Effective Date: March 27, 2026
This Privacy Policy explains how Harvest collects, uses, shares, and protects your information.
Harvest Financial Technologies, Inc. ("Harvest," "we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy (this "Policy") describes how we collect, use, disclose, store, and protect personal information and Financial Data when you access or use the Harvest platform, including our website at www.harvestfinance.com, mobile application, SMS-based interactions, and all related services (collectively, the "Service").
This Policy is incorporated into and forms part of our Terms of Service. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, you must immediately discontinue use of the Service.
Harvest reserves the right to modify this Policy at any time. We will notify you of material changes as described in Section 19 below. Your continued use of the Service after the effective date of any modification constitutes your acceptance of the revised Policy.
Harvest has designated a Privacy Team responsible for overseeing compliance with this Policy and applicable privacy laws. You may contact the Privacy Team at any time at [email protected] or at the mailing address listed in Section 21 of this Policy. The Privacy Team serves as the primary point of contact for all privacy-related inquiries, data subject requests, and regulatory communications.
Harvest is committed to collecting and processing only the personal information that is reasonably necessary to provide, maintain, and improve the Service, and to fulfill the purposes described in this Policy. We periodically review our data collection practices to ensure that the scope of information collected remains proportionate to the services provided. Notwithstanding this commitment, you acknowledge that the Service's core functionality requires extensive access to Financial Data, transaction history, and behavioral information, and that restricting access to such data may materially limit or eliminate the Service's ability to deliver accurate recommendations and execute Authorized Actions.
We collect information from and about you in several ways, as described below. The types and scope of information collected depend on how you interact with the Service and which features you enable.
When you create an account, configure the Service, or communicate with us, you may provide the following categories of information:
When you connect your financial accounts through Plaid, Inc. or other third-party data aggregation services, we receive the following categories of Financial Data:
Plaid Integration Notice: Your use of Plaid is subject to Plaid's End User Privacy Policy, available at https://plaid.com/legal/#end-user-privacy-policy. By connecting your financial accounts through the Service, you acknowledge that you have reviewed Plaid's privacy practices. Harvest does not control Plaid's data handling and is not responsible for Plaid's privacy practices. When you disconnect a financial account through the Service, Harvest will promptly revoke the corresponding Plaid access token. For information about how to revoke Plaid's access to your data directly, visit Plaid's consumer portal at my.plaid.com.
Certain Service features — including bill negotiation, subscription management, and travel rebooking — may require Harvest to interact with Third-Party Providers on your behalf. To facilitate these interactions, you may provide or authorize Harvest to use:
Non-financial Third-Party Provider credentials are encrypted using AES-256 encryption at rest and transmitted only via TLS 1.3. Unlike financial account credentials (which are handled exclusively by Plaid), non-financial credentials may be stored on Harvest's servers for the duration necessary to complete the Authorized Action, after which they are deleted within seventy-two (72) hours unless you authorize ongoing access. You may revoke stored credentials at any time through your account settings.
When you access or use the Service, we automatically collect certain technical and usage information through cookies, pixels, software development kits (SDKs), and similar technologies:
When Harvest contacts Third-Party Providers on your behalf for bill negotiation or other Authorized Actions, such communications may be recorded and/or transcribed by Harvest's automated systems and/or by the Third-Party Provider.
We may receive information about you from third-party sources, including: (a) identity verification services to confirm your identity and prevent fraud; (b) public databases and commercially available data sources to supplement account information; (c) marketing partners and analytics providers to help us understand user demographics and improve the Service; and (d) retail partners and price comparison services to provide accurate product pricing and availability data.
Using the information described above, Harvest's algorithms and machine learning models may derive or infer additional information about you, including but not limited to: spending patterns and trends, financial health indicators, price sensitivity profiles, product preferences, optimal shopping strategies, credit card usage optimization opportunities, and predictive savings estimates.
For purposes of applicable privacy laws, including the CCPA/CPRA, inferences drawn from your personal information constitute personal information and are treated accordingly with respect to your rights under Section 13 of this Policy. Notwithstanding the foregoing, the algorithms, models, methodologies, and analytical processes used to generate such inferences constitute Harvest's proprietary intellectual property and trade secrets as defined in our Terms of Service, and no right of access or portability shall extend to the underlying technology or logic used to generate inferences.
