Privacy
Privacy policy.
Last updated: 2026-04-23
Harbor is a workspace-scoped control plane for AI agents. This policy explains what we collect when you connect a third-party service, how we use it, and the controls you have over it.
01
Who we are
Harbor is operated by Zonko Labs Private Limited. Our product sits between AI agents and the services you already use — Slack, GitHub, Google Workspace, and others — brokering access through OAuth and per-tool authorization. References to “we”, “us”, or “Harbor” in this document mean Zonko Labs.
02
Data we collect
We keep the minimum data required to run the control plane:
- Account information. Name and email, provided via WorkOS SSO when you sign in.
- OAuth tokens. Access and refresh tokens issued by each provider you connect. Tokens are encrypted at rest and only decrypted in-memory to fulfill a tool call.
- Audit logs. A per-user record of every tool invocation: which agent called it, which scope it used, when it happened, and whether it succeeded.
- Provider-side data. When an agent executes a tool, responses flow through Harbor on their way back to the agent. We do not retain response bodies beyond what is required to satisfy the request and, where enabled, to populate the audit log.
Slack integration specifically
When you authorize Harbor’s Slack app, you grant 15 user-level scopes. These let Harbor act on your behalf — not as a bot — so your agent can see what you can see. Concretely:
- Search (search:read.public, search:read.private, search:read.mpim, search:read.im, search:read.files, search:read.users) — query Slack’s search indices across public channels, private channels you belong to, group DMs, DMs, files, and users.
- Message history (channels:history, groups:history, mpim:history, im:history) — read messages in channels, private groups, group DMs, and direct messages you are a member of.
- Posting (chat:write) — send messages as you, only when your agent invokes the tool.
- Canvases (canvases:read, canvases:write) — read and modify canvases available to you.
- User profile (users:read, users:read.email) — look up user profiles, including email, to resolve names and mentions.
Harbor’s Slack integration is pure outbound — event subscriptions and interactivity are disabled, so Slack never pushes data to us. Token rotation is enabled, which means short-lived tokens are refreshed automatically and stale credentials cannot be replayed.
03
How we use it
We use your data exclusively to fulfill the tool calls your agent makes, and to give you a truthful record of what happened. We do not train models on your data. We do not sell it. We do not share it with third parties beyond the provider APIs you explicitly connected (e.g. calls to Slack go to Slack).
04
Per-tool authorization
OAuth is the floor, not the ceiling. Beyond the provider’s consent screen, Harbor asks you to authorize each tool — or a pattern of tools — before an agent can invoke it. You can review, narrow, or revoke these grants at any time from your dashboard. Revoking a grant takes effect immediately for subsequent calls.
05
Retention
OAuth tokens are held until you revoke the connection or the workspace is deleted, whichever comes first. Audit logs are retained for 90 days by default, then purged. Workspace admins can configure a shorter retention window. Account records are removed on account deletion, subject to any legal holds.
06
Subprocessors
Harbor runs on a small, deliberately short list of infrastructure providers:
- Cloudflare — Workers (compute), D1 (database), and R2 (object storage). Hosts the API, tokens, and audit logs.
- WorkOS — SSO and directory for sign-in.
- Sentry — error tracking. Payloads are scrubbed of tokens and message bodies before leaving our workers.
07
Your rights
You can revoke any OAuth connection, delete your account, or request an export of your data at any time. Email support@zonko.ai and we’ll respond within a reasonable window — typically a few business days.
08
GDPR and data residency
Harbor processes data across Cloudflare’s global edge network. EU-based users or workspaces that require EU data residency can request it by contacting support, and we will configure the workspace to route and store data within EU regions. Standard contractual clauses are available on request for customers that need them.
09
Children
Harbor is not intended for children. We do not knowingly collect data from anyone under 13, or under 16 where local law sets a higher age of digital consent. If you believe a minor has signed up, contact us and we will remove the account.
10
Changes to this policy
If we make material changes to this policy we will notify account holders by email before the changes take effect, and update the “Last updated” date at the top of this page. Minor editorial fixes may be made without notice.
11
Contact
Zonko Labs Private Limited. Questions, requests, or security reports go to support@zonko.ai.
This policy is provided in good faith and should be reviewed by legal counsel before relying on it.