Privacy Policy
Effective date: July 1, 2026 for customers who signed up to the Service before April 15, 2026; April 15, 2026 for customers who signed up to the Service on or after April 15, 2026. Customers who signed up to the Service before April 15, 2026 may refer to the previous version of the Privacy Policy until July 1, 2026.
We are committed to protecting your privacy. This Privacy Policy applies to the Personal Data we collect and process in the course of our business. This Privacy Policy describes your choices and rights with respect to your Personal Data, including your rights of access and correction.
We update this Privacy Policy from time to time and encourage you to review this Privacy Policy periodically. We will post any Privacy Policy changes on this page and, if the changes are material, notify you directly.
Please note that we act in different roles when processing Personal Data. We act as a controller of your Personal Data when you sign up for our products and services, visit our websites, or interact with us through other channels. We act as a processor when we process Personal Data in connection with the Service on behalf of Customers. This Privacy Policy applies to the activities we perform as a data controller. The activities that we perform as a data processor are regulated by our Data Processing Agreement (“DPA”).
Unless otherwise defined in this Privacy Policy, all capitalized terms have the meanings given to them in the Terms of Service.
"Personal Data" means any information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable individual, as defined under applicable privacy and data protection laws.
1. Data Controller
The controller of your Personal Data is Bending Spoons S.p.A., an Italian technology company located at via Nino Bonnet 10, Milan, MI 20154.
2. What Information We Collect and Process
When you interact with us via our websites or any sites or services that link to this Privacy Policy (including getHarvest.com, harvestapp.com, and id.getharvest.com) or use the Service, we may collect Personal Data and other information from you, as described below.
- Information You Provide to Us: We collect Personal Data when you visit our websites, for example when you submit web forms or interact with our websites, such as by signing up for our blog, subscribing to our Service, or requesting customer support.
We collect Personal Data when you register to use the Service. The Personal Data collected during these interactions may vary based on what you choose to share with us, but it will generally include your name, billing and mailing address, email address, and phone number.
We may also collect certain payment and financial information in connection with the Service. For example, we may ask you to provide a billing address, or a billing contact for your Harvest account. If you give us payment information, we use it solely as authorized by you in accordance with this Privacy Policy. Customers may also provide payment information, such as credit card or bank account numbers, when purchasing services. We use secure third-party payment providers to manage payment processing, and payment information is collected through a secure payment process. Accordingly, in addition to this Privacy Policy and our Terms of Service, information related to your purchases is also processed according to Stripe’s Services Agreement and Privacy Policy, available at https://stripe.com/privacy, and Braintree’s Privacy statement, available at https://www.braintreepayments.com.
- Information We Collect and Process When You Use the Service: We collect usage data when Customers or End Users interact with the Service. Usage data includes metrics and information regarding your use and interaction with the Service, such as what product features you use the most, how often certain features in your account get triggered, peak hours of visits/usage, and which page(s) are visited or functionalities are used. We generally engage third party providers to collect usage data.
When you access or use the Service via our mobile application, we automatically collect information such as your device model and version, operating system, or device identifiers.
We automatically collect and store information about your computer hardware and software when you visit our websites, use our product and services, or visit other sites or services that link to this Privacy Policy. This information can include your IP address, browser type, domain names, internet service provider (ISP), and the files viewed on our websites (e.g., HTML pages, graphics, etc.), your operating system, access times and referring website addresses.
- Information We Collect From Other Sources: We may obtain Personal Data about you from other sources, including through third-party services and organizations. For example, if you access our Service through a third-party application, we may collect Personal Data about you from that third-party application that you have made available via your privacy settings.
We may provide a referral service that permits you to provide Personal Data about your friends, which allows you to share content, such as an invitation to use our Services. Please only share contact information of people you know personally (e.g., a relative, friend, or colleague).
3. How We Use Personal Data
- To Provide our Services: We use your account information to provide our Services to you.
For example, we use Personal Data:
- to create your account;
- to process payments for paid use of the Service;
- for auditing related to interactions, transactions, and other compliance activities;
- to authenticate you when you log in;
- to provide customer support; and
- to determine billing, usage measurement, and entitlement consumption.
These activities are based on the contract we have with you (Article 6.1.b GDPR).
