GDPR & Privacy — HARBOUR AI

Data Controller & Processor Status

Under UK GDPR (as retained by the Data Protection Act 2018), a data controller is the entity that determines the purposes and means of processing personal data. A data processor acts on behalf of a controller and must be bound by a written Data Processing Agreement (DPA) under Article 28.

When your organisation deploys and uses HARBOUR AI:

Your organisation is the sole data controller for all data processed through the application.
LOOSEKEY (the developer) is not a data processor — we receive no data from your use of the application.
No Article 28 DPA with LOOSEKEY is required — there is no processing relationship to govern.
Your organisation retains full control, accountability, and responsibility under UK GDPR.

This is the critical distinction from cloud-based AI tools. When your staff use ChatGPT, Microsoft Copilot, or Google Gemini, those providers become processors (or independent controllers) of whatever data is submitted. That triggers Article 28 obligations, international transfer assessments, and ICO scrutiny. With HARBOUR AI, none of that applies.

Data Flows — What Goes Where

The table below documents every data type handled by HARBOUR AI and its destination. All data is stored under ~/.harbour-ai/ on the device running the application.

DATA TYPE	WHERE IT GOES	LEAVES DEVICE?
Chat messages and conversations	`~/.harbour-ai/harbour-ai.db` (SQLite, local)	NEVER
Uploaded documents (RAG / Knowledge Base)	`~/.harbour-ai/uploads/` and `~/.harbour-ai/rag/`	NEVER
User accounts and passwords	`~/.harbour-ai/harbour-ai.db` — passwords hashed with PBKDF2-SHA256	NEVER
Agent memory (saved facts)	`~/.harbour-ai/harbour-ai.db`	NEVER
AI inference (prompts sent to model)	Local Ollama instance at `localhost:11434` — never leaves the device	NEVER
Application logs	`~/.harbour-ai/harbour-ai.log`	NEVER
Web search queries (optional)	DuckDuckGo or local SearXNG — query text only, no account or session data	Query text only (can be disabled)
Licence key activation	Railway licence server — one-time on first launch only	Licence key + machine ID only — no personal or business data

No telemetry. No analytics. No crash reporting. No usage data. The application contains no tracking code of any kind. The source code is publicly auditable at github.com/LOOSEKEY/HARBOUR-AI.

UK GDPR Article 5 Principles

Article 5 of UK GDPR (Data Protection Act 2018, Schedule 1) sets out six data protection principles. Here is how HARBOUR AI satisfies each one by design.

ART. 5(1)(A)

LAWFULNESS, FAIRNESS & TRANSPARENCY

All processing occurs on the user's own machine. The user has full visibility and control over all stored data. No hidden processing takes place.

ART. 5(1)(B)

PURPOSE LIMITATION

Data is processed solely to provide AI assistant functionality within the application. It is not used for model training, analytics, or any secondary purpose.

ART. 5(1)(C)

DATA MINIMISATION

HARBOUR AI stores only what is necessary for functionality. No background data collection. No analytics. No marketing data. The optional PII Auto-Redaction feature (Admin → PII) provides a technical enforcement layer: 11 UK PII types (NHS numbers, NI numbers, postcodes, phone numbers, email addresses, financial identifiers, dates of birth, passport and driving licence numbers) are detected and replaced with [REDACTED:TYPE] before any message reaches the AI model.

ART. 5(1)(D)

ACCURACY

Users can view, edit, and delete all stored data through the application interface or by directly accessing ~/.harbour-ai/.

ART. 5(1)(E)

STORAGE LIMITATION

Users control retention entirely. Data can be deleted at any time. Removing ~/.harbour-ai/ deletes all data completely and permanently.

ART. 5(1)(F)

INTEGRITY & CONFIDENTIALITY

All data is stored locally. Passwords are hashed using PBKDF2-SHA256 (260,000 iterations). The application does not transmit data over any external network during normal use. The Tamper-Proof Audit Trail (v1.0.97+) cryptographically chains every log entry via SHA-256 hash anchored at GENESIS — any modification, deletion, or insertion of rows is immediately detectable. Admins can verify the full chain at any time from the Admin → Audit panel.

