Privacy Policy
Last update: 23 June 2026
Welcome to Narrativa, owned and operated by Narrativa OÜ (“Narrativa”, “us” or “we”). This Privacy Policy describes how we collect, use, disclose, and protect personal information through our website, applications, chatbot, and other mechanisms associated with Narrativa (collectively, the “Service”). This Privacy Policy also applies to social media pages we control, email communications, or other communications where the link to this Privacy Policy is provided.
How do you accept this policy
By visiting the Narrativa website (the “Site”) or using the Service, including by registering, or by otherwise providing us with personally identifiable information (such as an email address), you agree to the terms and conditions of this Privacy Policy. Where we rely on consent as the legal basis for processing your personal data, we will obtain your explicit consent at the point of data collection.
Data controller
Narrativa OÜ is the data controller for the purposes of the GDPR and applicable data protection legislation. Our contact details are set out at the end of this Privacy Policy. Narrativa has not appointed a Data Protection Officer (“DPO”) as it does not carry out processing operations that require the designation of a DPO under Article 37 of the GDPR. Should this position change, this Privacy Policy will be updated accordingly. In the meantime, all data protection enquiries should be directed to [email protected].
Legal basis for processing
Under the applicable legislation, we process your personal data only where we have a lawful basis to do so. Our legal bases for processing include:
- Contract performance: processing necessary to perform a contract with you or to take steps at your request prior to entering into a contract.
- Legitimate interests: processing necessary for our legitimate interests (such as improving our Service, ensuring security, and conducting business analytics), provided those interests are not overridden by your rights and freedoms.
- Consent: where you have given clear consent for us to process your personal data for a specific purpose.
- Legal obligation: processing necessary to comply with a legal obligation to which we are subject.
Non-personal information that is collected
We collect information that is not personally identifiable in connection with use of the Site or the Service, such as device-related information. This information is collected for the purposes of operating the Service, ensuring security, and conducting analytics. Please note that certain technical data, such as IP addresses, may constitute personal data under the GDPR. Where such data constitutes personal data, it is processed in accordance with the provisions of this Privacy Policy applicable to personal information.
Personal information that is collected
If you choose to fill in our form, personal information is collected (email address). We also may collect personal information if you contact us or otherwise give it to us (e.g. in an email). Where you are a paying customer, we may also collect your name, address, phone number, credit card information, and organisation information for the purpose of processing your subscription or purchase.
Chatbot and artificial intelligent data
Our chatbot may use artificial intelligence technologies to generate responses.
- Responses are generated automatically
- Outputs may not always be accurate or complete
- Responses should not be relied upon as professional or regulatory advice
Chatbot interactions may be logged and reviewed for quality, security, and compliance purposes. We process chatbot interaction data on the basis of our legitimate interest in improving our Service and ensuring its security. Any personal data contained within chatbot interactions will be retained in accordance with our data retention policy set out below.
The chatbot does not engage in solely automated decision-making that produces legal effects or similarly significant effects on individuals within the meaning of Article 22 of the GDPR. Chatbot outputs are generated for informational purposes only and are not used as the sole basis for any decision affecting you.
How we use information we collect
We collect personal data you provide, along with technical and usage information from your interactions with the website. This data is used to operate the site, deliver requested services, improve performance, and maintain security. Processing is based on contract performance, our legitimate interests, your consent where required, and compliance with legal obligations.
Personal information
We may use personal information to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how the Service is used, to monitor and protect the security and integrity of the Service, and to analyze our business.
The Company may also use the information you provide to contact you to further discuss your interest in the Services and to send you information regarding Narrativa.
We may disclose personal information as required by law or in response to service of legal process, such as a court order, summons subpoena, or the like.
We may share personal information with our corporate affiliates and with business partners who provide services related to the Service (such as website hosting or payment processing). These business partners act as data processors on our behalf and do not have the right to use this personal information for any purpose other than those related to the Service. All such processors are bound by data processing agreements that comply with Article 28 of the GDPR.
Information about our users, including personal information, may be disclosed or transferred to entities now or in the future affiliated with Narrativa or as part of any merger, acquisition, change of control, debt financing, insolvency, bankruptcy, or sale of our assets. Such information may be used in the businesses of any entity receiving it, subject to the obligations set out in this Privacy Policy and applicable data protection law. Except as provided above, we will not sell or transfer your personal information to third parties.
