/settings or by writing to [email protected].
narve.ai is the controller of personal data processed through the Service (except where we act as a processor on behalf of business customers — see our Data Processing Agreement).
Contact for privacy matters: [email protected]. Our legal imprint lists our registered business address and company number where applicable.
This Policy covers personal data processed when you visit our websites, use the Service, talk to our support team, open our emails, install our browser extension, receive our push notifications, or sign up for our newsletters.
Defined terms in this Policy track the GDPR / UK GDPR (controller, processor, data subject, personal data, processing, special category data). Equivalent terms apply under the CCPA ("business", "service provider", "personal information"), LGPD (controlador, operador), PIPEDA, APPI, DPDP Act, and similar laws.
We do not intentionally collect special categories of personal data (health, religion, sexuality, biometrics, genetics). Do not submit such data through forms or uploads.
We rely on the following GDPR/UK GDPR Article 6(1) bases (equivalents apply under LGPD, UK DPA, and state privacy laws):
| Purpose | Data | Legal basis |
|---|---|---|
| Create & operate your account; deliver the Service | 4.1, 4.3, 4.7, 4.9 | Contract (Art. 6(1)(b)) |
| Process payments, issue invoices, recover overdue amounts | 4.2 | Contract; Legal obligation (Art. 6(1)(b), (c)) |
| Authenticate sessions & prevent CSRF | 4.1, 4.4 | Contract; Legitimate interest in security (Art. 6(1)(b), (f)) |
| Rate-limit and detect abuse | 4.3, 4.4 | Legitimate interest in platform integrity (Art. 6(1)(f)) |
| Send transactional emails (token delivery, receipts, product notices) | 4.1, 4.7 | Contract (Art. 6(1)(b)) |
| Send newsletter / product updates | 4.1, 4.7 | Consent (Art. 6(1)(a)); withdrawable at any time |
| Respond to support requests | 4.5 | Legitimate interest (Art. 6(1)(f)); Contract where applicable |
| Improve the Service via aggregate analytics | 4.3, 4.4 (aggregated) | Legitimate interest (Art. 6(1)(f)) |
| Comply with tax, accounting, and other legal obligations | 4.2, 4.1 | Legal obligation (Art. 6(1)(c)) |
| Respond to valid legal requests, protect rights | any | Legal obligation (Art. 6(1)(c)); Legitimate interest (f) |
| Public-source social-media ingestion for credibility scoring | Public post metadata; public author handle | Legitimate interest (Art. 6(1)(f)) and, where applicable, Art. 85 journalistic & research derogation |
Where we rely on legitimate interest we have conducted a balancing assessment (LIA) and consider that our interest is not overridden by your rights and freedoms, given the limited and non-sensitive nature of the data and the safeguards in place.
| Name | Purpose | Duration |
|---|---|---|
| pm_gateway_session | Logged-in session authentication (HttpOnly, Secure, SameSite=Lax). | Up to 90 days; rotates on login. |
| _csrf | Protects against cross-site request forgery. | 2 hours; rotates. |
| narve_gate_access | Closed-beta gate token. | 7 days. |
| narve_impersonation | Admin impersonation token. Set only when an admin is impersonating a user for support debugging. | 4 hours; deleted on logout. |
| narve-theme | Remembers light/dark mode. Stored in localStorage, not a cookie; never sent to our servers. | Until cleared. |
These cookies are strictly necessary for the Service to function. Under the ePrivacy Directive (Art. 5(3)) and UK PECR they are exempt from the consent requirement. Disabling them will prevent the Service from working.
We do not participate in behavioural advertising ecosystems. We do not share personal data with data brokers or ad networks. We do not build audiences for targeting purposes.
We run internal aggregate usage counts (total active users, feature-adoption percentages) from server-side logs; these aggregates are not linkable back to an individual.
We rely on the following categories of sub-processor / service provider (the current list is kept at /dpa#subprocessors):
| Category | Examples | Location |
|---|---|---|
| Hosting & CDN | Cloudflare, primary cloud host | Global edge; EU/US primary |
| Payments | Stripe | US, EU |
| AI model inference | Anthropic (Claude API) | US |
| Transactional email | Resend / Postmark (or equivalent) | US/EU |
| Push notifications | Web-push standard via Apple / Google / Mozilla push services | Various |
| Observability | Sentry | US/EU |
Each sub-processor is bound by contractual data-protection commitments (GDPR Art. 28 DPA). We post at least 30 days' advance notice of any new sub-processor so business customers can object; see the DPA for the objection process.
