
Privacy Policy (Harry AI)

Last updated: 14 January 2026

Applies to: the Harry AI web app and related services (the "Service")

  1) Who we are (Data Controller)

    Harry AI B.V. ("Harry AI", "we", "us") is the controller of your personal data.

    • Trade name: Harry AI
    • Company: ME Strategy
    • Address: Van Nelleweg 1, Rotterdam, The Netherlands
    • Email: privacy@askharry.org
    • KvK: 71602615
  2) What this policy covers

    This policy explains how we collect, use, share, and protect personal data when you create an account, use the Service (chat, documents, web access, audio notes), and manage billing.

  3) What data we collect

    We collect data you provide, data created through your use of the Service, and limited technical data.

    A. Account data

    • Email address
    • Name (if provided)
    • Password (stored in hashed form via our authentication provider)
    • Organization/workspace identifiers

    B. Customer Content (workspace content)

    • Chat messages and conversation history
    • Documents you upload or add by URL
    • Notes and transcripts you upload or generate (e.g., audio meeting notes)
    • Prompts, instructions, and files you submit for processing

    C. Usage & billing data

    • Credit usage events, feature usage, timestamps
    • Subscription plan, invoice metadata
    • Billing details such as billing address and VAT number (if provided)

    D. Technical data

    • IP address, approximate location (country/region), device and browser information
    • Logs needed for security, debugging, and preventing abuse
    • Session identifiers and authentication tokens

    E. Cookies

    • We use essential cookies only (see section 12).
  4) Why we process data (purposes)

    We process your data to:

    • Provide and operate the Service (chat, RAG, URL fetching, search, transcription)
    • Authenticate users and keep you signed in
    • Maintain projects/workspaces and your content
    • Meter usage, enforce plan limits, and apply credit rollovers
    • Process payments and manage subscriptions
    • Provide customer support and service communications (e.g., billing, system notices)
    • Improve performance, reliability, and safety of the Service
    • Prevent fraud, abuse, and security incidents
    • Comply with legal obligations (e.g., accounting and VAT)
  5) Legal bases under GDPR

    We rely on the following legal bases (GDPR Article 6):

    • Contract performance (Art. 6(1)(b)): to deliver the Service you sign up for
    • Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse, improve reliability and user experience
    • Consent (Art. 6(1)(a)): for marketing communications where required (you can opt out anytime)
    • Legal obligation (Art. 6(1)(c)): to meet accounting/tax and regulatory requirements
  6) AI processing and how your content is used

    When you use the Service, your inputs (and relevant workspace context, such as selected documents) may be sent to AI and processing providers to generate outputs (e.g., answers, summaries, structured notes).

    We process Customer Content only to provide the requested features (e.g., answering a question, summarizing a PDF, transcribing an audio file).

    Depending on your configuration and feature use (e.g., web search), data may be processed by third parties listed below.

    Your Customer Content (chat messages, documents, notes) is NOT used to train AI models. We use enterprise API tiers and data processing agreements that contractually prohibit training on your data. Where providers offer zero-retention endpoints, we use those. Note: When you use web search features, your query may be processed by third-party search providers (Perplexity/Parallel) whose data practices are subject to their own policies.

  7) Third-party processors (subprocessors)

    Harry AI is built with EU data residency as a core principle. All customer workspace data and AI processing occurs within the EU.

    Non-EU processing (optional features only):

    • Web search: US-based search providers (only when web search feature is used)

    Your workspace data (chat history, documents, audio notes, transcripts) is stored and processed exclusively in EU data centers. When you use AI features (chat, document analysis, transcription), all processing occurs in the EU.

    Web search is the only feature that sends queries outside the EU.

    For Data Processing Agreements and subprocessor details, contact privacy@askharry.org.

  8) International data transfers

    Some providers may process data outside the EEA (for example, certain web search services or model endpoints). Where international transfers occur, we use appropriate safeguards such as:

    • Standard Contractual Clauses (SCCs)
    • Additional technical and organizational measures (e.g., encryption in transit)
    • Vendor assessments and contractual controls where feasible
  9) Data retention

    We keep data only as long as necessary for the purposes described:

    • Chat history & workspace content: retained until you delete it or delete your account
    • Documents: retained until you delete them (or delete your account)
    • Audio notes / transcripts / generated notes: retained until deleted (or account deletion)
    • Credit usage logs & billing records: typically retained for 7 years (tax/accounting compliance)
    • Deleted accounts: we aim to delete or anonymize personal data within 30 days, except where we must retain certain records for legal obligations (e.g., invoices)
  10) Your GDPR rights (Articles 15-22)

    You have the right to:

    • Access your data
    • Correct inaccurate data
    • Delete your data ("right to be forgotten")
    • Restrict processing
    • Data portability (export)
    • Object to processing based on legitimate interests
    • Withdraw consent (where processing is based on consent)
    • Lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens

    To exercise rights: privacy@askharry.org

    Response time: within 30 days (may be extended where legally permitted)

  11) Security measures

    We use technical and organizational measures appropriate to the risk, including:

    • Encryption in transit (TLS) and encryption at rest where supported by our infrastructure/providers
    • Role-based access controls and least-privilege internal access
    • Environment segregation and secure secret handling
    • Logging and monitoring to detect abuse and security incidents
    • Incident response procedures

    No system is 100% secure; however, we work to continuously improve security.

    Data breach notification:

    In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (Autoriteit Persoonsgegevens) as required by GDPR (typically within 72 hours of becoming aware of the breach). We will provide information about the nature of the breach, potential consequences, and measures taken to address it.

  12) Cookies and similar technologies

    We use essential cookies only to:

    • Maintain your authenticated session (stay signed in)
    • Protect against common web attacks (e.g., CSRF)
    • Provide core app functionality

    We do not use marketing cookies or tracking cookies for advertising. If we add optional analytics in the future, we will update this policy and obtain consent where required.

  13) Children's privacy

    The Service is intended for business users aged 18+. We do not knowingly collect data from children under 18.

  14) Changes to this policy

    We may update this policy from time to time. If changes are material, we will notify you (e.g., via email or in-app). Continued use of the Service after the effective date means you accept the updated policy.

  15) Contact

    Privacy questions or requests: privacy@askharry.org

    • Trade name: Harry AI
    • Company: ME Strategy
    • Address: Van Nelleweg 1, Rotterdam, The Netherlands
    • KvK: 71602615
    • Privacy Officer: Privacy Team

    For Terms & Conditions, see /terms.