Analytics
We may use collected information to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how our Service is used, to monitor and protect the security and integrity of the Service, and to analyze our business.
We analyze traffic to the site in various ways, including using a service called Google Analytics. We use information such as session statistics, approximate geolocalisation, and browser and device information to generate statistics and to measure activity to improve the usefulness of the Site and the Service. The legal basis for this processing is our legitimate interest in understanding how the Service is used and improving it.
Google Analytics is subject to the privacy policy of Google. By visiting the Site or using the Service, you are agreeing to the terms of the Google Privacy Policy that apply to Google Analytics. These terms can be found at “How Google uses data when you use our partners’ sites or apps”, located at https://www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time.
We reserve the right to change analytical service providers at any time without notice. Where a change of provider materially affects the processing of your personal data, we will update this Privacy Policy accordingly.
Cookies
We use essential cookies to make interactions with the Site easy and meaningful. When you visit the Site, our servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself by filling out a form, you remain anonymous to us.
For any non-essential cookies (such as analytics or marketing cookies), we will obtain your consent before placing them on your device, in accordance with applicable law. You may manage your cookie preferences at any time through the cookie settings on our Site.
Chatbox
We use essential cookies to keep this chat running smoothly and securely. These cookies help us recognize your browser and maintain your session. They don’t identify you personally.
Sharing and disclosure
We may share personal data with:
- Third-party service providers and subprocessors
- Corporate affiliates
- Legal authorities
All subprocessors are contractually bound to protect personal data and process it only in accordance with our documented instructions and in compliance with the applicable regulations.
Do not track
Currently, various browsers offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to Web sites visited by the user about the user’s browser DNT preference setting. We do not currently commit to responding to browsers’ DNT signals concerning the Site, in part, because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. However, we will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.
How you can access or change the personal information that we have collected
Once you have registered with us, you can access your profile, review the information that is stored, and revise that information. Upon receipt of a valid erasure request, we will delete your personal data from our active systems without undue delay. Residual copies held in backup systems will be overwritten in accordance with our normal backup rotation cycle, which does not exceed 30 days. During this interim period, backup data will not be actively processed and will remain subject to appropriate security safeguards. If you would like to exercise any of your data subject rights (set out below), please contact us at [email protected].
Customer data
Customer data is all the information, including personal information, text, images, location data or any other files that the customers provide, or are provided on your behalf, to the Company through your use of the Service. You are responsible for ensuring that any personal information you provide to us through the Service has been collected and provided in accordance with applicable data protection law. Where you provide us with personal data relating to third parties, you warrant that you have all necessary consents or other lawful bases to do so.
The Company will not collect this personal information. We will only process the personal information for the provision of the Service and it will not be processed for any other purposes.
Children
We do not target, market to, or knowingly collect personal information from children under the age of thirteen (13) years. If we become aware that we have collected personal data from a child under thirteen below the applicable age threshold without the appropriate and the required parental consent, we will take steps to delete that information promptly.
Data retention
We retain your personal information for 2 years from the date of your last interaction with the Service, after which it is destroyed. Where we are required to retain personal data for longer to comply with legal obligations (such as tax or accounting requirements), we will do so only for the period required by law.
Data security
We use industry-standard physical, managerial, and technical safeguards to preserve the integrity and security of your personal information, including encryption, access controls, and regular security assessments. We cannot, however, ensure the security of any information you transmit to the Service, and you do so at your own risk. Depending on where you live, you may have a legal right to receive notice of a security breach in writing or by emailing us at [email protected].
Depending on your location, you may have certain rights with respect to your personal data under applicable law. This section sets out your rights under the GDPR (if you are located in the EEA, the United Kingdom, or Switzerland) and under the CCPA/CPRA (if you are a California resident). Where rights overlap, a single request will satisfy both frameworks.
Rights available to EEA, UK, and Swiss residents (GDPR)
If you are located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, you have the following rights under the GDPR (and equivalent UK and Swiss legislation) with respect to your personal data:
- Right of access: the right to obtain confirmation as to whether your personal data is being processed and, where that is the case, access to the personal data.
- Right to rectification: the right to obtain rectification of inaccurate personal data without undue delay.
- Right to erasure: the right to obtain the erasure of your personal data in certain circumstances (the “right to be forgotten”).
- Right to restriction of processing: the right to restrict processing in certain circumstances.
