HARRIS ("we", "our", "us") is operated by Horizon Frame Limited, a company registered in England and Wales. This privacy policy explains how we collect, use, and protect your data when you use our AI marketing platform.
Organisation details: company name, website URLs, business descriptions
Platform connections: when you connect Meta (Facebook/Instagram), Google, or other platforms via OAuth, we receive access tokens, page IDs, ad account IDs, and related identifiers
Campaign data: ad campaigns, content, images, and performance metrics retrieved from connected platforms
Usage data: API calls, agent execution logs, and cost tracking
2. How We Use Your Data
To manage advertising campaigns on your behalf across connected platforms
To publish content to your connected social media accounts
To display analytics and performance dashboards
To run AI agents that automate marketing tasks you configure
To track platform API costs associated with your account
3. Data From Meta (Facebook & Instagram)
When you connect your Meta account, we access:
Your Facebook Pages and their access tokens (to post content and read analytics)
Your Instagram Business accounts linked to those Pages
Your Ad Accounts (to create and manage ad campaigns)
Your Pixels (to track campaign conversions)
Page and post insights (reach, engagement, impressions)
We only access data you explicitly authorise via the OAuth consent screen. We do not sell, share, or use your Meta data for any purpose other than providing our services to you.
4. How We Store Your Data
All credentials and access tokens are encrypted at rest using AES-256-GCM
Data is stored on Cloudflare's infrastructure (D1 database, R2 storage, KV)
All data is scoped to your organisation and website — no cross-tenant access
We do not store your platform passwords; we use OAuth tokens which you can revoke at any time
5. Lawful Basis for Processing
Under GDPR Article 6, we process your data on the following legal bases:
Contract (Art. 6(1)(b)): Account management, campaign generation, and platform management — necessary to provide our services
Consent (Art. 6(1)(a)): Platform connections (via OAuth), email processing — you explicitly authorise these
Legitimate Interest (Art. 6(1)(f)): Cost tracking, execution tracing, and service improvement — balanced against your rights
6. Data Retention
We retain your data according to the following schedule:
Account data: retained while your account is active; deleted upon account deletion
Platform credentials: deleted immediately when you disconnect a platform
Campaign and content data: up to 12 months, then automatically deleted
Execution traces: 30 days, then automatically deleted
Agent messages: 7 days, then automatically deleted
Cost tracking: 12 months for billing purposes
Email processing logs: 12 months, then automatically deleted
Automated retention enforcement runs daily to ensure data is deleted per these schedules.
7. Your Rights
Under GDPR and UK data protection law, you have the right to:
Access your personal data — download a full export via Dashboard > Settings > Privacy > Export Data, or GET /api/user/data-export
Rectify inaccurate data — update your profile in Dashboard > Settings
Erase your data ("right to be forgotten") — delete your account via Dashboard > Settings > Privacy > Delete Account, or POST /api/user/delete-account
Restrict processing — pause all agent processing via POST /api/user/restrict-processing
Data portability — receive your data in JSON format via the export endpoint
Object to processing — file an objection via POST /api/user/object; our DPO will respond within 30 days
Withdraw consent at any time by disconnecting platforms, restricting processing, or deleting your account
We will respond to all data subject requests within 30 days as required by GDPR.
8. Data Deletion
You can request deletion of your data at any time:
Through the dashboard: Settings > Privacy > Delete Account
Your data is processed through the following sub-processors:
Cloudflare: hosting, database (D1), storage (R2), caching (KV) — data processor for all platform data
Anthropic (Claude): AI content generation and analysis — business context only, PII is stripped before transmission
OpenAI (GPT-4o): AI image generation and content — business context only, PII is stripped before transmission
Perplexity: market research queries — no personal data sent
Ideogram: image generation — prompt text only, no personal data
GitHub: code and PR review for connected repositories
Meta (Facebook/Instagram): only when you connect — manages your own ad/page data via your authorised token
Google: only when you connect — Gmail processing and Google Ads via your authorised credentials
We do not sell your data to any third party. AI providers process data under their API terms, which prohibit using API inputs for model training.
10. AI Processing Disclosure
Our AI agents process your business context (campaign briefs, target markets, brand voice) through third-party AI models. Before transmission, we automatically strip personally identifiable information (PII) including email addresses, phone numbers, and postal codes. AI-generated content always requires your review and approval before publication.
11. International Data Transfers
Your data may be transferred to and processed in countries outside the UK/EEA, including the United States (where Cloudflare, Anthropic, and OpenAI operate). These transfers are protected by Standard Contractual Clauses (SCCs) and the providers' data processing agreements.
12. Cookies
We use two strictly necessary cookies to maintain your session:
We do not use tracking cookies, advertising cookies, or third-party analytics. No cookie consent banner is required as these are strictly necessary for authentication.
13. Data Breach Notification
In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours where required under GDPR Article 33. If the breach poses a high risk to your rights and freedoms, we will notify affected individuals directly.
14. Contact
For any privacy-related questions or data subject requests: