Harbor

Privacy Policy

Last updated: March 29, 2026

1. Introduction

On Harbor, LLC (“Harbor,” “we,” “us,” or “our”) operates a private publishing platform (the “Service”) that allows children to create and share content with a parent-approved audience. This Privacy Policy describes what personal information we collect, how we use it, with whom we share it, and the rights you have regarding it.

For purposes of this policy, “Parent” means any parent, legal guardian, or authorized adult who creates and manages a Harbor account on behalf of a child; “Child Creator” means a child for whom a Parent has established a Publication; “Co-Manager” means an adult a Parent has invited to help manage a Publication; “Follower” means a person a Parent has approved to view a Publication; “Publication” means a private channel on Harbor featuring content by one or more Child Creators; and “Content” means all text posts, audio recordings, images, and other material created or uploaded to the Service. All of these individuals, together with anyone else who accesses the Service, are “Users.”

The Service is intended for use by adults (18 and over) who create and manage accounts on behalf of children. The Service is not directed to children under 18 except in their capacity as Child Creators using the Service through a Parent's account.

Please read this policy carefully. If you have questions, contact us at hello@onharbor.app.

2. Our Commitment to Children's Privacy

Harbor is designed to comply with the Children's Online Privacy Protection Act (COPPA) and is built around the protection of children's privacy. Here is what that means in practice:

  • No child accounts. Children do not create their own Harbor accounts. A Parent creates and controls the account.
  • Verifiable parental consent. Before we collect any personal information from a child, we obtain verifiable parental consent using the “Email Plus” method approved by the FTC. This means: (1) we send a direct notice to the Parent's email address explaining exactly what information we will collect and how it will be used; (2) the Parent must click a link in that email to affirmatively consent; and (3) we send a follow-up confirmation email after a reasonable delay, which includes instructions on how to revoke consent. No child data is stored until this consent process is complete.
  • Minimal collection. We collect only what is necessary to operate the Service for children. We do not collect email addresses, phone numbers, or social media identifiers directly from children.
  • Parents control everything. Parents approve every Follower, moderate every comment, and can review, edit, or delete any of their child's content and personal information at any time.
  • No advertising or behavioral profiling of children. We do not serve advertisements to children, do not build behavioral profiles of children, and do not share children's personal information with advertisers or data brokers.
  • Children's content is never used to train AI models. Content created by Child Creators — including text posts, audio recordings, and images — is not used as training data for any artificial intelligence system, including our own AI-powered features.
  • Right to review and delete. Parents can request to review, correct, restrict use of, or delete all personal information we hold about their child at any time by contacting us at hello@onharbor.app.
  • Consent revocation. Parents can revoke consent at any time by deleting their child's profile from their Harbor dashboard or by emailing us. Upon revocation, we will stop collecting the child's information and delete existing data within 30 days (and from backups within 90 days).

3. Information We Collect

From Parents and Account Holders

  • Account information: Your name and email address, provided when you register or sign in through our authentication provider, Clerk. Password management is handled entirely by Clerk; Harbor does not have access to your password.
  • Publication settings: Publication name, description, profile artwork, and configuration preferences you choose.
  • Communications: Any messages you send us, including support requests.

From Child Creators (through parent accounts)

  • Display name: A name or nickname provided by the Parent. This may be a first name, nickname, or pseudonym.
  • Date of birth: Used only to determine which age-appropriate features are available to the child. Stored securely and not shared with third parties or used for any other purpose.
  • Profile image: An optional photo or avatar the Parent uploads for the child.
  • Content: Text posts, audio recordings, and images created by the child and submitted for publication.
  • AI editing history: When the AI writing assistant is used, the child's original text and any AI-suggested revision are stored separately so the child's own work is always preserved and attributable. See Section 6 (Third-Party AI Processing) for more detail.

From Followers and Co-Managers

  • Account information: Name and email address provided during sign-up or sign-in through Clerk.
  • Activity: The Publications they follow and their interaction history, including comments and reactions left on posts.

