Legal

Privacy Policy

Effective date: July 1, 2026

The short version: Harbor is built for therapists. We store your data and your clients' records securely in the United States, we never use client information to train AI models, and we never sell data to third parties. Full details below.

Who this policy covers

This Privacy Policy applies to Harbor, an electronic health record (EHR) platform operated by MainCharacter, Inc. It covers information we collect from licensed mental health professionals ("you" or "therapist") who create an account, and the client records therapists enter into the platform.

Harbor is not a consumer product. If you are a therapy client, your therapist is the party responsible for your records. Contact them directly with questions about your personal health information.

What we collect

We collect two categories of information:

  • Account information. When you sign up, we collect your name, email address, professional license information, and payment details (processed by our payment provider; we do not store full card numbers).
  • Client records you enter. Session notes, intake forms, scheduling data, superbills, and any other clinical information you add to Harbor belongs to you. We store it to provide the service.
  • Usage data. We collect basic product analytics such as which features you use, page load times, and error logs. This data is aggregated and used to improve Harbor.

We do not collect information from your clients directly. We do not place tracking pixels on your client-facing materials.

How we use your information

We use account information to operate your account, process payments, send service-related communications, and respond to support requests.

We use client records solely to provide the features of Harbor to you. We do not analyze, mine, or otherwise process client records for any purpose beyond delivering the service you paid for.

We use usage data to understand how Harbor is being used so we can fix bugs and improve the product.

HIPAA compliance

Harbor is designed to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). As a covered entity using Harbor to store and manage protected health information (PHI), you may need a Business Associate Agreement (BAA) in place with us.

We will sign a BAA with any therapist who requests one. Email contact@mainchar.ai to request yours. A signed BAA is required before using Harbor to store PHI.

We implement the administrative, physical, and technical safeguards required under the HIPAA Security Rule. Details on our technical controls are available on our Security page.

Where your data is stored

All data is stored in the United States on Google Cloud Platform infrastructure. We do not transfer or replicate data outside the US. Our storage regions are selected to comply with US data residency requirements.

AI features and your client data

Harbor offers optional AI-assisted features such as note drafting assistance. These features are opt-in and turned off by default.

Client records are never used to train AI models. Client records are never sent to any AI pipeline unless you explicitly activate an AI feature for a specific session. Even then, data is processed transiently and is not retained by the AI system or used to improve any model.

We do not share client records with any third-party AI provider for purposes other than the specific, user-initiated action you requested.

Sharing and third parties

We do not sell your data or your clients' data. We share data only in the following limited circumstances:

  • Service providers. We use a small number of third-party vendors (payment processing, infrastructure) who are contractually bound to handle data only as instructed and not to use it for their own purposes.
  • Legal obligations. We may disclose information if required by law, subpoena, or court order, and we will notify you when permitted by law to do so.
  • Business transfers. If Harbor is acquired or merged, your data may transfer to the successor entity, which will remain bound by this policy or provide you advance notice of any changes.

Data retention and deletion

We retain your account information and client records for as long as your account is active. When you cancel your account, you have 30 days to export your data in a standard format.

After the 30-day window, we delete your account data from our production systems. Encrypted backups are purged on a rolling 90-day cycle. Certain billing records are retained for up to seven years as required by financial regulations.

To request early deletion of your account or specific records, contact contact@mainchar.ai.

Your rights

As a Harbor subscriber, you can:

  • Access all data in your account at any time through the Harbor interface.
  • Export your records and client data in standard formats (PDF, CSV) at any time.
  • Request correction of inaccurate account information.
  • Delete your account and request removal of your data.
  • Opt out of non-essential communications.

Cookies and tracking

Harbor uses session cookies for authentication. We use a minimal set of analytics cookies to understand product usage. We do not use advertising cookies or cross-site trackers. You can disable cookies in your browser, though some features of Harbor require session cookies to function.

Changes to this policy

We may update this policy as Harbor evolves. We will notify you by email at least 14 days before material changes take effect. The effective date at the top of this page reflects the most recent update. Continued use of Harbor after the effective date constitutes acceptance of the updated policy.

Contact us

Questions about privacy or data handling can be directed to:

MainCharacter, Inc.
contact@mainchar.ai