Privacy Policy
Effective Date: February 2, 2026
Last Updated: February 2, 2026
1. Introduction
Welcome to Crow’s Nest (“we,” “our,” or “us”). Crow’s Nest is a budget tracking and project management application that integrates with Harvest’s time tracking platform to help you plan capacity and manage project budgets.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our service at https://mycrowsnest.app (the “Service”). Please read this policy carefully.
By using Crow’s Nest, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Data Controller
Service Name: Crow’s Nest
Website: https://mycrowsnest.app
Contact Email: [email protected]
For privacy-related inquiries, please contact us at the email above.
3. Personal Data We Collect
3.1 Information You Provide Directly
Account Information:
- Email address (required for account creation)
- Work week preferences (daily hour allocations)
Project Planning Data:
- Budget allocations for projects
- Task items and completion status
- Custom project notes and configurations
3.2 Information Collected via Harvest OAuth
When you connect your Harvest account, we collect:
Harvest Authentication Data:
- Harvest Account ID
- OAuth access token (encrypted)
- OAuth refresh token (encrypted)
- Token expiration timestamp
- Provider identifier (OAuth)
- Unique identifier (UID)
Harvest Business Data:
- Client names and status
- Project names, codes, rates, and dates
- Time tracking reports (hours worked per project/week)
- Project billing information (hourly rates, fixed fee status)
Important: We use the harvest:all OAuth scope. We do NOT access your Harvest invoices or financial transaction data.
3.3 Information Collected Automatically
Technical Data:
- IP address
- User agent (browser and device information)
- Session identifiers
- Timestamps of actions
Usage Data:
- Pages visited
- Features used (tracked as “events”)
- Actions performed (e.g., “email_verification_requested”, “email_verified”)
3.4 Cookies and Tracking Technologies
We use the following cookies:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
_crowsnest_session |
Session management, authentication | Session (until browser closes) | Essential |
focus_mode |
Save user preference for focus mode UI | 30 days | Functional |
Essential cookies are required for the Service to function and cannot be disabled. Functional cookies enhance your experience and can be cleared from your browser settings.
We do NOT use third-party advertising or analytics cookies.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data under the following legal bases:
| Data Type | Legal Basis | Purpose |
|---|---|---|
| Account information (email) | Contract (GDPR Art. 6(1)(b)) | Necessary to provide the Service |
| Harvest OAuth data | Contract (GDPR Art. 6(1)(b)) | Authentication and core functionality of the Service |
| Session and technical data | Legitimate Interest (GDPR Art. 6(1)(f)) | Security, fraud prevention, service optimization |
| Event logging | Legitimate Interest (GDPR Art. 6(1)(f)) | Debugging, customer support, security monitoring |
Our legitimate interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest (see Section 8).
5. How We Use Your Personal Data
We use your personal data for the following purposes:
Service Delivery:
- Create and manage your account
- Authenticate your identity via Harvest OAuth
- Connect to your Harvest account
- Synchronize Harvest data (clients, projects, time reports)
- Display capacity planning visualizations
- Track budget allocations and project status
- Provide weekly work hour planning
Service Operations:
- Send transactional emails (account verification, notifications)
- Provide customer support
- Monitor system performance and errors (via RorVsWild)
- Prevent fraud and abuse
- Ensure security of the Service
Legal Compliance:
- Comply with legal obligations
- Respond to lawful requests from authorities
- Enforce our Terms of Service
We do NOT use your data for:
- Third-party advertising
- Selling or renting data to third parties
- Marketing beyond essential service communications
- Training machine learning models for other products
6. Data Sharing and Disclosure
6.1 Third-Party Service Providers
We share personal data with the following service providers under strict data processing agreements:
| Service Provider | Purpose | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| Harvest (Getharvest.com) | Time tracking integration (source of data) | OAuth tokens, API requests | USA | OAuth 2.0, HTTPS, Harvest Terms of Service |
| RorVsWild | Performance monitoring | Error logs, performance metrics (sanitized) | France (EU) | DPA, GDPR compliant, encrypted transit |
| Hetzner Online GmbH | Application hosting infrastructure | All application data | Germany (EU) | Encryption at rest and in transit, access controls, DPA, ISO 27001 certified, GDPR compliant |
6.2 Legal Requirements
We may disclose your personal data if required to do so by law or in response to:
- Valid legal process (subpoenas, court orders)
- Government or regulatory requests
- Investigating potential violations of our Terms of Service
- Protecting the rights, property, or safety of Crow’s Nest, our users, or the public
When legally permitted, we will notify you before disclosing your data to authorities.
