Privacy and Cookies Policy
Last Updated: December 23, 2025 | Effective Date: December 23, 2025
1. Introduction
Harado.ai ("Harado.ai," "we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy and Cookies Policy ("Policy") explains how we collect, use, disclose, and safeguard your information when you access or use our software-as-a-service (SaaS) platform (the "Service"), which enables users to create, manage, and collaborate on business plans using the Harada method, including AI-assisted features for grid generation, milestone suggestions, and related tools. The Service is accessible via our website at www.harado.ai (the "Website") and any associated mobile applications or APIs.
This Policy applies to all users of the Service and Website, including visitors, registered users, and those accessing the Service through an organization or entity ("Organization"). It covers personally identifiable information ("Personal Data") that can identify you as an individual, as well as non-personally identifiable information that may become personal when combined with other data.
By using the Service or Website, you consent to the practices described in this Policy. If you do not agree, please do not use the Service or Website. This Policy is incorporated into our Terms & Conditions (available at www.harado.ai/terms), and capitalized terms not defined herein have the meanings given in the Terms & Conditions.
We process Personal Data in compliance with the General Data Protection Regulation ("GDPR") for users in the EEA, UK, or Switzerland; the UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data ("PDPL"); the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); and other applicable laws. If you are in a jurisdiction with specific privacy laws, additional rights and provisions may apply, as detailed below.
We may update this Policy from time to time. If changes are material, we will notify you via email or through the Service. Your continued use after the effective date constitutes acceptance of the revised Policy.
2. Information We Collect
We collect information from you directly, automatically, and from third parties. The types of information include:
2.1 Personal Data You Provide Directly
- Account Information: When you register, we collect your email address and password. If you use third-party authentication (e.g., Google), we receive your name and email from that provider.
- User Content: Business plans, grids, milestones, text, files, and other materials you upload or create on the Service.
- Communications: Information from emails, support tickets, feedback forms, or surveys, including any attachments.
- Other Voluntary Data: Preferences, demographic details, or information provided during feature usage.
2.2 Information Collected Automatically
- Usage Data: Details on how you interact with the Service, such as features accessed, actions taken, and AI-generated outputs reviewed or edited.
- Device and Technical Data: IP address, browser type, operating system, device identifiers, and connection type.
- Location Data: Approximate location derived from IP address (we do not collect precise geolocation without consent).
- Log Data: Access times, referring/exit pages, and error logs.
- Cookies and Tracking Technologies: See Section 7 for details.
2.3 Information from Third Parties
- Authentication Providers: Data from third-party authentication services (e.g., Google), subject to their privacy policies.
- Public Sources: Aggregated or publicly available data for analytics or enhancement.
- Other Users: If invited to a workspace, we may receive your contact details from the Organization or other users.
We do not intentionally collect sensitive Personal Data (e.g., health, racial/ethnic origin, political opinions, religious beliefs) unless you voluntarily provide it in User Content. If you do, you consent to its processing as described herein, subject to heightened protections under GDPR (where it requires explicit consent) and PDPL.
3. How We Use Your Information
We process your information for legitimate business purposes, based on lawful bases such as consent, contract performance, legitimate interests (e.g., Service improvement, security), or legal obligations. Specific uses include:
- Providing and improving the Service (e.g., generating Harada grids, enabling collaboration, tracking progress).
- Personalizing your experience (e.g., AI suggestions tailored to your inputs).
- Managing accounts and authentication.
- Communicating with you (e.g., service updates, support responses).
- Analyzing usage for insights, research, and product development (e.g., training AI models on anonymized data to enhance accuracy).
- Security and fraud prevention.
- Compliance with laws and legal processes.
For AI Features: We use your inputs and interactions to generate outputs and may use anonymized or aggregated data to train and improve AI models. We do not use your Personal Data for training without consent, and outputs are not shared externally except as permitted.
Under GDPR, our lawful bases include: (a) consent for marketing and non-essential cookies; (b) contract for Service provision; (c) legitimate interests for analytics and improvements (balanced against your rights); and (d) legal obligations for compliance.
4. Sharing Your Information
We do not sell your Personal Data (as defined under CCPA/CPRA or GDPR). We share information only as follows:
- Service Providers: With vendors (e.g., Supabase for database and authentication, Cloudflare for AI features, analytics providers) who assist us, bound by confidentiality and data protection agreements.
- Affiliates: Within our corporate group for internal operations.
