Legal

Privacy Policy

Last updated: 19 June 2026
This policy explains what personal data Harmonova ("we", "us") collects, why we collect it, how we use and protect it, and the rights you have. It is written to reflect our obligations under the EU and UK General Data Protection Regulation (GDPR), the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), and the California Consumer Privacy Act as amended (CCPA/CPRA), among other applicable laws.

01 Who we are

Harmonova operates the website, platform, and services. For the purposes of data protection law, Harmonova is the data controller for personal data we process about visitors, account holders, and prospective customers. When we process data on behalf of a customer through the platform, we act as a data processor for that customer; see our Data Protection page for how that works.

02 What data we collect

We collect the following categories of data:

  • Account data — name, email address, company name, role, and login credentials.
  • Billing data — billing contact, billing address, and payment information (payment card details are handled by our payment processor, not stored by us).
  • Usage and API data — records of how you use the Service, including API requests, queries, features used, and timestamps.
  • Technical data — IP address, browser and device information, and information collected through cookies and similar technologies.
  • Content you submit — product descriptions, HS codes, prices, shipment details, and similar data submitted to obtain a duty or landed-cost calculation. This data is generally commercial rather than personal; where it contains personal data, we handle it under this policy and, for customer-submitted data, under our agreement with the customer.
  • Communications — messages you send us, support requests, and survey responses.

03 How we collect it

We collect data: directly from you, when you create an account, use the Service, contact us, or subscribe to communications; automatically, through strictly necessary cookies, privacy-first analytics, and server logs as you use the Service; and from third parties, such as our payment processor and (where applicable) business partners who refer you to us.

04 Why we use it and our lawful basis

We use personal data for the purposes below. Where GDPR applies, the lawful basis for each is noted.

Purposes for processing personal data and the GDPR lawful basis for each
PurposeLawful basis (GDPR)
Provide, operate, and maintain the Service and your accountPerformance of a contract
Process payments and manage billingPerformance of a contract; legal obligation
Respond to support requests and communicate with youPerformance of a contract; legitimate interests
Improve, secure, and develop the ServiceLegitimate interests
Send marketing communicationsConsent (where required); legitimate interests
Comply with legal, tax, and accounting obligationsLegal obligation
Detect, prevent, and address fraud, abuse, and security issuesLegitimate interests; legal obligation

Where we rely on legitimate interests, we have considered and balanced those interests against your rights. You can object to processing based on legitimate interests — see Section 10.

05 Cookies and tracking

We use only strictly necessary cookies — set by our hosting, content-delivery, and bot-protection providers to keep the site working and secure (for example, the human-verification check on our contact form). We do not use advertising cookies or cross-site tracking.

To understand how the site is used, we use Cloudflare Web Analytics — a privacy-first measurement tool that does not use cookies, does not fingerprint or track you across sites, and reports only aggregate, non-identifying data. Because it sets no cookies and collects no personal information, no consent banner is required. You can control or block cookies at any time through your browser settings.

06 How we share data

We do not sell your personal data. We share personal data only as follows:

  • Service providers and sub-processors — vendors who help us run the Service, such as hosting, payment processing, analytics, and email delivery providers. These providers process data on our behalf under contracts that require appropriate protection. Our current sub-processors are listed on our Data Protection page.
  • Legal and safety — where required by law, legal process, or to protect rights, safety, or the integrity of the Service.
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.

07 International transfers

We may process and store data in countries other than where you are located. Where we transfer personal data out of the EEA, the UK, or Australia, we use appropriate safeguards, such as Standard Contractual Clauses or transfers to countries recognised as providing adequate protection, to help ensure your data remains protected.

08 How long we keep data

We keep personal data only for as long as necessary for the purposes described in this policy, including to provide the Service, comply with legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. When data is no longer needed, we delete or anonymise it.

09 How we protect data

We use technical and organisational measures designed to protect personal data, including encryption in transit and at rest, access controls, and monitoring. No method of transmission or storage is completely secure, so while we work to protect your data, we cannot guarantee absolute security. More detail is on our Data Protection page.

10 Your rights

Depending on where you live, you may have some or all of the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data in certain circumstances.
  • Restriction and objection — ask us to restrict, or object to, certain processing, including processing based on legitimate interests and direct marketing.
  • Portability — receive certain data in a portable format.
  • Withdraw consent — withdraw consent at any time where we rely on it.

If you are in the EEA or UK, you may lodge a complaint with your local supervisory authority. If you are in Australia, you have rights under the Australian Privacy Principles and may complain to the Office of the Australian Information Commissioner (OAIC). If you are a California resident, you have rights under the CCPA/CPRA, including to know, delete, correct, and opt out of the "sale" or "sharing" of personal information, and not to be discriminated against for exercising those rights; note that we do not sell personal information.

To exercise any right, contact us using the details below. We will respond within the time required by applicable law and may need to verify your identity first.

11 Children

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, please contact us and we will take appropriate steps to delete it.

12 Changes to this policy

We may update this policy from time to time. We will post the updated policy with a new "last updated" date and, where the changes are material, take additional steps to notify you as required by law.

13 Contact us

For any privacy question or request, contact Harmonova at [email protected].