6.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity. You will be notified via email and/or prominent notice on our Service of any such change in ownership or control.
6.4 International Data Transfers
For EU/EEA Users:
Harvest is based in the United States. When you connect your Harvest account, your data is transferred from Harvest (USA) to our servers. We ensure appropriate safeguards through:
- Compliance with Harvest’s Terms of Service (Section 7 - Confidentiality)
- Standard Contractual Clauses (SCCs) where applicable
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive data
Your Harvest data is subject to Harvest’s own Privacy Policy. We encourage you to review it at: https://www.getharvest.com/privacy
6.5 No Sale of Personal Data
We do NOT sell, rent, or trade your personal data to third parties for monetary or other valuable consideration.
California Residents: We have not sold personal information in the past 12 months and do not sell personal information.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion + 30 days | Service provision, legal compliance |
| Harvest OAuth tokens | Until disconnection or expiration | Service functionality |
| Harvest business data (clients, projects) | Until account deletion or manual sync removal | Service functionality |
| Session data | 30 days after session expires | Security, debugging |
| Event logs | 2 years | Security auditing, customer support |
| Deleted account data | 30 days (soft delete) | Allow account recovery |
After account deletion:
- Personal data is permanently deleted within 30 days
- Anonymized usage statistics may be retained indefinitely
- Backup data is purged according to backup retention schedules (90 days maximum)
Inactive accounts: Accounts inactive for 24+ months may be deleted after email notification.
8. Your Rights
8.1 Rights for EU/EEA/UK Users (GDPR)
You have the following rights under the General Data Protection Regulation:
Right of Access (Art. 15):
Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16):
Correct inaccurate or incomplete personal data.
Right to Erasure / “Right to be Forgotten” (Art. 17):
Request deletion of your personal data when:
- No longer necessary for the purposes collected
- You withdraw consent (where processing is based on consent)
- You object to processing based on legitimate interest
- Data was unlawfully processed
Right to Restriction of Processing (Art. 18):
Request limitation of processing under certain conditions.
Right to Data Portability (Art. 20):
Receive your personal data in a structured, machine-readable format (JSON/CSV).
Right to Object (Art. 21):
Object to processing based on legitimate interests or for direct marketing.
Rights Related to Automated Decision-Making (Art. 22):
We do not use automated decision-making or profiling that produces legal effects.
Right to Withdraw Consent:
Where processing is based on consent, you may withdraw at any time.
Right to Lodge a Complaint:
You may file a complaint with your national data protection authority if you believe we have violated your rights.
How to Exercise Your Rights:
Email [email protected] with your request. We will respond within 30 days.
8.2 Rights for California Residents (CCPA/CPRA)
California residents have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
Right to Know:
Request disclosure of:
- Categories of personal information collected
- Specific pieces of personal information collected
- Categories of sources
- Business purposes for collection
- Categories of third parties with whom we share data
Right to Delete:
Request deletion of personal information we collected from you, subject to certain exceptions.
Right to Opt-Out of Sale:
We do not sell personal information. No opt-out is necessary.
Right to Non-Discrimination:
We will not discriminate against you for exercising your CCPA rights (e.g., denying service, charging different prices).
Right to Correct:
Request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information:
We do not use or disclose sensitive personal information beyond what is necessary for service provision.
How to Exercise Your Rights:
- Email: [email protected]
- Include “CCPA Request” in the subject line
- We will respond within 45 days (may extend by 45 days with notice)
Verification Process:
To protect your privacy, we will verify your identity by:
- Confirming the email address associated with your account
- Sending a verification link to your registered email
- Requiring login authentication
Authorized Agents:
You may designate an authorized agent to make requests on your behalf by providing written authorization.
8.3 How to Exercise Your Rights
Account Settings:
You can update your email directly in your account settings.
Data Export:
Request a data export by emailing [email protected]. We will provide your data in JSON or CSV format.
Account Deletion:
Delete your account via account settings or by emailing [email protected]. Deletion is permanent after 30 days.
Disconnect Harvest:
Revoke Harvest OAuth access in your account settings. This will remove Harvest tokens and stop data synchronization.
9. Data Security
We implement technical and organizational measures to protect your personal data:
Technical Measures:
- Encryption in Transit: HTTPS/TLS 1.3 for all connections
- Encryption at Rest: OAuth tokens stored using Rails encrypted attributes
- OAuth Security: Secure token storage, automatic token refresh, token expiration handling
- Database Security: SQLite with file-level permissions, backups encrypted
- Session Security: HTTP-only, secure cookies; session invalidation on logout
Organizational Measures:
- Access Controls: Role-based access; principle of least privilege
- Employee Training: Security awareness training for team members
- Confidentiality Agreements: All team members sign NDAs
- Incident Response Plan: Procedures for detecting and responding to breaches
- Regular Audits: Quarterly security reviews and dependency updates
- Vulnerability Scanning: Automated security scanning with Brakeman
Data Breach Notification:
In the event of a data breach affecting your personal data, we will:
- Notify affected users within 72 hours of discovery (GDPR requirement)
- Notify relevant supervisory authorities as required by law
- Provide information on the nature of the breach and mitigation steps
- Post a public notice if the breach affects a large number of users
Limitations:
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your Harvest account credentials.
10. Children’s Privacy
Crow’s Nest is not intended for use by individuals under the age of 16 (or 13 in the United States).
We do not knowingly collect personal data from children under 16/13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected]. We will promptly delete such information.
11. Third-Party Links
Our Service may contain links to third-party websites, including Harvest. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.
Harvest Privacy Policy: https://www.getharvest.com/privacy
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in:
- Our practices
- Legal requirements
- Service features
- User feedback
Notification of Changes:
- Material Changes: We will notify you via email at least 30 days before the effective date
- Non-Material Changes: Updated on this page with a new “Last Updated” date
- Continued Use: Your continued use of the Service after changes become effective constitutes acceptance
Version History:
Previous versions of this Privacy Policy are available upon request.
13. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our data practices:
Email: [email protected]
Subject Line: “Privacy Inquiry” or “Data Subject Request”
Response Time:
- General inquiries: 5 business days
- Data subject rights requests: 30 days (GDPR), 45 days (CCPA)
- Security incidents: Immediate acknowledgment, investigation within 72 hours
Supervisory Authority (EU/EEA Users):
If you are located in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your national data protection authority.
Appendix A: Data Categories Summary (CCPA)
Categories of Personal Information Collected (Last 12 Months):
| Category | Collected? | Examples | Business Purpose |
|---|---|---|---|
| A. Identifiers | Yes | Email address, OAuth UID, IP address | Account management, authentication |
| B. Personal information (Cal. Civ. Code § 1798.80(e)) | Yes | Email, name (from Harvest) | Account creation, communication |
| C. Protected classification characteristics | No | - | - |
| D. Commercial information | Yes | Project billing rates, time tracking data | Service functionality |
| E. Biometric information | No | - | - |
| F. Internet or network activity | Yes | User agent, IP address, pages visited | Security, service optimization |
| G. Geolocation data | No | - | - |
| H. Sensory data | No | - | - |
| I. Professional or employment information | Yes | Harvest clients, projects, time data | Service functionality |
| J. Non-public education information | No | - | - |
| K. Inferences | No | - | - |
Sources of Personal Information:
- Directly from you (account registration, settings)
- Automatically from your device (cookies, logs)
- From Harvest via OAuth (business data)
Business Purposes for Collection:
- Providing the Service
- Security and fraud prevention
- Customer support
- Legal compliance
- Service improvement
Third Parties We Share With:
- Harvest (OAuth authentication)
- RorVsWild (performance monitoring)
- Hosting providers
Sale of Personal Information:
We do NOT sell personal information.
Appendix B: Glossary
Personal Data: Information relating to an identified or identifiable natural person.
Data Controller: The entity that determines the purposes and means of processing personal data. Crow’s Nest is the data controller for your account data.
Data Processor: An entity that processes personal data on behalf of the data controller. Harvest acts as a data source; RorVsWild acts as a processor for monitoring data.
OAuth: An open standard for authorization that allows you to grant Crow’s Nest access to your Harvest data without sharing your Harvest password.
GDPR: General Data Protection Regulation (EU Regulation 2016/679), governing data protection in the EU/EEA.
CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act, governing data protection for California residents.
Encryption at Rest: Data stored on disk in encrypted form.
Encryption in Transit: Data transmitted over networks using encryption (HTTPS/TLS).
HTTPS/TLS: Secure communication protocols that encrypt data between your browser and our servers.
Document Version: 1.0
Effective Date: February 2, 2026
Next Review: August 2, 2026