Overview
Harbor Light is an AI-powered email monitoring and protection service delivered via Telegram and SMS. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
We built Harbor Light with the same care we'd want for our own family. Your privacy and safety are at the core of everything we do.
Information We Collect
Account Information
When you are enrolled in Harbor Light (by invitation from an administrator, family member, or staff), we collect:
- Display name
- Phone number (for SMS users, used to deliver text messages to you) or Telegram chat ID (for Telegram users)
- Timezone and city/state (for scheduling and weather)
- Date of birth (optional, for personalization)
- Language preference
Email Account Access
When you connect an email account, we request access through OAuth — the same secure sign-in protocol used when you sign in to apps with Google or Microsoft. For Gmail and Outlook accounts, your email password is never sent to or stored on our servers. For other email providers (such as Yahoo, iCloud, or work email) that do not support OAuth, we store your IMAP/SMTP credentials encrypted at rest using industry-standard encryption.
We request only the permissions necessary to provide the service:
- Read your emails — to analyze incoming messages for threats
- Move emails — to quarantine dangerous messages into a separate folder or label; if you choose, to tidy newsletters and promotions into their own folder; and, if you opt in, to move older messages out of the Promotions and Quarantine folders to your email provider's Trash on a schedule you select (recoverable per your provider's normal Trash retention)
- Send email on your behalf — replies, forwards, new messages, and unsubscribe-by-email requests, all sent from your account at your direction (Grace always asks before sending)
- Access your calendar — to read and create events from email invitations
The specific permissions requested are shown during the sign-in process by Google or Microsoft, and you can review them before granting access.
Conversation History
Messages you exchange with your AI companion, Grace, are stored for conversation continuity. Conversations are capped and automatically summarized to maintain context while managing storage.
Email Analysis Data
When we analyze your incoming emails, we store analysis results: threat scores, summaries, sender information, and metadata. Full email content is not permanently stored — only analysis results and content hashes used for deduplication.
Harbor Light staff and administrators cannot read your emails. Our system is designed so that only you can view your email content through your personal, verified dashboard. Staff can see limited metadata (sender and subject) for emails that were flagged or quarantined, solely for the purpose of troubleshooting false positives.
Account Security Monitoring
As part of our threat protection, we monitor for signs that your email account may have been compromised. This includes two layers:
- Email-based detection — analyzing incoming emails for security signals such as password change confirmations, two-factor authentication changes, and unusual login notifications
- Account settings monitoring — for Gmail and Outlook accounts, we periodically check your account settings (forwarding rules, email filters, and send-as aliases) through the same secure API access you granted when connecting your account. A baseline of your settings is captured when you first connect, and changes are monitored going forward to detect unauthorized modifications.
We store a record of your account settings baseline and any detected security signals for alerting and pattern analysis. IMAP accounts (Yahoo, iCloud, etc.) do not support settings monitoring — only email-based detection is available for those providers.
Memories & Contacts
Facts learned during conversations — such as your bank name, doctor, pharmacy, or family members — are stored as "memories" for personalization and scam detection. You can ask your companion to forget any memory at any time. Contacts (trusted senders, blocked senders) are maintained with trust levels.
Calendar Event Cache
Calendar events extracted from emails are temporarily cached for duplicate detection, with a 90-day retention period.
Digest History
Your daily morning digest summaries are stored for up to 365 days so your companion can reference past summaries when you ask.
How We Use Your Information
- Threat analysis — Analyzing incoming emails for scam indicators, phishing attempts, and account takeover signals
- Account security monitoring — Detecting signs of email account compromise by analyzing incoming security notifications
- Daily digests — Generating your personalized morning email summary
- Conversational assistance — Answering your questions about your email, calendar, and contacts
- Calendar management — Adding appointments from emails to your calendar and sending event reminders
- Safe link checking — Checking the links in your email for safety before you click them, as part of the browser-based dashboard
- Protection reports — Generating on-demand summaries of emails analyzed, threats detected, and protection activity
- Family alerts — Sending protection summaries and threat alerts to family members you designate
- Platform security — Anonymized threat pattern analysis across the platform to improve detection for all users (no personal information is shared between users)
Third-Party Services
We use the following third-party services to provide our product:
AI Processing
Your conversation messages and email content (including the body of incoming emails during threat analysis) are sent to a third-party AI service (Anthropic) for processing. Anthropic's usage policies prohibit training on API data. Your data is processed and discarded — it is not retained by the AI provider for model improvement.
If you send a photo or screenshot (for example, a picture of a letter or a suspicious text message) for the companion to read, that image is also transmitted to Anthropic for analysis. As with all API data, it is processed and discarded — it is not retained by the AI provider for training or model improvement.
URL Safety Checking
URLs found in your emails are checked against industry threat databases. Only the URL is sent — no email content, sender information, or personal data.
Phone Reputation Services
When you ask about a phone number, we check it against spam and fraud databases. Only the phone number is sent — no personal information.
Telegram
If you use Telegram, messages are delivered through the Telegram Bot API. Telegram's privacy policy applies to message delivery.
Twilio (SMS Messaging)
If you use SMS, messages are delivered through Twilio. Twilio's privacy policy applies to message delivery. Your phone number is shared with Twilio solely for the purpose of delivering messages and is not used for marketing by Twilio. You can opt out of SMS messages at any time by replying STOP.
SMS Program Disclosures: Harbor Light's SMS program sends transactional account notifications only — no marketing or promotional messages. Message frequency varies based on the user's email volume, typically 3–10 messages per day. Message and data rates may apply. Reply HELP for help, STOP to cancel.
SMS Opt-in Data Sharing: No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. Information that we collect from you in connection with the SMS messaging program will be used solely to provide the SMS messaging service.
Google OAuth / Microsoft OAuth
We use Google and Microsoft's standard OAuth 2.0 flows to connect your email account. We request only the scopes listed above. For details on how Google user data specifically is handled, see the next section.
Google User Data
When you connect a Gmail account, Harbor Light accesses your Google user data through official Google APIs, using only the permissions you grant on Google's consent screen. This section describes exactly how that data is accessed, used, stored, and shared.
What We Access
| Permission | What It Allows | Why We Need It |
|---|---|---|
gmail.modify |
Read your Gmail messages and move them between labels/folders | Analyze incoming email for scams and phishing; quarantine dangerous messages so they're out of your inbox before you see them; optionally tidy newsletters and promotions into their own folder and, if you opt in, move older promotions and quarantined messages to your Trash |
gmail.send |
Send email from your address | Send replies, forwards, and new messages that you compose and approve, plus unsubscribe requests you trigger — nothing is ever sent without your direction |
calendar.events |
View and create events on your calendar | Add appointments found in your email and accept meeting invitations when you ask |
How We Use It
Google user data is used solely to provide the features described on this page and on our home page: threat analysis and quarantine of incoming email, your daily digest, conversational answers about your email and calendar, and messages you choose to send. We do not use Google user data for advertising, and we do not sell it to anyone.
How We Store It
Your OAuth tokens are encrypted at rest on our private server. Full email content is not permanently stored — emails are processed for analysis and only the results (threat scores, summaries, sender information, and content hashes for deduplication) are retained, per the Data Retention table below.
How We Share It
We do not transfer Google user data to third parties except as necessary to provide the service: email content is processed by our AI provider (Anthropic), whose policies prohibit using it for model training; URLs found in your email are checked against third-party threat databases (only the URL is sent — see Third-Party Services above); and we may disclose data if required by law. Harbor Light staff cannot read your email; humans access Google user data only with your explicit permission (for example, a support request), or where necessary for security or legal compliance.
Limited Use Disclosure
Harbor Light's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We do not use Google user data to develop, improve, or train generalized artificial intelligence or machine learning models.
Data Storage & Security
- All data is stored on a dedicated, private server — not in a shared cloud database
- OAuth tokens and IMAP credentials are encrypted at rest using industry-standard encryption
- All connections use HTTPS with modern TLS encryption
- User sessions expire after inactivity
- CSRF protection on all state-changing operations
- Staff and administrators cannot access your email content — only you can view your emails through your verified dashboard
- Daily automated database backups with 7-day retention
- Weekly full-server backups
In the event of a security breach that affects your email account credentials or personal data, we will notify affected users without unreasonable delay and in accordance with applicable law.
Data Retention
| Data Type | Retention Period |
|---|---|
| Conversations | Rolling cap, automatically summarized and pruned |
| User memories | Limited per user, periodically reviewed for staleness |
| Email analysis logs | Up to two years, for ongoing threat pattern analysis |
| Account security signals | Up to two years, alongside email analysis logs |
| Protection reports | Generated on demand from analysis logs; not separately stored |
| Digest history | Up to one year |
| Calendar event cache | Up to 90 days |
| OAuth tokens | Until you disconnect or token expires |
| Security advisories | Auto-expired and cleaned up |
Your Rights
- Disconnect email accounts — You can disconnect any email account at any time by asking your companion or through the admin dashboard
- Revoke OAuth access — You can revoke Harbor Light's access directly from your Google Account or Microsoft Account settings
- Request data deletion — Contact us to request deletion of your data. We will remove your account information, conversations, memories, and analysis logs within 30 days of your request
- Data export — Contact us to request an export of your stored data
- Forget memories — Ask your companion to forget any specific memory at any time during conversation
- Opt out of SMS — Reply STOP to any SMS message to immediately stop text message delivery
Children's Privacy
Harbor Light is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through your messaging channel (Telegram or SMS) before the changes take effect. Continued use of the service after notification constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or want to exercise any of your rights, contact us at:
Email: [email protected]
Website: harborlight.io