User Data (via Connected Apps)

When you authorize a connection through an app that uses Harny, we receive data from your connected account. The specific data depends on the authorization you granted.

Google Account Data

We request the following Google scopes:

• https://www.googleapis.com/auth/gmail.readonly — read your Gmail messages and metadata in order to extract structured context facts (such as calendar invites you've received, order confirmations, recurring sender patterns, and relevant correspondence summaries) that the app you connected uses to make AI responses personalized to you. We do not store the message bodies themselves at rest (see Section 4 below).
• https://www.googleapis.com/auth/calendar.readonly — read your Google Calendar events and metadata in order to extract scheduling context (upcoming meetings, recurring events, time-zone awareness) that the app you connected uses to make AI responses more relevant and timely. We do not create, modify, or delete any calendar events.
• https://www.googleapis.com/auth/userinfo.email — verify the email address of the Google account you authorized so the app you connected knows which Google account is linked.

We retrieve messages from the most recent 90-day window at the time of initial connection, and continue to process new messages as they arrive while the connection remains active.

4. What We Store

When you authorize Harny to read from your connected account, the connected app's Harny integration extracts structured context facts from each message (for example, "user received flight delay notification for reservation ABC, 2-hour delay" rather than the verbatim email body). We store:

• Extracted structured facts— the entities, relationships, and structured information drawn from your messages
• Episode summaries— a short paraphrase of each message's meaning
• Vector embeddings— a non-reversible mathematical representation used for semantic search (cannot be converted back to the original text)
• Metadata anchors— message ID, timestamp, sender domain, byte size, and category tier
• Process audit trail— logs of the extraction process itself

We do not store: verbatim message bodies, HTML bodies, message subject lines, attachment contents, or any encrypted or encoded copy of raw message content. When raw access is needed for narrow operational debugging, the connected message is fetched fresh from the source API on demand, inspected, then discarded. Each such fetch is logged in an append-only audit trail.

5. How Long We Retain It

Structured facts, summaries, embeddings, and metadata are retained for as long as the connection exists. When the connection is revoked or a deletion request is received, extracted data is deleted within 30 days.

Aggregate, anonymized analytics derived from processed data (such as extraction quality metrics and platform-level usage patterns) may be retained longer. This aggregate data cannot be used to identify you or reconstruct your original messages.

6. Who We Share With

We share user data only with:

• Cloud infrastructure providersthat host and operate Harny's services. These providers process data on our instructions only and are bound by their own data-protection commitments.
• Large-language-model (LLM) providersfor the purpose of extracting structured context from messages. These providers' enterprise API agreements prohibit training their models on submitted content. Content is processed ephemerally and is not retained by the provider beyond the duration of the API call.
• The connected app's developer, in the form of the structured context facts the app requested. The app does not receive raw message bodies; it receives only the extracted facts and limited metadata (sender domain, timestamp, category tier).
• Authentication and integration services that handle authentication flows and connection brokering but do not receive your message content.

We do not share user data with advertising networks, data brokers, or any party for marketing purposes.

We do not sell user data under any jurisdiction's definition of "sale."

7. Cross-App Context

Currently, data processed through one app's Harny integration is not shared with other apps. Each app receives only the context facts derived from connections authorized specifically through that app.

8. Your Rights

You have the following rights regarding your data processed by Harny:

• Access: You may request a copy of the structured facts Harny holds about you. Contact the developer of the app you connected, or email support@harny.ai.
• Rectification: To update your data, re-authorize the connection through the app you use. Harny will process the updated source data on the next sync cycle.
• Erasure: You may request deletion of all your data from Harny (see Section 10 below for the deletion path).
• Restriction: You may request that we restrict processing of your data while a concern is being resolved. Contact support@harny.ai.
• Portability: You may request an export of your structured facts in a machine-readable format, where technically feasible. Contact support@harny.ai.
• Objection: You may object to processing by revoking the connection (see Section 10).
• Automated decisions:Harny's extraction process is automated but does not produce decisions with legal or similarly significant effects on you. The extracted context is used by the app you connected to inform AI responses — not to make decisions about your eligibility for services, credit, employment, or similar outcomes. You may contact support@harny.ai if you have concerns about how extracted context is being used.

Because Harny operates as infrastructure beneath the app you use, these rights are currently exercised either through that app's developer or by contacting Harny directly at support@harny.ai. We respond to verifiable requests within 30 days.

