Privacy Policy
Privacy and security are of utmost importance to Harvestr and we strive to ensure that our technical and organisational measures in place respect your data protection rights.
This Privacy Policy describes how we manage, process and store personal data submitted in the context of providing our services. "Personal data" refers to any information relating to an identified or identifiable natural person; an identifiable natural person being one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This Privacy Policy does not apply to third party sites, if and where applicable.
Consent
In subscribing to our services or filling in a contact form on our website (harvestr.io) or other sites owned by Harvestr, you agree and accept that we may gather, process, store and/or use the personal data submitted in accordance with the rules set forth below.
By giving your consent to us, you also retain the right to have your personal data rectified, to be forgotten and/or to be erased.
PERSONAL DATA COLLECTED
1. Identity and contact details of the data controller
Personal data is collected on our website by Harvestr SAS, a Société par Actions Simplifiée registered under the laws of France under number 839 239 704 with the Créteil Trade & Companies Register, and having its registered office at 14 avenue du Général De Gaulle 94160 Saint-Mandé, France.
Data Protection Contact: For any questions or requests relating to the processing of your personal data, you may contact us at: security@harvestr.io.
2. Data collected on the site
When you subscribe to our services, the following data is collected and managed: email, first name, last name, Intracommunity VAT number where applicable, login, postal address, country, telephone number, IP address(es) and domain name.
By using our services, the following data is collected and managed: log-on data and browsing data where you authorise it, order history, complaints, incidents, information on subscriptions and messages on our site. Some data is collected automatically by reason of your activity on the site (see paragraph on cookies below). Please be advised that we may for the purpose of delivering our services have access to some personal information of your customers (for instance their email address).
The data submitted should not include any sensitive personal data, such as Government identifiers (i.e. social security, driving licence, or taxpayer identification numbers), complete credit card or complete personal bank card numbers, medical records or particulars connected with applications for care or treatment associated with private individuals.
3. Purposes of processing and legal basis
The principal purpose of collecting your personal data is to offer you a safe, optimum, efficient and personalised experience. To this end, you agree and accept that we may use your personal data to:
- Provide our services and facilitate performance, including verifications relating to you;
- Resolve any problems so as to improve the use of our site and services;
- Personalise, assess, and improve our services, content and materials;
- Analyse the volume and history of your use of our services;
- Inform you about our services as well as our partners' services and/or promotional offers;
- Prevent, detect and investigate any activities that are potentially prohibited, unlawful or contrary to good practice and ensure compliance with our terms of use;
- Comply with legal and regulatory obligations.
We use the personal data submitted to us only in accordance with the applicable data protection legislation.
For our clients who have signed up on our website, we process your personal data for the performance of the contract between us to provide our services.
For our newsletter, case studies and marketing material sign ups, we process your personal data based on the express consent you provide for this specific purpose.
We may share non-personally identifiable information (such as visiting pages, exit pages, number of clicks, etc.) with third-parties to help us understand the usage patterns for certain services.
4. Newsletter and marketing emails
We use your contact information and information about how you use the Services to communicate directly with you, including by sending you newsletters, promotions or information about current and future products and services. You may opt out of receiving such communications at any time by (i) clicking the unsubscribe link included in all the emails you receive or (ii) contacting us as indicated in the "CONTACT US" section below.
5. Email statistics
Without systematically doing so, we may analyse and track the various rates (for example: click, open, bounce rates) and the number of emails sent which you open to assess performance rates on our emailing campaigns.
6. Testimonials
Harvestr may publish a list of Customers and Testimonials on its site with information on our customers' names and job titles. Harvestr undertakes to obtain the authorisation of every customer before publishing any testimonial on its website. If you wish to be removed from this list, you can send us an email to contact@harvestr.io and we will delete your information promptly.
7. Third party disclosures
Personal data relating to you collected on our website are destined for Harvestr's own use and may be forwarded to Harvestr's partner companies so that we may obtain assistance and support in the context of carrying out our services. Harvestr ensures that it has in place clear data protection requirements for all of its third party providers.
Harvestr does not sell or rent your personal data to third parties for any marketing purposes whatsoever.
In addition, Harvestr does not disclose your personal data to third parties, except if: (1) you (or your account administrator acting on your behalf) request or authorise disclosure thereof; (2) the disclosure is required to process transactions or supply services which you have requested; (3) Harvestr is compelled to do so by a government authority or a regulatory body, in the case of a court order, a summons to appear in court or any other similar requisition from a government or the judiciary, or to establish or defend a legal application; or (4) the third party is a subcontractor or sub-processor of Harvestr in the carrying out of services (see Subprocessors section below).
In accordance with Article 28 of the GDPR, access to your Personal Data by our sub-processors is subject to the signature of a written agreement which allows us to monitor and control the way our sub-processors handle your personal data.