Article 5(2) — Accountability: Because HARBOUR AI processes no data outside the user's device, the deploying organisation retains full accountability and control. Internal policies, staff training, and device security measures are the primary accountability instruments — not contractual obligations with LOOSEKEY.

Data Subject Rights (Articles 15–22)

UK GDPR grants individuals a suite of rights over their personal data. Because all HARBOUR AI data is stored locally on your organisation's own device or server, your organisation can fulfil all of these rights directly — no request to LOOSEKEY is needed or relevant.

RIGHT OF ACCESS
ART. 15

All data is directly accessible in ~/.harbour-ai/harbour-ai.db. Chat export is also available from the Sessions panel (JSON, Markdown, or PDF).

RIGHT TO RECTIFICATION
ART. 16

Data can be edited within the application — in conversation history, agent memory (MEM panel), and the knowledge base (KB panel).

RIGHT TO ERASURE
ART. 17

Delete individual items in-app (conversations, memory facts, uploaded documents). Delete all data by removing ~/.harbour-ai/ from the device.

RIGHT TO RESTRICTION
ART. 18

Achieved by disabling specific features in harbour-config.json — e.g. disabling web search, memory, or the knowledge base.

RIGHT TO PORTABILITY
ART. 20

Chat histories are exportable as Markdown or JSON from the Sessions panel. The underlying SQLite database is a portable, standard format.

RIGHT TO OBJECT
ART. 21

Achieved by disabling specific agents, memory injection, or web search — all configurable without requiring any action from LOOSEKEY.

Third-Party Services

HARBOUR AI uses the following third-party services in limited, specific circumstances only. None of these involve personal data or conversation content.

SERVICE	WHEN USED	DATA SENT	UK GDPR BASIS
Railway licence server (harbour-ai-production.up.railway.app)	First launch only — one-time licence activation	Licence key + machine ID only. No personal data.	Performance of contract (Art. 6(1)(b))
DuckDuckGo	Only when web search is enabled and local SearXNG is not configured	Search query text. No account, session, or identifying data.	Legitimate interests (Art. 6(1)(f)) — user-controlled, can be disabled
Ollama (local)	Every AI query	Runs entirely on localhost. Nothing leaves the device.	N/A — fully local, no external processing
GitHub Releases	Auto-updates only — checking for new versions	Version check request only. Standard HTTPS request headers.	Legitimate interests (Art. 6(1)(f)) — keeping software secure

ELIMINATING WEB SEARCH DATA ENTIRELY

Run a local SearXNG instance and configure it in settings. When SearXNG is active, DuckDuckGo is never contacted:

Self-hosted SearXNG: docker run -d -p 8080:8080 searxng/searxng
Then set the SearXNG URL in HARBOUR AI settings. All web searches route through your local instance.

DISABLING WEB SEARCH ENTIRELY

Web search can be switched off completely, making HARBOUR AI a fully air-gapped application with zero external network calls after initial licence activation:

In harbour-config.json: "features": { "web_search_enabled": false }

ICO AI Guidance Alignment (2024–26)

The UK Information Commissioner's Office (ICO) has published extensive guidance on the use of generative AI in organisations. This guidance has been issued in phases from 2023 through 2026. The key publications and how HARBOUR AI addresses each are set out below.

ICO GENERATIVE AI GUIDANCE (2024)

The ICO's 2024 guidance on generative AI (building on its 2023 call for evidence) identifies the following requirements for organisations using AI tools that process personal data:

Lawful basis for processing: Because personal data never leaves your organisation's device, HARBOUR AI's AI processing does not require a separate lawful basis assessment in relation to third-party exposure.
International transfers: No international transfers occur. The AI model runs locally via Ollama. No data crosses borders.
Processor agreements: Not required — LOOSEKEY is not a processor. See Section 1.
Model training on user data: The local Ollama models do not learn from or retain your conversation data. Each conversation is stateless from the model's perspective.
Transparency to data subjects: Your organisation can accurately state that AI is used on-device only, with no third-party processing of personal data.

