Legal

Privacy Policy

Last updated: April 5, 2026

What we collect

When you sign up, we store your name and email address from your Google account. We use this solely to identify your account and communicate with you about the service.

We do not request access to your email account. Newsletters reach us in one of two ways: a public RSS feed you select from our directory, or by being delivered to a unique forwarding address we issue you. Either way, the only messages we ever see are the ones you explicitly route to us — your inbox stays private.

How we use your data

  • Newsletter content is sent to AI language model providers (e.g. Anthropic, OpenAI) for summarization. Only the extracted newsletter text is sent — never your email address, headers, or metadata.
  • Summaries are sent to text-to-speech providers (e.g. Google Cloud, OpenAI) to generate audio. The resulting podcast episodes are stored and served only to you via your private RSS feed.
  • Payment information is handled entirely by Stripe. We store only your Stripe customer ID — never your card number or billing details.

Data we share

We share data only with the service providers necessary to operate the product:

  • Google — OAuth authentication (sign-in only; we do not access Gmail)
  • AI providers (Anthropic, OpenAI) — newsletter text for summarization
  • TTS providers (Google Cloud, OpenAI) — summary scripts for audio generation
  • Stripe — payment processing

We do not sell, rent, or share your personal data with anyone else. We do not use your data for advertising. We do not train AI models on your data.

Data retention

Podcast episodes are retained for 90 days by default. Newsletter content is processed in memory and not stored after the episode is generated. Your account data is retained as long as your account is active.

Account deletion

You can delete your account at any time from your billing page. Deletion immediately and permanently removes your account, episodes, source list, forwarding address, and cancels your subscription. This action cannot be undone.

Security

Session tokens are signed with HMAC-SHA256. CSRF protection is enforced on all state-changing requests. Inbound webhooks are authenticated via HMAC shared secret. All connections use TLS.

Your rights

You have the right to access, correct, or delete your personal data at any time. To exercise these rights, use the account deletion feature or contact us at support@harkwire.com.

Changes

We may update this policy from time to time. Material changes will be communicated via email or a notice in the app.

Contact

Questions about this policy? Email support@harkwire.com.