Privacy Policy

Last updated: 30 May 2025

At Harmonica, we take your privacy seriously. This Privacy Policy explains how we treat your personal data when you use our Services. By using Harmonica's Services, you accept the practices outlined in this Privacy Policy and consent to our collection, use, and sharing of your information as described here.

Your use of our Services is subject to our Terms of Use, which incorporates this Privacy Policy. We may update this Privacy Policy as our Services evolve. We will notify you of material changes through our website, email, or other means. If you continue to use the Services after changes are posted, you agree to the updated Privacy Policy.

Our Values

Trust is the foundation of Harmonica's platform and includes trusting us to do the right thing with your information. Three main values guide us as we develop our products and services. These values should help you better understand how we think about your information and privacy.

Your information belongs to you

We carefully analyze what types of information we need to provide our services, and we limit the information we collect to only what we really need to deliver and improve our products. Where possible, we delete or anonymize information when we no longer need it. When building and improving our products, we build them with privacy and security in mind. Our guiding principle is that your information belongs to you, and we aim to only use your information to enhance your experience and improve our services.

We protect your information from others

We do not share your information with others unless you give us permission to do so, or we are legally required to do so.

We are transparent about how we use your information

We aim to provide clear information about our data practices and to provide you with tools to control your information and protect your privacy.

What this Privacy Policy Covers

This Privacy Policy covers how we treat Personal Data that we gather when you access or use our Services. "Personal Data" means any information that identifies or relates to a particular individual and also includes information referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, rules or regulations. This Privacy Policy does not cover the practices of companies we don't own or control or people we don't manage.

Important Note: Session Hosts vs. Session Participants

Harmonica serves two distinct types of users with different data handling procedures:

Session Hosts: Users who create accounts, sign in to our platform, and organize async workshops or deliberation sessions. Session Hosts have full control over their data and can delete their accounts and all associated session data (including all participant responses) through their account settings.

Session Participants: Users who participate in workshops or deliberation sessions without creating accounts or signing in. Session Participants cannot directly delete their data through the platform and must contact us directly at hello@harmonica.chat to request data deletion.

Personal Data

Categories of Personal Data We Collect

This chart details the categories of Personal Data that we may collect and may have collected over the past 12 months:

Category of Personal DataExamples of Personal Data We CollectCategories of Third Parties With Whom We Share this Personal DataProfile or Contact DataFirst and last name, EmailService Providers, Analytics Partners, Parties You Authorize, Access or AuthenticatePayment DataFinancial account information, Payment card type, Last 4 digits of payment card, Billing address, phone number, and emailService Providers (specifically our payment processing partner)Device/IP DataIP address, IP-address-based location information, Device ID, Type of device/operating system/browser used to access the ServicesAnalytics Partners, Parties You Authorize, Access or AuthenticateWeb AnalyticsWeb page interactions, Referring webpage/source through which you accessed the ServicesAnalytics Partners, Parties You Authorize, Access or AuthenticateSocial Network DataSocial media profilesService Providers, Parties You Authorize, Access or AuthenticateProfessional or Employment-Related DataJob title and role, Employer, Company informationService Providers, Parties You Authorize, Access or AuthenticateWorkshop and Session DataWorkshop content, discussion posts, deliberation materials, participant responses, voting data, collaboration files and documents, session configurations and settingsService Providers, Analytics Partners, Parties You Authorize, Access or AuthenticateOther Identifying Information that You Voluntarily Choose to ProvideIdentifying information in emails, letters, texts, or other communication you send us, Session data including but not limited to participant feedback, discussion content, and outcomes, Any other identifying information you authorize Harmonica to access or elect to share with Harmonica, Any derivatives of such data, including but not limited to AI-generated summaries and insightsService Providers, Analytics Partners, Parties You Authorize, Access or Authenticate

AI Processing Data

Notwithstanding the foregoing, to the extent we use AI technologies to process your Personal Data, our use of such Personal Data will be limited to providing and improving our workshop facilitation services. We do not use your workshop content to train general AI models or share it with AI providers for model development purposes.

Categories of Sources of Personal Data

We may collect Personal Data about you from the following categories of sources:

You

  • When you provide such information directly to us.
    • When you create an account (Session Hosts only) or participate in our Services.
    • When you voluntarily provide information in free-form text boxes through the Services or through responses to surveys or questionnaires.
    • When you send us an email or otherwise contact us.
  • When you use the Services and such information is collected automatically.
    • Through Cookies (defined in the "Tracking Tools and Opt-Out" section below).
    • If you use a location-enabled browser, we may receive information about your location.
    • If you download and install certain applications and software we make available, we may receive and collect information transmitted from your computing device for the purpose of providing you the relevant Services.

