Privacy Policy

1. Who We Are and Scope

Harper is operated by HERBOZON INC ("Harper," "Company," "we," "us," or "our"). This Privacy Policy applies to our website, dashboard, APIs, integrations, and related services made available through Harper.

This policy does not replace the privacy policy of each merchant using Harper. If you are a merchant customer (an end-user of a merchant store), your primary relationship is with that merchant.

2. Controller vs. Processor Roles

Harper handles different datasets under different legal roles:

Harper as Controller / Business: for merchant account data (for example: signup, billing, support, and product administration data) and for visitor data on our own site(s).
Harper as Processor / Service Provider: for end-user attribution, event, and conversion data collected on merchant properties and sent to Harper at merchant direction.
Merchant as Controller / Business: for their customers' data collected on merchant stores, checkout pages, and connected channels. Merchants are responsible for their own notices, consent management, and lawful basis.

If you are an end-user of a merchant store, please contact that merchant first for privacy requests. We support merchants with request handling where required by contract and law.

Where required, Harper and merchants may enter data protection terms (including data processing terms) that define processing instructions, roles, and safeguards.

3. Information We Collect

A. Merchant account and business data

Account details: name, email, password hash, role, and login/security activity.
Store and integration data: store domain, platform type, API keys, and authorized integration tokens.
Billing and subscription data: plan, status, invoices, order usage counts, and payment-related records through payment processors.
Support and operational communications: messages, logs, and attachments shared during support.

B. End-user attribution and event data (merchant properties)

Event metadata: event type, value, timestamp, order references, URL, and referrer.
Identifiers and attribution signals: session IDs, durable IDs, fbclid, fbc, fbp, gclid, ttclid, scid, and UTM parameters.
Technical data: IP address, user-agent, device/browser characteristics, and derived fingerprint hashes.
Commerce data received from integrations: order and customer fields (for example name, email, phone, shipping region, product/line-item data), including hashed fields where required for ad platform matching.

C. Third-party and integration sources

Merchant-connected commerce platforms (for example Shopify and WooCommerce webhooks/APIs).
Advertising and analytics integrations (for example Meta, Google Ads/GA4, TikTok, Snapchat), depending on merchant configuration.
Payment and billing providers, email/SMS providers, and other service partners used to operate Harper.

4. Tracking Technologies and Event Collection

Harper uses a mix of client-side and server-side collection methods for attribution and diagnostics, including:

First-party cookies and storage on merchant properties (where merchants deploy Harper scripts/plugins).
Server-to-server APIs and webhook ingestion from connected commerce platforms.
No-script pixel or beacon fallback endpoints to record minimal event payloads.
API key authorization, event queueing, deduplication, and timestamped processing logs.

Identifier / Cookie	Purpose	Typical Lifetime
`_wtid`	Durable user identifier for cross-session attribution stitching.	Up to 365 days
`_attr_pending`	Temporary pending attribution capture on landing requests.	Up to 24 hours
`wt_session_id`	Session continuity and event stitching.	Up to 365 days
`wt_fbclid`, `wt_gclid`, `wt_ttclid`, `wt_scid`, `wt_utm_*`	Campaign and click-attribution context.	Typically 28-90 days
`wt_fbp`, `wt_fbc`	Meta browser/click matching support for CAPI workflows.	Typically up to 90 days

Cookie behavior can vary by merchant implementation and configuration. See our Cookie Policy for more detail.

5. How We Use Information

Collect and process the minimum personal data reasonably required for the configured service use cases.
Use personal data only for disclosed purposes and not for unrelated secondary purposes.
Respect merchant-provided consent and opt-out signals in supported integrations and processing workflows.
Provide, secure, and improve Harper services and integrations.
Process attribution, conversion, and diagnostics workflows configured by merchants.
Support server-to-server ad event delivery and deduplication logic.
Operate billing, subscription, fraud prevention, and account management systems.
Respond to support requests, legal requests, and enforce platform terms.

For an explicit data inventory and purpose mapping, see our Data Protection Details.

6. Legal Bases (EEA/UK)

Contract: to deliver requested services and integrations.
Legitimate Interests: service security, fraud defense, reliability, and product improvement.
Legal Obligation: tax, accounting, and regulatory compliance.
Consent: where required (for example, certain marketing or cookie-based activities).

7. How We Share Information

We may disclose information to:

Service providers that host, secure, support, and operate Harper (for example infrastructure, email, and payment partners).
Merchant-connected ad and analytics platforms when events are sent at merchant direction.
Professional advisers, auditors, and regulators where required.
A buyer/successor in a merger, acquisition, restructuring, or asset transaction.

We do not sell end-user personal information for Harper's own monetary gain, and we do not share end-user personal information for Harper's own cross-context behavioral advertising.

8. AI-Assisted Processing

If merchants enable AI-assisted recovery features, Harper may use a third-party model API (currently OpenAI API) to draft recovery-message content.