9. Google API Services User Data Policy / Limited Use Compliance

Harny's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

1. We do not use Google user data to serve advertisements, including re-targeting, personalized advertising, or interest-based advertising.
2. We do not transfer Google user data to third parties except as necessary to provide or improve the integration the user authorized (the specific exceptions are listed in Section 6 above) and only under contractual terms that bind those third parties to equivalent restrictions.
3. We do not allow humans to read Google user data except (a) with the user's affirmative consent for specific messages, (b) when necessary for security purposes (such as investigating abuse), or (c) when necessary to comply with applicable law.
4. We do not use Google user data to develop, improve, or train generalized AI/ML models. Our use of third-party LLM providers (Section 6) is solely for extracting structured context from user-authorized data on a per-request basis, under enterprise API agreements that prohibit the provider from training on submitted content.

10. How to Request Deletion of Your Data

The Harny integration is invisible to you in normal use — you interact with the app you signed up for, not with Harny directly. To request deletion of your data from Harny:

1. Contact the developer of the app you connected. They can revoke the Harny integration on your account, which removes Harny's access immediately and triggers data deletion within 30 days.
2. If you cannot reach the app developer, or want a deletion path that does not depend on them, email support@harny.ai with: (a) the email address you authorized, (b) the name of the app you connected, and (c) "deletion request" in the subject. We will execute the deletion within 30 days and email you when complete.
3. Revoke Google access directly at https://myaccount.google.com/permissions. This immediately stops Harny from receiving any further data from your Google account. Existing extracted data still requires the deletion request above to remove from Harny's storage.

11. International Data Transfers

Harny's infrastructure currently operates from the United States. When you use a Harny-powered app from outside the US (including from the European Economic Area, the United Kingdom, or Switzerland), the data extracted from your authorized accounts will be processed in the US.

We rely on the following legal mechanisms for these transfers:

• EU/UK/CH to US:Standard Contractual Clauses (SCCs) with our cloud infrastructure and LLM providers, per the European Commission's 2021 modernized SCCs and the UK ICO's International Data Transfer Addendum.
• Adequacy decisions: Where applicable, such as an adequacy decision covering the receiving jurisdiction.

12. Children

Harny does not knowingly process data of users under 13 years of age. The apps you connected are responsible for age-appropriate use of their products. If you believe data belonging to a child under 13 has been processed by Harny, contact support@harny.ai and we will delete it promptly.

13. Cookies and Tracking on harny.ai

The harny.ai website currently sets no cookies. We do not use Google Analytics, Facebook Pixel, advertising trackers, or cross-site marketing cookies.

If cookies are introduced in the future (for example, for bot-management or analytics purposes), this section will be updated before they are deployed.

The legal pages on harny.ai (this Privacy Policy and the Terms of Service) will never load marketing or advertising cookies.

14. Changes to This Policy

We will update the "Last Updated" date at the top of this page when we make changes. For material changes that affect your rights or how we handle your data, we will provide notice at least 30 days before the change takes effect by disclosing the change to the developers of apps that use Harny, who will inform their users through their own communication channels.

Previous versions of this policy are maintained in our version history and available upon request.

15. Contact

For questions about this Privacy Policy or your data:

• Email: support@harny.ai
• Response time: We aim to respond within 30 days to verifiable requests.

If you are unsatisfied with our response, you may lodge a complaint with your local data protection authority.

16. Lawful Basis for Processing (EEA/UK Users)

For users located in the European Economic Area or United Kingdom, we process your data on the following legal bases:

• Legitimate interest(GDPR Art 6(1)(f)) — the developer of the app you use has a legitimate interest in providing personalized AI features to you, and you authorized the connection that enables this processing. Our processing is limited to extracting structured context and does not involve profiling with legal or similarly significant effects.
• Contract performance(GDPR Art 6(1)(b)) — where the processing is necessary to perform the service you authorized through the app you connected.

We do not rely on consent as our lawful basis for processing. Your authorization of the connection through the app's OAuth flow is a functional authorization, not a GDPR consent mechanism. The lawful basis flows from the developer's relationship with you.

17. Canadian Privacy Law (PIPEDA)

Vexta Labs Inc. is incorporated in British Columbia, Canada. The Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA) govern our collection, use, and disclosure of personal information in the course of commercial activities.

Under PIPEDA and PIPA:

• Purpose: We collect and process personal information solely for the purpose of providing the context-extraction service described in this policy. We do not use personal information for purposes unrelated to this service.
• Consent: Your authorization of the OAuth connection through the app you use constitutes meaningful consent to the processing described in this policy.
• Access and correction: You may request access to the personal information we hold about you, or request correction, by contacting support@harny.ai.
• Complaints: If you have concerns about our handling of your personal information, you may contact the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) or the Office of the Information and Privacy Commissioner for British Columbia (www.oipc.bc.ca).