Privacy Policy

Last updated: April 10, 2026

This policy describes how we collect, use and protect your personal data when you use Narraya and its services.

1. Data Controller

The data controller is:

Narraya di Marco Ranica

Sole proprietorship

Email: [email protected]

For any questions regarding the protection of your personal data, contact us at [email protected].

2. Types of Data Collected

Data provided voluntarily

  • Email address and display name provided during registration
  • Creative content: texts, chapters, notes, character sheets and any other content created on the platform
  • Payment and billing data, handled entirely by Stripe. Narraya does not store credit card data
  • Texts submitted to AI features for analysis processing
  • Files imported via optional cloud storage integrations (Google Drive, Dropbox), only upon explicit user action

Data collected automatically

  • Technical access and security logs
  • Aggregated and anonymous browsing data (via Plausible Analytics, without cookies)
  • Technical information about device and browser

3. Purposes and Legal Bases

We process your data exclusively for the following purposes, each with its own legal basis under Art. 6 GDPR:

| Purpose | Legal Basis |
|---|---|
| Providing the Narraya service | Performance of contract (Art. 6.1.b) |
| Account management and authentication | Performance of contract (Art. 6.1.b) |
| Payment processing and billing | Legal obligation (Art. 6.1.c) + Contract (Art. 6.1.b) |
| AI processing of user texts | Performance of contract (Art. 6.1.b) |
| Platform security and abuse prevention | Legitimate interest (Art. 6.1.f) |
| Aggregated and anonymous usage analysis | Legitimate interest (Art. 6.1.f) |
| Service communications | Legitimate interest (Art. 6.1.f) |
| Legal and fiscal obligations | Legal obligation (Art. 6.1.c) |

Narraya does not sell personal data and does not perform profiling for advertising purposes.

4. Use of Artificial Intelligence and Text Processing

Narraya uses artificial intelligence tools to offer text analysis features. It is important to distinguish two cases:

Local Processing (LanguageTool)

Grammar checking features use a LanguageTool instance hosted on our servers in Germany (EU). Analyzed texts never leave our server and no data is transmitted to third parties for this feature.

No extra-EU transfer. No sub-processor involved.

External AI APIs

For advanced analysis features, texts are sent to the following AI providers exclusively to produce the requested analysis:

Ollama Cloud (Ollama Inc., USA)

Texts are processed transiently: they are not stored beyond the time required to complete the request. Ollama states it does not use user data to train its models.

Note: for some cloud models, Ollama may route requests to third-party sub-providers. This constitutes a residual risk the user should be aware of.

Google Gemini API (Google LLC, USA)

Texts sent via API are not used by Google to train foundation models. However, Google may retain prompts for up to 55 days for abuse monitoring purposes, as stated in the Vertex AI documentation.

Narraya does not authorize any AI provider to use user data to train their models.

5. Cloud Storage Integrations

Narraya allows users to connect their Google Drive or Dropbox account to import files into the platform.

  • The integration is optional and activated exclusively by the user through a standard OAuth flow. Narraya does not automatically access the user's storage.
  • Narraya requests only the minimum necessary permissions (reading selected files). It does not modify, delete or share files in the user's storage.
  • Only files explicitly selected by the user are imported and saved in the platform. Narraya does not maintain persistent access to the user's storage beyond what is necessary for the import.
  • Legal basis: performance of contract (Art. 6.1.b) and explicit consent via OAuth authorization (Art. 6.1.a).
  • Google Drive and Dropbox are independent data controllers for data stored in their respective services. Narraya is responsible only for data once imported.
  • The user can revoke OAuth authorization at any time from the provider settings (Google Account, Dropbox) and/or from Narraya settings.