Harvest uses the information we collect for the following purposes:
(a) Connecting to your financial accounts and aggregating Financial Data; (b) analyzing your transactions, subscriptions, credit card benefits, and spending patterns; (c) generating personalized recommendations for grocery shopping, cross-platform purchasing, bill negotiation, credit card optimization, travel rebooking, and savings goals; (d) executing Authorized Actions on your behalf, including placing orders, negotiating bills, canceling subscriptions, and initiating fund transfers; (e) sending proactive alerts, notifications, and approval requests via SMS, email, push notification, and in-app messaging; and (f) processing payments and managing your subscription.
(a) Analyzing usage patterns, feature adoption, and user behavior to improve existing features and develop new ones; (b) training, testing, and improving machine learning models, recommendation algorithms, natural language processing systems, and automated negotiation capabilities; (c) conducting internal research and analytics to better understand user needs, market trends, and optimization opportunities; and (d) benchmarking and measuring Service performance, accuracy, and effectiveness.
Harvest uses artificial intelligence and machine learning technologies extensively to deliver the Service. Your information, including Financial Data, transaction history, behavioral data, and interaction patterns, may be used to: (a) train and refine models that power personalized recommendations, price predictions, and savings optimization; (b) improve natural language understanding for SMS-based interactions and automated negotiation systems; (c) develop predictive analytics capabilities, including spending forecasts, price trend analysis, and savings projections; (d) enhance fraud detection and security systems; and (e) create anonymized and aggregated datasets for model training and validation.
You acknowledge that the quality and accuracy of the Service's recommendations depend directly on the availability and completeness of your data. Restricting data access may materially impact the Service's ability to provide accurate and relevant recommendations.
You may request that your personal information and Financial Data not be used for the training of Harvest's machine learning models by contacting [email protected] with the subject line "ML Training Opt-Out." Upon receipt of a verified opt-out request, Harvest will exclude your data from future model training cycles within thirty (30) days. Opting out of ML training will not affect your ability to use the Service, but you acknowledge that: (a) models previously trained on anonymized or aggregated data that included your information will not be retrained; (b) the accuracy and personalization of recommendations provided to you may be reduced; and (c) certain features that rely on continuously-learning models may perform less effectively for your account.
The Service uses automated decision-making and profiling to: (a) generate personalized financial recommendations; (b) identify optimization opportunities across your financial accounts; (c) determine which Authorized Actions to suggest; (d) prioritize alerts and notifications; and (e) assess risk and detect potential fraud.
These automated processes analyze your Financial Data, transaction history, and behavioral patterns to produce outputs that may affect the products recommended to you, the savings opportunities identified, and the actions suggested by the Service. You retain the right to review and approve all material Authorized Actions before execution, as described in our Terms of Service.
To the extent required by applicable law (including the CPRA and applicable state privacy laws), you may opt out of automated decision-making that produces legal or similarly significant effects by contacting [email protected]. Opting out of automated decision-making may substantially limit or eliminate the Service's core functionality, as the Service is fundamentally powered by automated analysis and algorithmic recommendations.
(a) Customizing the Service experience based on your preferences, financial profile, and usage patterns; (b) tailoring recommendations, alerts, and communications to your specific needs and circumstances; and (c) adapting the frequency, timing, and content of communications based on your interaction history.
(a) Responding to your inquiries, support requests, and feedback; (b) sending service-related communications, including account notifications, security alerts, and feature updates; (c) delivering marketing communications about Harvest products, features, and promotions, where permitted by applicable law; and (d) conducting surveys, gathering feedback, and facilitating user research.
(a) Detecting, investigating, and preventing fraud, unauthorized access, and other security threats; (b) verifying your identity and authenticating account access; (c) complying with applicable laws, regulations, legal processes, and governmental requests; (d) enforcing our Terms of Service and other agreements; (e) protecting the rights, property, and safety of Harvest, our users, and the public; and (f) responding to law enforcement requests and legal proceedings as required by law.
Harvest may create aggregated, de-identified, or anonymized data from your information by removing or altering identifying characteristics using techniques that meet or exceed the de-identification standards set forth in the CCPA (Cal. Civ. Code §1798.140(m)) and CPRA. Such data is not subject to this Policy to the extent it is no longer reasonably capable of being associated with, or used to identify, a particular individual, and may be used by Harvest for any lawful business purpose, including but not limited to: industry research, market analysis, benchmarking, product development, publication of aggregate trends, and sharing with third parties for commercial purposes. Harvest implements technical safeguards and contractual restrictions to prevent re-identification of de-identified data.
Harvest processes your information based on the following legal grounds, as applicable:
We use cookies (small text files placed on your device) and similar technologies to operate and improve the Service. The types of cookies we use include:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Essential for Service functionality, authentication, security, and session management. Cannot be disabled. | Session / 1 year |
| Performance & Analytics | Measure Service usage, feature adoption, error rates, and performance. | Up to 2 years |
| Functional | Remember your preferences, settings, language, and customizations. | Up to 2 years |
| Targeting & Advertising | Deliver relevant Harvest marketing across platforms. May be shared with advertising partners. | Up to 2 years |
We use web beacons (pixels), JavaScript tags, and mobile SDKs to collect usage data, measure the effectiveness of our communications, and deliver relevant advertising. These technologies may be provided by third-party analytics and advertising services, including but not limited to Google Analytics, Mixpanel, Amplitude, Segment, AppsFlyer, and Meta Pixel.
Harvest may collect and combine device attributes (including but not limited to browser type, operating system, installed fonts, screen resolution, language settings, and time zone) to create a device fingerprint for fraud detection, security, and analytics purposes.
Harvest may use deterministic identifiers (such as email address or phone number) and probabilistic methods to associate your activity across multiple devices and browsers.
Harvest provides a cookie preference center accessible at www.harvestfinance.com/cookie-preferences and through a persistent link in the Service footer, where you may manage your cookie and tracking preferences. You may disable non-essential cookies at any time through the preference center. Strictly Necessary cookies cannot be disabled.
Harvest does not currently respond to Do Not Track (DNT) signals. Harvest does honor the Global Privacy Control (GPC) signal as required by applicable law, including the CCPA/CPRA and the Colorado Privacy Act. When Harvest detects a GPC signal, it will be treated as a valid opt-out of the "sale" and "sharing" of personal information for the browser or device from which the signal is sent.
Harvest does not sell your personal information as defined under the CCPA/CPRA. Harvest may share certain personal information with third parties for cross-context behavioral advertising purposes, as described in Section 6.3 below. You may opt out of such sharing as described in Section 12.
We share information with third-party service providers who perform services on our behalf, including but not limited to: (a) Plaid, Inc. and other financial data aggregation providers; (b) cloud hosting and infrastructure providers (e.g., Amazon Web Services, Google Cloud Platform); (c) payment processors; (d) analytics and performance monitoring services; (e) communication platforms for SMS, email, and push notifications; (f) customer support tools; and (g) security and fraud prevention services. These service providers are bound by data processing agreements that restrict their use of your information to performing services for Harvest and require them to maintain security standards consistent with this Policy.
To execute Authorized Actions on your behalf, we may share certain information with Third-Party Providers, including: (a) retailers, to place orders and fulfill purchases; (b) telecommunications, utility, insurance, and other service providers, to conduct bill negotiations; (c) travel providers, to initiate rebookings and price adjustments; and (d) financial institutions, to facilitate fund transfers. The information shared is limited to what is reasonably necessary to perform the specific Authorized Action you have approved.
When Harvest contacts a Third-Party Provider on your behalf for bill negotiation, the following categories of information may be verbally disclosed or otherwise communicated to the Third-Party Provider's representatives during the interaction: (a) your name and account holder information; (b) your account number or other identifiers required by the provider; (c) your current plan, pricing, and billing details; (d) information necessary for identity verification, which may include the last four digits of your Social Security number if required by the provider; and (e) your authorization for Harvest to act on your behalf.
You acknowledge that once information is verbally disclosed to a Third-Party Provider's representative, Harvest cannot control how that provider uses, stores, or protects the disclosed information. Third-Party Providers are subject to their own privacy policies and practices. Harvest recommends that you review the privacy policies of your service providers.
We may share de-identified, aggregated, or pseudonymized identifiers and internet activity information with analytics and advertising partners to: (a) measure the effectiveness of our marketing campaigns; (b) understand user acquisition and retention; (c) deliver relevant Harvest advertising on third-party platforms; and (d) conduct market research. To the extent this sharing constitutes "sharing" as defined under the CPRA, you may opt out by: (i) using the "Do Not Share My Personal Information" link on our website; (ii) enabling the Global Privacy Control (GPC) signal; or (iii) contacting [email protected]. We do not share your name, email address, phone number, or Financial Data with advertising partners in individually identifiable form.
