Privacy Policy
Last updated: 12 April 2026
Effective date: 12 April 2026
1. Who We Are
HararAI ("HararAI," "we," "us," or "our") is an Australian business that provides an AI-native business operating system for local service businesses. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you visit hararai.com, sign up for an account, use our platform, or interact with our services.
For the purposes of the Australian Privacy Act 1988 (Cth) and the General Data Protection Regulation (GDPR), HararAI acts as a "data controller" for personal information relating to our customers and website visitors, and as a "data processor" for end-user data our customers upload, import, or capture through the platform (e.g., their contacts, leads, conversations).
2. Information We Collect
Information you provide:
- Account information: name, email, phone number, business name, industry, password (stored hashed)
- Payment information: handled directly by Stripe, Inc. We never store credit card numbers; we receive only a tokenized reference and transaction metadata
- Business data you import into the platform: contacts, appointments, pipeline records, CRM notes, uploaded files
- Communications: messages, emails, SMS, and voice calls you send or receive through our platform, including recordings and transcripts of AI-handled calls
- Content you publish: social media posts, ad creatives, campaign copy, images, and videos
Information from connected third-party accounts (OAuth):
If you connect a third-party account to HararAI, we collect only the data required to deliver the feature you enabled. Specifically:
- Meta (Facebook, Instagram, WhatsApp): Pages you manage, posts and insights, direct messages, Instagram Business account details, Facebook Lead Ads submissions, WhatsApp Business phone numbers and conversations, ad account performance data, and access tokens. This data is collected and used in accordance with the Meta Platform Terms and Meta Developer Policies.
- Google: Profile information, Google Business Profile listings and reviews, Google Ads accounts and campaign performance, Google Calendar events, Google Analytics data (when authorized by you)
- LinkedIn: Your professional profile, Company Pages you administer, and permission to publish content to LinkedIn on your behalf
- Other integrations (QuickBooks, Xero, Stripe Connect, etc.): limited to the specific scopes you authorize during connection
Automatically collected information:
- Device and technical data: IP address, browser type and version, operating system, referring URLs, timestamps
- Usage data: pages visited, features used, clicks, session duration
- Cookies and similar technologies (see Section 7)
3. How We Use Your Information
We use personal information to:
- Provide, operate, and improve the HararAI platform
- Authenticate you and secure your account
- Process payments, manage subscriptions, and send billing notifications
- Operate AI-powered features, including the AI phone agent, conversation analysis, auto-drafted replies, lead scoring, and content generation
- Deliver messages (email, SMS, voice, social media DMs, WhatsApp) on your behalf
- Publish content (social posts, ads, review responses) to your connected accounts at your instruction
- Provide customer support and respond to your inquiries
- Send transactional and service-related notifications
- With your consent, send marketing communications about new features, pricing updates, and educational content (you can opt out at any time)
- Monitor platform health, detect and prevent abuse, fraud, and security incidents
- Comply with legal obligations and respond to lawful requests
Legal basis (GDPR): We process personal data under one or more of the following bases: performance of a contract, legitimate interests (e.g., platform security, fraud prevention), your consent, and compliance with legal obligations.
4. AI Features, Call Recording, and Voice Data
Our AI phone agent handles inbound and outbound calls on behalf of your business. When this feature is enabled:
- The AI agent discloses at the start of every call that the caller is speaking with an AI assistant and that the call may be recorded
- All AI-handled calls are recorded and transcribed for service delivery, quality assurance, and compliance
- Recordings and transcripts are stored securely in encrypted storage and associated only with your organization's workspace
- Voice data is processed by Twilio (telephony infrastructure), Vapi.ai (managed voice platform), and Anthropic (Claude AI for reasoning and dialogue). Each provider is contractually bound by data processing agreements
- You are responsible for ensuring that call recording complies with the laws of every jurisdiction in which calls originate or are received (e.g., one-party or two-party consent requirements)
- Callers can opt out of AI handling and be transferred to a human at any time; they can also request that their call recording be deleted by emailing privacy@hararai.com
5. Meta Platform Data (Facebook, Instagram, WhatsApp)
When you connect a Meta account to HararAI, we access and process only the data you have explicitly authorized through Facebook Login and Meta's permission system. We comply with all applicable Meta Platform Terms, Developer Policies, and the Meta Data Use Policy.
- We do not sell, rent, or transfer Meta data to any data broker, ad network, or third party
- We do not use Meta data to build advertising profiles, train general-purpose AI models, or enrich identity datasets
- We store Meta access tokens in encrypted form and refresh them as needed only to maintain the features you have enabled
- You can revoke our access at any time via Facebook Business Integrations. Upon revocation or deletion request, all associated Meta data is removed from our systems within 30 days
6. Payment Processing (Stripe)
All payment processing is handled by Stripe, Inc. When you enter payment information, it is transmitted directly to Stripe's PCI-DSS-compliant infrastructure. HararAI receives only a tokenized reference (a payment method ID), the last four digits of the card, and basic transaction details (amount, date, status). We never store, process, or have access to full payment card numbers, CVV codes, or bank account credentials. Stripe's privacy practices are governed by the Stripe Privacy Policy.
7. Cookies and Similar Technologies
We use first-party cookies and similar technologies (local storage, session storage) to:
- Maintain your authenticated session
- Remember your preferences and interface settings
- Measure and analyze platform usage so we can improve it
- Prevent fraud, spam, and abuse
We do not use third-party advertising cookies on the logged-in platform. Our marketing website may use analytics cookies (e.g., PostHog, Plausible) to understand traffic patterns; these are configured with IP anonymization where supported. You can control or delete cookies via your browser settings.
8. Third-Party Sub-Processors
We engage the following sub-processors to deliver the platform. Each is contractually bound by a Data Processing Agreement that requires equivalent data protection standards:
- Stripe, Inc. — payment processing
- Twilio, Inc. — voice calls, SMS, and WhatsApp infrastructure
- Vapi.ai — managed AI voice platform
- Anthropic PBC — Claude AI model access
- Google LLC — OAuth, Google Workspace APIs, Google Calendar, Google Business Profile, Google Ads, Google Analytics
- Meta Platforms, Inc. — Facebook, Instagram, and WhatsApp API access
- LinkedIn Corporation — LinkedIn API access
- Resend, Inc. — transactional email delivery
- Vercel Inc. — front-end hosting and CDN
- Railway Corp. — back-end hosting, compute, and managed PostgreSQL
- Cloudflare, Inc. — DNS, DDoS protection, and edge security
A current list of sub-processors is maintained on this page. We will notify customers in advance of adding or replacing any sub-processor that handles personal data.
9. International Data Transfers
HararAI is based in Australia. Some sub-processors are located in the United States, the European Union, and other jurisdictions. Where we transfer personal data internationally, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms under the Australian Privacy Act's Australian Privacy Principle 8.
10. Data Retention
- Account and business data is retained for the duration of your subscription
- After account cancellation, data is retained for 30 days in cold storage to allow reactivation, then permanently deleted
- Invoices and payment records are retained for 7 years to comply with Australian Taxation Office obligations
- Call recordings and AI transcripts are retained for 12 months by default; you can configure a shorter retention window in your workspace settings
- Backups are retained for 30 days on a rolling basis and are encrypted at rest
- You may request earlier deletion at any time (see Section 13)
11. Data Security
We implement industry-standard technical and organizational measures to protect your data, including TLS 1.2+ for data in transit, AES-256 encryption at rest, secure password hashing (bcrypt/argon2), multi-factor authentication, strict role-based access controls, database-level tenant isolation, regular security audits, automated vulnerability scanning, and least-privilege engineering access with audit logging. While no system can guarantee absolute security, we continuously invest in hardening our infrastructure.
12. Data Breach Notification
In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme. EU/UK individuals will be notified in accordance with Articles 33 and 34 of the GDPR within 72 hours of becoming aware of the breach, where feasible.
13. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data (see our Data Deletion Instructions)
- Export your data in a portable, machine-readable format (JSON or CSV)
- Restrict or object to processing in certain circumstances
- Withdraw consent where processing is based on consent
- Opt out of marketing communications at any time via the unsubscribe link in any marketing email or by contacting us
- Lodge a complaint with a supervisory authority — the OAIC in Australia (oaic.gov.au) or your local EU/UK Data Protection Authority
To exercise any of these rights, email privacy@hararai.com. We respond within 30 days (or sooner, where law requires).
14. Children's Privacy
The HararAI platform is intended for business use and is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we discover that we have collected such information, we will delete it promptly. If you believe a child has provided us with personal data, contact us at privacy@hararai.com.
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, law, or platform. Material changes will be communicated by email or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
16. Contact Us
For any privacy-related questions or to exercise your rights, contact our Data Protection Officer:
- Email: privacy@hararai.com
- General support: support@hararai.com
- Postal: HararAI, Australia (full address on request)