Privacy Policy
Last updated: February 2025
1. Who We Are
Narratree is operated by John Scrooby trading as Narratree. We are the operator of the Narratree platform (narratree.io). For the purposes of UK data protection law, we act as a data controller in respect of the personal data we collect about you as a user of our Service, and as a data processor in respect of employee or team member data that you upload or import into the Service.
If you have any questions about this Privacy Policy or how we handle your data, please contact us at hello@narratree.io.
2. What Data We Collect
2.1 Account Data (We are the Controller)
When you sign up using Google or Microsoft OAuth, we collect your name, email address, and profile picture. We use this data to create and manage your account, authenticate your access, and communicate with you about the Service.
2.2 Organisation Data (You are the Controller)
When you create org charts or connect an HR system (BambooHR or BreatheHR), the Service may process personal data about your employees or team members, such as names, job titles, departments, reporting lines, email addresses, start dates, and profile photos. You are the data controller for this data, and we process it solely on your behalf as a data processor. This processing is governed by our Data Processing Agreement.
2.3 AI-Assisted Import Data
When you use the AI-assisted data import feature, the data you provide (such as spreadsheet content or text) is sent to Anthropic’s API for processing. This data is used solely to structure and import your organisational data into the Service. Anthropic processes this data in accordance with their own privacy policy and data processing terms. We do not use this data for any other purpose.
2.4 Usage and Analytics Data
We collect anonymised usage data through PostHog and Google Analytics to understand how the Service is used and to improve it. This may include pages visited, features used, browser type, device type, and approximate location derived from IP address. We do not use this data to identify individual users.
3. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
| Data | Legal Basis | Purpose |
|---|---|---|
| Account data (name, email) | Contract performance (Art. 6(1)(b)) | To provide and manage your account |
| Organisation/employee data | Contract performance (Art. 6(1)(b)) | To deliver the Service on your behalf as processor |
| Usage and analytics data | Legitimate interests (Art. 6(1)(f)) | To improve the Service and understand usage patterns |
| Service communications | Legitimate interests (Art. 6(1)(f)) | To notify you of changes, downtime, or security issues |
4. Third-Party Sub-Processors
We use the following third-party services to operate the platform:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform | Hosting and data storage | All Service data | Europe (EU) |
| Anthropic | AI-assisted data import | Data provided during AI import only | US |
| PostHog | Product analytics | Anonymised usage data | EU |
| Google Analytics | Web analytics | Anonymised usage data | EU/US |
| Google / Microsoft (OAuth) | Authentication | Name, email, profile picture | US |
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, in accordance with UK GDPR.
5. Data Retention
We retain your account data for as long as your account is active. Organisation data is retained for as long as you use the Service. Upon account termination, you have thirty (30) days to export your data. After this period, we will delete your data in accordance with our standard processes. Anonymised analytics data may be retained indefinitely as it cannot be linked to any individual.
6. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
Right of Access
You can request a copy of the personal data we hold about you.
Right to Rectification
You can ask us to correct inaccurate data.
Right to Erasure
You can request deletion of your personal data.
Right to Restrict Processing
You can ask us to limit how we use your data.
Right to Data Portability
You can request your data in a structured, machine-readable format.
Right to Object
You can object to processing based on legitimate interests.
To exercise any of these rights, please contact us at hello@narratree.io. We will respond within one month of receiving your request.
If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
7. Cookies
We use essential cookies to maintain your session and authenticate your access. We also use analytics cookies via PostHog and Google Analytics to understand how the Service is used. You can manage cookie preferences through your browser settings.
8. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, tenant isolation, and secure credential storage. While we take reasonable steps to safeguard your data, no system is completely secure, and we cannot guarantee absolute security.
9. Children
The Service is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you at least thirty (30) days in advance via the email address associated with your account. Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.
11. Contact
If you have any questions about this Privacy Policy, please contact us at hello@narratree.io.