Harvey AI: Privacy, Training & Output Ownership
Tier-by-tier analysis of Harvey AI's data handling, training policies, and commercial output rights. Updated 2026-01-18.
Quick Answer
Harvey AI is a premier legal-tech platform engineered for professional services, offering robust confidentiality protections that align with strict ethical standards. It is currently one of the few platforms providing the contractual 'no-training' and 'zero-retention' guarantees necessary for protecting attorney-client privilege.
Harvey AI is the recommended standard for professionals handling highly sensitive or privileged data who require a secure, non-training AI environment.
Privacy & Data Analysis
Sensitive Data: Yes
Used for Training: No
Output Ownership: User
Sensitive Data
Harvey provides enterprise-grade workspace isolation and zero-retention options specifically designed to maintain legal privilege and confidentiality.
Training
The platform contractually guarantees that no customer inputs, outputs, or uploaded documents are used to train its models or those of its providers.
Harvey provides a binding contractual guarantee via its Security Addendum that customer data is never used to train underlying large language models. This non-training commitment extends to Harvey's third-party model providers, ensuring that sensitive legal strategies and proprietary client information do not leak into the public model's weights or future iterations.
Output Ownership
Users retain all rights, title, and intellectual property interests in their customer data, inputs, and generated outputs.
Under the Platform Agreement, the user (or the firm) retains full ownership and intellectual property rights over all inputs provided and outputs generated by the service. This is a critical feature for legal and medical professionals to ensure that the work product remains the property of the practitioner or the client, avoiding any claims of joint ownership by the AI provider.
Data Retention
Data retention is highly customizable; Harvey allows firms to set their own data lifecycle policies, including 'zero-day' retention where data is purged immediately after the output is generated. This minimizes the footprint of sensitive data and reduces the risk of exposure in the event of a security incident.
Security Measures
The platform maintains SOC 2 Type II and ISO 27001 certifications. Data is protected with AES-256 encryption at rest and TLS 1.2+ encryption in transit, supported by rigorous access controls, regular penetration testing, and isolated processing environments for each client workspace.
Your Rights & Control
Users maintain the right to access, export, and delete their data at any time through the platform's administrative controls. Harvey complies with global standards including GDPR and CCPA, providing transparent subprocessor disclosures and automated tools for managing data subject requests.
Special Considerations
While the core platform is highly secure, professionals should exercise caution with specific integrations like 'Email Harvey,' which may have different compliance profiles (e.g., non-HIPAA compliant status for specific subprocessors) compared to the main 'Vault' and 'Workflow' environments.
FAQ: Harvey AI
Does Harvey AI train on my inputs?
Harvey AI: The platform contractually guarantees that no customer inputs, outputs, or uploaded documents are used to train its models or those of its providers. Harvey provides a binding contractual guarantee via its Security Addendum that customer data is never used to train underlying large language models. This non-training commitment extends to Harvey's third-party model providers, ensuring that sensitive legal strategies and proprietary client information do not leak into the public model's weights or future iterations.
Can I use Harvey AI with confidential or client data?
Harvey AI: Harvey provides enterprise-grade workspace isolation and zero-retention options specifically designed to maintain legal privilege and confidentiality.
Who owns the output I generate with Harvey AI?
Harvey AI: Users retain all rights, title, and intellectual property interests in their customer data, inputs, and generated outputs. Under the Platform Agreement, the user (or the firm) retains full ownership and intellectual property rights over all inputs provided and outputs generated by the service. This is a critical feature for legal and medical professionals to ensure that the work product remains the property of the practitioner or the client, avoiding any claims of joint ownership by the AI provider.
What is Harvey AI's data retention policy?
Harvey AI: Data retention is highly customizable; Harvey allows firms to set their own data lifecycle policies, including 'zero-day' retention where data is purged immediately after the output is generated. This minimizes the footprint of sensitive data and reduces the risk of exposure in the event of a security incident.
Does Harvey AI meet ABA Model Rule 1.6 confidentiality for lawyers handling client data?
Yes, at the strongest tier. See the AI Privacy Guide at https://hoaglaw.ai/resources/ai-privacy-guide for the full comparison.