Legal

Data Protection Policy

Last updated: 9 April 2026

1. Who We Are

HARi CRM is operated by Blackdurian Limited, Hong Kong. We act as data controller for your account information and as data processor for data you store in HARi CRM (contacts, deals, etc.) — you are the data controller for that data. We do not rent or sell your data.

2. Data We Collect

Identity

Name, company name

Contact

Email, phone number

Financial

Payment details (via Stripe)

Technical

IP, browser, OS, device

Usage

Features used, session data

Profile

Settings, preferences, language

We do not collect sensitive personal data (race, religion, health). If you store such data, you are responsible for ensuring an appropriate legal basis.

3. Service Providers

Provider | Location | Purpose
OVHcloud | France (EU) | Hosting
Stripe | International | Payments
xAI | International | AI features
Plunk / Resend | International | Email delivery

All providers are bound by data processing agreements.

4. Security Measures

Encryption

TLS in transit, bcrypt for passwords

Isolation

Database-per-tenant architecture

Access Control

Role-based permissions, least privilege

Backups

Daily automated, encrypted storage

5. Data Retention

Data | Retention
Active accounts | Duration of subscription
After closure | 30 days, then deleted
Billing records | 7 years (HK tax law)
Server logs | 90 days

6. Your Rights

Under GDPR (EU) and PDPO (Hong Kong), you may: access your data, rectify inaccuracies, erase your data, object to processing, restrict processing, request data portability, and withdraw consent for marketing. We respond within 30 days at no charge.

7. International Transfers & HK PDPO Section 33

HARi is operated by Blackdurian Limited, a Hong Kong company. To deliver our service we transfer your personal data to sub-processors located outside Hong Kong: OVHcloud in France (primary database and file hosting), Stripe in the United States (payment processing), Plunk / Resend in the United States (transactional and marketing email delivery), and xAI in the United States (AI-powered features such as contact enrichment and conversation analysis).

HK PDPO Section 33 regulates cross-border personal data transfers. As of April 2026, Section 33 is not yet fully in force, but HARi voluntarily follows its principles as recommended by the Privacy Commissioner for Personal Data. We rely primarily on the contractual necessity basis: these transfers are required to perform our contract with you — we cannot operate the HARi service without hosting, billing, email delivery, or AI features. Each sub-processor is bound by data processing agreements that impose GDPR-equivalent obligations, including purpose limitation, data minimisation, and breach notification.

Hong Kong has not published a formal whitelist of jurisdictions offering "comparable" protection under PDPO. France and the broader EU are governed by the GDPR, widely considered the international benchmark for data protection. Our US sub-processors participate in enterprise privacy programs and, where HARi has executed them, are bound by Standard Contractual Clauses (SCCs) consistent with EU adequacy requirements. If you do not consent to the cross-border transfer of your personal data, you may request that HARi delete your data and cease processing by writing to hello@haricrm.com. HARi monitors PDPO legislative developments and will update this disclosure when Section 33 enters into force.

Questions about data protection? Contact hello@haricrm.com

HARi CRM is a product of Blackdurian Limited, Hong Kong.