8. Subprocessors
Harvestr uses a limited number of third-party service providers ("subprocessors") to assist in providing the Services. Each subprocessor is bound by a data processing agreement that restricts their processing of Customer Data to the specific purpose for which they are engaged.
The current list of subprocessors, including their names, purposes, and locations, is available at: https://app.vanta.com/harvestr.io/trust/i9wqjgv1tsq75cs6m4qs3k/subprocessors.
Harvestr will provide at least thirty (30) days' prior notice before engaging a new subprocessor or replacing an existing one, by updating the subprocessor list and notifying clients who have subscribed to subprocessor change notifications. If you have a legitimate objection to the use of a new subprocessor, you may raise it in accordance with the procedure set forth in the Data Processing Agreement (DPA).
9. Your data protection rights
You have a right of access, correction and removal of your personal data which you may exercise by sending us a support ticket directly on the support chat (either on the website or on the app) or by sending an email to security@harvestr.io. Your requests will be processed within a reasonable timeframe that cannot exceed 30 days as from the receipt by Harvestr of the request. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated in a timely manner. We may require that your request be accompanied by a photocopy of proof of identity or authority (copy of a valid ID document). This is a security measure to ensure that your personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to improve the efficiency of our response.
You are also able at any time to modify personal data by logging into your account and clicking on "User Settings".
You in particular benefit from the following rights:
1/ Access and communication of your personal data
You may at any time request access to your personal data processed by Harvestr.
Harvestr may oppose a given request should it be considered as being obviously abusive (such as, in particular, in the event of recurrent or systematic requests from a given user).
2/ Amendment/rectification of the personal data
You may request to amend, update, lock or delete your personal data that may be incorrect, partial or obsolete. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement. You may additionally define the guidelines applicable to your personal data in the event of your death.
3/ Right of opposition
You may exercise your opposition right for (i) legitimate reasons or (ii) to oppose the commercial use of your personal data.
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data. Harvestr shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
4/ Right to erasure
You have the right to obtain from Harvestr the erasure of your personal data without undue delay, in particular if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. Upon such request, Harvestr shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to proceed with the erasure of any links to, or copy or replication of, those personal data.
5/ Right to restrict the processing
You have the right to obtain from Harvestr a restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by you, for a period enabling Harvestr to verify the accuracy of the personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (iii) Harvestr no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; (iv) you have objected to processing pending the verification whether the legitimate grounds of Harvestr override those of the data subject.
Harvestr undertakes to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall inform you about those recipients if you request it.
6/ Data portability
You have the right to receive your personal data that you have provided to Harvestr, in a structured, commonly used and machine-readable format (such as JSON or CSV), and you have the right to transmit those data to another company without hindrance from Harvestr. You have the right to have the personal data transmitted directly from Harvestr to another company, where technically feasible.
For Customer Data stored in the Services, you may export your data at any time using the export functionality available within your account, or by contacting support at contact@harvestr.io.
7/ Complaint
If you consider that Harvestr does not comply with its obligations in terms of data protection, you have the right to lodge a complaint with a supervisory authority, the relevant regulatory body being the CNIL (Commission Nationale de l'Informatique et des Libertés), at the following address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France.
In the event of any complaint, please contact us first: security@harvestr.io or by mail to: Harvestr SAS, 14 avenue du Général De Gaulle 94160 Saint-Mandé, France.
You may at any time withdraw your consent as to the use of your personal data where we are relying on such consent to process your personal data. Please note that such withdrawal will not affect the lawfulness of any processing carried out before you withdrew your consent. If you withdraw your consent or fail to provide the requested personal data, we may not be able to provide you with whole or part of the service. We will advise you if this is the case at the time you withdraw your consent.
10. Cookies and Tracking
As a general rule, Harvestr uses cookies and tracking to improve and personalise its Website and/or measure its audience. Cookies are files saved on your computer's hard drive when browsing on the Internet and in particular on our site. A cookie is not used to gather your personal data without your knowledge but instead to record information on site browsing which can be read directly by Harvestr on your subsequent visits and searches on the site.
Types of cookies used
The cookies used by Harvestr are intended to enable or facilitate communication, to enable the services requested by users to be supplied, to recognise users when they re-visit the site, to secure payments which users may make, to register the language spoken by users or other preferences necessary for the service requested to be supplied.
Harvestr also uses analytics and tracking tools to measure website and digital data to gain customer insights, to carry out analyses on browsing experience so as to improve content, and to send targeted advertisements.
Cookie management
By default, cookies are not installed automatically (with the exception of those cookies needed to run the site and Harvestr's services, and you are informed of their installation by a banner). In accordance with the regulations that apply, Harvestr will require your authorisation before implanting any other kind of cookie on your hard drive.