Automatically collected from all Users

  • Device and browser information: Browser type, operating system, and device type.
  • Log data: IP address, access timestamps, and referring URLs, retained by our hosting provider (Vercel) for up to 90 days for security and debugging purposes.
  • Usage information: Pages visited, features used, and actions taken within the Service, used to operate and improve the Service. We may use third-party analytics services to help us understand how the Service is used. Any such provider will be listed in our service providers section and will be contractually prohibited from using this data for their own advertising or marketing purposes.
  • Cookies: We set essential, first-party session cookies required for authentication and maintaining a logged-in state. These cookies expire at the end of your session or when you sign out. We do not use advertising cookies or tracking pixels. We may use analytics cookies from third-party providers as described above; these cookies collect anonymized usage information and are not used for advertising. You can disable cookies in your browser settings, but doing so will prevent you from signing in to the Service.

4. How We Use Information

We use the information we collect to:

  • Create and manage accounts and Publications
  • Authenticate Users and maintain secure sessions
  • Display published Content to approved Followers
  • Enable age-appropriate features for Child Creators based on their date of birth
  • Send email notifications to Parents about pending content reviews, new follower requests, new comments, and Service updates
  • Respond to support requests and communicate with Users
  • Produce aggregated, de-identified analytics (for example, aggregate counts of posts published or features used) to understand how the Service is used and to improve it. This aggregated data cannot be used to identify any individual User or Child Creator.
  • Investigate and address violations of our Terms of Service
  • Comply with legal obligations

We do not use personal information for advertising. We do not sell or rent personal information to any third party.

5. How We Share Information

With Followers you approve

Content published by a Child Creator is shared only with Followers who have been explicitly approved by the Parent. Harbor Content is not publicly discoverable, is not indexed by search engines, and is accessible only to people the Parent has approved.

With Co-Managers you invite

If a Parent invites a Co-Manager, that person will have access to the Publication's content and settings as configured by the Parent. The Parent controls the scope and duration of Co-Manager access.

With service providers

We use the following trusted third-party service providers to operate the Service. Each is contractually limited to using data only as necessary to provide their services to us, and is not permitted to use personal information for their own marketing or advertising.

  • Clerk (authentication): manages account sign-in and credential storage. Clerk's own privacy policy governs the credentials they hold.
  • Supabase (database): hosts the database containing account, Publication, and Content data, stored in encrypted form.
  • Cloudflare R2 (file storage): stores audio recordings, images, and other media in private buckets. Files are accessible only via short-lived signed URLs generated at the moment of access for authenticated, authorized Users.
  • Vercel (application hosting): runs the Harbor web application and retains server request logs for up to 90 days.
  • Resend (email delivery): sends transactional emails such as invitation links, comment notifications, and follower request alerts.
  • Inngest (background job processing): handles asynchronous tasks such as audio file transcoding. Inngest processes media data transiently and does not retain it beyond the processing task.
  • Google (Gemini API) (AI processing): when AI writing or image features are used, the relevant text or prompt is transmitted to Google's Gemini API for processing. See Section 6 below.

Third-party content embedded in posts

Posts may contain links or embedded content from third-party services (for example, YouTube videos). When a Follower loads such embedded content, the third-party service may collect information directly from that Follower's browser in accordance with its own privacy policy. Harbor does not control and is not responsible for the data practices of third-party services whose content appears in posts. Parents should be aware of this when approving Content that includes embedded third-party media.

For legal compliance

We may disclose personal information if we believe in good faith that such disclosure is necessary to comply with a legal obligation, respond to a valid legal process (such as a court order or subpoena), protect the safety of any person, or protect Harbor's legal rights. Where legally permitted, we will attempt to notify the affected User before making such a disclosure.

In connection with a business transfer

If Harbor is acquired by or merges with another company, personal information may be transferred as part of that transaction. We will notify Users by email and by a prominent notice on the Service before any transfer occurs and before personal information becomes subject to a materially different privacy policy.

6. Third-Party AI Processing

When a User invokes an AI feature (writing suggestions or image generation), the relevant text or prompt is transmitted to Google's Gemini API for processing. Harbor uses a paid Google AI Studio plan, under which Google does not use API inputs or outputs to train its AI models. Harbor does not store raw AI prompts beyond what is necessary to display results within the Service, and does not use any Content created by Child Creators to train, fine-tune, or evaluate any AI model.

7. Audio Recordings

Audio recordings created by Child Creators are stored as ordinary media files (MP3) and are treated as personal information subject to all of the protections described in this policy. We do not extract, analyze, or store voice characteristics, voiceprints, or other biometric identifiers from audio files. Audio files are stored in private, encrypted cloud storage and are accessible only to authenticated, authorized Users. Parents may delete any audio recording at any time, and we will delete it from active storage within 30 days and from encrypted backups within 90 days.

Residents of Illinois, Texas, Washington, and other states with biometric privacy laws should be aware that we do not collect biometric identifiers or biometric information as defined under those laws. If you have questions about our handling of audio data under your state's law, contact us at hello@onharbor.app.

8. Data Storage and Security

All data is stored using industry-standard cloud infrastructure with encryption in transit (TLS) and encryption at rest. Media files are stored in private cloud storage and are accessible only via time-limited signed URLs generated at the moment of access for authenticated, authorized Users.

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. No security system is impenetrable. In the event of a security breach that affects your personal information, we will notify affected Users as required by applicable law.

International data transfers

Harbor is operated from the United States, and our service providers maintain infrastructure in the United States and, in some cases, other countries. By using the Service, you acknowledge that your personal information may be transferred to and processed in the United States or other jurisdictions whose data protection laws may differ from those in your country of residence.

9. Data Retention

We retain personal information for as long as your account is active and for a limited period afterward as needed to fulfill the purposes described in this policy or as required by law. More specifically:

  • Active account data: retained for the duration of the account
  • Published Content: retained until deleted by the Parent or until the account is closed
  • Deleted Content: removed from active storage within 30 days of deletion; may persist in encrypted backups for up to 90 days, after which it is permanently deleted
  • Account closure: upon a Parent's request to close their account, we will delete all associated personal information and Content within 30 days, except where retention is required by law
  • Server logs: retained for up to 90 days for security and debugging purposes

10. Your Rights

COPPA rights — all Parents

If you are a Parent or guardian, you have the right to: review the personal information we have collected about your child; correct inaccurate information; request that we stop collecting or using your child's personal information; and request deletion of your child's personal information.

Note that requesting we stop all data collection for your child will prevent Harbor from being able to provide the Service for that child. If you delete a child's profile from a Publication, all associated personal information and Content will be deleted in accordance with our retention schedule above.

To exercise these rights, contact us at hello@onharbor.app. We will respond within 30 days. We will ask you to verify your identity by confirming information associated with your registered account before fulfilling a request.

California residents

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA/CPRA) to know what personal information we collect and how it is used, to request deletion, to correct inaccurate information, and to opt out of the sale or sharing of personal information. Harbor does not sell or share personal information for cross-context behavioral advertising, and does not engage in any sharing that would require opt-in consent under the CPRA for consumers under 16.

Harbor does not disclose personal information to third parties for their own direct marketing purposes. California residents seeking information under California Business & Professions Code §1798.83 (Shine the Light) may contact us at hello@onharbor.app and we will confirm that no such disclosure has occurred.

Other U.S. residents

Users in Virginia, Colorado, Connecticut, Texas, and other states with comprehensive privacy laws have similar rights of access, correction, deletion, and opt-out of sale. Contact us at hello@onharbor.app to make a request.

International users

If you are located in the European Economic Area, United Kingdom, or another jurisdiction with comprehensive data protection laws, you may have additional rights including access, rectification, erasure, restriction of processing, data portability, and the right to object. Contact us at hello@onharbor.app to make a request.

11. Do Not Track

Some browsers offer a “Do Not Track” (DNT) signal that requests that a website not track the user. The Service does not currently alter its data collection or use practices in response to DNT signals, as there is no uniform standard for how such signals should be interpreted. If a standard is established in the future, we will revisit this approach.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and notify Account Holders by email before the changes take effect. For any changes that affect how we handle children's personal information, we will provide advance notice to Parents and, where required by COPPA or other applicable law, obtain fresh consent before the changes take effect.

13. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal information — especially regarding a child's privacy — please contact us:

On Harbor, LLC
2804 Gateway Oaks Dr. #100
Sacramento, CA 95833
Email: hello@onharbor.app