Privacy Policy
Last updated: 24 June 2026.
This policy explains what personal data Harnests collects, how we use it, who we share it with, where it's stored, and what rights you have. It is written for visitors and customers anywhere in the world but is primarily designed around the UK GDPR and the Data Protection Act 2018. Where you live elsewhere, equivalent rights under your local law also apply.
Who is the controller
Harnests (harnests.com) is operated by [Operator Full Name], a sole trader based in the United Kingdom. The operator is the data controller for personal data you submit through this site.
Contact for any privacy question, request, or complaint: hello@harnests.com.
What we collect and why
We try to collect as little as possible. The categories are:
Account data. Email address, a salted password hash (Argon2id), display name, and account creation timestamp. Lawful basis: contract (we need this to give you an account).
Job inputs. The text and form fields you submit when running an AI job — for example, the brief you type into a "LinkedIn headline" tool. Lawful basis: contract (we need this to run the job you paid for).
Job outputs. The AI-generated result returned to you. We store these so you can copy them again later from your account. Lawful basis: contract.
Order and billing data. Order id, job slug, amount in GBP, status, and a payment-processor reference. We do not store full card numbers or CVV — those go directly to our payment processor (see "Sub-processors" below). Lawful basis: contract + legal obligation (tax and accounting records).
Technical data. When you make a request, your browser sends an IP address and user-agent string. We use these in-memory to rate-limit abusive traffic. Our hosting provider keeps standard access logs on our behalf for a short period for security and debugging. Lawful basis: legitimate interests (operating and securing the service).
We do not use advertising trackers, third-party analytics SDKs that build cross-site profiles, or any cookie that isn't essential to the service. We do not sell personal data and we do not share it with data brokers. We do not make automated decisions about you that produce legal or similarly significant effects (UK GDPR Article 22).
How AI providers use your inputs
Harnests runs your jobs on third-party AI APIs. Depending on the SKU, your inputs and outputs may be sent to any of the providers listed under "Sub-processors" below. The provider processes the input to produce the output and returns it to us. We do not train AI models ourselves, and we do not give any third party permission to train their public models on your inputs. Each provider's standard API terms set their own retention period for abuse-monitoring (typically up to 30 days); see each provider's privacy notice (linked at their own site) for detail.
Sub-processors
We use a small number of third parties to operate the service. Each is a "sub-processor" under data-protection terminology. Different jobs in the catalogue route to different providers; the runtime may also fall back from one provider to another if a request fails.
Anthropic, PBC (United States) — text generation (Claude).
OpenAI, OpCo, LLC (United States) — text and image generation (GPT and DALL·E).
Google LLC (United States) — text generation (Gemini, via the Google AI Studio REST API).
Groq, Inc. (United States) — text generation (Llama, served on Groq's inference hardware).
fal.ai, Inc. (United States) — image generation (Flux family).
Together Computer, Inc. (United States) — text and image generation fallback (Llama and Flux family).
Razorpay Software Limited (formerly Razorpay Software Private Limited; India) — payment processor. Razorpay handles card details directly via PCI-DSS compliant tokenisation; we never see card numbers. We receive only a payment reference, the amount, and the status.
Cloud hosting and email. We use standard hosting, database, and transactional-email providers to serve the site and send receipts. Current providers and their locations can be obtained on request from hello@harnests.com and we will keep this page updated if the list materially changes.
International transfers
Because Harnests is operated by a UK sole trader, uses US-based AI providers, and processes payments through an Indian payment processor, your data necessarily crosses borders. We rely on the transfer mechanisms permitted under UK GDPR Articles 45 and 46.
For transfers from the UK to the United States, we rely, in each case, on whichever of the following applies to the particular provider: (a) the provider's certification under the UK Extension to the EU-US Data Privacy Framework, where available; or (b) the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK Addendum, executed as part of the provider's standard data-processing terms. We carry out a transfer-risk assessment before adopting each provider.
For transfers from the UK to India (Razorpay), we rely on the UK IDTA or equivalent contractual safeguards together with Razorpay's obligations under the Indian Digital Personal Data Protection Act 2023 and the PCI-DSS standard as a regulated payment processor. The only data that leaves the UK for India is the limited information Razorpay needs to take a payment.
We minimise what is sent in each case (no card data leaves Razorpay, no billing data is sent to AI providers).
How long we keep things
Job inputs and outputs: kept against your account so you can re-copy them. If you close your account (by emailing the address below), your inputs and outputs are deleted within 30 days.
Account data: kept while your account is open. After closure, deleted within 30 days except where retention is required by law.
Order and billing records: retained for 6 years after the end of the relevant tax year, as required by UK HMRC tax rules.
Server and security logs: kept by our hosting provider for a short window for security and debugging (typically up to 90 days), then rotated.
Your rights
Wherever you are based, you can ask us to:
Confirm what personal data we hold about you and get a copy of it; correct anything inaccurate; delete your account and associated job history; restrict or object to certain processing; export your data in a portable form; withdraw consent where we relied on consent (this won't affect processing already done).
To exercise any of these, email hello@harnests.com. We'll respond within 30 days. We don't charge for these requests unless they are manifestly unfounded or excessive.
If you are in the UK or EU/EEA and aren't happy with our response, you can complain to the UK Information Commissioner's Office (ico.org.uk) or your local data-protection authority. If you are in India, you may contact the Data Protection Board of India under the Digital Personal Data Protection Act 2023.
Cookies
We use a single strictly-necessary cookie (harnests_session) to keep you signed in. It is HTTP-only, SameSite=Lax, and (in production) Secure. We don't use advertising cookies, third-party analytics cookies, or any non-essential tracker. No consent banner is required under the UK Privacy and Electronic Communications Regulations for strictly-necessary cookies, but if we ever add anything else (for example, a first-party analytics tool), we'll ask first.
Children
Harnests is not directed at children under 13 (or under 16 in the EU/EEA). We don't knowingly collect personal data from anyone in that age range. If you believe a child has signed up, contact us and we'll delete the account.
Security
Data in transit is protected with TLS. Passwords are stored as salted Argon2id hashes, never in plain text. Access to production systems is limited to the operator. Where our hosting and database providers offer encryption at rest and encrypted backups by default, we rely on those provider-level controls. No system is perfect — if you spot a security issue, please email hello@harnests.com and we'll respond promptly.
Changes
If we change this policy in a way that affects how we handle data we've already collected, we'll email account holders and post the change here with a new "last updated" date.