Privacy Policy

Last updated: February 1, 2026

This Privacy Policy explains how Harmny Inc. ("Harmny," "we," "us," or "our") collects, uses, discloses, and protects information about you when you use our website, platform, and related services (collectively, the "Services"). By using our Services, you agree to the practices described in this policy.

1. Information We Collect

We collect information in three ways: information you provide directly, information we collect automatically, and information we receive from third parties.

Information you provide:

• Account registration data: name, work email address, job title, and organization name
• Profile information: photo, biography, and career history you choose to add
• Performance and career data: goals, reviews, ratings, and feedback entered into the platform
• Communications: messages you send to our support team or through in-platform messaging
• Payment information: billing address and payment card details (processed by our payment provider; we do not store raw card numbers)

Information collected automatically:

• Log data: IP address, browser type, operating system, referring URLs, and pages visited
• Device identifiers and session tokens
• Usage data: features accessed, actions taken, and timestamps
• Cookies and similar tracking technologies (see our Cookie Policy)

Information from Google:

If you choose to sign in with Google, connect your Google Calendar, or connect your Google Search Console account, we receive the following data from Google:

• Google Sign-In: your Google account email address, display name, and profile picture (via the openid, email, and profile scopes). This data is used solely to create or authenticate your Harmny account.
• Google Calendar: if you optionally connect your Google Calendar, we access your calendar events (via the calendar.events scope) to sync 1:1 meetings between Harmny and your Google Calendar. We create, update, and delete calendar events only for meetings you schedule within Harmny. We also read calendar events to display your upcoming schedule within the platform. Calendar data is not stored permanently — only a refresh token is stored to maintain the connection. You can disconnect your Google Calendar at any time from your account settings, which immediately deletes the stored refresh token.
• Google Search Console: if you optionally connect Google Search Console to power organic-search analytics in the Tasks app, we access read-only Search Console data (via the webmasters.readonly scope) for the sites you choose to enable. The data we read is limited to: aggregate search analytics (clicks, impressions, CTR, average position) broken down by the dimensions you select per connector (query, page, country, device, search type), plus the list of Search Console properties you own so you can pick which site to connect. We use this data only to display it inside your organization's own reports in Harmny. We backfill up to 90 days of history on the first connection and then sync daily. Raw dimension rows are retained for 12 months on a rolling window; aggregated daily values are retained for the life of the connector. We store an encrypted refresh token (AES-256-GCM) to maintain the connection — your Google account password and access token are never persisted. We do not modify any data in your Search Console account, do not access any other Google products via this connection, and do not share Search Console data with any third party. You can disconnect at any time via Tasks → Integrations; disconnecting calls Google to revoke the refresh token, deletes the local credential record, and stops further syncing.

Harmny's use and transfer of information received from Google's OAuth-protected APIs — specifically the Google Sign-In, Google Calendar (calendar.events), and Google Search Console (webmasters.readonly) scopes described above — adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google data for advertising, do not sell it to third parties, and do not use it to train AI models.

Public data sources:

Harmny also optionally reads publicly available business data from Google's Places API (New) when an org admin adds a "Google Business — Reviews" connector to a report. For each Place ID the admin configures, we read four fields: display name, total review count, average star rating, and business status (operational / closed). This is the same data that Google Maps shows publicly for the business; no user identity or private information is involved on Google's side. We capture a snapshot on the schedule your organization configures (default: once per day) and store the snapshots inside your organization's own reports.

Authentication for the Places API is via a Google Cloud API key the admin provides; the key is encrypted at rest with AES-256-GCM and can be rotated or removed at any time via Tasks → Integrations. We do not modify any data in Google Business Profile, do not write any data back to Google, and do not share Places API data with any third party. Because this is a public-data API and no user identity is involved on Google's side, the Limited Use requirements described above apply only to the OAuth-protected Sign-In, Calendar, and Search Console scopes — not to the Places API.

