This page explains what personal data Harbor Gang ("we", "us") collects
when you use Lighthouse at lighthouse.harborgang.com or via the MCP
endpoint at /mcp/. Harbor Gang is based in Kyiv with a
remote EU footprint; processing is governed by the EU General Data
Protection Regulation (GDPR).
What we collect
- Account data. When you sign in via Auth0, we receive your email address, display name, and (when available) profile picture from your identity provider. We store these in our database keyed by your Auth0 subject identifier so we can recognise you on return visits.
- Subscription data. If you upgrade to Pro or Team, Paddle.com Market Limited acts as our Merchant of Record. Paddle processes your payment details, handles tax, and issues invoices — we never see your card number. We store the Paddle customer and subscription identifiers plus your current tier and renewal date.
- Search usage. Each call to /search is counted toward your daily rate-limit. The counter is keyed by your user identifier (signed-in users) or IP address (anonymous), with the UTC date. We do not log or retain the query text itself.
- Operational logs. Our servers log request paths, HTTP status codes, and approximate latency for ~14 days for debugging. These logs are not personally indexed.
What we don't do
- We don't sell personal data.
- We don't place advertising cookies or third-party trackers.
- We don't share query content with third parties for training.
- We don't log the contents of your search queries beyond the anonymised aggregate counters described above.
Cookies
Lighthouse sets a single session cookie (lh_session) on
sign-in. It carries a signed JWT identifying you to the server. See
our cookie notice for details.
Where data lives
User profiles and subscription state are stored in a Neon Postgres instance hosted in the European Union. Authentication is handled by Auth0 (Okta, Inc., US-based; standard contractual clauses cover the transfer). Payment processing happens at Paddle (UK/EU). Hosting and compute run on DigitalOcean's Frankfurt region.
Retention
- Account data: kept while your account is active and for up to 90 days after the last sign-in, then deleted unless legal retention applies.
- Subscription records: retained for 7 years to satisfy accounting and tax obligations.
- Daily usage counters: rolled up monthly; raw daily rows are kept 90 days.
- Operational logs: 14 days.
Your rights
Under GDPR you have the right to access, correct, port, restrict, or delete personal data we hold about you, and to object to processing. Email hello@harborgang.com with your request and we'll respond within 30 days. You also have the right to lodge a complaint with the supervisory authority in your country of residence.
Sub-processors
The processors we rely on, by purpose:
- Auth0 (Okta, Inc.) — authentication
- Paddle.com Market Limited — billing & tax (Merchant of Record)
- Neon, Inc. — managed Postgres database
- DigitalOcean, LLC — compute & networking
- OpenAI, LLC — embeddings and reranker for search
Changes
We'll post material changes to this notice on this page with an updated effective date. For substantive changes, signed-in users will receive an email notice in advance.
Contact
Questions about this notice or to exercise your rights: hello@harborgang.com.