You may manage your cookie preferences at any time through our cookie consent banner, which is accessible from any page on the Website. Through this banner, you can review the categories of cookies in use, accept or decline non-essential cookies, and update your preferences.
You may also manage cookies directly through your browser settings. Most modern browsers allow you to view, manage and delete cookies. Please refer to your browser's help documentation for instructions specific to your browser.
You can choose to decline acceptance of all non-essential cookies, but your ability to browse certain pages of the site may be reduced.
Duration of cookies
Cookies are placed on the User's terminal for a maximum period of 13 months from the date of the User's consent. After this period, consent will be re-obtained.
AI FEATURES AND DATA PROCESSING
1. How AI Features process your data
The Services include AI-powered features such as automated feedback categorization, AI feedback analysis, and related machine learning capabilities ("AI Features"). When you or your authorized users activate AI Features, Customer Data (such as feedback messages, tags, and categories) is processed by our AI systems to generate automated categorizations, insights, and recommendations.
2. No training on Customer Data
Harvestr does not use Customer Data to train, improve, or fine-tune its general-purpose AI or machine learning models. Your data is processed solely for the purpose of delivering the AI Features within your account. No Customer Data is shared across accounts or used to benefit other clients.
3. Third-party AI providers
AI Features may rely on third-party AI service providers acting as subprocessors. These providers are listed in Harvestr's subprocessor list (see Section 8 of "Personal Data Collected" above) and are bound by data processing agreements that prohibit them from using Customer Data for model training, improvement, or any purpose other than delivering the Services.
4. AI processing location
All AI processing of Customer Data occurs within infrastructure located in the European Union, or where a third-party AI provider is used, in accordance with the international data transfer safeguards described in the "Location of Data Storage and Transfers" section below.
5. Opting out of AI Features
AI features that require activation (such as AI feedback categorization) are only triggered when explicitly enabled by the Client or its authorized users. Disabling AI Features does not affect the availability or functionality of the core Services. You may enable or disable AI Features at any time from your account settings.
THIRD PARTY DATA
In the context of using our services, namely managing customer feedback and creating contact lists, Harvestr has access to the contact lists you create, as well as the subject and content of the messages stored in your account.
This data is stored on secure servers and only a limited number of people are authorised to access your messages, in particular for the purpose of providing support services.
You are easily able to recover your contact lists from your Harvestr account at any time by clicking on the "export" button. You may also modify and/or delete contacts at any time from your account.
In no case does Harvestr sell, share or rent out your contact lists to third parties, nor does it use them for any purposes other than those set forth in this policy. We will use the information from your contact lists only for legal requirements, to invoice and collect summaries for our own statistics and for the purposes of providing you with customer support services.
As creator of the messages and contact lists, you are considered the data controller within the meaning of the GDPR, and Harvestr is acting only as a data processor. In this capacity, you are responsible in particular for:
- Making all the declarations necessary to the relevant data protection authority;
- Complying with all current regulations in force, including the data protection laws;
- Obtaining the explicit consent of the persons concerned when collecting their personal data;
- Ensuring your authority to use the personal data collected in accordance with the defined end purposes and refraining from any unauthorised use.
If a recipient of your emails sent via our services requests us to modify or delete his/her personal data, we will honor that request after proper verification and will inform you of it.
DATA RETENTION PERIODS
Harvestr collects your personal data for the purpose of carrying out its contractual obligations as well as information about how and when you use our services and we retain this data in active databases, log files or other types of files so long as you use our services.
Harvestr only stores your data for the time needed to provide our services to you, and in no event longer than ninety (90) days after closing your account (unless otherwise required by law). During this 90-day period, you may request an export of your data in a structured, commonly used, and machine-readable format (JSON or CSV).
You are able to access your personal data for as long as you hold an active account with us. Your event data (statistics, for example) will be deleted every 13 months during active use of your account. Other data may be deleted at any time during active use of your account in accordance with the provisions set forth above.
LOCATION OF DATA STORAGE AND TRANSFERS
The host servers on which Harvestr processes and stores its databases are located exclusively within the European Union.
Harvestr will inform you immediately, to the extent we are legally authorised to do so, in case of any application or order originating from an administrative or judicial authority relating to your personal data.
In order to perform our services, we may transfer some of your Personal Data to third party service providers located or using servers located outside the European Union (the "EU") and the European Economic Area (the "EEA"). In such a case, we make sure that the transfer is subject to appropriate safeguards, in particular:
- The recipient country has been the subject of an adequacy decision by the European Commission recognizing an adequate level of protection for personal data; or
- Standard Contractual Clauses (SCCs) approved by the European Commission have been entered into with the data recipient, ensuring an equivalent level of protection for your Personal Data; or
- The recipient is certified under the EU-US Data Privacy Framework, where applicable to transfers to the United States.
