Privacy Policy

7G TechLabs Inc., doing business as “Harnyss AI” and “Harnyss” (“Harnyss”, “we”, “us”) operates a bring-your-own-key (BYOK) platform for autonomous business operations. This policy explains what data we collect, why we collect it, and how we handle it. We've written it to be readable, not to bury things in legalese.

By using Harnyss, you agree to the practices described here. If you don't agree, please don't use the service.

Account data. When you sign up, we collect your name, email address, and company name. If you add payment details, those are handled by Stripe — we never see raw card numbers.

Usage data. We log which features you use, agent actions taken, workflow runs, credit consumption, and approval events. This powers your audit trail and our product analytics.

Technical data. IP addresses, browser type, device identifiers, and error logs collected automatically when you use the platform.

Connected-account data.When you connect a third-party account (Google, etc.), we receive the data scoped by the permissions you grant during OAuth. The full list of Google scopes and what each is used for is in the “Google APIs and user data” section below.

What we do NOT collect. We do not store your LLM API keys persistently. We do not intercept or log model traffic between your agents and your LLM provider. We do not have access to the content of your LLM calls.

We use collected data to provide and improve the Harnyss platform, send transactional and product communications, generate your usage reports and audit logs, detect and prevent abuse, and comply with legal obligations.

We do not sell your data. We do not use your data to train AI models — ours or anyone else's. We do not share your data with third parties except as described below.

We work with a small number of sub-processors to operate the platform. Each is bound by data processing agreements that restrict how they may use your data.

• Anthropic — LLM provider that processes prompts and responses passed through the Harnyss agent runtime.
• Supabase — Postgres database, authentication, and OAuth token storage.
• Railway — application hosting and runtime infrastructure.
• Resend — transactional email delivery (account notifications, agent-triggered email actions).
• Sentry — error monitoring and stack-trace capture. Stack traces may include incidental context from any code path that errors, including those touching connected-account data.
• Stripe — payment processing. Stripe never sees agent data; only billing details.

An up-to-date sub-processor list is available on request at privacy@harnyss.ai.

If you connect a Google account to Harnyss, this section governs how we handle data accessed via Google APIs.

Google User Data and Limited Use. Harnyss's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide and improve user-facing features that are visible in the Harnyss application.
• We do not transfer Google user data to third parties except (a) as necessary to provide or improve those features, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets with notice to users.
• We do not use Google user data for serving advertisements, including retargeting or personalised / interest-based advertising.
• We do not allow humans to read Google user data, except (a) with the user's affirmative consent for specific data, (b) for security purposes (e.g., investigating abuse), (c) to comply with applicable law, or (d) where the data is aggregated and used for internal operations in compliance with the Limited Use policy.

Google services we connect to and why. Harnyss requests only the scopes required to deliver the agent capabilities you have enabled. Each scope is tied to a specific user-facing feature, and we ask for the narrowest version of each scope that lets the feature work.

• Calendar (auth/calendar) — read and create events for scheduling agents and meeting-reminder workflows you ask an agent to run on your behalf.
• Google Docs (auth/documents) — read documents you provide as agent context and create new Docs (briefs, blog drafts, reports) when an agent's task produces a written deliverable.
• Google Sheets (auth/spreadsheets) — read sheets you provide as agent context and create new Sheets (reports, exports, structured data) when an agent's task produces a tabular deliverable.
• Drive (auth/drive.file) — non-sensitive scope that limits Harnyss to files we create on your behalf and files you explicitly open with Harnyss. We do not have access to the rest of your Drive.
• Gmail (auth/gmail.send) — send outbound email on your behalf when you explicitly direct an agent to send a specific message (for example, a customer follow-up generated at the end of a workflow, or a transactional notification you have configured an agent to send). This is the narrowest Gmail scope available. Harnyss does not read your inbox, does not access existing drafts, and does not modify existing messages.
• Google Analytics (auth/analytics.readonly) — read GA4 metrics (traffic, conversions, audience, real-time activity) so reporting agents can summarise site performance and surface alerts.
• Google Ads (auth/adwords) — read campaign performance and, where you authorise it, make campaign changes when an ad-management agent acts on your behalf.
• Identity baseline (openid, email, profile) — identify you when you sign in to Harnyss with Google.

Storage, sharing, and transfer. OAuth refresh tokens are stored encrypted at rest using AES-256-GCM in our primary Postgres database (Supabase, hosted in AWS us-east-1). We only decrypt them in memory at the moment an agent needs to make a Google API call on your behalf — they are never written to logs, task payloads, or any client-facing response.

For files an agent creates in your Google account (Docs, Sheets, or Drive files), we store metadata only — the file ID, title, owning workspace, and creation timestamp. The file content stays in your Google Drive.

We do not store Gmail message content on Harnyss servers. When an agent sends an email via auth/gmail.send, the message is handed off to Gmail and we do not retain the body, the recipient list, or a draft copy on our side. The fact that an outbound send occurred is recorded in your workspace audit log so you can see what an agent did on your behalf.

Google data is never sold, shared with advertisers, or used to train any machine-learning model — ours or anyone else's.

Sub-processors with access to Google data are: Anthropic (processes prompts that may contain Google-derived content), Supabase (database hosting and OAuth token storage), Railway (application hosting and runtime), Resend (transactional email delivery, used only when an email-based agent action requires it), and Sentry (error monitoring; stack traces from code paths that handle Google data may incidentally include Google-derived context).

Revoking access and deletion.You can revoke Harnyss's access to your Google account at any time at https://myaccount.google.com/permissions. When you disconnect an integration or delete your workspace, we delete the associated OAuth tokens immediately and purge cached Google data within 30 days.

Account and usage data is retained for the life of your account plus 90 days after deletion. Audit logs are retained for 12 months on the Growth plan and 24 months on Scale and Enterprise. Cached data from connected third-party accounts (including Google) is purged within 30 days of disconnection or workspace deletion. You can request deletion at any time.

Depending on your location, you may have rights to access, correct, delete, or export your personal data; object to or restrict certain processing; and lodge a complaint with a supervisory authority.

To exercise any of these rights, email privacy@harnyss.ai. We respond within 30 days.

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access to production systems is restricted by role and audited. We are actively pursuing SOC 2 Type II certification. See our Security page for full details.

We'll notify you of material changes by email and by updating the date at the top of this page. Continued use of the service after changes constitutes acceptance.

Questions about this policy? Email privacy@harnyss.ai.