Last updated: April 12, 2026.
Two categories:
Account data: to provide service, send you product updates (you can opt out), bill you. Nothing else.
Customer content: to deliver email on your behalf, generate personalization, and provide analytics. We do not use customer content to train our models unless you explicitly opt in (and we credit your account if you do).
Sub-processors, listed in our DPA:
We don't sell data. We don't share with advertisers. If we ever changed that we'd ask you first.
US tenancy: Oregon. EU tenancy: Frankfurt. Single-tenant Fleet: deployed in your VPC, in any AWS region you choose.
Account data: as long as you have an account, plus 90 days for billing reconciliation. Customer content: for as long as your account is active. Engagement events older than 24 months are auto-archived (still accessible via export API).
You can access, correct, delete, or export your data at any time from the dashboard, or by emailing privacy@notificationharbor.com. We respond within 5 business days. EU/UK residents: you may also file a complaint with your local supervisory authority.
We use a single first-party session cookie on the dashboard. The marketing site uses Plausible (cookie-free, GDPR-compliant analytics). No third-party cookies, no tracking pixels.
SOC 2 Type II. Encryption in transit (TLS 1.3) and at rest (AES-256). Annual third-party penetration testing. Reports available under NDA.
Harbor is not for users under 16. We don't knowingly collect data from minors. If you believe a minor's data is in our system, email privacy@notificationharbor.com and we'll delete it.
Material changes announced 30 days in advance via email. Minor wording changes logged in the document history (link below — coming soon).
Privacy questions: privacy@notificationharbor.com. DPO inquiries (EU): same address.