Current implementation sends limited context such as cart value, item names, and recovery-attempt counts.
Current implementation is designed not to intentionally send direct customer identifiers (for example email/phone) in this prompt flow.
AI outputs are used for merchant communication drafting and not for Harper advertising profiling.

9. International Data Transfers

Harper operates internationally. Data may be processed in India (our operating location), the United States, and other jurisdictions where our processors or merchant-selected integrations operate.

Where required, we apply contractual and organizational safeguards for cross-border transfers.

10. Data Retention

We retain personal data only for as long as needed for service delivery, contractual commitments, dispute handling, and legal obligations.

Account and store records: typically for account life and a reasonable period after closure.
Billing/tax records: retained for statutory periods.
Durable identifiers: generally up to 12 months from last refresh.
Temporary pending attribution cookies: generally up to 24 hours.
Support of deletion workflows: we support deletion requests and merchant-initiated end-user deletion handling.

11. Security

We use commercially reasonable technical and organizational controls, including access controls, signed webhook verification, token protection/encryption, hashing for matching workflows, and security monitoring.

Encryption in transit and at rest for production systems handling personal data.
Encrypted backups with access controls and restricted restoration permissions.
Logical separation of test and production environments and datasets.
Role-based, least-privilege access to personal data for authorized staff only.
Strong credential controls, including password requirements and additional access safeguards where enabled.
Security logging and monitoring, including access-event logging for security review and incident investigation.
A documented security incident response policy and workflow covering detection, triage, containment, remediation, and required notifications.
Data-loss prevention through layered controls such as access restrictions, monitoring, backup strategy, and recovery procedures.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

12. Privacy Rights and Choices

Depending on your location and role, you may have rights to access, correction, deletion, restriction, portability, objection, and withdrawal of consent.

If you are an end-user of a merchant store, please submit your request to the merchant first. We act on verified merchant instructions when we process data as a processor/service provider.

Harper does not use personal data to make solely automated decisions that produce legal or similarly significant effects on individuals.

EEA/UK Rights

You may also lodge a complaint with your local supervisory authority.
You may withdraw consent where processing is based on consent.

US State Privacy Disclosures (including California)

Category	Examples	Business Purpose	Disclosed To	Sold/Shared By Harper For Its Own Benefit
Identifiers	Name, email, account IDs, device/cookie IDs, click IDs	Account operation, attribution, support, fraud/security	Processors, merchant-connected integrations	No
Commercial Data	Orders, revenue, subscription/billing records	Attribution reporting, billing, analytics	Payment and service providers, merchant systems	No
Internet/Network Activity	Page URLs, referrers, event logs, user-agent, IP	Attribution, diagnostics, abuse prevention	Processors and merchant-selected channels	No
Geolocation (Approximate)	Country/region inferred from IP	Regional controls, analytics, fraud checks	Processors	No
Inferences	Attribution models, identity stitching, fraud scores	Measurement and service integrity	Processors; merchants via product outputs	No

California residents may request disclosure/access/deletion/correction subject to verification and legal limits.
Do Not Sell or Share My Personal Information: Harper does not sell or share personal information for Harper's own cross-context behavioral advertising.
California Shine the Light: We do not share personal information with third parties for their own direct marketing purposes.
Nevada and Utah residents may exercise applicable opt-out rights as provided by state law.
Where required by applicable state law, you may designate an authorized agent and/or appeal a denied privacy request.
We will not discriminate against you for exercising eligible privacy rights.

13. Do Not Track (DNT)

Some browsers offer a "Do Not Track" signal. Harper does not currently respond to browser DNT signals as a universal opt-out mechanism. Where applicable, we rely on consent/configuration signals provided by merchants and users.

14. Marketing Communications and Opt-Out

You can opt out of non-essential marketing emails by using the unsubscribe link in the message or by emailing us with "Opt-Out" in the subject line.

We may still send essential transactional or service communications (for example billing, security, and account notices).

15. Children's Privacy

Harper is not directed to children. We do not knowingly collect personal data from children under 13, or under 16 in EEA/UK jurisdictions (unless local law permits a lower age). If you believe a child has provided personal data, contact us and we will review and take required action.

16. Third-Party Websites and Services

Harper may link to or interoperate with third-party websites and services. Their privacy practices are governed by their own policies, not this Privacy Policy.

17. Changes to This Policy

We may update this Privacy Policy periodically. Material changes become effective when posted unless otherwise stated.

18. Severability

If any provision of this Privacy Policy is held invalid or unenforceable, the remaining provisions remain in full force and effect.

19. Company Information and Contact

Company: HERBOZON INC

Operating Address (India): Shop No 1, Ram Nagar Ambala Cantt Station, Near Ekta Vihar, Ambala, Haryana, 133001, India

Email: contact@getharper.co

Phone: +91 7009000988

Privacy request methods: Email us or send a written request to the address above.