Privacy Policy

Last updated: November 7, 2026

Harbor (“we,” “us,” “our”) is a SaaS platform that helps independent commission artists run their business — taking client inquiries, managing the commission lifecycle, and collecting payments. This Privacy Policy explains what we collect, why, how it's used, and the choices you have.

Who this applies to

  • Artists — the people who sign up to use Harbor as the seller of their creative work.
  • Buyers — the artist's clients, whose information Harbor processes on the artist's behalf when they submit applications, pay deposits, or book calls.

What we collect

From artists

  • Account info: name, email, password hash (via Clerk), profile details you choose to add.
  • Connected service tokens: OAuth credentials for Discord, Instagram, Stripe, Google Calendar, Zoom, and similar — used to perform the actions you authorize.
  • Business content: your bio, services, pricing, FAQ, knowledge base entries, voice profile, bot message templates, and anything else you enter into the dashboard.
  • Usage data: pages visited, actions taken, errors encountered. Stored for product improvement and debugging.

From buyers (collected by the artist using Harbor)

  • Contact info: name, email, optional handle (Instagram/Discord username).
  • Application content: project briefs, reference images, custom requests.
  • Payment info: never directly handled by Harbor — collected by Stripe under their privacy policy. Harbor stores the resulting transaction ID and amount only.
  • DM thread history: when an artist's bot operates inside their Discord or Instagram, the resulting messages are stored to maintain conversation continuity.

How we use it

  • To provide the service: matching applications to commissions, creating Stripe Checkout sessions, sending Discord DMs from the artist's bot, scheduling calls on the artist's calendar, etc.
  • To improve the product: aggregate usage analytics, debugging logs, identifying broken flows.
  • To communicate with artists: setup help, product updates, billing notices. We do not market to buyers — buyers receive only transactional messages tied to specific commissions.
  • For AI-assisted features (Sean advisor, bot conversational replies, intent classification): your business knowledge base and message history are sent to Anthropic for processing under their data handling terms. We do not use buyer data to train models.

Third parties we share with

  • Stripe — for payment processing. Stripe handles all card data; Harbor never sees it.
  • Clerk — authentication. Stores artist credentials.
  • Anthropic — the AI provider behind Sean and the conversational bot. Conversation context is sent to Claude for processing.
  • Resend — transactional email delivery.
  • Discord, Meta (Instagram), Google, Zoom — when artists connect these, Harbor uses their APIs to perform authorized actions.
  • Cloudflare R2 — object storage for reference images and other uploads.
  • Sentry, PostHog — error monitoring and product analytics. PII is scrubbed before transmission.
  • Supabase / Vercel / Railway — infrastructure hosts.

We do not sell your data. We do not share it with third parties for advertising purposes.

How long we keep it

  • Active artist accounts: as long as the account is open.
  • Closed accounts: retained for 30 days after the deletion request, then permanently deleted (backups expire within 90 days).
  • Buyer data: retained as long as the artist's account is active, since it's the artist's business record. Buyers can request deletion via the artist or directly via privacy@harborstudio.ai.
  • Logs and analytics: 13 months max.

Your rights

  • Access, correct, or delete your personal data — email privacy@harborstudio.ai.
  • Export your data — available from Settings (limited initial scope; full export on request).
  • Opt out of non-essential analytics — coming soon. Until then, contact us to opt out manually.
  • EU/UK residents: you also have rights under GDPR (data portability, right to object, etc.). Contact us to exercise these.
  • California residents: rights under the CCPA — same email address.

Security

Data in transit is encrypted via HTTPS. Data at rest is encrypted by our hosting providers (Supabase, R2). OAuth tokens are stored in our database; production access is restricted. We follow common-sense security practices, but no system is perfectly secure — if we ever suffer a breach affecting user data, we will notify affected users within 72 hours.

Children

Harbor is not directed at children under 13 (or under 16 in the EU). If you believe we have collected information from a child, contact us and we'll delete it.

Changes to this policy

We'll update this page when our practices change. Material changes will be communicated by email to artists at least 30 days before they take effect.

Contact

Questions, requests, complaints: privacy@harborstudio.ai.


See also: Terms of Service.