Privacy Policy

Effective May 22, 2026

Harbor (the “Service”) is operated by Harbor Office, Inc., a Delaware corporation with its principal office at 4506 Laverne Ave, Klamath Falls, OR 97603 (“Harbor,” “we,” “us,” or “our”). This Privacy Policy describes how we collect, use, disclose, and safeguard information when therapy practices (“Customers”) and their patients interact with the Service.

Harbor handles Protected Health Information (PHI) on behalf of its Customers under the Health Insurance Portability and Accountability Act of 1996, as amended by HITECH (the “HIPAA Rules”). We act as a Business Associate to each Customer. A signed Business Associate Agreement (BAA) governs the permitted uses and disclosures of PHI and is referenced from this Policy.

1. Information we collect

We collect three categories of information:

(a) Customer account data — practice name, clinician name, NPI, business email, phone, billing address, and Stripe customer/subscription identifiers. We do not store full payment card numbers; payment processing is performed by Stripe.

(b) Protected Health Information (PHI) — patient demographics, appointment details, clinical notes, assessment scores (PHQ-9, GAD-7, C-SSRS), call and SMS transcripts, voicemail audio, intake form responses, and any other PHI the Customer chooses to enter, generate, or receive via the Service.

(c) Usage data — IP address, browser type, pages visited, and aggregate event counts collected via Google Tag Manager and (where enabled by the Customer) PostHog. We do not load behavioral session-replay tooling on the authenticated app surface.

2. How we use information

We use information to:

  • Provide, operate, and improve the Service for the Customer that submitted it;
  • Generate appointment confirmations, intake forms, and post-call summaries;
  • Detect crisis language in real time and route 988 and clinician escalation as configured;
  • Maintain audit logs of PHI access in support of HIPAA §164.312(b);
  • Bill Customers and prevent fraud;
  • Comply with legal obligations and respond to lawful requests.

We do not use PHI to train general-purpose AI models, sell PHI, or share PHI with advertising networks.

3. Subprocessors

We use the following subprocessors. Each subprocessor that receives PHI is required to sign a BAA with Harbor; the current execution status of each BAA is shown below.

Subprocessor                Purpose                                                     BAA
Amazon Web Services (AWS)   Hosting, RDS, KMS, Cognito, S3, Chime SDK, Bedrock          Executed
Paubox                      HIPAA-aligned transactional email delivery                  Executed
Stripe                      Payment processing (Customer subscriptions only; no PHI)    Not applicable (no PHI)
SignalWire                  Voice telephony and SMS transport                           In progress — not yet executed
Retell AI                   Real-time voice agent runtime                               In progress — not yet executed
Anthropic                   LLM inference for crisis analysis and note drafting         Zero-retention API tier (no PHI used for training)
Stedi                       270/271 eligibility and 837/835 claim transactions          Executed

The voice transport and voice runtime subprocessors are integrated and live for our founding cohort, but their BAAs are in active negotiation. Customers whose risk posture requires that all subprocessor BAAs be executed before go-live should request a status update before signing.

4. Data retention

Customer account data is retained for the life of the subscription plus 30 days. PHI is retained per the Customer’s retention configuration, with a default of seven (7) years from the date of last patient encounter to align with typical state behavioral-health record-retention requirements.

On Customer termination, Harbor returns or destroys all PHI within 30 days unless retention is required by law. Destruction follows NIST SP 800-88 media-sanitization guidance.

Call recordings and voicemail audio are retained for 90 days by default, configurable per practice.

5. Security

PHI is encrypted in transit (TLS 1.2+) and at rest (AWS KMS, customer-managed keys per HIPAA §164.312(a)(2)(iv)). Production access requires SSO with enforced MFA; standing access is limited to designated workforce members and is reviewed quarterly. See our Security page for technical and administrative safeguard detail mapped to the HIPAA Security Rule.

6. Breach notification

Harbor will notify the affected Customer of a suspected or confirmed Breach of Unsecured PHI without unreasonable delay and in no event later than the timeline specified in the executed BAA (typically within 30 days of discovery). Notification will include the information required by 45 CFR §164.410(c).

7. Your rights (Patient PHI)

Under the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), patients have the right to request access to, amendment of, and an accounting of disclosures of PHI held about them. These requests are administered by the Covered Entity — your treating practice — not directly by Harbor. Patients should contact their practice to exercise these rights. Harbor will support the practice in responding within the regulatory timeline.

Patients may also request to opt out of non-treatment SMS by replying STOP to any message. Treatment-related messages (e.g., appointment confirmations) are permitted under the HIPAA Privacy Rule and may continue.

8. Cookies and tracking

The public marketing site at harboroffice.ai uses a small number of strictly necessary cookies plus Google Tag Manager for aggregate analytics. The authenticated application at lab.harboroffice.ai uses only session-management cookies and does not load any session-replay, heatmap, or third-party advertising tag. PHI never leaves the application boundary to an analytics vendor.

9. Children

The Service is used by therapy practices, some of which treat patients under 18. When a minor is the patient, the Customer is responsible for obtaining consent from a parent or legal guardian as required by their jurisdiction and clinical standards. Harbor does not knowingly collect information directly from children outside the treatment context established by the Customer.

10. Changes

We may update this Policy. Material changes will be communicated to Customers by email at least 30 days before they take effect.

11. Contact

Privacy questions, BAA requests, and data-rights inquiries:

Harbor Office, Inc.
4506 Laverne Ave
Klamath Falls, OR 97603
chance@harboroffice.ai
