How Harvey’s Building a Culture of Privacy
Our Head of Privacy and AI Legal discusses Harvey’s commitment to privacy and security.
Aug 19, 2025
Privacy, security, and responsible AI are a priority and embedded in everything we do at Harvey. Some of our earliest legal hires were privacy and AI attorneys like myself, and we’ve invested heavily in ensuring that we develop Harvey in a thoughtful, secure, and privacy-forward way.
In today’s rapidly evolving tech environment, privacy is not just a compliance requirement, it’s a core value and a competitive differentiator. As a domain-specific AI platform serving global law firms and Fortune 500 enterprises, Harvey recognizes that trust is built on a foundation of robust privacy practices.
Embedding Privacy From the Top Down
At Harvey, our commitment to privacy and security starts at the very top. Leadership treats these principles as foundational rather than optional, which sets a clear tone for the rest of the company and makes it easier for everyone to follow suit. Our co-founders Winston Weinberg and Gabe Pereyra have consistently championed privacy and security, not just as business requirements, but as core to our company identity.
My first week at Harvey, I attended an all-hands where Winston put privacy and security front and center. He opened the meeting by speaking about gaining customer trust through building a secure platform and respecting user privacy. That moment made it clear: This wasn’t lip service, it was leadership in action.
This top-down commitment creates space for privacy to be part of every function, not just Legal. From Go-To-Market (GTM) to Product, privacy is considered a shared responsibility. Our legal and privacy teams regularly engage across the organization to reinforce our obligations and the trust our customers place in us. It’s not always easy or fast, but the investment is paying off.
One standout example is how our product team approached building multi-model capabilities. During the due diligence process, our product teams could advocate for the privacy and security requirements because they know the non-negotiables: No training on customer data, zero-day data retention, and no human review. That kind of alignment doesn’t happen by accident. It’s the result of a culture where privacy is built in from the start.
Making Clear and Transparent Commitments
Transparency is an important part of any privacy program. We were one of the first AI companies to become certified under the Data Privacy Framework and to affirm our adherence to its principles. Furthermore, we make our privacy commitments clear in our Data Processing Addendum (DPA), which outlines how we protect and handle our customers’ data. Our DPA reflects the expectations of our customers who hold us to a high standard.
We hold our AI providers to the same high standards. Each one must commit to, among other things, three key principles that safeguard our customers’ data:
- No retention of any customer data: All data is processed ephemerally and then deleted.
- No human eyes on customer data: We call this “eyes off,” and it means that no human has access to or reviews our customer data.
- No AI training on customer data: Our customers’ data belongs to them and may not be used to train AI models.
From Feedback to Action
Putting customer needs first means taking their concerns seriously and acting on them. In the EU, for example, some customers were hesitant to have their data processed in the U.S. In response, our engineering team built the infrastructure and processes needed to support EU- and Swiss-only processing, ensuring that customer data and content (e.g., prompts, output, and documents) remain within the region. This commitment to respecting regional privacy preferences has since been extended to customers in Australia, enabling localized data processing that aligns with their needs and expectations.
From the beginning, we’ve found meaningful ways for customers to directly control their data. Customers define their own data retention periods, with options as short as three hours, allowing them to tailor data handling to their specific risk profiles and internal governance requirements. Beyond retention settings, users can delete their data within the app at any time.
Applying Global Privacy and AI Regulations
Harvey has customers around the world, so understanding the varied regulatory frameworks and requirements is a priority. I’ve spent most of my legal career working outside of the US, and still spend time every year working in the UK.
In 2025, the global regulatory landscape remains highly dynamic, with jurisdictions rapidly advancing new laws and guidance on both privacy and AI. A major focus for my team is staying ahead of these changes, especially in the EU, Switzerland, and the UK. We continuously monitor regulatory trends and engage with local legal experts to ensure that Harvey’s practices align with evolving obligations and best practices.
Privacy Is a Living Value
The privacy landscape is constantly changing, and so is Harvey’s approach. Regular internal reviews, feedback loops, and engagement with cross-functional security experts ensure that privacy practices evolve alongside new threats and technologies.
At Harvey, privacy is more than a policy: It’s a culture. By embedding privacy into our products, processes, and people, Harvey is setting the standard for legal AI.