We are a global service and may transfer personal data outside your country of residence. Where we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards:
A transfer-risk assessment (TIA) has been completed for each relevant third country, considering local surveillance laws and the practical risk of government access. Contact [email protected] to request a summary.
| Category | Retention |
|---|---|
| Active account data | Duration of the account + 30 days after deletion |
| Billing records & invoices | 7 years (EU/UK tax law) or as required in your jurisdiction, whichever is longer |
| Session tokens | Revoked after 7 days of inactivity or on logout |
| CSRF tokens | 2 hours (rolling) |
| Security / audit logs | 90 days |
| Application & request logs | 30 days rolling |
| Error events (Sentry) | 90 days |
| Support tickets & email threads | 3 years from last correspondence |
| Newsletter subscribers | Until unsubscribed + 30 days |
| Marketing consent records | 3 years after withdrawal |
| Social-media posts we ingest | 30 days raw content; derived credibility features retained indefinitely in de-identified form |
| Exported data bundles (/settings/privacy → request export) | 7 days after generation, then auto-expire |
| Inactive accounts | Notified after 24 months of inactivity, then deleted after a further 30 days |
| Deletion request fulfilment | Within 30 days of a verified request, subject to legal holds |
Retention periods may be extended where necessary to comply with legal obligations, resolve disputes, or enforce our agreements.
We maintain organisational and technical safeguards appropriate to the risk, including:
No security measure is perfect. We will notify affected users and, where applicable, competent authorities of personal-data breaches in accordance with GDPR Art. 33/34 (within 72 hours to the supervisory authority), UK GDPR, and analogous laws.
Core features of the Service rely on machine-processed analysis of publicly available posts to produce credibility scores. These scores are not used to make decisions producing legal or similarly significant effects concerning you as a user. We do not use automated decision-making within the meaning of Art. 22 GDPR to make decisions about you (such as refusing service or setting prices).
You have the right to:
To exercise your rights email [email protected]
or use the self-service controls in /settings/privacy (data export) and
/settings → Delete account (which calls POST /account/delete).
We respond within one calendar month (extensible by two months for complex requests); we
will verify your identity before acting. There is no fee unless your request is manifestly
unfounded or excessive.
If you are a California resident, in addition to §14 you have the right to:
To submit a request, email [email protected] or use the in-app tools. An authorised agent may submit a request on your behalf with your signed permission; we will verify your identity and the agent's authority.
Categories of personal information collected, business purposes, and recipients are described in §4–§9 and map to the CCPA categories (identifiers, customer records, commercial information, internet/network activity, geolocation at a coarse level, inferences).
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Delaware (DPDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), New Hampshire (NHPA), New Jersey (NJDPA), Tennessee (TIPA), Minnesota (MNCDPA), Maryland (MCDPA), Indiana, and Rhode Island have comparable rights to access, correct, delete, obtain copies, and opt out of targeted advertising, sale, or profiling that has a legal/significant effect. Because we do not engage in sale, targeted advertising, or Art. 22-type profiling, opt-out signals primarily apply to "sharing" categories, which we do not use.
Colorado residents may appeal a refusal to act on a request by replying to our response; if unresolved you may contact the Colorado Attorney General.
Data subjects in Brazil have the right to: (i) confirmation that processing exists; (ii) access to their data; (iii) correction of incomplete, inaccurate, or outdated data; (iv) anonymisation, blocking, or deletion of unnecessary data; (v) portability; (vi) deletion of data processed on the basis of consent; (vii) information about the entities with which we share data; (viii) information about the possibility of withholding consent and the consequences of doing so; (ix) withdrawal of consent; (x) review of automated decisions. Contact: [email protected]. Authority: ANPD (gov.br/anpd).
Residents of Canada have the right to access and correct their personal information, to withdraw consent, and to be notified of breaches that pose a real risk of significant harm. Residents of Québec additionally have the right to data portability, the right to de-indexation, and specific consent rules under Law 25. Contact [email protected]; you may escalate to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Commission d'accès à l'information du Québec.
