Harmoneya is a financial command center for studios and agencies. We take privacy seriously because the data you trust us with — bank transactions, invoices, client information, tax records — is the financial backbone of your business. This policy explains what we collect, why, who we share it with, and your rights.
We comply with the EU General Data Protection Regulation (GDPR) and applicable national laws (including Poland's UODO). This page is written in plain language; the legal basis we rely on under GDPR is noted in each section.
What we collect
Account data
When you sign up we collect your name and email address for account identification, plus a hashed authentication artifact (no password is ever stored — we use magic-link email auth and Google OAuth). Legal basis: contract (Art. 6(1)(b) GDPR).
Organization data
Information you enter about your organization: name, country, base currency, locale, timezone, VAT number, tax jurisdiction, address, and branding. This is needed to render invoices and run the app on your behalf. Legal basis: contract.
Financial and operational data
- Invoices and invoice line items you create.
- Clients you add (name, contact details, optional tax ID).
- Projects, tasks, comments, and approvals you create within Harmoneya.
- Transactions imported from connected bank accounts and parsed from emails.
Integration data
When you connect an integration we store the minimum needed to keep it working:
- Salt Edge (Open Banking) — a customer ID and connection ID, plus a 90-day PSD2 consent expiry timestamp. Bank credentials never touch our servers; you authenticate directly with your bank.
- Gmail / iCloud Mail — encrypted OAuth tokens or app passwords used only to read inbound supplier-invoice emails. We do not read marketing email or personal correspondence.
- KSeF (Polish e-invoicing) — your encrypted KSeF token, NIP, and certificate fingerprint, used to fetch invoices from the Polish Ministry of Finance.
Legal basis: contract.
AI chat
Messages you send through the in-app AI assistant, plus the operational context needed to answer them (e.g. a summary of overdue invoices), are sent to our model provider (Anthropic) for inference. We do not use your data to train models, and Anthropic does not retain it for training under our contract. Legal basis: contract.
Technical data
Server logs (request paths, IP addresses, timestamps, error traces) for security and reliability. We do not load third-party analytics scripts in the app. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — running and securing the service.
How we use your data
- To provide the service you signed up for (the core "contract" basis above).
- To send transactional email — invoice delivery, magic-link sign-in, expiring-consent reminders, billing receipts.
- To detect abuse, debug errors, and protect the service.
- To comply with legal obligations (tax records, lawful requests from authorities).
We do not sell your data, run targeted advertising on it, share it with data brokers, or use it to train AI models.
Subprocessors
We use the following third-party services to run Harmoneya. Each receives only the data needed for its role and is bound by a data-processing agreement.
- Vercel — application hosting (US/EU).
- Neon — managed Postgres database (EU region).
- Resend — transactional email delivery.
- Anthropic — AI inference for the in-app assistant.
- Salt Edge — Open Banking (PSD2) account aggregation, AISP-licensed.
- Google — Gmail OAuth (only for connected mailboxes).
- Polish Ministry of Finance (KSeF) — Polish e-invoicing system, only for organizations that have explicitly connected KSeF.
Data retention
We keep your data while your account is active. You can delete your account at any time from Settings; we erase your personal data within 30 days of deletion, except where we are legally required to retain it (e.g. tax records under Polish or EU law, typically up to 5 years).
Server logs are retained for up to 90 days. Backups are retained for up to 30 days.
Your rights
Under GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Export — receive your data in a machine-readable format.
- Rectify — correct inaccurate data.
- Delete — ask us to erase your data (right to be forgotten).
- Restrict or object — pause processing while a dispute is resolved.
- Withdraw consent — for any processing that relies on consent.
- Lodge a complaint with your supervisory authority (in Poland: the President of the Personal Data Protection Office, UODO).
To exercise any of these rights, email privacy@harmoneya.com. We will respond within 30 days.
Security
All traffic is served over HTTPS. Sensitive integration tokens (OAuth refresh tokens, KSeF tokens, IMAP credentials) are encrypted at rest with a server-side key. Database backups are encrypted. Access to production systems is limited to a small number of employees with two-factor authentication on their administrative accounts.
International transfers
Some of our subprocessors are based outside the European Economic Area. Where applicable we rely on the EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework to ensure equivalent protection.
Children
Harmoneya is built for businesses and is not directed at people under 16. We do not knowingly collect data from children.
Changes to this policy
We may update this policy as the product evolves. Material changes will be announced via email and in-app notice at least 30 days before they take effect.
Contact
For privacy questions or to exercise your rights, email privacy@harmoneya.com.