In connection with any merger, acquisition, financing, reorganization, bankruptcy, receivership, dissolution, sale of all or substantially all of Harvest's assets, or similar transaction, your information may be transferred to the acquiring or surviving entity. We will notify you via email and/or a prominent notice on the Service of any change in ownership, to the extent required by applicable law.
We may disclose your information if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service or other agreements; (c) detect, investigate, prevent, or address fraud, security, or technical issues; (d) protect the rights, property, or safety of Harvest, our users, or the public; or (e) respond to an emergency involving danger of death or serious physical injury.
Harvest maintains a list of material sub-processors (third-party service providers that process personal information on Harvest's behalf) at www.harvestfinance.com/sub-processors. This list is updated at least quarterly and includes the sub-processor name, purpose, and data categories processed. All sub-processors are bound by data processing agreements requiring them to: (a) process personal information only as instructed by Harvest; (b) implement appropriate technical and organizational security measures; (c) notify Harvest of any security incident without undue delay; and (d) delete or return personal information upon termination of the engagement.
We may share your information for other purposes not described in this Policy with your express consent.
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. SMS opt-in data and consent will not be shared with any third parties.
The following table summarizes the categories of personal information disclosed by Harvest in the preceding twelve (12) months, the categories of recipients, and the purposes for such disclosures:
| Category of PI | Categories of Recipients | Purpose |
|---|---|---|
| Identifiers (name, email, phone, IP, device IDs) | Service providers, analytics partners, advertising partners (pseudonymized only) | Service operations, analytics, marketing |
| Financial Data (accounts, transactions, balances, credit card data) | Plaid, cloud providers, retailers, bill negotiation targets | Service delivery, Authorized Actions |
| Commercial Information (purchases, subscriptions, spending) | Service providers, retailers, analytics partners (aggregated) | Service delivery, optimization, analytics |
| Internet Activity (usage data, clickstream, feature interaction) | Analytics providers, advertising partners (pseudonymized) | Analytics, personalization, advertising |
| Geolocation (approximate, from IP) | Analytics providers, fraud detection services | Analytics, security |
| Communications Content (SMS messages, support interactions) | Cloud providers, customer support tools | Service delivery, support, quality assurance |
| Negotiation Recordings/Transcripts | Cloud providers (storage only) | Quality assurance, dispute resolution |
| Inferences (spending patterns, financial health, preferences) | Not disclosed in identifiable form | Internal use only |
| Sensitive PI (financial credentials) | Plaid (financial); Harvest servers (non-financial, encrypted, temporary) | Account connectivity, Authorized Actions |
Harvest retains personal information for the periods described below, or for as long as your account is active, whichever is longer:
| Category of Information | Retention Period | Basis |
|---|---|---|
| Account Registration Info | Duration of account + 90 days | Contractual necessity |
| Financial Data (transactions, balances) | Duration of account + 90 days | Service delivery |
| Credit Card and Subscription Data | Duration of account + 90 days | Service delivery |
| Investment Data | Duration of account + 90 days | Service delivery |
| SMS Conversation Content | Duration of account + 90 days | Service delivery, compliance |
| Communications and Support Records | 3 years from last communication | Legal compliance, dispute resolution |
| Negotiation Recordings/Transcripts | 1 year from recording date | Quality assurance, dispute resolution |
| Non-Financial Provider Credentials | 72 hours after Authorized Action (or account duration if ongoing access) | Service execution |
| Device and Usage Data | 2 years from collection | Analytics, security |
| Location Data | 1 year from collection | Analytics, fraud detection |
| Marketing Interaction Data | 2 years from collection or opt-out | Marketing analytics |
| Payment and Billing Records | 7 years from transaction | Tax and accounting obligations |
| Anonymized/Aggregated Data | Indefinite | Not subject to deletion requests |
Upon account deletion or termination, Harvest will delete or anonymize your personal information within ninety (90) days, subject to the following exceptions:
Information stored in backup systems and archival storage may persist for up to an additional one hundred eighty (180) days following deletion from active systems. Harvest makes commercially reasonable efforts to ensure backed-up data is not actively used for processing during this period.
Harvest implements administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, alteration, and destruction. Our security measures include but are not limited to:
Notwithstanding these measures, no method of electronic transmission or storage is completely secure. Harvest cannot guarantee absolute security and shall not be liable for any unauthorized access, breach, or loss of data arising from circumstances beyond Harvest's reasonable control, including but not limited to sophisticated cyberattacks, zero-day vulnerabilities, force majeure events, or user negligence.