ICO CHILDREN'S CODE (AGE APPROPRIATE DESIGN CODE)

The ICO's Children's Code (effective since September 2021, updated guidance 2023–24) applies to online services likely to be accessed by children under 18. For organisations in the education sector using HARBOUR AI:

HARBOUR AI is a B2B desktop application deployed by organisations, not a consumer online service. The Children's Code does not directly apply to HARBOUR AI itself.
Schools and educational organisations deploying HARBOUR AI remain responsible for ensuring their internal data governance (including pupil data policies) meets the Children's Code where applicable to their own services.
HARBOUR AI's Education Sector Pack includes memory facts and templates aligned with KCSIE 2023, ICO Children's Code, and the ICO's guidance on student data under UK GDPR.

ICO'S AI AND DATA PROTECTION AUDIT FRAMEWORK (2025–26)

The ICO commenced formal AI audits of high-risk AI deployments from 2025. HARBOUR AI's architecture is designed to minimise audit risk:

No automated decision-making with significant effects on individuals (Art. 22) — HARBOUR AI provides information to staff, who make decisions independently.
No profiling of individuals — the application processes only what users actively submit in sessions.
No AI training on personal data — Ollama models are static; user data does not modify the model weights.
Full auditability — all data is stored in a standard SQLite database accessible to your organisation's DPO or IT team.

UK AI REGULATORY FRAMEWORK (2026)

The UK government's AI regulation approach (as of 2026) remains sector-led and principles-based rather than a single AI Act equivalent to the EU. Key principles from the AI Safety Institute's framework and DSIT guidance are addressed as follows:

Safety: HARBOUR AI runs open-weight models (e.g. Llama 3.1) locally — model behaviour is transparent and auditable.
Transparency: Users know they are interacting with AI agents. All agent responses are clearly attributed.
Fairness: Model selection is under the deploying organisation's control — organisations can choose models aligned with their fairness requirements.
Accountability: The deploying organisation controls and is accountable for all outputs. LOOSEKEY has no visibility of any queries or outputs.

DPIA requirement: A DPIA may still be required by your organisation under UK GDPR Article 35 if the deployment is likely to result in high risk — for example, if staff will input special category data (health, legal, HR records). A template DPIA is provided in Section 7 below.

DPIA Template

For organisations that need to complete a Data Protection Impact Assessment before deploying HARBOUR AI, use the template below as a starting point. Complete with your organisation's specific context and have your DPO review and sign off.

DPIA — HARBOUR AI LOCAL AI PLATFORM

PROCESSING ACTIVITY

Use of HARBOUR AI local AI desktop application for staff productivity, document analysis, and internal knowledge management.

NATURE OF PROCESSING

Local AI inference, document analysis (RAG), conversation storage, agent memory — all processed and stored on-premise on the organisation's own device(s).

SCOPE & CONTEXT

Used by [number] staff. Deployed on [device type / server]. Data types include [internal documents / HR records / client files — complete as applicable].

PURPOSE

Productivity tooling — drafting, summarisation, Q&A, document review. Not used for automated decision-making about individuals.

NECESSITY & PROPORTIONALITY

Processing is limited to what staff actively submit. No background collection. All processing is on-device. Fully air-gappable if web search is disabled.

RISKS IDENTIFIED

1. Unauthorised physical or network access to the device running HARBOUR AI.
2. Staff inputting personal data of third parties (clients, patients, pupils) into chat sessions beyond what is necessary.
3. Model generating inaccurate outputs that staff act on without verification.

MITIGATIONS

1. Standard device security (full-disk encryption, access controls, network segmentation) addresses physical/network risk.
2. Staff training: advise employees not to input identifiable personal data of third parties unless necessary and proportionate.
3. User training: AI outputs should be reviewed and verified before acting — HARBOUR AI is an assistant, not a decision-maker.
4. Application-level: multi-user deployments use password-authenticated accounts.

