Legal
Privacy Policy
Last updated: June 11, 2026
This Privacy Policy describes how 7G TechLabs Inc., doing business as "Harnyss AI" ("Company," "we," "us") collects, uses, and protects personal information in connection with our platform ("Service"). It applies to processing for which we act as a data controller (see "Our Role" below).
Our Role: Controller and Processor
We act as a data controllerfor the information we collect to run our business and provide the Service to account holders — for example the account, billing, usage, and security information described in Section 1. This Privacy Policy covers that controller processing.
For Customer Data— the content, records, and any personal data a customer loads into or generates within their Workspace, including personal data about the customer's own users, contacts, or clients — we act as a data processoron the customer's behalf. That processing is governed by our Data Processing Agreement, the customer is the controller, and individuals whose data a customer loads should refer to that customer's own privacy notice.
1. Information We Collect (as Controller)
Account Information
When you create an account, we collect your email address, name, and optional profile information (such as an avatar). If you subscribe to a paid plan, payment processing is handled by Stripe — we do not store your credit card details.
Usage Data
We collect information about how you use the Service, including orchestration credit consumption, workflow execution metrics, agent performance data, and feature usage patterns. This data is used for billing, analytics, and to improve the Service.
Technical and Security Data
We automatically collect technical information such as IP address, browser and device information, and access timestamps. We also log security events — including sign-in, sign-out, and failed sign-in attempts — for audit logging and abuse detection.
Customer Data (the content and records you create within your Workspace) is processed by us as a processor on your behalf and is governed by our DPA (see "Our Role" above), not by the controller obligations in this Policy.
2. How We Use Information, and Legal Bases
As a controller, we use the information we collect to:
- Provide the Service: process your requests, execute workflows, manage agents, and deliver AI-generated outputs
- Billing: calculate credit usage, process payments, and manage subscriptions via Stripe
- Communications: send transactional emails (welcome, trial expiration, payment notices, account and security notifications) via Resend
- Security: protect against unauthorized access, detect fraud and abuse, and maintain platform integrity
- Improvement: analyze usage patterns to improve Service features and performance
- Legal compliance: meet legal obligations and respond to lawful requests
Where the EU GDPR or UK GDPR applies, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service; managing your account | Performance of a contract |
| Billing, payments, and subscription management | Performance of a contract |
| Transactional and service communications | Performance of a contract; legitimate interests |
| Security, fraud prevention, and abuse detection | Legitimate interests; legal obligation |
| Service analytics and improvement | Legitimate interests |
| Compliance with legal obligations and lawful requests | Legal obligation |
Where we rely on legitimate interests, you may object to the processing as described in Section 9.
3. AI Processing
The Service uses AI models to generate content and make operational decisions. For its own platform operations (such as triage and classification), the Service uses Anthropic. When your agents execute tasks, relevant Workspace context (brand context, knowledge base entries, task instructions) may be sent to the configured AI provider for processing.
You may configure your own AI model-provider keys (bring-your-own-key) — for example to use OpenAI for a model or for semantic-search embeddings. In that case, data is sent to the provider you configure, under your own account, and that provider's terms and settings govern its use of the data. The Anthropic API does not use API data to train its models by default; for any provider you configure, you are responsible for that provider's data-use settings. We do not use Customer Data to train our own models.
4. Google APIs and User Data
If you connect a Google account to Harnyss, this section governs how we handle data accessed via Google APIs.
Google User Data and Limited Use. Harnyss's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve user-facing features that are visible in the Harnyss application.
- We do not transfer Google user data to third parties except (a) as necessary to provide or improve those features, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data for serving advertisements, including retargeting or personalised / interest-based advertising.
- We do not allow humans to read Google user data, except (a) with the user's affirmative consent for specific data, (b) for security purposes (e.g., investigating abuse), (c) to comply with applicable law, or (d) where the data is aggregated and used for internal operations in compliance with the Limited Use policy.
Google services we connect to and why. Harnyss requests only the scopes required to deliver the agent capabilities you have enabled. Each scope is tied to a specific user-facing feature, and we ask for the narrowest version of each scope that lets the feature work.
- Calendar (
auth/calendar) — read and create events for scheduling agents and meeting-reminder workflows you ask an agent to run on your behalf. - Google Docs (
auth/documents) — read documents you provide as agent context and create new Docs (briefs, blog drafts, reports) when an agent's task produces a written deliverable. - Google Sheets (
auth/spreadsheets) — read sheets you provide as agent context and create new Sheets (reports, exports, structured data) when an agent's task produces a tabular deliverable. - Drive (
auth/drive.file) — non-sensitive scope that limits Harnyss to files we create on your behalf and files you explicitly open with Harnyss. We do not have access to the rest of your Drive. - Gmail (
auth/gmail.send) — send outbound email on your behalf when you explicitly direct an agent to send a specific message (for example, a customer follow-up generated at the end of a workflow, or a transactional notification you have configured an agent to send). This is the narrowest Gmail scope available. Harnyss does not read your inbox, does not access existing drafts, and does not modify existing messages. - Google Analytics (
auth/analytics.readonly) — read GA4 metrics (traffic, conversions, audience, real-time activity) so reporting agents can summarise site performance and surface alerts. - Google Ads (
auth/adwords) — read campaign performance and, where you authorise it, make campaign changes when an ad-management agent acts on your behalf. - Identity baseline (
openid,email,profile) — identify you when you sign in to Harnyss with Google.
