This Privacy Policy describes how Harlow Technologies, Inc. (“Harlow,” “we,” “us,” or “our”) collects, uses, discloses, transfers, retains, and protects personal information in connection with the Harlow website at tryharlow.com, the Harlow Badge wearable, the Harlow application, our APIs, and any related services (collectively, the “Service”). It also explains the choices you have, the rights you can exercise, and how to contact us.
We have written this policy to be specific and operational rather than generic. If anything below is unclear, please write to us at vlad@tryharlow.com or support@tryharlow.com. Our mailing address is 822 S Van Ness Ave, San Francisco, CA 94110, United States.
1. Scope and roles
Harlow provides a wearable badge and software that hotel staff use to turn spoken instructions into completed work across the systems a property already runs (such as a property management system, messaging platforms, point-of-sale systems, and payment providers). Computer use agents operate those systems on the hotel’s behalf through the same screens staff use today. When a hotel uses Harlow:
- The hotel acts as the “controller” (or “business” under U.S. law) for personal information about its guests, staff, and prospects, and decides what data is processed and for what purpose.
- Harlow acts as a “processor” (or “service provider” under U.S. law) for that information and processes it only on documented instructions from the hotel and as set out in our agreement with the hotel and its data processing addendum.
- For our own website, marketing, sales, support, billing, and account administration, we act as the controller of the limited information we collect from visitors and authorized users.
If you are a hotel guest and you have questions about how your personal information is handled, please contact the hotel that hosted your stay first. We will support the hotel in responding to your request as required by law.
2. Information we collect
2.1 Information you provide directly
- Account and identity. Name, work email, phone number, organization, role, password (stored as a salted hash), profile photo if you choose to add one, and authentication identifiers if you sign in with single sign-on.
- Property and portfolio details. Property name, address, brand, room inventory, languages spoken, opening hours, departments, and operational policies you configure inside the product.
- Billing and tax information. Billing contact, billing address, purchase order references, VAT or tax identifiers, and bank or card details processed by our payment provider. We do not store full card numbers on our servers.
- Sales and support content. Information shared in demo requests, emails to vlad@tryharlow.com or support@tryharlow.com, calls or video meetings you book with us, survey responses, and feedback.
2.2 Information we receive from systems you connect
When you connect a property to Harlow, you authorize us to access specific data from the systems you choose. The exact data depends on the integration, but typically includes:
- Reservations and folio data from your property management system, including arrival and departure dates, room assignments, rate plans, package codes, deposits, taxes, and notes.
- Guest profile data such as full name, email, phone, country, language preference, loyalty identifiers, and stay history that the hotel chooses to surface to Harlow.
- Badge voice utterances that staff choose to capture by pressing the badge (the microphone is off by default and records only while pressed), together with timestamps, staff identifiers, and the actions Harlow completes from those instructions.
- Conversational and operational content exchanged through connected channels (for example, WhatsApp, SMS, email, Teams) and written into connected systems, together with the metadata required to route, attribute, and audit those exchanges.
- Operational records such as housekeeping tasks, maintenance tickets, F&B orders, transport requests, and the actions Harlow takes on your behalf.
- Authentication tokens (typically OAuth tokens or scoped API keys) that allow Harlow to call those systems on your behalf. We do not receive the passwords for those systems.
2.3 Information collected automatically
- Device and connection data such as IP address, approximate region derived from IP, browser type, operating system, and language preference.
- Usage data such as the pages of the application you visit, the features you use, the actions you take, the timing and duration of those actions, and the requests you make to our API.
- Diagnostic data such as crash reports, latency measurements, request identifiers, and error messages, used to keep the Service reliable.
- Cookies and similar technologies as described in Section 7 below.
2.4 Information from third parties
We may receive limited information from publicly available sources, business contact providers, and our own service providers (for example, fraud prevention signals from our payment processor, email deliverability data from our email provider, or contact information from CRM enrichment partners) to operate, secure, and improve the Service.
3. How we use information
We use the information described above to:
- Provide the Service. Operate the Harlow Badge and platform on behalf of each hotel: capture staff instructions, read and write to connected systems through computer use agents, route work to the right team, draft replies where configured, escalate to staff, and complete the workflows configured inside the product.
- Authenticate and secure accounts. Verify identity, enforce role and scope-based access, detect anomalous activity, prevent fraud and abuse, and investigate suspected security incidents.