RESIDUAL RISK

LOW — equivalent to any locally-stored business productivity application such as Microsoft Word or a local database. Lower risk than cloud-based AI tools.

DPO CONSULTATION

ICO prior consultation (Art. 36) is not required given the low residual risk assessment. Internal DPO sign-off recommended for completeness.

DPO SIGN-OFF

[DPO name] | [Date] | [Signature]

Regulated Sector Suitability

The table below summarises HARBOUR AI's compatibility with the key regulatory frameworks for each professional sector. HARBOUR AI includes dedicated Sector Packs for Legal, Accountancy, HR, and Education — each including relevant compliance memory facts and templates.

SECTOR	RELEVANT FRAMEWORK	STATUS
Legal Solicitors, barristers, in-house counsel	SRA Code of Conduct 2019 (client confidentiality); SRA guidance on AI (2024); ICO AI guidance; UK GDPR	COMPATIBLE Client data never leaves the firm's device. No third-party AI processor. SRA AI guidance (2024) is satisfied — no client data shared with external AI.
Finance & Accountancy FCA-regulated, ICAEW, ACCA	FCA Handbook; FCA AI guidance (2024); ICAEW AI guidance; UK GDPR; MTD requirements	COMPATIBLE Financial data processed locally. Meets FCA expectations for AI governance and data security. No customer data reaches third-party AI services.
HR & Recruitment Employment law, special categories	UK GDPR Art. 9 (special categories); ICO employment guidance; Equality Act 2010	COMPATIBLE Employee and candidate data (special category) processed entirely on-premises. No cloud AI exposure. Art. 9 lawful basis considerations are internal.
Education Schools, MATs, FE colleges, universities	UK GDPR; KCSIE 2023; SEND Code of Practice 2015; Ofsted EIF 2023; ICO Children's Code; DfE Data Protection Toolkit	COMPATIBLE Pupil and student data never leaves school infrastructure. Meets DfE Data Protection Toolkit requirements for local processing. Education Sector Pack included.
Healthcare / NHS-adjacent Private clinics, allied health, social care	DSPT (Data Security and Protection Toolkit); NHS DSCRO guidance; UK GDPR special categories; ICO health sector guidance	COMPATIBLE Patient data (special category) processed entirely on the organisation's device. No transmission to third-party AI. DSPT requirements for data residency are met.
Public Sector Councils, housing, government	UK GDPR; FOIA 2000; Cabinet Office guidance on AI (2024); GDS standards	COMPATIBLE Public data stays on-premises. No commercial AI cloud dependency. Aligns with Cabinet Office principles for responsible AI use in public services.
Professional Services Consultancies, architects, surveyors	UK GDPR; sector-specific professional conduct rules; client confidentiality obligations	COMPATIBLE Client deliverables and confidential materials processed locally. Satisfies professional confidentiality obligations without contractual complexity.

This table is for general guidance only. Organisations in regulated sectors should consult their DPO, compliance officer, or legal counsel before deployment to assess sector-specific requirements.

Contact & Compliance Queries

For any compliance queries, DPIA assistance, or questions about how HARBOUR AI handles data, contact LOOSEKEY directly. Response within 2 working days.

DEVELOPER

LOOSEKEY

loosekeyz84@proton.me

SOURCE CODE github.com/LOOSEKEY/HARBOUR-AI

Fully open — audit the privacy claims directly

ICO REGISTER ico.org.uk/ESDWebPages/Search

Check data controller registration status

This document is provided for information only and should not be construed as legal advice. Organisations should consult their Data Protection Officer or qualified legal counsel when conducting their own GDPR assessments. HARBOUR AI GDPR Compliance Statement v2.1 — May 2026.

Privacy &
Compliance.

THE ONE-LINE VERDICT

Privacy & Compliance.