Storage, sharing, and transfer. OAuth refresh tokens are stored encrypted at rest using AES-256-GCM in our primary Postgres database (Supabase, hosted in AWS us-east-1). We only decrypt them in memory at the moment an agent needs to make a Google API call on your behalf — they are never written to logs, task payloads, or any client-facing response.
For files an agent creates in your Google account (Docs, Sheets, or Drive files), we store metadata only — the file ID, title, owning workspace, and creation timestamp. The file content stays in your Google Drive.
We do not store Gmail message content on Harnyss servers. When an agent sends an email via auth/gmail.send, the message is handed off to Gmail and we do not retain the body, the recipient list, or a draft copy on our side. The fact that an outbound send occurred is recorded in your workspace audit log so you can see what an agent did on your behalf.
Google data is never sold, shared with advertisers, or used to train any machine-learning model — ours or anyone else's.
Sub-processors with access to Google data are: Anthropic (processes prompts that may contain Google-derived content), Supabase (database hosting and OAuth token storage), Railway (application hosting and runtime), Resend (transactional email delivery, used only when an email-based agent action requires it), and Sentry (error monitoring; stack traces from code paths that handle Google data may incidentally include Google-derived context).
Revoking access and deletion.You can revoke Harnyss's access to your Google account at any time at https://myaccount.google.com/permissions. When you disconnect an integration or delete your workspace, we delete the associated OAuth tokens immediately and purge cached Google data within 30 days.
5. Data Isolation
Each Workspace is isolated through row-level security policies. Your Customer Data is not accessible to other customers or Workspaces. API keys and provider credentials are encrypted at rest using AES-256-GCM and decrypted only in memory for authorized operations.
6. Sharing and Sub-processors
We share your information only in these circumstances:
- Sub-processors: Supabase (database, authentication, and storage), Railway (hosting), Anthropic (platform AI), Stripe (payments), Resend (email), and Sentry (error monitoring). A current list with purposes is in our DPA (Annex 3). AI providers you configure yourself (bring-your-own-key) are your own and are not our sub-processors.
- Legal requirements: when required by law, subpoena, or court order
- Business transfers: in connection with a merger, acquisition, or sale of assets
We do not sell your personal information.
7. Data Retention
We retain your data for as long as your account is active and as needed to provide the Service. Operational data is retained on a tiered schedule (generally 30 to 365 days), and our security audit log is retained for at least one year. When you delete your account, we permanently delete your data within 30 days, except where retention is required by law.
8. Security
We implement industry-standard security measures including:
- Encrypted data in transit (TLS, with HSTS) and at rest
- AES-256-GCM encryption for sensitive credentials
- Row-level security for Workspace isolation
- Managed authentication with secure sessions, an 8-hour idle-session timeout, failed-login / brute-force detection, and rate limiting
- An append-only audit log of security-relevant actions
- Error monitoring (scrubbed of sensitive data) and automated platform health and anomaly detection for rapid incident response
Our technical and organizational measures are described in more detail in our DPA (Annex 2).
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access, correct, or delete your personal information
- Receive a portable copy of your data
- Object to or restrict certain processing, including processing based on our legitimate interests
- Withdraw consent where processing is based on consent
- Lodge a complaint with your data protection supervisory authority — in the UK, the Information Commissioner's Office (ICO)
To exercise these rights, contact privacy@harnyss.ai. We will respond within the period required by applicable law (generally within 30 days). For Customer Data we process as a processor, we will refer your request to the relevant customer (the controller).
10. Cookies
We use only essential cookies and do not use third-party tracking or advertising cookies:
- Authentication— secure session cookies set by our authentication provider (Supabase) to keep you signed in.
bo-last-active— records your last activity time to enforce the 8-hour idle-session timeout.bo-ws-check— a workspace check cookie that optimizes navigation performance.
11. Children's Privacy
The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal information from children.
12. International Transfers
We and our sub-processors may process information in the United States and other countries. Where personal data is transferred from the United Kingdom or the European Economic Area to a country without an adequacy decision, we rely on an appropriate safeguard — the European Commission's Standard Contractual Clauses for EEA transfers and the UK International Data Transfer Agreement (or UK Addendum to the SCCs) for UK transfers — as described in our DPA. A copy of the relevant safeguards is available on request.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect.
14. Contact and Representatives
For privacy questions or requests, contact us at privacy@harnyss.ai.
UK Representative (UK GDPR Art. 27): to be appointed where required for UK or EEA data subjects; in the interim, please direct enquiries to privacy@harnyss.ai. EU Representative (EU GDPR Art. 27): to be appointed if and when EEA data subjects are in scope.