Privacy Center

Last updated: July 13, 2026

What changes have you made to the Privacy Policy on July 13, 2026?

We have updated our Privacy Policy to enhance clarity and provide additional details regarding how we collect and process personal data and the rights you may have under applicable privacy laws. These enhancements include:

  • Additional terms applicable to our use of personal data belonging to individuals in Australia.
  • Updating the description of the data used and legal bases we rely on for certain processing activities.
  • Providing additional information about processing we engage in to target ads and how you can opt-out or (where applicable) revoke consent for that processing.
  • Updating descriptions of rights you may have under certain privacy laws.

What publicly available information does :Harvey: access to develop its AI platform?

Harvey accesses publicly available legal information like judgments, public filings, statutes and legislation, and public briefs to improve its AI platform. The public information that we use is similar to the information that most law firms access on a daily basis to help serve their clients.

Some of the publicly available information we use may relate to an individual and, in some jurisdictions, is considered Personal Data. Harvey processes this data only to provide context to a customer query so that our AI platform can provide more relevant responses. We do not intentionally use the publicly available information to identify an individual.

What personal data does the :Harvey: Privacy Policy apply to?

Our Privacy Policy describes how we process Personal Data as a Data Controller for our own business purposes. It does not apply to Customer Data and Content we process as a Data Processor on behalf of our Customers.

What is Customer Data and Content?

Harvey defines Customer Data as documents uploaded to the Service by Harvey Customers. Content includes both the queries Customers input to the Service and the corresponding outputs from Harvey. In most cases, we talk about these terms together, as Customer Data and Content.

Does :Harvey: train AI models on Customer Data and Content?

We understand and appreciate that Customers trust Harvey with highly confidential information. Harvey does not use Customer Data or Content to train AI models, or to improve our products and services. We also do not access Customer Data or Content except (i) to provide or support the Harvey Service or (ii) to comply with the law or a binding order of a governmental body.

Do :Harvey:’s AI providers train on Customer Data and Content?

Harvey’s AI provider Subprocessors are contractually prohibited from using Customer Data or Content to train, develop, or improve their models or services.

We also require our AI provider Subprocessors not to retain or log Customer Data or Content for human review. When our Subprocessors need to retain Customer Data and Content to provide a particular Service feature, these features are disabled by default and can only be enabled by account administrators. The scope of retention required in these exceptional circumstances is addressed in our Service Terms.

With whom does :Harvey: share Personal Data for advertising?

We work with third-party advertising partners, including analytics providers and ad networks, to serve and measure the impact of ads on our behalf. We share data via pixels, cookies, and similar technologies placed on our Websites and via our advertising partners’ APIs. Where required by law, we do so with Your consent. You can opt out or revoke consent for sharing for ad targeting at any time on the Your Privacy Choices page of our website. The data we share and the partners we work with for these purposes may include:

Third-party service

Data that we may share or make available

Learn more

Google

website activity, IP address, device and browser characteristics, timestamps of visits, email.

https://policies.google.com/privacy

LinkedIn

name, website activity, IP address, device and browser characteristics, timestamps of visits, email.

https://www.linkedin.com/legal/privacy-policy

Meta

website activity, IP address, device and browser characteristics, timestamps of visits, email.

https://www.facebook.com/privacy/policy/

Microsoft

website activity, IP address, device and browser characteristics, timestamps of visits, email.

https://www.microsoft.com/en-us/privacy/privacystatement

What rights do I have under U.S. State Privacy Laws?

Each state may provide different privacy rights. For more information on which rights may be available in your state, consult the table below.

Right to know/confirmation of processing

California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia

Right to access

California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia

Right to correction

California, Colorado, Connecticut, Delaware, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia

Right to data portability

California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia

Right to deletion

California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia

Right to opt-out of processing for targeted advertising

Colorado, Connecticut, Delaware, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia

Right to opt-out from a sale of personal data

California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia

Right to opt-out from profiling for certain decisions with legal or similarly significant effects

California, Colorado, Connecticut, Delaware, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Virginia

Right to non-discrimination for exercising your rights

California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia

Right to appeal the refusal of a request to exercise your rights

Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Virginia

Right to confirm the third parties or categories of third parties to which personal data has been disclosed or sold

Connecticut, Delaware, Maryland, Minnesota, Oregon

Right to opt-out from sharing for cross-context behavioral advertising

California


Data Processing Addendum (DPA) FAQs

What is the scope of your DPA?

Our Data Processing Addendum (DPA) includes terms that address how we process data we collect from our Customers and authorized users of the Harvey Service. It primarily addresses how we process Customer Data and Content as a Data Processor on behalf of our Customers.

What is a Subprocessor and does :Harvey: use Subprocessors?

A Subprocessor is any subcontractor or vendor that Harvey engages and that has access to, or otherwise processes, Customer Data or Content. These entities provide services that help us to deliver the Harvey platform.

Please find our current Subprocessors, their location, and a description of the processing activities they undertake on our behalf on our Subprocessors List. Note that Harvey also maintains a separate service provider page for vendors that support Harvey operationally but do not process Customer Data or Content. That list is available on the Service Provider List available on our Trust Center.

What are :Harvey:’s security measures?

Harvey maintains appropriate technical and organizational measures to protect Customer Data and Content. These are set out in the Harvey Security Addendum.

Please see our Trust Center for more information about security at Harvey.

What transfer mechanisms does :Harvey: use when transferring data from the EU/UK/Switzerland?

Harvey is self-certified under the Data Privacy Framework, which it relies on for transfers of personal data from the EEA, the UK, and Switzerland to the U.S. Our DPA and Data Transfer Addendum also incorporate the EEA SCCs (including adaptations to facilitate transfers from Switzerland) and the UK International Data Transfer Addendum as fallback transfer mechanisms.