- To Communicate with You About our Services and Provide Customer Support: We use account information you provide to Harvest when signing up for our Services to send you transactional emails about billing, account management, and other administrative matters.
We use your information to provide customer support and respond to your comments, feedback, or questions. We also may use it for resolving technical issues you encounter and analyzing product outages or bugs.
These activities are based on the contract we have with you (Article 6.1.b GDPR). When you give customer support permission to access your information, these activities are based on your consent (Article 6.1.a GDPR).
- To Improve and Personalize Our Services: We use log files and usage data about how you or your users interact with our product and service to develop and improve our product and service. For example, we use usage data to assess trends and usage across the product to help us determine what new features or integrations our users may be interested in. We also use Personal Data to personalize our service offering to you.
We and our service providers may also collect or generate aggregated and/or de-identified Personal Data and use the aggregated and/or de-identified information to analyze the effectiveness of our Services, to improve and add features to our Services, to train AI models to provide and improve the AI Services, and for any other lawful purpose. In addition, we may share aggregated and/or de-identified information with our business partners and other third parties. We may collect or generate aggregated and/or de-identified information through our Services, through cookies, and through other means described in this Privacy Policy.
We may publish data about how our product and services are being used across our customer base. When we share statistical information externally in this way, the data will be aggregated and we will not identify individual users or customers.
These activities are based on our legitimate interest to improve and personalize our Services (Article 6.1.f GDPR).
- To Secure and Protect our Product and Users: We use your Personal Data to investigate and help prevent security incidents. We may also use this information to meet legal requirements. We use your information to verify user accounts, new product sign-ups, and to detect and prevent product abuse. This includes authenticating and verifying individual identities, including requests to exercise your rights under this Privacy Policy. We also use Personal Data to ensure quality control and safety, ensure compliance with our Terms of Service, prevent fraud, criminal activity, or misuses of our Service, and to ensure the security of our IT systems, architecture and networks.
We use log files to provide general statistics regarding use of the websites by you, including how you use our websites, what country you are logging in from (for analytics, export control and regulatory purposes) and to help improve the navigation experience. Your IP addresses are also collected and logged for security and debugging purposes, for example to track access patterns and investigate security events and incidents. For these purposes we may associate automatically collected data with other personal data provided by you.
These activities are based on our legitimate interest to ensure the quality and the proper functioning of our Services (Article 6.1.f GDPR).
- To Market and Promote our Services: We use Personal Data to advertise, market, and promote our products, services, and other offerings. For example, we use information like your email address to send information we think may be of interest to you. We may also send you marketing communications relating to our business, such as newsletters, promotions, surveys, or contests.
These activities are based on your consent (Article 6.1.a GDPR). However, when we use your email to send you information about products and services related to or similar to our Service (“soft opt-in”), the legal basis is our legitimate interest (Article 6.1.f GDPR).
You may opt out of receiving this promotional content by following the instructions contained in each communication that we send to you. If you unsubscribe, we will continue to contact you regarding administrative matters, and to respond to your requests.
- For Compliance with Legal Obligations: We may use your Personal Data to comply with our legal obligations, including requests from public authorities, and to prove we have complied with them.
When this activity is required by a specific legal obligation, your Personal Data may be used to the extent legally required (Article 6.1.c GDPR). When the applicable law leaves some discretion in assessing the appropriate way to comply with it, your Personal Data is used based on our legitimate interest to prove our compliance (Article 6.1.f GDPR).
- For Defense and Corporate Operations: Your Personal Data may be used to establish, exercise, or defend our rights and those of our employees, and to carry out corporate transactions or operations. For example, your data may be processed in the event of bankruptcy, merger, acquisition, reorganization, and sale of assets or assignments, and the due diligence related to any such transactions.
This activity is based on our legitimate interest to establish, exercise, or defend our rights, and to carry out corporate transactions or operations (Article 6.1.f GDPR).
- For other Purposes if We Obtain Your Consent: We may use your Personal Data for other purposes when you give us consent to do so.
4. How We Share and Disclose Your Personal Data
Your Personal Data may be transmitted to trusted and reliable third parties. This happens only when there are lawful grounds for the transmission.