In the event that Harvest becomes aware of a security incident resulting in the unauthorized access, acquisition, or disclosure of personal information that is unencrypted or where the encryption key has also been acquired or is reasonably believed to have been compromised, Harvest will: (a) investigate the nature and scope of the incident; (b) take appropriate steps to contain and remediate the incident; and (c) notify affected users and applicable regulatory authorities as required by applicable state and federal law.
Notification will be provided through the communication channels associated with your account (email and/or SMS) within the timeframe required by the applicable jurisdiction. Harvest reserves the right to delay notification: (a) if requested by law enforcement; (b) if immediate disclosure would impede an ongoing criminal investigation; or (c) if necessary to restore the integrity of the Service before notification.
This Section does not create any notification obligation beyond what is required by applicable law. Harvest's liability for security incidents is governed by the limitation of liability provisions in our Terms of Service.
You may access, update, or correct your account information at any time through the Service's account settings.
You may request a copy of the personal information Harvest holds about you by contacting [email protected]. Harvest will provide your data in JSON and/or CSV format (at your election) within thirty (30) days, or within such longer period as may be permitted by applicable law. Harvest reserves the right to charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive. The right of portability does not extend to Harvest's proprietary algorithms, models, or analytical methodologies.
You may request deletion of your personal information by contacting [email protected] or through your account settings. Harvest will verify your identity using information already on file (e.g., matching your request to the email address or phone number associated with your account, or requesting you confirm recent account activity). Upon receipt of a verified deletion request, Harvest will delete or anonymize your personal information in accordance with Section 8 of this Policy.
You may request correction of inaccurate personal information held by Harvest by contacting [email protected]. Harvest will use commercially reasonable efforts to correct verified inaccuracies within thirty (30) days.
You may opt out of marketing emails by clicking the "unsubscribe" link in any marketing email. You may opt out of marketing SMS by texting STOP. Text HELP for help. Service-related communications necessary for account operation will continue.
You may opt out of the sharing of your personal information for cross-context behavioral advertising by: (a) visiting www.harvestfinance.com/do-not-share; (b) enabling the Global Privacy Control (GPC) signal; (c) adjusting preferences in the cookie preference center; or (d) contacting [email protected].
To the extent required by the CPRA, you may direct Harvest to limit the use and disclosure of your sensitive personal information (including Financial Data processed through Plaid) to uses that are necessary to perform the Service. You may submit such a request at www.harvestfinance.com/limit-sensitive-info or by contacting [email protected]. Limiting the use of sensitive personal information may materially impact the Service's core features.
As described in Section 3.3.1, you may opt out of having your data used for machine learning model training by contacting [email protected].
As described in Section 3.4, you may opt out of automated decision-making that produces legal or similarly significant effects by contacting [email protected], to the extent required by applicable law.
You may disconnect any financial account from the Service at any time through your account settings. Upon disconnection, Harvest will promptly revoke the corresponding Plaid access token. Disconnecting an account will prevent Harvest from accessing new data from that account but will not delete historical data previously collected, except upon a separate deletion request. For instructions on revoking Plaid's access directly, visit my.plaid.com.
Where provided by applicable law, you may request that Harvest restrict the processing of your personal information or object to certain processing activities. Harvest will honor such requests to the extent required by law.
For all rights requests (access, deletion, correction, portability, opt-out), Harvest will verify your identity before processing the request. Verification methods include: (a) matching the request to the email address or phone number associated with your account; (b) requesting confirmation of recent account activity or transaction details; or (c) for requests submitted by authorized agents, requiring written authorization and direct confirmation from the account holder. If Harvest cannot verify your identity, the request may be denied.
If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This Section provides additional disclosures required under California law.
The following table discloses the categories of personal information Harvest has collected in the preceding twelve (12) months:
| CCPA Category | Sources | Business Purpose | Retention |
|---|---|---|---|
| A. Identifiers | You; Plaid; analytics providers; Third-Party Providers | Service operations, security, communications, marketing | Account + 90 days |
| B. Personal Info (§1798.80(e)) | You; Plaid; financial institutions | Service delivery, identity verification | Account + 90 days |
| C. Protected Classifications | You (age at registration) | Eligibility verification | Account + 90 days |
| D. Commercial Information | Plaid; retailers; Third-Party Providers | Service delivery, optimization, recommendations | Account + 90 days |
| F. Internet Activity | Automatically collected; analytics SDKs | Analytics, personalization, advertising | 2 years |
| G. Geolocation | Automatically collected (IP-based) | Analytics, fraud detection | 1 year |
| H. Audio/Visual (negotiation recordings) | Harvest automated systems | Quality assurance, dispute resolution, ML training | 1 year |
| K. Inferences | Derived by Harvest algorithms | Service delivery, personalization, ML training | Account + 90 days |
| L. Sensitive PI | Plaid (financial); you (non-financial provider credentials) | Account connectivity, Authorized Actions | Plaid: not stored; Non-financial: 72 hours |
Sale: Harvest does not "sell" personal information as defined under the CCPA/CPRA.