Third Parties

  • Vendors
    • We may use analytics providers to analyze how you interact and engage with the Services, or third parties may help us provide you with customer support.
    • We may use vendors to obtain information to generate leads and create user profiles.
  • Third Party Accounts
    • If you provide your social network account credentials to us or otherwise sign in to the Services through a third-party site or service (Session Hosts only), some content and/or information in those accounts may be transmitted into your account with us.

Our Business Purposes for Collecting or Disclosing Personal Data

Providing, Customizing and Improving the Services

  • Creating and managing your account or other user profiles (Session Hosts only).
  • Processing orders or other transactions; billing.
  • Providing you with the products, services or information you request.
  • Meeting or fulfilling the reason you provided the information to us.
  • Providing support and assistance for the Services.
  • Improving the Services, including testing, research, internal analytics and product development.
  • Personalizing the Services, website content and communications based on your preferences.
  • Doing fraud protection, security and debugging.
  • Carrying out other business purposes stated when collecting your Personal Data or as otherwise set forth in applicable data privacy laws.
  • Facilitating async workshops and deliberations.
  • Generating AI-powered insights and summaries from workshop content.
  • Enabling cross-pollination and consensus-building features.

Marketing the Services

  • Marketing and selling the Services (primarily to Session Hosts).

Corresponding with You

  • Responding to correspondence that we receive from you, contacting you when necessary or requested, and sending you information about Harmonica or the Services.
  • Sending emails and other communications according to your preferences or that display content that we think will interest you.

Meeting Legal Requirements and Enforcing Legal Terms

  • Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities.
  • Protecting the rights, property or safety of you, Harmonica or another party.
  • Enforcing any agreements with you.
  • Responding to claims that any posting or other content violates third-party rights.
  • Resolving disputes.

We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated or incompatible purposes without providing you notice.

How We Disclose Your Personal Data

We carefully analyze what types of information we need to provide our services, and we try to limit the information we collect to only what we really need. Where possible, we delete or anonymize this information when we no longer need it. When building and improving our products, our engineers work closely with our privacy and security teams to build with privacy in mind. In all of this work our guiding principle is that your information belongs to you, and we aim to only use your information to your benefit.

We may disclose your Personal Data to the categories of service providers and other parties listed in this section. Depending on state laws that may be applicable to you, some of these disclosures may constitute a "sale" of your Personal Data. For more information, please refer to the state-specific sections below.

Service Providers. These parties help us provide the Services or perform business functions on our behalf. They include:

  • Hosting, technology and communication providers.
  • Security and fraud prevention consultants.
  • Support and customer service vendors.
  • Product fulfillment and delivery providers.
  • AI processing providers for workshop analysis and insights.
  • Payment processors.
    • Our payment processing partner (Stripe) collects your voluntarily-provided payment card information necessary to process your payment.
    • Please see our payment processor's terms of service and privacy policy for information on its use and storage of your Personal Data.

Analytics Partners. These parties provide analytics on web traffic or usage of the Services. They include:

  • Companies that track how users found or were referred to the Services.
  • Companies that track how users interact with the Services.

Parties You Authorize, Access or Authenticate

  • Organizations through which you access our Services (such as your employer)
  • Third parties you access through the services.
  • Social media services.
  • Other users in your organization or workshop groups.

Legal Obligations

We may share any Personal Data that we collect with third parties in conjunction with any of the activities set forth under "Meeting Legal Requirements and Enforcing Legal Terms" in the "Our Commercial or Business Purposes for Collecting Personal Data" section above.

Business Transfers

All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.

Data that is Not Personal Data

We may create aggregated, de-identified or anonymized data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified or anonymized data and share it with third parties for our lawful business purposes, including to analyze, build and improve the Services and promote our business, provided that we will not share such data in a manner that could identify you.

Tracking Tools and Opt-Out

The Services use cookies and similar technologies such as pixel tags, web beacons, clear GIFs and JavaScript (collectively, "Cookies") to enable our servers to recognize your web browser, tell us how and when you visit and use our Services, analyze trends, learn about our user base and operate and improve our Services. Cookies are small pieces of data– usually text files – placed on your computer, tablet, phone or similar device when you use that device to access our Services. We may also supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s).

