Legal
Privacy Policy
Last updated: May 15, 2026
Harbor (“we,” “us,” “our”) is a SaaS platform that helps independent commission artists run their business — taking client inquiries, managing the commission lifecycle, and collecting payments. This Privacy Policy explains what we collect, why, how it's used, and the choices you have.
Who this applies to
- Artists — the people who sign up to use Harbor as the seller of their creative work.
- Buyers— the artist's clients, whose information Harbor processes on the artist's behalf when they submit applications, pay deposits, or book calls.
What we collect
From artists
- Account info: name, email, password hash (via Clerk), profile details you choose to add.
- Connected service tokens: OAuth credentials for Discord, Instagram, Stripe, Google Calendar, Zoom, and similar — used to perform the actions you authorize.
- Business content: your bio, services, pricing, FAQ, knowledge base entries, voice profile, automated message templates, and anything else you enter into the dashboard.
- Usage data: pages visited, actions taken, errors encountered. Stored for product improvement and debugging.
From buyers (collected by the artist using Harbor)
- Contact info: name, email, optional handle (Instagram/Discord username).
- Application content: project briefs, reference images, custom requests.
- Payment info: never directly handled by Harbor — collected by Stripe under their privacy policy. Harbor stores the resulting transaction ID and amount only.
- DM thread history: when Harbor operates inside an artist's Discord or Instagram on their behalf, the resulting messages are stored to maintain conversation continuity.
How we use it
- To provide the service: matching applications to commissions, creating Stripe Checkout sessions, sending Discord DMs from the artist's connected account, scheduling calls on the artist's calendar, etc.
- To improve the product: aggregate usage analytics, debugging logs, identifying broken flows.
- To communicate with artists: setup help, product updates, billing notices. We do not market to buyers — buyers receive only transactional messages tied to specific commissions.
- For AI-assisted features (Sean advisor, automated conversational replies, intent classification): your business knowledge base and message history are sent to Anthropic for processing under their data handling terms. We do not use buyer data to train models.
Third parties we share with
- Stripe — for payment processing. Stripe handles all card data; Harbor never sees it.
- Clerk — authentication. Stores artist credentials.
- Anthropic— the AI provider behind Sean and Harbor's conversational replies. Conversation context is sent to Claude for processing.
- Resend — transactional email delivery.
- Discord, Meta (Instagram), Google, Zoom — when artists connect these, Harbor uses their APIs to perform authorized actions.
- Cloudflare R2 — object storage for reference images and other uploads.
- Sentry, PostHog — error monitoring and product analytics. PII is scrubbed before transmission.
- Supabase / Vercel / Railway — infrastructure hosts.
We do not sell your data. We do not share it with third parties for advertising purposes.
Mobile messaging (SMS)
When you text a business's Harbor number, we collect your mobile phone number and the contents of your messages in order to operate the SMS conversation — answering your questions, collecting project details, sending quotes and payment links, and providing order updates. This information is used only to deliver that messaging.
We do not sell or share your mobile phone number or SMS opt-in data with third parties or affiliates for their marketing or promotional purposes. Phone numbers and message content are shared only with our SMS carrier provider (Twilio) strictly to transmit the messages you exchange with the business. You can opt out at any time by replying STOP; reply HELP for help. Message and data rates may apply. See our Terms of Service for the full SMS program details.
Instagram and Meta Platform Data
When an artist connects their Instagram Business or Creator account to Harbor, we access data from Meta's Instagram Graph API on the artist's behalf. This section explains what we receive, how we use it, and how users can have it deleted. The data described here is “Platform Data” under Meta's Platform Terms, and we process it in accordance with Meta's Platform Terms, Developer Policies, and applicable law.
What we receive from Meta's APIs
- The artist's Instagram Business account ID, profile name, and the Facebook Page it is linked to (used to subscribe the Page to Harbor's message webhook).
- Incoming Instagram direct messages sent to the artist by buyers, including the message text, sender ID (Page-Scoped User ID), timestamp, and any attachments (images, voice notes, link previews).
- Outgoing messages Harbor sends on the artist's behalf in response to those conversations.
How we use Instagram data
- To auto-reply on the artist's behalf when a buyer DMs them about a commission (intake intent), with the disclosure required by Meta's policies that the message is automated.
- To create and update the corresponding application, commission, and message records in the artist's Harbor dashboard so they can manage the conversation in one place.
- To send status updates (deposit links, milestone notifications, delivery confirmations, review requests) back into the same Instagram DM thread the buyer started in.
- For AI-assisted reply generation: the recent message history of an Instagram thread is sent to our AI provider (Anthropic) so the bot can respond in the artist's voice and within their stated business knowledge. Buyer Instagram data is not used to train models.
How long we keep Instagram data
- As long as the artist's account is active and the Instagram integration is connected. If the integration is disconnected, Harbor stops processing new messages from that Instagram account immediately.
- Within 30 days of an account closure or data deletion request, all Instagram-derived message records and OAuth tokens tied to that account are permanently deleted (backups expire within 90 days).
Affiliation disclosure
Harbor is not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc., Facebook, or Instagram. “Instagram” and “Facebook” are trademarks of Meta Platforms, Inc.
How to request data deletion
If you are an Instagram user whose data Harbor has processed (for example, because you DM'd an artist who uses Harbor), you have three ways to request deletion of your data:
- Email us. Send a request to privacy@harborstudio.aifrom the email or Instagram handle you want removed. We'll confirm within 7 days and complete deletion within 30 days.
- Visit our data deletion instructions page. harborstudio.ai/data-deletion walks through every available option, including the Facebook Apps and Websites flow.
- Remove Harbor from your Facebook Apps.In Facebook Settings → Apps and Websites, click “Remove” next to Harbor. Meta will notify our automated data deletion callback and we'll permanently delete the associated Instagram identity, OAuth tokens, and DM records from our systems.
How long we keep it
- Active artist accounts: as long as the account is open.
- Closed accounts: 30 days after deletion request, then permanently deleted (with backups expired within 90 days).
- Buyer data: retained as long as the artist's account is active, since it's the artist's business record. Buyers can request deletion via the artist or directly via privacy@harborstudio.ai.
- Logs and analytics: 13 months max.
Your rights
- Access, correct, or delete your personal data — email privacy@harborstudio.ai.
- Export your data — available from Settings (limited initial scope; full export on request).
- Opt out of non-essential analytics — coming soon. Until then, contact us to opt out manually.
- EU/UK residents: you also have rights under GDPR (data portability, right to object, etc.). Contact us to exercise these.
- California residents: rights under the CCPA — same email address.
Security
Data in transit is encrypted via HTTPS. Data at rest is encrypted by our hosting providers (Supabase, R2). OAuth tokens are stored in our database; production access is restricted. We follow common-sense security practices, but no system is perfectly secure — if we ever suffer a breach affecting user data, we will notify affected users within 72 hours.
Children
Harbor is not directed at children under 13 (or under 16 in the EU). If you believe we have collected information from a child, contact us and we'll delete it.
Changes to this policy
We'll update this page when our practices change. Material changes will be communicated by email to artists at least 30 days before they take effect.
Contact
Questions, requests, complaints: privacy@harborstudio.ai.
See also: Terms of Service.