Privacy Policy - Narrative AI, Inc.

Effective Date: February 20, 2026

Last Updated: February 20, 2026

1. Introduction

Narrative AI, Inc. ("Narrative," "we," "us," or "our") operates a sales enablement platform that helps revenue teams generate personalized outreach using artificial intelligence. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our website, web application, Chrome extension, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

- Email address (used as your username)

- First and last name

- Password (hashed, never stored in plaintext) or Google SSO authentication

2.2 CRM Data (Accessed on Your Behalf)

When you connect your CRM (HubSpot or Salesforce), we access:

- Contact records (names, email addresses, titles, phone numbers)

- Company records (company names, domains, industry)

- Deal/opportunity records (deal names, stages, amounts)

Important: We do not store your CRM data permanently. CRM data is accessed in real time via your authenticated connection and used only for the duration of your session or to generate outputs you request. We never store your CRM OAuth tokens — they are managed by our integration partner, Nango.

2.3 LinkedIn Data

When you use our research features, we may access publicly available LinkedIn profile information (names, job titles, employment history, public posts) via third-party data providers. This data is cached temporarily (up to 90 days) and then automatically deleted.

2.4 Usage Data

We collect information about how you use the Service:

- AI-generated content (plays, emails, account intelligence) — retained while your account is active

- AI assistant conversations — automatically deleted after 180 days

- LLM response cache — automatically deleted after 7 days

- API request logs (IP address, user agent, request path, response status) — for security and performance monitoring

2.5 Payment Information

If you purchase a subscription, payment is processed by Stripe. We store your Stripe customer ID and subscription ID but never store credit card numbers, bank account details, or other payment instrument data.

2.6 Information from Google SSO

If you sign in via Google, we receive your Google account email, first name, and last name. We verify your identity with Google’s servers and do not receive or store your Google password.

3. How We Use Your Information

We use the information we collect to:

- Provide and operate the Service (Performance of contract)

- Authenticate your identity and secure your account (Legitimate interest: security)

- Generate AI-powered sales content using your CRM data (Performance of contract)

- Process payments and manage subscriptions (Performance of contract)

- Monitor for security incidents and abuse (Legitimate interest: security)

- Improve the Service and fix bugs (Legitimate interest: product improvement)

- Comply with legal obligations (Legal obligation)

We do not use your personal data to train AI models. Your CRM data and generated content are used solely to provide the Service to you.

4. How We Share Your Information

We do not sell your personal information. We share information only with the following categories of service providers, solely to operate the Service:

- Heroku (Salesforce, Inc.) — Application hosting, database — All application data (encrypted at rest)

- Vercel, Inc. — Frontend hosting, CDN — Static assets, API proxy traffic

- Nango — CRM OAuth token management — CRM OAuth tokens (encrypted at rest)

- Stripe, Inc. — Payment processing — Email, subscription data

- TrueFoundry — AI/LLM inference — Prompt text sent for generation (not stored by provider)

- Apify — LinkedIn data enrichment — Public LinkedIn profile URLs

We may also disclose your information if required by law, subpoena, or court order, or to protect the rights, safety, or property of Narrative, our users, or the public.

5. Data Retention

- Account information — Until you delete your account

- CRM data — Not permanently stored (real-time access only)

- LinkedIn profile cache — 90 days (auto-deleted)

- AI assistant conversations — 180 days (auto-deleted)

- LLM response cache — 7 days (auto-deleted)

- LLM call statistics — 90 days (auto-deleted)

- Transaction/billing logs — Retained for accounting and legal compliance

- API audit logs — 90 days

6. Data Security

We implement the following security measures:

- Encryption in transit: TLS 1.2+ on all connections, HSTS enforced

- Encryption at rest: Database encrypted via Heroku PostgreSQL managed encryption

- Authentication: JWTs, with 15-minute access tokens and 7-day refresh tokens; httpOnly cookies for web sessions

- Rate limiting: Brute-force protection on authentication endpoints (5 requests/minute)

- Input validation: SOQL injection prevention, XSS sanitization, file upload size limits

- Audit logging: All authentication and administrative actions logged with structured audit trail

- CI/CD security scanning: Automated dependency auditing and static analysis on every code change

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

7.1 Access and Portability

You may request a copy of the personal data we hold about you.

7.2 Correction

You may update your account information at any time through the Service.

7.3 Deletion (Right to Erasure)

You may permanently delete your account and all associated data at any time through the Service. Account deletion removes your profile, preferences, conversations, documents, transaction history, and all other user-owned data. Company-level data shared with team members survives individual account deletion.

7.4 Restriction and Objection

You may request that we restrict or cease processing your personal data in certain circumstances.

7.5 Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time by disconnecting integrations or deleting your account.

To exercise any of these rights, contact us at privacy@narrativeai.com.

8. California Residents (CCPA)

If you are a California resident, you have the right to:

- Know what personal information we collect, use, and disclose

- Request deletion of your personal information

- Opt out of the sale of personal information — we do not sell personal information

- Not be discriminated against for exercising your privacy rights

To make a verifiable consumer request, contact privacy@narrativeai.com.

9. European Residents (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, Narrative processes your data under the legal bases described in Section 3. Your data is transferred to and processed in the United States. We rely on our sub-processors’ standard contractual clauses and compliance programs to ensure adequate protection of transferred data.

Our Data Processing Agreement (DPA) is available upon request for enterprise customers.

10. Cookies

Our web application uses:

- Authentication cookies (httpOnly, Secure) — required for the Service to function

- Authentication status cookie (non-httpOnly) — used by client-side code to check login state

We do not use advertising cookies, tracking pixels, or analytics cookies that share data with third parties.

11. Children’s Privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the “Last Updated” date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy inquiries, data requests, or complaints:

Narrative AI, Inc.

Email: mike@getnarrativeai.com