Privacy Policy
Effective date: February 2026
This Privacy Policy explains how Narrate Compliance Ltd collects, uses, and protects personal data across our website (narratecompliance.com) and our Narrate application (the "Platform").
1. Who we are
Narrate Compliance Ltd ("we", "us", "our") is the data controller for personal data collected via this website and acts as a data processor for client data within the Narrate application.
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Company number: 16946191
Contact: support@narratecompliance.com
2. Scope of this policy
This policy covers two distinct contexts:
Website (narratecompliance.com): We act as the data controller for enquiry data, analytics, and marketing communications.
Narrate Platform: We act as a data processor on behalf of our clients (the data controllers) for compliance assessment data, audit findings, documents, and evidence stored within the application.
3. Website data collection
When you interact with our website, we collect limited personal data:
3.1 Website enquiry form
When you submit our contact form, we collect: full name, work email address, company name, service interest, and message content.
3.2 Meeting scheduling (Calendly)
When you book a call through Calendly, Calendly collects your name, email address, and calendar availability data. Calendly acts as a data processor. See Calendly's Privacy Policy.
3.3 Video meetings (Zoom)
When you join a video call, Zoom may collect your name, email address, and meeting recordings (if enabled with your consent). See Zoom's Privacy Policy.
3.4 Technical data
Our hosting provider (Cloudflare) may collect standard web server logs including IP addresses, browser type, and pages visited for security and performance purposes.
4. Narrate Platform data
Important: When you use the Narrate Platform, your organisation is the data controller. Narrate Compliance Ltd acts as a data processor, processing data on your behalf in accordance with our service agreement.
4.1 Data we process in Narrate
The Narrate Platform processes the following categories of data on behalf of our clients:
User account data:
- Full name and email address
- Organisation/company name
- User role (admin or company user)
- Authentication credentials (securely hashed)
Company information:
- Company name, size, and industry
- Primary contact details
- Business function
- Selected ISO standard (ISO 42001, ISO 27001, or ISO 9001)
Compliance assessment data (Align module):
- Control-by-control compliance status (Aligned, Gap, Partial, N/A)
- Implementation notes and comments
- Priority levels and action items
- Compliance scores and progress metrics
- Section-by-section assessment results
Evidence and documentation:
- Uploaded evidence files (documents, screenshots, policies)
- Evidence descriptions and timestamps
- Document content created in the Toolkit
- Document status (Draft, Review, Approved, Published)
- Document metadata (CISO, DPO, dates)
Activity and audit data:
- User actions and timestamps
- Document version history
- Assessment change logs
4.2 AI features and data handling
The Narrate Platform includes optional AI-powered features to help with compliance workflows. These include evidence analysis and summarisation, document AI assistance, and governance meeting transcription. When AI features are used:
AI model and API terms:
- AI features are powered by OpenAI's GPT-4o model via the OpenAI Enterprise API, which operates under distinct terms from consumer ChatGPT products
- Zero Training: OpenAI contractually does not use any data submitted via the Enterprise API to train, retrain, or improve their models
- Zero Retention: OpenAI processes requests statelessly and does not retain input or output data for service improvement. API logs may be retained for up to 30 days solely for abuse and misuse monitoring, after which they are deleted
- Narrate uses a Retrieval-Augmented Generation (RAG) approach — your data is used as context for individual queries, not to train any proprietary model
Privacy Firewall (automatic redaction):
- Before any data is sent to the AI provider, Narrate applies a local Privacy Firewall — a PII redaction engine that runs within our secure environment
- The redaction engine automatically detects and removes: email addresses, credit card numbers, IP addresses, Social Security / national identity numbers, and phone numbers
- Redaction strictness can be configured by administrators: Standard mode or Aggressive mode for higher-sensitivity environments
- Redacted data never leaves the secure environment — only sanitised text is transmitted to the AI provider over TLS 1.3 encrypted channels
Customer AI controls:
- Global AI Toggle: Administrators can enable or disable all AI features at the organisation level at any time
- Per-Control Sensitivity: Individual controls can be marked as "High Sensitivity", which blocks AI analysis for those specific controls
- Redaction Strictness: Choose between Standard and Aggressive redaction levels based on your data sensitivity requirements
You can use the Platform with AI features fully disabled if preferred.
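To make the data flow in 4.2 concrete, the following is an added illustrative example of the three layers described above (global toggle, per-control sensitivity block, then local redaction at a configurable strictness before anything reaches the model provider). It is not Narrate's own Privacy Firewall code; the regular expressions, the `[REDACTED:…]` placeholder format, the `AiSettings`/`Control` objects, the `FakeAiProvider` stand-in and the sample evidence text are all constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


# Hypothetical settings objects mirroring the customer controls described above.
@dataclass
class AiSettings:
    ai_enabled: bool = True          # "Global AI Toggle" at organisation level
    strictness: str = "standard"     # "standard" or "aggressive" redaction


@dataclass
class Control:
    control_id: str
    high_sensitivity: bool = False   # "Per-Control Sensitivity": blocks AI analysis


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so that random 13-19 digit runs are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Categories listed in the policy; ordered so specific shapes are replaced before generic ones.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),          # 13-19 digits, Luhn-checked
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),               # US SSN shape
    ("NINO", re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")),  # UK NI number
    ("PHONE", re.compile(r"(?<!\w)(?:\+\d{1,3}[ -]?\d{2,4}[ -]?\d{3,4}[ -]?\d{3,4}"
                         r"|\(\d{3}\) ?\d{3}-\d{4}|\d{3}-\d{3}-\d{4})\b")),
]
# Aggressive mode additionally removes any long digit run (account/order identifiers).
AGGRESSIVE_EXTRA = [("NUMBER", re.compile(r"\b\d{6,}\b"))]


def redact(text: str, strictness: str = "standard") -> tuple[str, dict[str, int]]:
    """Return (sanitised text, count of redactions per category)."""
    counts: dict[str, int] = {}
    patterns = list(PATTERNS) + (AGGRESSIVE_EXTRA if strictness == "aggressive" else [])
    for label, rx in patterns:
        def _sub(m: re.Match, label: str = label) -> str:
            if label == "CARD" and strictness == "standard":
                if not luhn_ok(re.sub(r"\D", "", m.group(0))):
                    return m.group(0)          # standard mode: only genuine card numbers
            counts[label] = counts.get(label, 0) + 1
            return f"[REDACTED:{label}]"
        text = rx.sub(_sub, text)
    return text, counts


class FakeAiProvider:
    """Stand-in for the external model API; records exactly what it was sent."""
    def __init__(self) -> None:
        self.received: list[str] = []

    def summarise(self, prompt: str) -> str:
        self.received.append(prompt)
        return "summary-of: " + prompt[:40]


def prepare_for_ai(text: str, control: Control, settings: AiSettings,
                   provider: FakeAiProvider) -> tuple[str, str | None, dict[str, int]]:
    """Apply the customer controls, then the firewall; only sanitised text reaches the provider."""
    if not settings.ai_enabled:
        return "blocked:ai_disabled", None, {}
    if control.high_sensitivity:
        return "blocked:high_sensitivity", None, {}
    sanitised, counts = redact(text, settings.strictness)
    provider.summarise(sanitised)
    return "sent", sanitised, counts


# Constructed sample evidence note (all values are test/documentation values).
SAMPLE_EVIDENCE = (
    "Access review 2026-03-15 completed by alice@example.com "
    "(escalation line +44 20 7946 0958). Bastion 203.0.113.7 rotated. "
    "Refund test used card 4111 1111 1111 1111; the typo 4111 1111 1111 1112 "
    "was rejected. Staff ref SSN 123-45-6789, NI AB123456C, order 9876543210."
)

if __name__ == "__main__":
    provider = FakeAiProvider()
    for strictness in ("standard", "aggressive"):
        status, sent, counts = prepare_for_ai(
            SAMPLE_EVIDENCE, Control("A.5.15"), AiSettings(strictness=strictness), provider)
        print(strictness, status, counts)
        print("  transmitted:", sent)
```

Running it shows the difference between the two modes on the same note: Standard leaves the Luhn-invalid "typo" number and the plain order reference in place, while Aggressive also removes both; in either mode the provider only ever sees the placeholder-substituted text, and a High Sensitivity control or a disabled global toggle means nothing is transmitted at all.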
4.3 Purpose of processing
We process this data solely to provide the Narrate Platform service, including:
- Enabling you to assess and track your ISO compliance journey
- Generating compliance documents with smart placeholder substitution
- Calculating and displaying real-time compliance scores
- Storing and organising evidence for audit purposes
- Providing dashboards, reports, and progress tracking
- Providing AI-powered compliance assistance via Narrator
- Enabling admin users to manage multiple client organisations
- Processing subscription payments
- Sending transactional emails (task assignments, notifications)
- Providing technical support when requested
4.4 Data security measures
The Narrate Platform implements robust security controls:
- Row Level Security (RLS): Database-level access controls scoped by company_id ensure users can only access data belonging to their organisation. Every database query is filtered at the row level
- Data isolation: Multi-tenant architecture with strict tenant isolation — no cross-tenant data access is possible
- Encryption at rest: All data is encrypted using AES-256 encryption
- Encryption in transit: All connections use TLS 1.3 encrypted channels
- Authentication: JWT-based secure sessions with Supabase Auth
- Just-in-Time (JIT) access: Narrate engineers cannot view customer evidence or data without explicit, time-bound permission grants. Access is revoked automatically after the permitted window
- Access logging: All data access is logged for security monitoring and audit purposes
- Auto-save with cloud sync: Real-time data persistence with visual confirmation
4.5 Data location
Narrate Platform data is hosted in the European Union (EU) region via Supabase (Frankfurt). For specific data residency requirements, please contact us.
5. Service providers (sub-processors)
We use the following service providers to deliver our services:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database (PostgreSQL), authentication, and file storage for the Narrate Platform | EU (Frankfurt) |
| Vercel | Application hosting and deployment for the Narrate Platform | EU |
| OpenAI | AI features (GPT-4o Enterprise API) for evidence analysis, document assistance, and governance transcription. Zero training, zero retention | USA |
| Stripe | Payment processing for subscriptions (PCI DSS Level 1 compliant, payment data tokenised) | USA/EU |
| Resend | Transactional email delivery for task assignments and notifications | USA |
| Cloudflare | Website security, performance, and analytics | Global (EU processing) |
| Formspree | Website enquiry form processing | USA |
| Microsoft 365 | Email and business communications | EU |
| Calendly | Meeting scheduling | USA |
| Zoom | Video conferencing | USA/EU |
All sub-processors are bound by appropriate data processing agreements and maintain security certifications relevant to their services.
6. How we use your data
Website data: To respond to enquiries, schedule meetings, send service-related communications, and comply with legal obligations.
Narrate Platform data: Solely to provide the contracted services as instructed by our clients (the data controllers), including compliance assessment, document generation, evidence management, and reporting.
7. Legal basis for processing
We process personal data based on:
- Contract: To deliver services you have engaged us for (including Narrate Platform access)
- Legitimate interests: To respond to enquiries and improve our services
- Legal obligation: To comply with applicable laws
- Consent: Where you have given specific consent (e.g., for meeting recordings)
8. International transfers
Some service providers are based outside the UK/EEA. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), UK International Data Transfer Agreement (IDTA), or adequacy decisions where applicable.
9. Data retention
| Data type | Retention period |
|---|---|
| Website enquiry data | 3 years from last contact |
| Narrate Platform client data | Duration of contract + 30 days (or as specified in service agreement) |
| Audit trail logs | 1 year for compliance purposes |
| OpenAI API logs | 0 days (stateless processing). Up to 30 days retained by OpenAI solely for abuse monitoring, then deleted |
| Payment records | 7 years (legal/accounting requirement); payment card data is never stored by us (tokenised via Stripe) |
| Client records (accounting) | 7 years after engagement ends |
| Technical/security logs | 90 days |
Upon contract termination, Narrate Platform data can be exported by the client and will be securely deleted within 30 days unless otherwise agreed or required by law.
10. Your rights
Under UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure ("right to be forgotten")
- Restrict processing
- Data portability
- Object to processing
- Withdraw consent (where processing is based on consent)
For website data: Contact support@narratecompliance.com.
For Narrate Platform data: Please contact your organisation's administrator, who can submit requests to us, manage user access, or export data via the Platform settings. We will assist your organisation in responding to data subject requests.
11. Data breach notification
In the event of a personal data breach affecting Narrate Platform data, we will notify affected clients without undue delay (and within 72 hours where feasible) to enable them to meet their own regulatory obligations.
12. Complaints
If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to Narrate Platform clients via email or in-app notification. The "Effective date" above shows when it was last updated.
14. Contact
Questions about this policy or data protection matters: support@narratecompliance.com