Australian residents have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (including APP 12 access and APP 13 correction). Complaints may be lodged with the Office of the Australian Information Commissioner (oaic.gov.au). New Zealand residents have rights under the Privacy Act 2020 and may contact the Office of the Privacy Commissioner (privacy.org.nz).
Swiss residents have rights under the revised Federal Act on Data Protection, including access, rectification, deletion, data portability, and the right to lodge a complaint with the Federal Data Protection and Information Commissioner (edoeb.admin.ch).
Japan (APPI) — right of disclosure, correction, deletion, suspension of use, and to receive information about third-party provision.
South Korea (PIPA) — right of access, correction, deletion, suspension of processing, and to withdraw consent.
Singapore (PDPA) — right of access and correction; right to withdraw consent with reasonable notice.
India (DPDP Act 2023) — right to access, correct, erase, and to nominate another individual; grievance officer is contactable at [email protected].
South Africa (POPIA) — right of access, correction, deletion, and to object; complaints to the Information Regulator (inforegulator.org.za).
The Service is not directed to children. We do not knowingly collect personal data from anyone under 18 (or the age of majority in your jurisdiction, if higher). In the United States we require all account-holders to be 18+ in part to satisfy COPPA compliance. In the United Kingdom we follow the ICO Age-Appropriate Design Code. If you believe a child has provided us with data, contact [email protected] and we will delete the data promptly.
Marketing emails (if any) are sent only to users who opt in and include one-click unsubscribe links compliant with CAN-SPAM (US), CASL (Canada), ePrivacy (EU), and UK PECR. Withdrawing consent does not affect transactional emails required for the Service (e.g., password reset, billing receipts, security alerts).
Our site does not currently respond to browser DNT headers (there is no consistent
industry-wide standard). We do, however, honour the Global Privacy Control
(Sec-GPC: 1) header as a valid opt-out signal for sale/sharing under the CCPA
and equivalent U.S. state laws.
In the event of a personal-data breach that is likely to result in risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours and, where the risk is high, affected individuals without undue delay. Equivalent obligations apply under UK GDPR, CCPA, LGPD, PIPEDA, POPIA, and state breach-notification statutes.
To produce source credibility scores we periodically fetch publicly visible posts from third-party social platforms (e.g., X, Bluesky). We process:
@alice).
We do not collect private messages, non-public content, or build consumer profiles on authors beyond features needed to score their historical accuracy at predicting event outcomes. Processing is based on Art. 6(1)(f) legitimate interest, supported by Art. 85 GDPR journalistic / research derogations as transposed in national law.
Authors have the right to object (Art. 21) to having their public posts included in our credibility data. Contact [email protected]. We will remove scored data for an identified account within 30 days absent overriding compelling legitimate grounds.
Raw post content is deleted after 30 days; only de-identified aggregate features (accuracy ratios, calibration metrics) are retained longer, and those are not used to identify the individual.
If you choose a public username and make public contributions (e.g., takes, comments, predictions) those are visible to other users and may be indexed by search engines. You can delete public contributions at any time; caches held by third-party search engines are not within our control but we will reasonably assist in requesting removal.
When you contact support we process your email, message content, and any account context to resolve your request. Content is retained for up to 3 years from last correspondence (UK Limitation Act / equivalent statute of limitations) unless a legal hold applies.
We update this Policy from time to time. Material changes are notified by email or in-product banner at least 14 days before taking effect (30 days for material changes affecting EU/UK consumers). The latest version is always available at /privacy.
Complaint to us: [email protected]. We acknowledge within 5 business days and aim to resolve within 30 days.
Data Protection Officer: where appointed, contact [email protected] with subject line "DPO".
EU Art. 27 representative: if you are in the EU/EEA and we act as a controller established outside the EU, you may also contact our EU representative. Contact details are posted at /dpa#eu-representative.
UK Art. 27 representative: if you are in the UK and we act as a controller established outside the UK, contact details are posted at /dpa#uk-representative.
Supervisory authorities: you have the right to complain to any EU supervisory authority (list at edpb.europa.eu), to the UK ICO (ico.org.uk), the Swiss FDPIC, the Canadian OPC, Brazil's ANPD, Australia's OAIC, or the competent authority in your jurisdiction.
narve.ai
Privacy inquiries & data requests:
[email protected]
Legal notices: {{ legal_email }}
Support: {{ support_email }}
Response time: within one month of a verified request (extensible by two months for
complex requests under GDPR Art. 12(3)).