6. Sub-Processors and Third Parties

Personal data may be shared with the following service providers, acting as Data Processors (Art. 28 GDPR):

| Provider | Service | Country | Transfer Mechanism | Privacy Policy |
|---|---|---|---|---|
| Google LLC (Firebase) | Authentication | USA | EU-USA DPF | Link |
| Google LLC (Gemini API) | AI inference | USA | EU-USA DPF | Link |
| Stripe Inc. | Payments | USA/Ireland | EU-USA DPF | Link |
| Cloudflare Inc. | CDN + Storage (R2) | USA | EU-USA DPF | Link |
| Ollama Inc. | AI inference (cloud) | USA | SCC (Art. 46 GDPR) | Link |
| Resend Inc. | Transactional email | USA | EU-USA DPF | Link |
| Google LLC (Drive) | Cloud storage (optional) | USA | EU-USA DPF | Link |
| Dropbox Inc. | Cloud storage (optional) | USA | EU-USA DPF | Link |
| Hetzner Online GmbH | VPS, Database, Redis | Germany (EU) | N/A (EU) | Link |
| Hostinger International Ltd. | Domain management | Cyprus/Lithuania (EU) | N/A (EU) + SCC for sub | Link |

LanguageTool does not appear in this table as it is hosted internally on Narraya's servers in Germany (EU) and does not constitute an external sub-processor.

7. Extra-EU Data Transfers

Some of our providers are based in the United States. For each extra-EU data transfer we adopt the following mechanisms, in order of priority:

  1. Data Privacy Framework EU-USA (DPF): European Commission adequacy decision C(2023) 4745 of 10/07/2023, confirmed by the EU General Court in September 2025. Applicable to: Google, Stripe, Cloudflare, Resend, Dropbox.
  2. Standard Contractual Clauses (SCC): standard contractual clauses approved by the European Commission (Decision EU 2021/914), as a safeguard for providers not DPF-certified. Applicable to: Ollama Inc.

No extra-EU provider is used without a declared and documented transfer mechanism.

8. Data Retention Period

We retain your data for the time strictly necessary for the purposes for which it was collected:

| Category | Duration | Reason |
|---|---|---|
| User content (texts, drafts) | Account duration + 30 days after deletion | Contract performance |
| Account data | Account duration + 30 days | Contract performance |
| Technical and security logs | 90 days | Legitimate interest |
| Fiscal and payment data | 10 years | Italian legal obligation |
| Texts sent to AI APIs | Not retained by Narraya (transient processing) | N/A |
| Analytics data (Plausible) | Aggregated and anonymous (no personal data) | N/A |

At the end of the retention period, data is deleted or irreversibly anonymized.

9. Data Subject Rights (GDPR)

Under Articles 15-22 of the GDPR, you have the following rights:

  • Access (Art. 15): request confirmation and a copy of your personal data
  • Rectification (Art. 16): correct inaccurate or incomplete data
  • Erasure (Art. 17): request deletion of your account and data
  • Restriction (Art. 18): request restriction of processing in certain cases
  • Portability (Art. 20): receive your data in a structured, readable format
  • Objection (Art. 21): object to processing based on legitimate interest
  • Withdrawal of consent (Art. 7.3): withdraw consent at any time without affecting the lawfulness of prior processing

To exercise your rights, write to [email protected]. We will respond within 30 days of receiving your request.

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, [email protected], www.garanteprivacy.it).

10. Data Security

We adopt appropriate technical and organizational measures to protect your personal data, including:

  • TLS encryption in transit for all communications
  • Encryption at rest for the database
  • Role-based access control and least-privilege principle
  • Secure authentication via JWT with short-lived tokens + HttpOnly refresh tokens
  • Security logging and anomaly monitoring
  • Regular backups with secure storage

No system is 100% immune, but we are constantly committed to improving our security measures.

11. Data Breach Notification

In accordance with Articles 33 and 34 of the GDPR, in case of a personal data breach posing a risk to the rights and freedoms of data subjects, Narraya will:

  • Notify the Data Protection Authority within 72 hours of discovery (Art. 33 GDPR)
  • Inform affected users without undue delay if the breach poses a high risk (Art. 34 GDPR)
  • Communicate: nature of the breach, categories of data involved, likely consequences and measures taken

If you suspect a breach of your personal data, contact us immediately at [email protected].

12. Changes to This Policy

This policy may be updated following changes to services or legal obligations. In case of substantial changes, we will inform you by email and update the date at the top of the page.

13. Contacts and Supervisory Authority

Data Controller:

Narraya di Marco Ranica

Email: [email protected]

Competent supervisory authority:

Garante per la Protezione dei Dati Personali

www.garanteprivacy.it, [email protected]