Information from Yandex Metrica:

If you optionally connect Yandex Metrica to power web-analytics reports in the Tasks app, we access your Yandex account data under the metrika:read scope. The data we read is limited to: aggregate daily statistics (sessions, unique users, pageviews, bounce rate, average session duration) for the Metrica counters you select. We use this data only to display it inside your organization's own reports in Harmny. We backfill up to 90 days of history on the first connection and then sync daily. Daily metric values are retained for the life of the connector. We store an encrypted refresh token (AES-256-GCM) to maintain the connection — your Yandex password and access token are never persisted. We do not modify any data in your Yandex Metrica account and do not share Yandex Metrica data with any third party. You can disconnect at any time via Tasks → Integrations; disconnecting calls Yandex to revoke the token, deletes the local credential record, and stops further syncing.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Harmny platform
• Process transactions and send related billing information
• Send administrative messages, including product updates, security alerts, and support responses
• Send marketing communications where you have opted in or where permitted by law
• Monitor and analyze usage patterns to improve product performance and user experience
• Detect, prevent, and respond to fraud, abuse, or security incidents
• Comply with legal obligations and enforce our Terms of Service

We do not use your data to train AI models or sell it to third parties for advertising purposes.

3. How We Share Your Information

We may share your information with:

• Your organization: data you enter into Harmny is visible to authorized personnel in your organization according to the role-based permissions your administrator configures
• Service providers: trusted sub-processors who help us deliver the Services (cloud hosting, email delivery, payment processing, error monitoring). All sub-processors are contractually bound to protect your data
• Legal requirements: when required by law, court order, or to protect the rights, property, or safety of Harmny, our customers, or the public
• Business transfers: in connection with a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before this occurs

4. Data Retention

We retain your personal data for as long as your organization maintains an active Harmny account. If your account is closed or your organization cancels its subscription, we will provide a data export and permanently delete all personal data within 30 days of the account closure date, unless a longer retention period is required by applicable law.

Anonymized, aggregated data (such as usage statistics) may be retained indefinitely as it cannot be used to identify you.

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you
• Correction: request that we correct inaccurate or incomplete data
• Deletion: request that we delete your personal data, subject to legal retention requirements
• Portability: receive your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interests
• Restriction: request that we restrict processing in certain circumstances
• Opt-out: unsubscribe from marketing emails at any time via the unsubscribe link in each message
• Revoke Google access: disconnect your Google Calendar from Harmny at any time via Settings → Integrations; disconnect Google Search Console accounts or delete saved Google Places API keys via Tasks → Integrations. You can also revoke Harmny's OAuth access from your Google Account permissions page. Revoking or deleting immediately stops all syncing and removes the stored credentials (encrypted refresh token or API key). Already-imported data is retained in your reports until you remove the connector or delete the data points; Search Console raw dimension rows automatically expire after 12 months.
• Revoke Yandex access: disconnect Yandex Metrica accounts at any time via Tasks → Integrations. Disconnecting calls Yandex to revoke the refresh token and deletes the local credential record. You can also revoke Harmny's access from your Yandex Account settings. Already-imported metric data is retained in your reports until you remove the connector.

To exercise these rights, contact us at [email protected]. We will respond within 30 days. Some requests may need to be directed to your organization's Harmny administrator, as Harmny acts as a data processor on behalf of your employer.

6. Security

We implement industry-standard technical and organizational measures to protect your data, including TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access controls, and regular third-party security audits. For full details, see our Security page.

7. International Transfers

Harmny is based in the United States. If you are located outside the US, your data may be transferred to and processed in the United States or other countries. For transfers from the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Enterprise customers may request a data residency configuration for EU data to remain in our EU region.

8. Children

Harmny is designed for professional use by adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a notice in the platform at least 30 days before the changes take effect. Continued use of our Services after the effective date constitutes your acceptance of the updated policy.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact:

• Email: [email protected]
• EU Representative: Harmny EU Ltd., Am Hauptbahnhof 12, 60329 Frankfurt am Main, Germany