Sharing: Harvest may "share" (as defined under CPRA) certain pseudonymized identifiers (Category A) and internet activity data (Category F) with advertising partners for cross-context behavioral advertising. No Financial Data (Categories B, D, or L) is shared for advertising purposes. You may opt out of sharing via the mechanisms described in Section 11.6.
As a California resident, you have the right to: (a) know what personal information is collected, used, and disclosed (right to know); (b) request deletion of your personal information (right to delete); (c) correct inaccurate personal information (right to correct); (d) opt out of the "sale" or "sharing" of personal information (right to opt out); (e) limit the use and disclosure of sensitive personal information (right to limit); and (f) not be discriminated or retaliated against for exercising your privacy rights (right to non-discrimination).
To exercise your California privacy rights: (a) visit www.harvestfinance.com/privacy-rights; (b) email [email protected]; or (c) use the "Privacy Rights" section in your account settings. We will respond to verified requests within forty-five (45) calendar days, with the possibility of a forty-five (45) day extension where reasonably necessary, upon notice to you.
You may designate an authorized agent to make privacy requests on your behalf by providing the agent with written authorization and submitting proof of authorization to [email protected]. Harvest may require additional verification directly from you.
Harvest may offer financial incentives (such as reduced subscription fees or enhanced features) to users who permit certain data uses. Any such incentive will be clearly disclosed before your participation, participation is voluntary, and you may withdraw at any time. The value of the incentive is reasonably related to the value of the data, as determined by Harvest based on revenue generated and expenses related to collection and retention.
Under California Civil Code Section 1789.3, California consumers may contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs by mail at 1625 North Market Blvd., Sacramento, CA 95834, or by telephone at (916) 445-1254 or (800) 952-5210.
The following states have enacted comprehensive privacy laws granting their residents specific rights regarding personal data. To exercise any right, contact [email protected]. If your request is denied, you may appeal to [email protected] within thirty (30) days of the denial. Harvest will respond to appeals within the timeframe required by the applicable state law.
Virginia residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale, and profiling that produces legal or similarly significant effects. Harvest will respond to appeals within sixty (60) days. If your appeal is denied, you may contact the Virginia Attorney General at www.oag.state.va.us.
Colorado residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale, and profiling. Harvest honors the Global Privacy Control (GPC) as required. Harvest will respond to appeals within forty-five (45) days. If your appeal is denied, you may contact the Colorado Attorney General at coag.gov/file-complaint.
Connecticut residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale, and certain profiling. Harvest will respond to appeals within sixty (60) days. If your appeal is denied, you may contact the Connecticut Attorney General at portal.ct.gov/AG.
Texas residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale, and profiling. Harvest will respond to appeals within sixty (60) days. If your appeal is denied, you may contact the Texas Attorney General at texasattorneygeneral.gov.
Oregon residents may access, correct, delete, and obtain a list of third parties to whom Harvest has disclosed their personal data. Harvest will respond to appeals within forty-five (45) days.
Montana residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale, and certain profiling. Harvest will respond to appeals within sixty (60) days.
New Hampshire residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale, and profiling. Harvest will respond to appeals within sixty (60) days.
New Jersey residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising and sale. Harvest will respond to appeals within forty-five (45) days.
Delaware residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale, and profiling. Harvest will respond to appeals within sixty (60) days.
Iowa residents may access, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising and the sale of personal data. Harvest will respond within ninety (90) days.
Nebraska residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale, and profiling. Harvest will respond to appeals within sixty (60) days.
Indiana residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale, and profiling. Harvest will respond to appeals within sixty (60) days.
If you are a New York resident, nothing in this Policy shall limit any rights you may have under the New York General Business Law, including Section 349 (deceptive trade practices) and Section 350 (false advertising), to the extent non-waivable.
