← Back to dashboard

Privacy Policy

Last updated: April 2026

1. Controller and Contact

Harbor is operated by WeRate Oy (Business ID 3266878-5), a Finnish company, and is the data controller for this policy.

Contact: jesper@hostharbor.fi. We have not appointed a Data Protection Officer.

2. Purposes and Legal Basis

  • Account and identity management (Article 6(1)(b)).
  • Application hosting, domains, DNS, AI builder, SEO tools, support operations (Article 6(1)(b)).
  • Payments and invoicing via Stripe (Article 6(1)(b)).
  • Security, anti-abuse monitoring, incident response (Article 6(1)(f)).
  • Legal obligations such as bookkeeping, tax, and registry duties (Article 6(1)(c)).
  • Optional, consent-based integrations or analytics (Article 6(1)(a)).

3. Categories of Data

  • Identity and account data.
  • Billing and tax data.
  • Domain and WHOIS data.
  • Integration tokens and environment variables (encrypted).
  • Application/deployment and builder data.
  • Support assistant messages and contact-form data.
  • Usage logs, IP, and technical metadata.

4. Recipients and Subprocessors

  • Hetzner
  • Coolify
  • OpenProvider
  • Stripe
  • GitHub
  • Resend
  • OpenRouter and model providers
  • Google APIs
  • S3-compatible object storage
  • IndexNow
  • PageShot
  • Cloudflare Turnstile / hCaptcha

5. Retention

  • Account data: kept while active; then deleted/anonymized unless lawful retention applies.
  • Payment records: 6 years under Finnish Accounting Act.
  • Audit logs: kept as required by legal and security needs.
  • Support assistant: default 30 days.
  • Contact forms: up to 180 days.
  • Metrics/samples: about 30 days.

6. Your Rights

  • Access, rectification, erasure, restriction, portability, objection (Articles 15-21 GDPR).
  • Withdraw consent at any time (Article 7).
  • Complain to the Finnish Data Protection Ombudsman or local EEA authority.

7. Cookies and Similar Technologies

Harbor uses essential cookies/local storage for authentication, security, and consent state only. Optional technologies are only used with explicit consent.

8. International Transfers

Core infrastructure is in the EU. Third-country transfers rely on SCCs and EU-U.S. DPF where applicable.

9. AI and Automated Processing

AI output is assistive. It does not create legally binding automated decisions under Article 22 GDPR.

10. Security

Harbor applies TLS, encryption, access control, and audit logs. We follow GDPR breach timelines when required.

11. Mandatory vs Voluntary Data

Account, billing, and domain registration data are required. Optional profile information can be omitted.

12. Changes

This policy is updated over time. Material updates are published with a new date.

13. Contact

WeRate Oy (Business ID 3266878-5), Finland. jesper@hostharbor.fi

Terms of Service →