Privacy Policy

Data handling you can inspect before you send anything.

HARNEXA public surfaces default to browser-local scoring, synthetic demos, and founder-reviewed handoffs. This page maps what stays local, what is stored only with consent, and which processors touch each surface.

Last updated: 21 June 2026

What each public surface does with data

The buyer journey is intentionally narrow: score readiness, inspect proof, attach context, then request founder review. Storage is visible and consented.

SurfaceDefault data stateStorageTrigger
PRISM readiness scan

Browser-local score, maturity band, and recommended path.

Nothing is stored unless the visitor sends a consented result packet.

Default public use

Consented PRISM readiness submissions

readiness score, recommended path, company, work email, role, workflow, and commerce stack.

Supabase readiness_submissions insert-only table with no public readback.

Explicit consent checkbox and Send result action

ATLAS inquiry packet

Name, email, selected offer, attached proof context, role, workflow, and message.

Prepared in the visitor email client and founder inbox; no hidden public form database.

Request diagnostic action

PHANTOM demo and trust dossier

Synthetic account, proposed action, audit trail, CLEAR baseline, and proof packet context.

Browser copy/download and URL handoff parameters only.

Inspect proof, copy packet, or carry context into booking

Vercel Analytics

Analytics data - anonymised page views and interaction events via Vercel Analytics. No cookies are set; no personal identifiers are stored.

Aggregate website performance and conversion baseline.

Page view or public CTA interaction

Public surfaces never execute client operations

HARNEXA can demonstrate governed commerce workflows publicly, but the public site is not an execution surface. Client systems require signed scope, explicit credentials, private runtime controls, and human approval gates.

  • No public MCP execution.
  • No public customer credential intake.
  • No autonomous checkout, order submission, refund, discount, payment, or client-system write.
  • No lead, analytics, or readiness persistence to the Vercel filesystem.
  • No claim that HARNEXA certifies EU AI Act compliance.
Review path
  1. Run PRISM locally.
  2. Send a consented packet only if you want founder review.
  3. Attach proof from /trust, /passport, or /demo.
  4. HARNEXA reviews manually before any proposal or deployment work.

Processors and operating roles

Processor exposure stays proportional to the route. The public site uses hosting and analytics infrastructure; consented readiness packets use Supabase; private runtime systems stay token-gated and out of the public journey.

Vercel Inc.

Hosting and analytics. Data processed in the EU via the cdg1 Paris region where possible.

Public page requests, server logs, anonymised analytics events.

Privacy policy
Supabase

Consented readiness packet storage and governance database infrastructure.

Only explicit PRISM packet fields when the visitor sends them.

Privacy policy
Render

Private token-gated runtime hosting for PHANTOM and operator workflows when enabled.

Synthetic demo/runtime telemetry unless a signed client scope authorises more.

Privacy policy

Privacy Policy

The following legal notice covers the personal data HARNEXA may process when you use the site, send a PRISM packet, or contact HARNEXA.

1. Who we are

HARNEXA AI is a governed agentic deployment studio operated by Raul Rausell, based in Catalonia, Spain (EU). Contact: raul@harnexa.ai.

2. What data we collect and why

We collect minimal data to operate this website and respond to inquiries:

  • Consented PRISM readiness submissions - readiness score, recommended path, company, work email, role, workflow, and commerce stack when you explicitly send a result packet to HARNEXA. Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR where follow-up is requested.
  • Inquiry data - name, email, and message when you contact us. Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual steps).
  • Analytics data - anonymised page views and interaction events via Vercel Analytics. No cookies are set; no personal identifiers are stored. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding site usage).
  • Server logs - IP addresses and request metadata retained by Vercel infrastructure for up to 30 days for security and operational purposes. Legal basis: Art. 6(1)(f) GDPR.

3. Data retention

Inquiry correspondence is retained for up to 24 months unless a longer period is required by applicable law or you request deletion. Consented PRISM readiness packets are reviewed as founder pipeline evidence and can be deleted on request. Anonymised analytics aggregates are retained indefinitely. Server logs are retained for 30 days.

4. Third-party processors

5. Your rights

Under GDPR you have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing based on legitimate interest. To exercise any right, email raul@harnexa.ai. We will respond within 30 days.

6. International transfers

We prefer EU-resident infrastructure. Where data is transferred outside the EEA, for example by third-party processors, transfers are covered by Standard Contractual Clauses or an adequacy decision.

7. Complaints

You have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at aepd.es.

8. Changes to this policy

We may update this policy. The last updated date at the top reflects the most recent revision. Material changes will be communicated via the site banner.

This is a technical summary. Consult qualified legal counsel for a complete GDPR compliance assessment.