We use the following types of Cookies:

  • Essential Cookies. Essential Cookies are required for providing you with features or services that you have requested. For example, certain Cookies enable you to log into secure areas of our Services (Session Hosts only). Disabling these Cookies may make certain features and services unavailable.
  • Functional Cookies. Functional Cookies are used to record your choices and settings regarding our Services, maintain your preferences over time and recognize you when you return to our Services. These Cookies help us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
  • Performance/Analytical Cookies. Performance/Analytical Cookies allow us to understand how visitors use our Services. They do this by collecting information about the number of visitors to the Services, what pages visitors view on our Services and how long visitors are viewing pages on the Services. Performance/Analytical Cookies also help us measure the performance of our advertising campaigns in order to help us improve our campaigns and the Services' content for those who engage with our advertising.

You can decide whether or not to accept Cookies through your internet browser's settings. Most browsers have an option for turning off the Cookie feature, which will prevent your browser from accepting new Cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new Cookie in a variety of ways. You can also delete all Cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit our website and some of the Services and functionalities may not work.

Data Security

We always want you to feel confident about providing us with your personal data. We have therefore taken appropriate security measures to protect your personal data against unauthorized access, alteration, and erasure. Even though we work hard to protect your data, no security measures are perfect or impenetrable. Should a security breach occur that may materially impact you or your personal data, e.g., risk of fraud or identity theft, we will contact you to explain what action you can take to mitigate potential adverse effects of the breach.

You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism (Session Hosts only); limiting access to your computer or device and browser; and signing off after you have finished accessing your account. We strongly advise you to be cautious and to protect your own personal data. You are responsible for keeping your passwords confidential and avoiding others from observing your personal data when using our services in public spaces.

Automatic Data Deletion Policies

We have implemented automatic data deletion policies to ensure your personal data is not retained longer than necessary:

Session Host Data Deletion

  • Account Deletion: When a Session Host deletes their account through their account settings, all associated data including profile information, payment data, and all session data (including all participant responses) is automatically scheduled for deletion within 30 days.
  • Session Deletion: When a Session Host deletes a specific session through their account settings, all data associated with that session, including all participant responses, is automatically scheduled for deletion within 30 days.
  • Inactive Account Deletion: Session Host accounts that remain inactive (no login) for more than 2 years will be automatically scheduled for deletion, with 30 days advance notice sent to the registered email address.

Session Participant Data Deletion

  • Automatic Deletion: Personal data of Session Participants (responses, contributions, and associated metadata) is automatically scheduled for deletion 1 year after the session ends, unless the Session Host deletes the session earlier.
  • Manual Deletion Requests: Session Participants can request immediate deletion of their data by contacting us at hello@harmonica.chat. We will process such requests within 30 days.

Data Deletion Process

When data is scheduled for deletion:

  1. Data is immediately marked for deletion and becomes inaccessible through our Services
  2. Data is permanently removed from our active systems within 30 days
  3. Data is permanently removed from our backup systems within 90 days
  4. Aggregated, anonymized data may be retained indefinitely for improving our Services

Exceptions to Automatic Deletion

Data may be retained beyond the automatic deletion periods only when:

  • Required by law or legal obligation
  • Necessary for pending legal proceedings
  • Required for fraud prevention or security purposes
  • Part of aggregated, anonymized datasets that cannot identify individuals

Data Retention

We retain your personal data only for as long as necessary for the purposes for which we originally collected the data in accordance with this Privacy Policy. When we no longer need to save your data, we will remove it from our systems, databases, and backups according to our automatic deletion policies outlined above.

If return or destruction is incidentally prohibited by a valid legal order, Harmonica shall take measures to inform you and block such personal data from any further processing (except to the extent necessary for its continued hosting or processing required by applicable law) and shall continue to appropriately protect the personal data remaining in its possession, custody, or control.

For example:

  • We retain Session Host profile information, credentials, and session data for as long as they have an account with us or according to our automatic deletion policies.
  • We retain payment data for as long as we need to process purchases or subscriptions.
  • We retain device/IP data for as long as we need it to ensure that our systems are working appropriately, effectively and efficiently.
  • We retain Session Participant data for up to 1 year after session completion or until the Session Host deletes the session, whichever comes first.
  • We retain Aggregated Data in order to improve Harmonica's products, software and services, including after termination of accounts or the Services.
  • Personal data processed to fulfill legal obligations will be stored for the required legal retention periods under Portuguese law.

Personal Data of Children

As noted in the Terms of Use, we do not knowingly collect or solicit Personal Data from children under 16 years of age; if you are a child under the age of 16, please do not attempt to register for or otherwise use the Services or send us any Personal Data. If we learn we have collected Personal Data from a child under 16 years of age, we will delete that information as quickly as possible. If you believe that a child under 16 years of age may have provided Personal Data to us, please contact us at hello@harmonica.chat.

Additional Privacy Rights

European Union and Data Subject Rights

If you are a resident of the European Union ("EU"), Lichtenstein, Norway or Iceland, you have rights under the General Data Protection Regulation (the "GDPR") with respect to your Personal Data, as outlined below.

For this section, we use the terms "Personal Data" and "processing" as they are defined in the GDPR, but "Personal Data" generally means information that can be used to individually identify a person, and "processing" generally covers actions that can be performed in connection with data such as collection, use, storage and disclosure. Anton Mikhailov will be the controller of your Personal Data processed in connection with the Services.

If there are any conflicts between this section and any other provision of this Privacy Policy, the policy or portion that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following applies to you, please contact us at the email address provided in the Contact Information section.

Personal Data Use and Processing Grounds

The "Our Commercial or Business Purposes for Collecting Personal Data" section above explains how we use your Personal Data.

We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity and our "legitimate interests" or the legitimate interest of others, as further described below.

Contractual Necessity: We process the following categories of Personal Data as a matter of "contractual necessity", meaning that we need to process the data to perform under our Terms of Use with you, which enables us to provide you with the Services. When we process data due to contractual necessity, failure to provide such Personal Data will result in your inability to use some or all portions of the Services that require such data.

  • Profile or Contact Data
  • Payment Data
  • Professional or Employment-Related Data
  • Workshop and Session Data
  • Other Identifying Information that You Voluntarily Choose to Provide

Legitimate Interest: We process the following categories of Personal Data when we believe it furthers the legitimate interest of us or third parties:

  • Profile or Contact Data
  • Payment Data
  • Device/IP Data
  • Web Analytics
  • Professional or Employment-Related Data
  • Workshop and Session Data
  • Other Identifying Information that You Voluntarily Choose to Provide

We may also de-identify or anonymize Personal Data to further our legitimate interests. Examples of these legitimate interests include (as described in more detail above):

  • Providing, customizing and improving the Services.
  • Marketing the Services.
  • Corresponding with you.
  • Meeting legal requirements and enforcing legal terms.
  • Completing corporate transactions.

Consent: In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time of collection.

Other Processing Grounds: From time to time we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.

Data Subject Rights

You have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights, or to submit a request, please email us at hello@harmonica.chat with the subject line: "GDPR Request: [nature of request]". Your request must include enough information for us to verify your identity, relationship with Harmonica, and the nature of your request. In some circumstances, we may not be able to fully comply with your request, such as if we are unable to verify your identity, your request it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision.

Access: You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. Session Hosts can also access certain of their Personal Data by logging on to their account.

Rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. Session Hosts can modify certain information directly through their account settings.

Erasure: Session Hosts can delete certain account-related information and entire sessions (including all participant data) within their account settings, which triggers our automatic deletion process. Session Participants and others can request that we erase Personal Data from our systems by emailing hello@harmonica.chat. In the event you would like to exercise your right for the erasure of your personal data, please send an email with the subject line "Erasure of Personal Data Request." We will confirm receipt of your request and take reasonable steps to ensure you are the data subject. Upon verification, we will complete the erasure without undue delay.

Withdrawal of Consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Services.

Portability: You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.

Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.

Restriction of Processing: You can ask us to restrict further processing of your Personal Data.

Right to File Complaint: You have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) if you are not satisfied with our processing of your personal data.

Transfers of Personal Data

Harmonica will process your personal data within the EU/EEA. However, we occasionally need to transfer personal data to third countries, either directly or through our sub-processors. If we engage in such transfer, we will ensure that there is a legal basis for the transfer and that the level of protection is equivalent to that applicable within the EU/EEA, either by ensuring that the country has an adequate level of protection, that we have taken adequate protective measures such as the European Commission's standard contractual clauses, that you have given your explicit consent or that the transfer is necessary with regards to the purposes set out in relevant data protection legislation.

Changes to the Privacy Policy

We have the right to make changes to this Privacy Policy at any time. When we make changes that are not purely editorial, such as formatting, typographical error corrections, or other changes that do not materially affect you, we will inform you of these changes and what they mean for you before they become effective.

Contact Information

Do not hesitate to contact us if you have any questions about this Privacy Policy, our processing of your personal data, or if you wish to exercise your rights.

Anton Mikhailov

Service Provider (Self-employed professional)

NIF: 318706814

Rua Sociedade Recreativa 1 de Maio, 17, 1 dto

2430-193 Marinha Grande

Portugal

Email: hello@harmonica.chat

Website: www.harmonica.chat