The types of third parties to which your data may be transmitted are as follows:
- Organizational Sharing: If you access or use our Services in connection with a license or subscription we provide to one of our Customers or another third party, we may share your Personal Data with them. For example, if you are an End User accessing our Services for the benefit of a Customer.
- Vendors and Service Providers: We may share Personal Data with vendors and service providers to assist us in meeting business operations needs and to perform certain services and functions, for instance to provide hosting services, cloud services, other information technology services, email and newsletter services, customer support services, web analytic services, and payment processing. A list of our Sub-Processors can be found here. Pursuant to our instructions, these parties will access, process or store Personal Data in the course of performing their duties to us. We take commercially reasonable steps to ensure our service providers adhere to the security standards we apply to your Personal Data, and to limit their use and other processing of your Personal Data to the performance of their services for us.
- Business Partners: We may share your Personal Data with business partners to provide you with a product or service you have requested. We may also share your Personal Data with business partners with whom we jointly offer products or services. For example, we may share your Personal Data with trusted business partners to provide customer support and help us perform statistical analysis.
- Affiliates: We may share your Personal Data with our corporate affiliates.
- Advertising Partners: We may share your Personal Data with third-party advertising partners. These third-party advertising partners may set cookies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising”, “personalized advertising”, or “targeted advertising.”
- To Protect Us or Others; Legal Requirements: When required by law or legal process—such as a court order, subpoena, or other legal mandate—we will disclose information. Additionally, unless otherwise prohibited by law, we may disclose information at our discretion if we believe it is necessary to protect our rights or property, ensure your safety or the safety of others, investigate fraud, protect against legal liability, respond to a government request, or safeguard the privacy of you, our affiliates, or other third parties.
- Enforcement of Rights: To enforce our Terms of Service or to protect our operations or users.
- Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Data and other information may be shared in the diligence process with counterparties and others assisting with the transaction and transferred to a successor or affiliate as part of that transaction along with other assets.
Additionally, we may share your Personal Data if it’s required to fulfill a legal obligation, or if you give us your consent to do so.
5. Public Information and Third Parties
- Harvest Blog: We have public blogs on our websites. Any information you provide in these areas may be read, collected, and used by anyone. If your Personal Data appears on our blogs and if you would like to remove it, you can send your request to privacy@getharvest.com. In some cases, we may not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.
- Third Parties: We are not responsible for, and this Privacy Policy does not cover your use of any third-party widgets, features, or websites or links to third-party websites or services. We do not endorse such third parties and encourage you to carefully read the privacy policy of any third-party site you visit or service you use.
- Testimonials: We publish customer testimonials on our website, which may contain Personal Data. We obtain consent to post the customer’s name along with their testimonial. To request the removal of your Personal Data from a testimonial, please email us at privacy@getharvest.com.
- Social Media Widgets: Our websites include social media features. These features may collect your IP address, which page(s) you are visiting, and may set cookies to make sure the features function properly. Social media features and widgets are either hosted by a third party or hosted directly on our site. Your interactions with those features are governed by the privacy policy of the companies providing them.
- Third-Party Integrations: We may offer integrations with third-party products, applications, or other functionality not operated or controlled by us (“Third-Party Integrations”). If a Third-Party Integration is with Google (for example, where we offer Google Calendar, Google SSO, and Google Workspaces integrations), then generally, the data we access from Google is listed in the integration flow, and our use of such data is explained on our integration page. Where applicable, our collection and use of data received from Google’s APIs is informed by Google’s Limited Use Requirements. We do not control the services provided by these third parties and encourage you to read their respective terms and privacy policies and/or notices carefully before using these third-party integrations.
6. Security
We follow generally accepted industry standards to protect your Personal Data. We take precautions—including administrative, technical, and physical measures—designed to safeguard your Personal Data against loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction. These precautions, which are outlined in our Security Policy, include encryption, access controls, and incident management.
However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. Therefore, you should take special care in deciding what information you send to us via the Service or e-mail. Please keep this in mind when disclosing any Personal Data to us via the Internet. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third-party websites.
