Legal
Privacy Policy
Last updated: April 18, 2026
Blackdurian Limited ("we", "us") is committed to protecting your privacy. This policy explains how we collect, use, and protect personal data when you use HARi CRM and visit our websites. Data Controller: Blackdurian Limited, Hong Kong.
1. Information We Collect
Information You Provide
Account data (name, email, company, password), billing data (card details via Stripe), and business data (contacts, deals, tasks you create).
Collected Automatically
Technical data (IP, browser, OS), usage data (pages visited, features used, session duration), and device data (screen size, language).
From Third Parties
AI enrichment via x.ai (when you trigger it), email metadata from Gmail/Outlook (when you connect).
2. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Provide and operate HARi CRM | Contract |
| Process payments | Contract |
| Send service notifications | Legitimate interest |
| Improve our services | Legitimate interest |
| Prevent fraud and abuse | Legitimate interest |
| Legal and regulatory compliance | Legal obligation |
We do not sell your data. We do not use your business data for any purpose other than providing the Services to you.
3. Data Sharing
| Provider | Purpose |
|---|---|
| OVHcloud (France) | Server hosting |
| Stripe | Payment processing |
| x.ai | AI features (on-demand) |
| Plunk | Transactional email |
We do not share data with advertising networks or data brokers.
4. Security and Storage
Your data is stored on servers operated by OVHcloud in France (EU). We implement encryption in transit (TLS), password hashing (bcrypt), database-per-tenant isolation, role-based access control, and regular automated backups.
5. Data Retention
| Data | Retention |
|---|---|
| Active accounts | Duration of subscription |
| After workspace closure | 30-day grace period, then hard-deleted (database, uploads, exports, AI logs) |
| Audit log | 13 months (monthly partitions, auto-purged) |
| Billing records | 7 years (HK tax law) |
| Server logs | 90 days |
6. Cookies
HARi CRM uses minimal essential cookies: access_token (auth session, 1 hour), hari_theme (light/dark preference), hari_locale (language). We do not use third-party tracking cookies or Google Analytics in the application.
7. Your Rights
HARi CRM is designed to make EU GDPR and Hong Kong PDPO (DPP6) rights actionable directly from inside the product. Workspace administrators can exercise the following rights without contacting us:
| Right | How |
|---|---|
| Export all data on a specific contact, company, or deal | Settings › GDPR › Export Record. Delivers a JSON package with all records, messages, audit entries, attachments, activity, and email send log for that data subject. |
| Export your entire workspace | Settings › GDPR › Request Workspace Export. We prepare a full ZIP of every entity, message, audit entry and attachment and email you a signed download link valid for 24 hours. |
| Permanently erase personal data on a contact | Settings › GDPR › Erase Record. Anonymises personal fields (name, email, phone, tax ID, job title, notes, LinkedIn, bio, salary, date of birth, gender, IP) while preserving relational integrity for your business records. |
| Close your workspace | Settings › Billing › Close Workspace. Starts a 30-day grace period, after which the database, uploads, exports and AI logs are hard-deleted from our S3 bundle and servers. |
| Correct or update your data | Edit any record directly in the app, or update your own profile in Settings › Profile. |
Individual users (including non-admin team members and data subjects whose information is stored by a customer using HARi CRM) can exercise their access, correction, erasure, objection and consent-withdrawal rights by writing to hello@haricrm.com. We respond to all requests within 30 days, in line with GDPR Articles 15–22 and PDPO DPP6.
EU residents may file complaints with their local data protection authority. Hong Kong residents may contact the PCPD at pcpd.org.hk. For practical guidance on PDPO compliance, read our guide to PDPO compliance for Hong Kong SMEs.
8. International Transfers
Your data may be processed outside your country of residence. When transferring data outside the EU, we implement appropriate safeguards including standard contractual clauses.
Questions about privacy? Contact hello@haricrm.com
HARi CRM is a product of Blackdurian Limited, Hong Kong.