- Right to data portability: the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to object: the right to object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint: the right to lodge a complaint with a supervisory authority. In Estonia, the competent authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
We will respond to your request within one (1) month of receipt, unless the complexity or number of requests requires an extension of up to two (2) further months, in which case we will inform you accordingly.
Rights available to California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”), provides you with the following additional rights. This subsection supplements the information contained elsewhere in this Privacy Policy.
- Right to know and access: request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which personal information is collected, the business or commercial purpose for collecting the personal information, and the categories of third parties with whom we share personal information.
- Right to delete: request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to correct: request that we correct inaccurate personal information that we maintain about you.
- Right to opt out of sale or sharing: as noted below, we do not sell or share your personal information for cross-context behavioural advertising.
- Right to non-discrimination: the right not to receive discriminatory treatment for exercising any of your CCPA rights.
We will respond to verifiable consumer requests within forty-five (45) days of receipt, unless we require an extension of up to an additional forty-five (45) days, in which case we will inform you of the extension and the reason for it. You may also designate an authorised agent to make a request on your behalf.
Additional CCPA/CPRA disclosures
In the preceding twelve (12) months, we have collected the following categories of personal information: identifiers (such as name, email address, and IP address); commercial information (such as subscription and purchase history); internet or other electronic network activity information (such as browsing history on our Site and interactions with the Service); and geolocation data (approximate location inferred from IP address).
We collect personal information directly from you, automatically through your use of the Service, and from third-party service providers (such as analytics providers). We collect personal information for the purposes described in the “How We Use Information We Collect” section above.
Narrativa does not sell your personal information. Narrativa does not share your personal information for cross-context behavioural advertising purposes. Narrativa does not collect or process sensitive personal information as defined under the CCPA (such as social security numbers, financial account credentials, precise geolocation, racial or ethnic origin, or biometric data) for the purpose of inferring characteristics about you.
We retain the categories of personal information described above for the periods set out in the “Data Retention” section of this Privacy Policy.
How to exercise your rights
To exercise any of the above rights described above, regardless of your location, please contact us at [email protected]. For CCPA requests, we will verify your identity before processing your request.
International data transfers
Narrativa OÜ is an Estonian company, and personal data collected through the Service is stored and processed in Estonia and the European Union. Where we transfer personal data outside the EEA, the United Kingdom, or Switzerland, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Transfers to countries benefiting from an adequacy decision by the European Commission.
- Standard Contractual Clauses (“SCCs”) approved by the European Commission.
- Other lawful transfer mechanisms as appropriate.
For transfers of personal data to the United States, we rely on the EU-U.S. Data Privacy Framework (“DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, as applicable. Narrativa is committed to complying with the DPF Principles with respect to all personal data received from the EEA, the United Kingdom, and Switzerland in reliance on the respective Data Privacy Frameworks. If there is any conflict between the terms of this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework, please visit https://www.dataprivacyframework.gov.
Individuals whose personal data has been transferred to the United States under the DPF have the right to access their personal data and to request that it be corrected, amended, or deleted if it is inaccurate or has been processed in violation of the DPF Principles. Requests may be directed to [email protected].
International visitors
This Service is operated by Narrativa OÜ, an Estonian company. If you access the Service from outside Estonia, please be aware that your personal information will be transferred to, stored in, and processed in Estonia and the European Union. All international transfers of personal data are carried out in accordance with the GDPR, the data protection laws and regulations of the EU, and the safeguards described in the “International Data Transfers” section above. Where required by applicable law, we will obtain your consent or rely on another lawful mechanism before transferring your personal data.
Updates to privacy policy
Narrativa reserves the right to update and change this Privacy Policy at any time. Where changes materially affect your rights or obligations, Narrativa will notify you by email (where we hold your email address) or by posting a prominent notice on the Site prior to such changes taking effect. The “Last Updated” date at the top of this Privacy Policy indicates when it was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
Contact
Please contact us with any questions you may have at [email protected].
If you have any questions about this Privacy Policy, wish to exercise any of your data subject rights, or have concerns about how your personal data is being processed, please contact us at:
Narrativa OÜ
Email: [email protected]
If you are not satisfied with our response to your enquiry or complaint, you have the right to lodge a complaint with the relevant supervisory authority. In Estonia, the competent authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), which can be contacted at https://www.aki.ee.
