Privacy Policy

1. Who we are

Harwick is a private lead-management workspace for real estate teams. Workspaces connect their own Instagram and Facebook pages, CRM (Follow Up Boss), calendar (Google Calendar), and voice/SMS providers so Harwick AI can capture inbound leads, qualify them through conversation, route them to the right agent, and sync qualified leads to the team's system of record.

Harwick is operated by the Harwick team. To contact us about privacy, email support@harwick.lol.

2. Data we collect

We collect only the data needed to operate the service.

• Workspace account data: name, email, role, workspace membership.
• Meta-connected page data: Facebook Page ID and name, Instagram Business Account ID and handle, page access tokens (encrypted at rest), and post/comment context for posts your team publishes.
• Conversation data from connected channels: Instagram and Facebook DMs and comments to and from your connected pages, including message content, sender ID, and timestamps. We also process voice call transcripts when you connect Retell, and SMS message content when you connect Twilio.
• Lead data: contact info, source, qualification answers, intent score, assignment, status, and conversation history.
• Calendar availability: when a member connects Google Calendar, we read FreeBusy windows and write showing events to their primary calendar. We do not read event titles or attendee lists.
• Integration credentials: OAuth tokens and API keys for Meta, Google Calendar, Follow Up Boss, Twilio, Retell, and Stripe, encrypted with AES-256 before storage.
• Operational telemetry: audit logs, AI tool calls, automation policy decisions, error events, and provider failures, used to operate and improve the service.

3. How we use data

• To capture inbound leads from your connected channels and run the Harwick AI runtime that qualifies, routes, and surfaces them.
• To sync qualified leads to your connected CRM (Follow Up Boss) when you authorize that action.
• To support workspace members in viewing and acting on lead activity.
• To meter usage for billing and to apply plan-level limits.
• To detect provider failures, RLS policy violations, and abuse, and to keep the platform safe.

We do not sell data. We do not use Meta-derived data to advertise to your end users.

3a. Meta Platform Data

"Meta Platform Data" means data, including Facebook user data, Page data, Instagram Business Account data, messages, comments, and any insights, derived from Meta's APIs and made available to Harwick when a workspace connects its Facebook Page or Instagram Business Account.

• We use Meta Platform Data only to operate the lead-management features the workspace explicitly enables — capturing inbound DMs and comments, qualifying and routing leads, drafting and sending replies on behalf of the workspace, and syncing qualified leads to the workspace's CRM.
• We do not sell, license, rent, or transfer Meta Platform Data to any third party for advertising, data brokerage, ad-targeting, audience-building, or any commercial purpose unrelated to the service the workspace is using.
• We do not use Meta Platform Data to train, fine-tune, or improve any generalized, foundation, or third-party AI model. The sub-processors that handle Meta Platform Data are configured with training disabled (see the OpenAI line in Sub-processors).
• We retain Meta Platform Data only as long as a workspace remains connected, plus the standard 30-day deletion window. When a workspace disconnects its Meta integration, associated tokens are revoked and conversation data linked to that integration is purged within 30 days unless legally required to retain.
• We host Meta Platform Data in the United States on Supabase (Postgres) and Vercel infrastructure, encrypted at rest with AES-256 and in transit with TLS 1.2+.
• Members of the workspace that connected the account, plus the Harwick operations team for support and abuse response, are the only parties with access. Access by Harwick staff is logged.

4. Sub-processors

Harwick uses the following providers to deliver the service:

• Supabase — managed Postgres + auth + storage.
• Vercel — application hosting and edge runtime.
• OpenAI — language-model inference for the Harwick AI runtime. We do not enable training on customer data.
• Stripe — billing.
• Twilio — SMS messaging when enabled by the workspace.
• Retell — voice agent provisioning and call handling when enabled by the workspace.
• Google — Calendar API for FreeBusy and event creation when a member connects their Google account.
• Follow Up Boss — CRM sync when a workspace connects FUB.

5. Data retention

Active workspace data is retained while the workspace is active. Audit logs are retained for at least 12 months for security and compliance. When a workspace is deleted or a user requests deletion, we remove personal data within 30 days, except where a longer retention is required by law.

6. Your rights and how to delete your data

You can request deletion of your data at any time. Detailed instructions, including the request endpoint Meta uses for app-level deletion requests, are at harwick.lol/data-deletion. You can also email support@harwick.lol from the address associated with your account.

Depending on your jurisdiction (for example, GDPR in the EU/UK, CCPA in California) you may also have rights to access, correct, port, or restrict processing of your data. Email us to exercise those rights.

7. Security

Data in transit is encrypted with TLS. Integration credentials and OAuth tokens are encrypted at rest with AES-256. Access to production systems is restricted, audited, and bounded by row-level security on the database. We follow standard industry practice for incident detection and response.

8. Children

Harwick is a B2B service and is not directed to children under 13.

9. Changes

We will update this policy when material changes occur and update the "Last updated" date above. Continued use of Harwick after a change means you accept the updated policy.