7. Cookies and Similar Technologies
- Cookies: When you visit our websites or use our Services, we store "cookies," which are strings of code, on your computer sent to your browser by a website you visit. Cookies can be stored on your computer for different periods of time. Some cookies expire after a certain amount of time, or upon logging out (session cookies). Others survive after your browser is closed until a defined expiration date is set in the cookie (as determined by the third party placing it) and help recognize your computer when you open your browser and browse the Internet again (persistent cookies). Most browsers allow you to block and delete cookies. However, if you block our cookies, our Services may not work properly.
- Third Party Cookies: Third parties use session ID cookies to make it easier for you to navigate our websites. We use third-party services to provide the necessary hardware, software, networking, storage, and related technology required to run and improve our Services.
- Web Beacons: Our third party partners may employ web beacons (also known as pixel tags) to track online user movement to help us better understand what content is effective. Web beacons are tiny graphics with a unique identifier that are embedded in websites and in newsletter emails. With web beacons, our third party partners may collect information about you, such as your IP address, your browser or email client type, and other similar details. We use the data from our third party partners to improve our Services.
- Use of Web Beacons, Cookies, and other technologies (collectively, “Technologies”): Our uses of these Technologies will fall into the following categories:
● Operationally Necessary: This includes Technologies that allow you access to our Services, applications, and tools that are required to identify irregular website behavior, prevent fraudulent activity, improve security, or allow you to make use of our functionality;
● Performance-Related: We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how individuals use our Services (see Analytics below);
● Functionality-Related: We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests, or past items viewed;
● Advertising- or Targeting-Related: We may use first party or third-party Technologies to deliver content, including ads relevant to your interests, on our Services or on third-party digital properties.
- Analytics: We may use certain third-party analytics providers, including Google Analytics, a web analytics service provided by Google, Inc. Google Analytics uses cookies to help us analyze how users use our Services and enhance your experience when you use our Services. For more information on how Google uses this data, go to www.google.com/policies/privacy/partners/. To learn more about how to opt-out of Google Analytics’ use of your information, please go to http://tools.google.com/dlpage/gaoptout.
- Online Tracking and Do Not Track Signals: We and our third-party service providers, including Google, may use cookies, pixels or other tracking technologies to collect information about your browsing activities over time and across different websites following your use of the Service and use that information to send targeted advertisements. Our Service currently does not respond to “Do Not Track” (“DNT”) signals and operates as described in this Privacy Policy whether or not a DNT signal is received. If we do respond to DNT signals in the future, we will update this Privacy Policy to describe how we do so.
- Your Choices: On most web browsers, you will find a “help” section on the toolbar. Please refer to this section for information on how to receive a notification when you are receiving a new cookie and how to turn cookies off. Please see the links below for guidance on how to modify your web browser’s settings on the most popular browsers:
Microsoft Edge
Mozilla Firefox
Google Chrome
Apple Safari
Please note that if you limit the ability of websites to set cookies, you may be unable to access certain parts of the Service and you may not be able to benefit from the full functionality of the Service.
Advertising networks may collect Personal Data through the use of cookies. Most advertising networks offer you a way to opt out of targeted advertising. If you would like to find out more information, please visit the Network Advertising Initiative’s online resources at http://www.networkadvertising.org and follow the opt-out instructions there.
If you access the Service on your mobile device, you may not be able to control tracking technologies through the settings.
8. Children
Our Service is not directed to children who are under the age of 18. We do not knowingly collect Personal Data from children under the age of 18. If you have reason to believe that a child under the age of 18 has provided Personal Data to us through the Service, please contact us at privacy@getharvest.com and we will endeavor to delete this personal information from our databases unless we have a legal obligation to keep it, and terminate the child’s account, if applicable.
9. California Consumer Privacy Act (CCPA)
If you are a California resident, please refer to the California Consumer Privacy Act (CCPA) Notice for more information about our practices and requests you may make under the CCPA.
To exercise your rights, you may either:
- Complete our CCPA Webform; or
- Contact us by email at privacy@getharvest.com.
10. Supplemental Notice for Nevada Residents
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. Please note that we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A. If you have any questions, please contact us as set forth in “Contact Us” below.
11. International Data Transfers
We may transfer your Personal Data outside the European Economic Area (“EEA”) as necessary for the purposes described in this Privacy Policy, and Personal Data may be transmitted to our service providers supporting our business operations (described above).