Harvest complies with the Illinois Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505). Harvest does not currently collect biometric information as defined under BIPA. If Harvest introduces biometric data collection, it will provide required notices and obtain consent prior to collection.
To the extent that Harvest is deemed a "financial institution" under the Gramm-Leach-Bliley Act (15 U.S.C. §§6801-6809) and its implementing regulations, including Regulation P (12 C.F.R. Part 1016), this Section provides the required privacy notice.
Harvest collects nonpublic personal information ("NPI") from: (a) information you provide (name, phone, email, financial goals); (b) transaction information (account balances, transaction history, payment records); and (c) third-party sources including Plaid (account details, credit card data, subscription information).
Harvest does not disclose NPI to nonaffiliated third parties except as permitted or required by law, including: (a) service providers bound by confidentiality agreements; (b) transaction processing; (c) legal compliance; and (d) as otherwise permitted under GLBA and Regulation P.
Because Harvest shares NPI only as permitted by law for service delivery and legal compliance, and does not share NPI for marketing with nonaffiliated third parties, no separate opt-out is required. If practices change, you will be notified and provided an opt-out opportunity.
Harvest maintains physical, electronic, and procedural safeguards that comply with applicable federal standards to guard your NPI, as described in Section 9.
Harvest is subject to the enforcement authority of the Federal Trade Commission (FTC) under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce. Harvest's data collection, use, and sharing practices as described in this Policy are designed to be consistent with FTC guidance regarding transparency, consumer choice, and data security. Harvest does not engage in unfair or deceptive data practices and commits to honoring the representations made in this Policy.
The Service is not directed to individuals under eighteen (18). Harvest does not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected such information, we will delete it promptly. Contact [email protected] if you believe we have collected information from a child under 18.
The Service is designed for users in the United States. If you access the Service from outside the United States, you consent to the transfer, storage, and processing of your information in the United States. Harvest does not represent that the Service complies with privacy laws outside the United States.
To the extent that Harvest transfers personal information from a jurisdiction with cross-border data transfer restrictions, Harvest will implement appropriate safeguards, which may include standard contractual clauses, data processing agreements, or other recognized mechanisms.
As described in Section 2.5, Harvest may record or transcribe communications conducted on your behalf with Third-Party Providers. Harvest complies with applicable federal and state wiretapping and electronic surveillance laws, including but not limited to:
You consent to Harvest's recording of calls conducted on your behalf as described in this Section and in Section 2.5. If you do not wish calls to be recorded, you may contact [email protected] to request that the recording feature be disabled for your account, which may limit Harvest's ability to resolve disputes arising from bill negotiations.
Harvest reserves the right to modify this Policy at any time in its sole discretion. If we make material changes, we will provide notice by: (a) posting the revised Policy on our website with an updated effective date; (b) sending an email notification to the address associated with your account; and (c) displaying a notice within the Service.
Your continued use of the Service after the effective date of any modification constitutes your acceptance of the revised Policy. If you do not agree, your sole remedy is to discontinue use of the Service.
The Service may contain links to third-party websites, applications, or services not owned or controlled by Harvest. This Policy does not apply to third-party services. Harvest is not responsible for the privacy practices, content, or security of any third-party service.
If you have questions, concerns, or complaints about this Policy or Harvest's data practices, please contact us at:
Harvest Financial Technologies, Inc.
Attn: Privacy Team
Email (Privacy): [email protected]
Email (General): [email protected]
Email (Legal / Appeals): [email protected]
Email (Security): [email protected]
Website: www.harvestfinance.com/privacy
Cookie Preferences: www.harvestfinance.com/cookie-preferences
Privacy Rights Portal: www.harvestfinance.com/privacy-rights
Do Not Share: www.harvestfinance.com/do-not-share
Limit Sensitive Info: www.harvestfinance.com/limit-sensitive-info
Sub-Processor List: www.harvestfinance.com/sub-processors
For California-specific inquiries: California Attorney General at oag.ca.gov.
For Colorado-specific inquiries: Colorado Attorney General at coag.gov/file-complaint.
For Connecticut-specific inquiries: Connecticut Attorney General at portal.ct.gov/AG.
For Texas-specific inquiries: Texas Attorney General at texasattorneygeneral.gov.
For Virginia-specific inquiries: Virginia Attorney General at www.oag.state.va.us.
Last updated: March 27, 2026