Last updated May 7, 2026 · v7.0 architecture
If you subscribe to our email list or purchase through Lemon Squeezy, we collect your email address via Kit for onboarding and product updates. You may unsubscribe at any time.
All payments are processed through Lemon Squeezy, our Merchant of Record. We do not store credit card information, bank details, or other sensitive payment data. Lemon Squeezy handles PCI compliance and payment security.
The Harvest Protocol Claude Code plugin authenticates against our Cloudflare Worker on every scoring call. We log: a one-way hash of your license key, the endpoint hit (e.g., /v1/score), the timestamp, and request latency. We do not log your tickers, your dollar amounts, your holdings, or any portfolio composition. We do not retain IPs in association with your license.
If you choose to register your own Alpha Vantage / Financial Modeling Prep / SEC EDGAR API keys with us via POST /v1/keys, we encrypt them at rest in Cloudflare KV using AES-GCM with a per-license-derived secret. We use these keys only to fetch the data you request through your scoring calls. You can rotate or delete your stored keys at any time via DELETE /v1/keys.
We use Cloudflare Web Analytics to track page views, traffic patterns, and basic user behavior on the marketing site (no personal identifiers). This helps us understand which content is most valuable. No tracking pixels, no third-party advertising networks, no behavioral profiling.
Telemetry is off by default. If you opt in, we record aggregated calibration data: methodology version, EV band, sweep type, a monthly-rotating salted cohort hash, predicted probability, outcome bucket (hit / miss / near-miss / pending), and time-to-resolution. We never capture: tickers, dollar amounts, IP addresses, persistent user identifiers, or sub-day timestamps. The cohort salt rotates monthly and is destroyed afterward, making historical re-identification structurally impossible.
Critical: We never collect your portfolio, holdings, income, net worth, or any specific financial data. The methodology runs in your own Claude session via your own API keys. Our Worker validates your license and runs the proprietary scoring math — but it never receives your portfolio composition, your dollar amounts, or the tickers you analyze. The Claude session does the data fetching using your BYO keys; you see the inputs and outputs; we see only that you made a scoring call.
Email addresses are used solely for:
• Onboarding sequences (post-purchase)
• Product updates and release notes
• Community announcements
• Support requests (if you contact us)
Concrete retention periods. We hold data only as long as needed for the purpose collected:
• Email address & list data: retained until you unsubscribe or request deletion, then purged within 30 days (except where a longer period is required by law, e.g., tax/transaction records held by our Merchant of Record).
• License-validation logs (hashed key, endpoint, timestamp, latency): rolling 12 months, then deleted.
• BYO API keys in Cloudflare KV: retained until you call DELETE /v1/keys or 90 days after your license lapses, whichever is first, then cryptographically destroyed.
• Opt-in methodology telemetry: aggregated only, contains no personal identifiers; the monthly cohort salt is destroyed after rotation, making historical re-identification structurally impossible.
You may request deletion at any time by unsubscribing or emailing hello@getharvestprotocol.com.
If you are in the EU, you have the right to:
• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion ("right to be forgotten")
• Request portability of your data
• Object to processing for marketing purposes
To exercise any of these rights, email hello@getharvestprotocol.com with "GDPR Request" in the subject line.
If you are a California resident, you have the right to:
• Know / Access: request the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and any third parties with whom it is shared
• Delete: request deletion of personal information we have collected from you
• Correct: request correction of inaccurate personal information
• Opt out of sale/sharing: see below
• Limit use of sensitive personal information
• Non-discrimination: we will not deny service, charge a different price, or provide a different quality of service because you exercised these rights
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not use or disclose sensitive personal information beyond the purposes permitted by the CPRA. Notice at collection: we collect your email address (to deliver the product, onboarding, updates, and support), payment data (processed solely by our Merchant of Record, Lemon Squeezy — we never receive card data), and the limited technical license-validation data described above; we do not collect your portfolio, holdings, or financial data. We retain each category only for the periods stated in "Data Use & Retention" above.
To exercise any California right, email hello@getharvestprotocol.com with "California Privacy Request" in the subject line. We will acknowledge within 10 business days and respond within 45 calendar days (extendable once by 45 days with notice). You may use an authorized agent; we will verify your identity using the email associated with your account before responding.
Kit (formerly ConvertKit): Handles email list management. See their privacy policy at kit.com/privacy
Lemon Squeezy: Processes payments and handles file delivery. See their privacy policy at lemonsqueezy.com/privacy
Cloudflare: Provides analytics and CDN services. See their privacy policy at cloudflare.com/en-gb/privacy/
All data transmission uses HTTPS encryption. We store email addresses in encrypted form and restrict access to authorized personnel only. However, no online transmission is 100% secure — use strong passwords and enable two-factor authentication on your email and Claude accounts.
For privacy questions or to exercise your rights, email hello@getharvestprotocol.com with "Privacy Request" in the subject line.