Privacy Policy

How we collect, use, and protect your information.

Effective Date: March 30, 2026 · Last Updated: June 11, 2026

Overview

Harbor Light is an AI-powered email monitoring and protection service delivered via Telegram and SMS. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

We built Harbor Light with the same care we'd want for our own family. Your privacy and safety are at the core of everything we do.

Information We Collect

Account Information

When you are enrolled in Harbor Light (by invitation from an administrator, family member, or staff), we collect:

Email Account Access

When you connect an email account, we request access through OAuth — the same secure sign-in protocol used when you sign in to apps with Google or Microsoft. For Gmail and Outlook accounts, your email password is never sent to or stored on our servers. For other email providers (such as Yahoo, iCloud, or work email) that do not support OAuth, we store your IMAP/SMTP credentials encrypted at rest using industry-standard encryption.

We request only the permissions necessary to provide the service:

The specific permissions requested are shown during the sign-in process by Google or Microsoft, and you can review them before granting access.

Conversation History

Messages you exchange with your AI companion, Grace, are stored for conversation continuity. Conversations are capped and automatically summarized to maintain context while managing storage.

Email Analysis Data

When we analyze your incoming emails, we store analysis results: threat scores, summaries, sender information, and metadata. Full email content is not permanently stored — only analysis results and content hashes used for deduplication.

Harbor Light staff and administrators cannot read your emails. Our system is designed so that only you can view your email content through your personal, verified dashboard. Staff can see limited metadata (sender and subject) for emails that were flagged or quarantined, solely for the purpose of troubleshooting false positives.

Account Security Monitoring

As part of our threat protection, we monitor for signs that your email account may have been compromised. This includes two layers:

We store a record of your account settings baseline and any detected security signals for alerting and pattern analysis. IMAP accounts (Yahoo, iCloud, etc.) do not support settings monitoring — only email-based detection is available for those providers.

Memories & Contacts

Facts learned during conversations — such as your bank name, doctor, pharmacy, or family members — are stored as "memories" for personalization and scam detection. You can ask your companion to forget any memory at any time. Contacts (trusted senders, blocked senders) are maintained with trust levels.

Calendar Event Cache

Calendar events extracted from emails are temporarily cached for duplicate detection, with a 90-day retention period.

Digest History

Your daily morning digest summaries are stored for up to 365 days so your companion can reference past summaries when you ask.

How We Use Your Information

Third-Party Services

We use the following third-party services to provide our product:

AI Processing

Your conversation messages and email content (including the body of incoming emails during threat analysis) are sent to a third-party AI service (Anthropic) for processing. Anthropic's usage policies prohibit training on API data. Your data is processed and discarded — it is not retained by the AI provider for model improvement.

If you send a photo or screenshot (for example, a picture of a letter or a suspicious text message) for the companion to read, that image is also transmitted to Anthropic for analysis. As with all API data, it is processed and discarded — it is not retained by the AI provider for training or model improvement.

URL Safety Checking

URLs found in your emails are checked against industry threat databases. Only the URL is sent — no email content, sender information, or personal data.

Phone Reputation Services

When you ask about a phone number, we check it against spam and fraud databases. Only the phone number is sent — no personal information.

Telegram

If you use Telegram, messages are delivered through the Telegram Bot API. Telegram's privacy policy applies to message delivery.

Twilio (SMS Messaging)

If you use SMS, messages are delivered through Twilio. Twilio's privacy policy applies to message delivery. Your phone number is shared with Twilio solely for the purpose of delivering messages and is not used for marketing by Twilio. You can opt out of SMS messages at any time by replying STOP.

SMS Program Disclosures: Harbor Light's SMS program sends transactional account notifications only — no marketing or promotional messages. Message frequency varies based on the user's email volume, typically 3–10 messages per day. Message and data rates may apply. Reply HELP for help, STOP to cancel.

SMS Opt-in Data Sharing: No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. Information that we collect from you in connection with the SMS messaging program will be used solely to provide the SMS messaging service.

Google OAuth / Microsoft OAuth

We use Google and Microsoft's standard OAuth 2.0 flows to connect your email account. We request only the scopes listed above. For details on how Google user data specifically is handled, see the next section.

Google User Data

When you connect a Gmail account, Harbor Light accesses your Google user data through official Google APIs, using only the permissions you grant on Google's consent screen. This section describes exactly how that data is accessed, used, stored, and shared.

What We Access

PermissionWhat It AllowsWhy We Need It
gmail.modify Read your Gmail messages and move them between labels/folders Analyze incoming email for scams and phishing; quarantine dangerous messages so they're out of your inbox before you see them; optionally tidy newsletters and promotions into their own folder and, if you opt in, move older promotions and quarantined messages to your Trash
gmail.send Send email from your address Send replies, forwards, and new messages that you compose and approve, plus unsubscribe requests you trigger — nothing is ever sent without your direction
calendar.events View and create events on your calendar Add appointments found in your email and accept meeting invitations when you ask

How We Use It

Google user data is used solely to provide the features described on this page and on our home page: threat analysis and quarantine of incoming email, your daily digest, conversational answers about your email and calendar, and messages you choose to send. We do not use Google user data for advertising, and we do not sell it to anyone.

How We Store It

Your OAuth tokens are encrypted at rest on our private server. Full email content is not permanently stored — emails are processed for analysis and only the results (threat scores, summaries, sender information, and content hashes for deduplication) are retained, per the Data Retention table below.

How We Share It

We do not transfer Google user data to third parties except as necessary to provide the service: email content is processed by our AI provider (Anthropic), whose policies prohibit using it for model training; URLs found in your email are checked against third-party threat databases (only the URL is sent — see Third-Party Services above); and we may disclose data if required by law. Harbor Light staff cannot read your email; humans access Google user data only with your explicit permission (for example, a support request), or where necessary for security or legal compliance.

Limited Use Disclosure

Harbor Light's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do not use Google user data to develop, improve, or train generalized artificial intelligence or machine learning models.

Data Storage & Security

In the event of a security breach that affects your email account credentials or personal data, we will notify affected users without unreasonable delay and in accordance with applicable law.

Data Retention

Data TypeRetention Period
ConversationsRolling cap, automatically summarized and pruned
User memoriesLimited per user, periodically reviewed for staleness
Email analysis logsUp to two years, for ongoing threat pattern analysis
Account security signalsUp to two years, alongside email analysis logs
Protection reportsGenerated on demand from analysis logs; not separately stored
Digest historyUp to one year
Calendar event cacheUp to 90 days
OAuth tokensUntil you disconnect or token expires
Security advisoriesAuto-expired and cleaned up

Your Rights

Children's Privacy

Harbor Light is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through your messaging channel (Telegram or SMS) before the changes take effect. Continued use of the service after notification constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or want to exercise any of your rights, contact us at:

Email: [email protected]

Website: harborlight.io