- Communicate with you. Send service messages such as security alerts, billing notices, product updates, policy changes, and responses to your support requests.
- Support and improve the Service. Diagnose issues, measure performance, develop new features, evaluate and tune the quality of automated replies and actions, and monitor reliability.
- Comply with the law. Meet our regulatory, tax, accounting, and legal-process obligations, and respond to lawful government and law-enforcement requests.
- Marketing (limited). Send messages about Harlow features and events to people who request information from us or have an existing business relationship, with an unsubscribe link in every commercial message.
4. Legal bases (EEA and UK)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process personal information under one or more of the following legal bases:
- Performance of a contract with the hotel that authorizes us, or with you when you create an account.
- Legitimate interests in operating, securing, and improving the Service, in preventing fraud, and in promoting Harlow to existing business contacts, balanced against the rights and interests of the people involved.
- Compliance with a legal obligation to which Harlow is subject.
- Consent where required by law (for example, for certain marketing communications or non-essential cookies). Where we rely on consent, you can withdraw it at any time.
5. AI features and how we use your data with model providers
Harlow uses third-party large language model providers, including OpenAI and Anthropic, to power features that require language understanding or generation, and may use additional model providers over time. When the product needs to call a model, we send the minimum content necessary to fulfill the request (for example, the relevant message thread, property policies, and tool descriptions).
We do not allow our model providers to use your content to train their foundation models. We rely on the business or enterprise APIs of these providers, which are configured to disable training on customer data. Inputs and outputs may be retained by these providers for short periods to support abuse monitoring and system reliability, after which they are deleted in accordance with the provider’s policy.
We do not train shared, generalized AI models on your guest data for the benefit of other customers. Where Harlow tunes models or prompts to improve the Service, this work is performed on aggregated, sampled, or de-identified data, and on data we are explicitly permitted to use under your contract.
6. How and with whom we share information
We share personal information only as needed to operate the Service, comply with the law, or with your direction. We do not sell personal information, and we do not share it with third parties for cross-context behavioral advertising.
- Subprocessors and service providers that help us host, secure, operate, and support the Service. Categories include: cloud infrastructure (compute, storage, databases), language-model providers (such as OpenAI and Anthropic), telephony and messaging providers (for inbound and outbound calls and SMS), email delivery providers, error monitoring and observability providers, payment processors (such as Stripe), customer support tooling, and analytics for product usage on first-party domains.
- Connected systems you authorize such as your PMS, channel manager, messaging platforms, POS, and payment providers. The hotel controls which systems are connected and what data is exchanged.
- Professional advisors such as auditors, accountants, and lawyers, under appropriate confidentiality obligations.
- Legal and safety when we believe disclosure is reasonably necessary to comply with law or legal process, to enforce our agreements, to prevent fraud or abuse, or to protect the rights, property, or safety of Harlow, our customers, or others.
- Business transfers in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to standard confidentiality protections and notice as required by law.
A current list of our material subprocessors is available on request from support@tryharlow.com.
7. Cookies and similar technologies
We use a small number of first-party cookies and similar technologies to operate the Service and our website:
- Strictly necessary cookies for authentication, session management, load balancing, and security (for example, CSRF protection).
- Preference cookies to remember choices such as your language, time zone, and recently viewed items.
- Aggregate analytics on first-party domains to understand which features are used and where the product can be improved. Where required by law, analytics that are not strictly necessary are loaded only after consent.
You can use your browser controls to block or delete cookies. Blocking strictly necessary cookies may stop the application from working correctly.
8. International data transfers
Harlow is headquartered in San Francisco, California, and our infrastructure may be located in the United States, the European Union, or other regions where our cloud providers operate. When personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the United Kingdom’s International Data Transfer Addendum, the Swiss FDPIC’s recognition of the SCCs, and additional technical and organizational measures where appropriate.
Where a hotel requires data residency in a specific region, we will discuss the available regional configurations in writing.
9. Data retention
We retain personal information for as long as needed to provide the Service to the hotel that authorized us, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Specific guidance:
- Account and configuration data is retained for the duration of the subscription and for a limited period after termination, after which it is deleted or de-identified.
- Guest content and conversational data is retained according to the retention window the hotel configures, subject to a default ceiling that we will confirm in your order form or DPA.