If we transfer Personal Data which originates in the EEA, Switzerland, and/or the United Kingdom the transfer is always based on appropriate safeguards in accordance with applicable privacy laws, including the EU Standard Contractual Clauses developed by the European Commission, the decisions of adequacy of the European Commission, or binding corporate rules.
For more information about the safeguards we use for international transfers of your Personal Data, please contact us as set forth below.
12. Privacy Rights
In accordance with applicable law, you may have the right to exercise certain privacy rights, including one or more of the rights listed below:
- Right not to provide consent or to withdraw consent. We may seek to rely on your consent in order to process certain Personal Data. Where we do so, you have the right not to provide your consent or to withdraw your consent at any time. This does not affect the lawfulness of the processing based on consent before its withdrawal.
- Right of access and/or portability. You may have the right to obtain and/or access the Personal Data that we hold about you and, in some limited circumstances, have that data provided to you so that you can provide or “port” that data to another provider.
- Right of erasure (or deletion). In certain circumstances, you may have the right to the erasure of Personal Data.
- Right to object to processing. You may have the right to request that we stop processing your Personal Data and/or to stop sending you marketing communications.
- Right to rectification. You may have the right to require us to correct any inaccurate or incomplete Personal Data; in some cases we may provide self-service tools that enable you to update your Personal Data.
- Right to restrict processing. You may have the right to request that we restrict processing of your Personal Data in certain circumstances.
- Right to Opt-Out of Certain Processing Activities. You may have the right to request to opt-out of certain processing activities, including, as applicable, if we process your personal information for “targeted advertising” (as “targeted advertising” is defined by applicable privacy laws). We do not engage in “profiling” in furtherance of certain “decisions that produce legal or similarly significant effects” concerning you (as such terms are defined by applicable privacy laws).
- Appeal our Decision to decline to process your request. If applicable laws grant you an appeal right and you would like to appeal our decision with respect to your request, you may do so by informing us of this and providing us with information supporting your appeal.
- Right to lodge a complaint to your local Data Protection Authority. If you are an EEA resident, you have the right to submit a complaint to a data protection authority about our collection and use of your Personal Data.
How to Exercise Your Rights. To exercise any of the rights above, contact us at privacy@getharvest.com, and we will process such requests in accordance with applicable laws. Please identify yourself and specify your request. We may ask you to provide additional verification information to verify your identity.
If applicable laws grant you an appeal right and you would like to appeal our decision with respect to your request, you may do so by informing us of the appeal request and providing us with information supporting your appeal.
13. Data Retention
We retain the Personal Data that we process on your behalf as long as your account is active, as needed to provide our Services or fulfill the purpose(s) for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, protect against fraud, and enforce our agreements.
To determine the appropriate retention period for Personal Data, we may consider applicable legal requirements, the amount, nature, and sensitivity of the Personal Data, certain risk factors, the purposes for which we process your Personal Data, and whether we can achieve those purposes through other means.
14. Correcting and Updating Personal Data
If you are our Customer and would like to access, correct, or delete Personal Data that you provided, you may do this by signing in to our Services and making the change through our self-service tools or by emailing us at privacy@getharvest.com as described in the Privacy Rights section.
Our customers’ respective privacy policies govern their collection and use of their own End User data. Any questions or requests relating to updating and correcting End User data should be directed to our customer.
Any such party who no longer wishes to be contacted by an entity that uses our Services should contact that entity directly.
15. Updates to this Privacy Policy
Our Services and our business may change from time to time. As a result, we may change this Privacy Policy at any time, so please review it frequently. When we do, we will post an updated version on this page, unless another type of notice is required by the applicable law. By using our Service you agree to have read and understood our Privacy Policy.
16. How to Contact Us
If you have any questions regarding this Privacy Policy or to exercise your rights as detailed in this Privacy Policy, please contact us by email at privacy@getharvest.com, or please write to the following address:
Bending Spoons S.p.A.
via Nino Bonnet 10
Milan, MI 20154
Italy
You can also contact our Data Protection Officer at dpo@bendingspoons.com.
Last Updated - April 15, 2026
Previous Version - April 14, 2026
Previous version - December 31, 2025
Previous version - March 2, 2025