For more information on the specific safeguards applied to international data transfers, you may contact us at security@harvestr.io.
SECURITY
Within the framework of its services, Harvestr attributes the very highest importance to the security and integrity of its customers' personal data.
Certifications and audits
We have regular external audits and penetration tests, and we are compliant with the international SOC 2 standard. More details are available on our Trust Center.
Technical and organizational measures
In accordance with the GDPR, Harvestr undertakes to take all pertinent precautions in order to preserve the security of the data and, in particular, to protect them against any accidental or unlawful destruction, accidental loss, corruption, unauthorised circulation or access, as well as against any other form of unlawful processing or disclosure to unauthorised persons.
To this end, Harvestr implements industry standard security measures to protect personal data from unauthorised disclosure. In using industry recommended methods of encoding, Harvestr takes the measures necessary to protect information connected with payments and credit cards.
Harvestr undertakes to put in place the following organisational and technical safety measures: (i) means to ensure the confidentiality (data pseudonymisation, encryption, etc.), integrity, availability and permanent resiliency of the processing systems and services; (ii) means to restore the availability of the personal data and access to such data within an appropriate timeframe in the event of a material or technical issue; (iii) processes to regularly test, analyse and evaluate the efficiency of the technical and organizational safety measures in place to ensure the safety of the data processing; (iv) making the personal data available only to its officers duly authorised on the basis of their functions and role, to the extent strictly necessary to the due performance of their functions (need-to-know basis).
Such measures shall comply with the GDPR provisions.
Harvestr shall be responsible for the compliance with these provisions and more generally the GDPR by its employees and affiliates (and their employees).
Additionally, Harvestr in particular undertakes to (i) process the data solely for the purpose(s) mentioned in this Privacy Policy, (ii) guarantee the confidentiality of the personal data processed, (iii) ensure that the persons authorised to process the personal data hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and receive the appropriate personal data protection training, and (iv) take into consideration, in terms of its tools, products, applications or services, the principles of data protection by design and by default.
Moreover, in order to avoid in particular all unauthorised access, to guarantee accuracy and the proper use of the data, Harvestr has put the appropriate electronic, physical and managerial procedures in place with a view to safeguarding and preserving the data gathered through its services.
Breach notification
Notwithstanding the above, there is no absolute safety from piracy or hackers. In the event a breach of security were to affect you, Harvestr undertakes to inform you thereof without undue delay (that cannot exceed 48 hours as from our knowledge of the breach) and to use its best efforts to take all possible measures to neutralise the intrusion and minimise the impacts. The notification will be accompanied by any appropriate documentation to allow, if necessary, the notification to be made to any regulatory body. This notification will describe in clear and plain language the nature of the personal data breach and at least: (i) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects involved and the categories and approximate number of personal data records concerned; (ii) communicate the name and contact details of the data protection contact or other contact point where more information can be obtained; (iii) describe the likely consequences of the personal data breach; and (iv) describe the measures taken or proposed to be taken by Harvestr to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
We undertake to notify the competent supervisory authority (the CNIL) of the personal data breaches without undue delay and, where feasible, not later than 72 hours after having become aware of them, unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons.
Should you suffer any loss by reason of the exploitation by a third party of a security breach, Harvestr undertakes to provide you with every assistance necessary so you are able to assert your rights. Moreover if, by some exceptional case, the direct loss incurred arose due to fault or gross negligence by Harvestr, you will be able to seek compensation within the limit of liability referred to in our Terms and Conditions.
You should keep in mind that any user, customer or hacker who discovers and takes advantage of a breach in security renders him or herself liable to criminal prosecution and that Harvestr will take all measures, including filing a complaint and/or bringing court action, to preserve the data and the rights of its users and of itself and to limit the impacts.
Where we have given you (or where you have chosen) a password that enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
DATA PROCESSING ADDENDUM
Where Harvestr processes personal data on behalf of a Client in the course of providing the Services, the processing is governed by Harvestr's Data Processing Agreement (DPA), which is available upon request. The DPA forms an integral part of the agreement between Harvestr and the Client and sets out the respective obligations of the parties with respect to the processing of personal data, including the subject matter, duration, nature and purpose of the processing, the type of personal data, and the categories of data subjects.
PRIVACY POLICY CHANGES
Harvestr reserves the right to update this Privacy Policy at any time, in particular pursuant to any changes made to the laws and regulations in force. Any modifications made will be notified to you via our Website or by email, to the extent possible, thirty (30) days at least before any changes come into force. We would recommend that you check these rules from time to time to stay informed of our procedures and rules relating to your personal information.
CONTACT US
If you have questions, you can contact us by email at: security@harvestr.io or by mail at: Harvestr SAS, 14 avenue du Général De Gaulle 94160 Saint-Mandé, France.