- Logs and security telemetry are typically retained for up to twelve months for security investigation and reliability purposes.
- Backups are encrypted and rotated on a defined schedule, after which the underlying data is no longer recoverable.
- Billing records are retained for the period required by tax and accounting law in the relevant jurisdiction.
10. Security
We treat security as a continuous priority, not a checkbox. Harlow uses administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and loss. These include, among others:
- Encryption. Data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 or equivalent algorithms.
- Tenant isolation. Each property’s data is logically isolated from other customers and accessed through scoped credentials.
- Least privilege. Employee and integration access is granted on a need-to-know basis, with role-based access controls and short-lived credentials.
- Authentication. Multi-factor authentication is enforced for administrative access, and single sign-on is supported for customer accounts.
- Monitoring and logging. Production systems are continuously monitored, and access and configuration changes are logged and retained for review.
- Vulnerability management. We perform regular vulnerability scans, code reviews, dependency scanning, and remediation tracking, and we engage independent third parties for periodic penetration tests.
- Internal audits. We run our own internal control reviews on a quarterly cadence, in addition to the external assessments described below.
- Compliance program. Harlow is GDPR compliant by design, SOC 2 Type II audited, and aligned with ISO/IEC 27001 controls (certification in progress).
- Incident response. We maintain a documented incident response plan and will notify affected customers of confirmed personal data breaches without undue delay and within the timeframes required by applicable law.
No system can be guaranteed to be one hundred percent secure. We will continue to invest in safeguards and to be transparent about how we operate.
11. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct information that is inaccurate or incomplete.
- Delete personal information, subject to legal exceptions.
- Restrict or object to certain processing.
- Receive a portable copy of certain personal information.
- Withdraw consent where we rely on it.
- Lodge a complaint with your local data protection authority.
If you are an authorized user of a hotel’s Harlow workspace, you can exercise many of these rights directly inside the product or by contacting your hotel administrator. If you are a hotel guest, please contact the hotel that hosted your stay; we will support them in responding to your request as required by law. You can also contact us directly at vlad@tryharlow.com or support@tryharlow.com.
12. Notice for U.S. residents (including California)
Harlow does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”). When we act as a service provider on behalf of a hotel, we use personal information only for the limited purposes set out in our agreement with that hotel and as permitted by law.
California residents and residents of other U.S. states with comparable laws have the right to know what personal information we have collected about them, to request deletion or correction, to limit the use of sensitive personal information, and to opt out of any sale or sharing (we do not engage in either). You may exercise these rights by writing to support@tryharlow.com. We do not discriminate against you for exercising your rights.
13. Notice for European users
The controller of personal information processed about visitors to our website and authorized users of our application is Harlow Technologies, Inc., 822 S Van Ness Ave, San Francisco, CA 94110, United States. You can contact us about EU and UK data protection matters at vlad@tryharlow.com. You also have the right to lodge a complaint with your local supervisory authority. Where Harlow processes personal information on behalf of a hotel, the hotel is the controller and is the first point of contact for data subject requests.
14. Notice for hotel guests
If you have communicated with a hotel through Harlow (for example, by WhatsApp, SMS, email, web chat, or telephone), the hotel is the controller of your personal information and decides what is processed and how. Harlow processes that information on behalf of the hotel under a written agreement. To exercise rights related to your stay, please contact the hotel directly. We will support the hotel in responding to your request as required by law.
15. Children
The Service is not directed to children under sixteen, and we do not knowingly collect personal information from children. If you believe we have collected such information, please contact us at support@tryharlow.com and we will take appropriate steps to delete it.
16. Automated decision-making
Some Harlow features generate suggested replies, summaries, and recommended actions. The hotel decides which of these are sent or executed automatically and which require human approval. Where automated decisions could produce legal or similarly significant effects on a person, the hotel is responsible for configuring human review and for honoring any rights that apply under local law.
17. Third-party links
The Service and our website may link to third-party websites or services that we do not operate. This Privacy Policy does not apply to those services, and we are not responsible for their content or practices.
18. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our Service, the law, or our practices. We will post the revised version on this page and update the “Last updated” date above. For material changes, we will provide reasonable advance notice through the Service or by email.
19. Contact
For privacy questions, data subject requests, security reports, or any other feedback about this policy, please contact us: