This Privacy Policy explains how Harlo ("Harlo", "we", "us", or "our") collects, uses, shares, and protects personal information in connection with our AI voice and chat agent platform, websites, APIs, and related services (collectively, the "Services"). It applies to information we process as a business and, where applicable, distinguishes our role as a controller (for our own business and website) from our role as a processor/service provider (when handling data on behalf of our business customers).
When you visit our website, create an account, or communicate with us, Harlo acts as a controller of your personal information. When our business customers ("Customers") use the Services to operate AI agents that interact with their own end users ("End Users"), Harlo generally acts as a processor/service provider that handles personal information on the Customer's behalf and under their instructions. In that case, the Customer is the controller, and their own privacy notice governs how End User data is collected and used. End Users should direct requests about such data to the relevant Customer.
| Category | Examples |
|---|---|
| Account & contact data | Name, email, phone number, company, role, billing details, and login credentials. |
| Configuration data | Tenant and agent settings, prompts, routing rules, integration credentials and secret references, and business information you provide. |
| Communications content | Call audio, chat messages, transcripts, summaries, tool-invocation records, and metadata such as timestamps, phone numbers, channel, and call disposition. |
| Usage & device data | Log data, IP address, browser/device identifiers, feature usage, and diagnostic events. |
| Billing & usage metering | Call minutes, transcription seconds, character and token counts, and derived cost estimates. |
| Support data | Information you provide when contacting us for support or sales. |
The Services answer phone calls and conduct chat and audio conversations on behalf of Customers. Depending on Customer configuration and applicable law, we may process and store audio, transcripts, and AI-generated summaries of these interactions. Where call-recording features are enabled, recording may be consent-gated, and audio captured before consent is granted is not retained. Customers are responsible for configuring consent settings, providing legally required notices, and ensuring a lawful basis for recording, transcription, and analysis in all relevant jurisdictions.
We do not sell personal information, and we do not use End User communications content to train general-purpose foundation models without appropriate authorization.
Where the GDPR or UK GDPR applies and Harlo acts as a controller, we rely on the following legal bases: performance of a contract (to provide the Services you request); legitimate interests (to secure, improve, and operate the Services, balanced against your rights); consent (where required, e.g., certain cookies or marketing); and compliance with legal obligations. Where Harlo acts as a processor, the Customer is responsible for establishing the appropriate legal basis for processing End User data.
We share personal information only as needed to provide the Services and as described here:
We engage trusted third parties to deliver the Services, which may include:
Subprocessors are bound by contractual obligations to protect personal information and to process it only as instructed. A current list of subprocessors is available on request by emailing privacy@askharlo.ai.
The Services use automated speech recognition and large language models to understand and respond to conversations. Conversation content may be transmitted to model providers to generate responses and summaries. AI output may be inaccurate; it is not a substitute for professional advice. Decisions that produce legal or similarly significant effects should involve human review. Where applicable law grants rights regarding automated decision-making, you may exercise them as described below.
We retain personal information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods for call records, transcripts, and recordings are generally governed by Customer configuration and contractual terms. When Harlo acts as a processor, we delete or return Customer Data following termination, subject to a limited export and backup-expiry window. Where a Customer has not specified a retention period, our default is to retain call records, transcripts, and recordings for 12 months, after which they are deleted or de-identified, unless a longer period is required to comply with legal obligations, resolve disputes, or enforce our agreements.
We implement technical and organizational measures designed to protect personal information, including encryption in transit, access controls, tenant isolation, secret management (storing pointers rather than secret values where possible), and logging that avoids capturing secret values. No system is perfectly secure, and we cannot guarantee absolute security. You are responsible for safeguarding your credentials and configuring your account securely.
Our platform and data are primarily hosted in the United States, and we and our subprocessors may process personal information there and in other countries where our service providers operate. Where we transfer personal data from the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (together with the UK International Data Transfer Addendum) or other lawful transfer mechanisms.
Depending on your location, you may have rights to access, correct, delete, or port your personal information; to object to or restrict certain processing; to withdraw consent; and to lodge a complaint with a supervisory authority. Residents of certain U.S. states may have rights to know, delete, correct, and opt out of "sale" or "sharing" and targeted advertising (we do not sell personal information). To exercise rights, contact us using the details below. Where Harlo processes data on a Customer's behalf, we will direct End User requests to, or assist, the relevant Customer.
The Services are not directed to children, and we do not knowingly collect personal information from children under the age defined by applicable law. If you believe a child has provided us personal information, please contact us so we can take appropriate action.
Our website and dashboards use cookies and similar technologies for authentication, preferences, security, and analytics. Essential cookies needed to operate the site are always active. For non-essential analytics cookies we ask for your consent first: when you visit our marketing site you'll see a consent banner, and analytics remain disabled until you choose "Accept." We implement this using Google Consent Mode, which keeps analytics storage denied by default until you opt in.
When you accept, we use the following website-analytics services:
You can withdraw consent at any time by clearing this site's stored data in your browser (which removes your saved choice and shows the banner again) or by adjusting your browser's cookie settings.
We may update this Privacy Policy from time to time. We will post the updated version with a revised "Last updated" date and, for material changes, provide additional notice where required. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.
For privacy questions or to exercise your rights, contact:
Harlo
Privacy: privacy@askharlo.ai
Our registered company name and postal address are available on request.