- Organizations: For Managed Users, your data is accessible to the Organization controlling the workspace.
- Business Transfers: In mergers, acquisitions, or asset sales, with the successor adhering to this Policy.
- Legal Requirements: To comply with laws, subpoenas, or to protect rights, safety, or property.
- With Consent: For any other purpose with your explicit permission.
5. Data Retention
We retain Personal Data as long as necessary for the purposes outlined, or longer if required by law. Usage Data is retained for analytics up to 24 months. Upon account deletion, we delete or anonymize data within 30 days (or 45 days under CCPA/CPRA), except for backups (retained up to 90 days).
6. Security
We implement reasonable administrative, technical, and physical safeguards (e.g., encryption, access controls, regular audits) to protect your data, in line with GDPR Article 32 and PDPL requirements. However, no system is completely secure; we cannot guarantee against breaches. You are responsible for securing your account credentials.
In case of a data breach, we will notify affected users and authorities as required by law (e.g., within 72 hours to supervisory authorities and users under GDPR; promptly under PDPL and CCPA/CPRA if high risk).
7. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance functionality, analyze usage, and provide authentication. Cookies are small text files stored on your device.
7.1 Types of Cookies We Use
- Essential Cookies: Necessary for Service operation, including authentication session cookies (set by Supabase) that keep you logged in. These cookies are required for the Service to function.
- Analytics Cookies: We use our own analytics system to track usage patterns and improve the Service. This data is stored anonymously and helps us understand how features are used.
- Functionality Cookies: Remember your preferences such as expanded/collapsed states in the grid view.
7.2 Third-Party Services
We use the following third-party services that may set cookies:
- Supabase: For authentication and database services. Supabase sets session cookies to maintain your login state.
- Cloudflare: For AI features and content delivery. May set cookies for performance and security.
7.3 Managing Cookies
You can manage cookies via your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, disabling essential cookies will prevent you from using the Service, as they are necessary for authentication and core functionality.
Note: We do not use third-party advertising cookies or tracking pixels for advertising purposes. We do not share your data with advertising networks.
8. Your Privacy Rights and Data Protection
You have rights depending on your location. We respond to verified requests within 30-45 days (extendable under GDPR), free of charge (up to twice per year under CCPA/CPRA).
Universal Rights
- Access to your Personal Data
- Rectification of inaccurate data
- Erasure ("Right to be Forgotten")
- Restriction of processing
- Data portability
- Objection to processing
- Withdrawal of consent
- Not to be subject to solely automated decisions with legal effects
How to Exercise: Submit requests to hello@harado.ai with verification (e.g., email confirmation).
8.1 GDPR-Specific Rights (EEA, UK, Switzerland)
If GDPR applies (e.g., you are in the EEA/UK or we process your data there), you have the above rights. Processing bases include consent, contract, legitimate interests, and legal obligations. You may lodge complaints with your supervisory authority (e.g., the ICO in the UK, the CNIL in France).
8.2 PDPL-Specific Rights (UAE)
Under PDPL, you have similar rights to access, correct, erase, restrict, port, object, and withdraw consent. Complaints can be lodged with the UAE Data Office.
8.3 CCPA/CPRA-Specific Rights (California Residents)
You have the right to know, to delete, to opt out of sales/sharing (we do not sell/share as defined), to limit sensitive data use, and to non-discrimination. We do not use Personal Data for automated profiling with legal effects without safeguards.
9. International Data Transfers
As a UAE-based company with global users, data may be transferred outside your jurisdiction. For transfers from the EEA/UK to non-adequate countries (e.g., UAE, US), we rely on EU Standard Contractual Clauses, UK International Data Transfer Agreements, or equivalent safeguards. Under PDPL, transfers require adequate protection or safeguards as determined by the UAE Data Office. Contact us for copies of safeguards.
10. Children's Privacy
The Service is not intended for children under 16 (or the applicable age in your jurisdiction, e.g., 13 under COPPA in the US, 18 under UAE child protection laws). We do not knowingly collect Personal Data from children without parental/guardian consent. If we learn of such collection, we will delete it promptly. Parents/guardians: Contact hello@harado.ai for concerns.
11. Changes to This Policy
See the Introduction for the update process.
12. Contact Us
For questions or requests, email hello@harado.ai.
Data Protection Officer (for GDPR/PDPL): hello@harado.ai
By using the Service, you acknowledge this Policy.