Naralive

Privacy Policy

Last updated: February 24, 2026

This Privacy Policy describes how Owalee ("we", "our", "the Company"), operator of Naralive.ai ("the Service"), collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR).

1. Data controller

Owalee, operating the Naralive.ai service. Contact: privacy@naralive.com

2. Data collected

2.1 Data provided by the user

  • Account: email address, password (hashed), display name.
  • Profile: avatar, biography, writing style preferences.
  • Content: stories, character settings, votes, comments, reactions.

2.2 Automatically collected data

  • Technical: IP address, browser type, operating system, pages viewed.
  • Usage: interactions with the Service (votes, reads, time spent).
  • Cookies: session and authentication cookies (strictly necessary).

2.3 Data generated by the Service

  • Influence profiles: participation scores calculated from your interactions.
  • AI preferences: style and generation configurations linked to your account.

3. Purposes of processing

| Purpose | Legal basis | |---------|-------------| | Providing the Service | Performance of contract | | Authentication and security | Legitimate interest | | Experience personalization | Consent | | Notifications (email) | Consent (explicit opt-in) | | Usage statistics | Legitimate interest | | Billing and subscriptions | Legal obligation / Contract |

4. Data sharing

4.1 Subprocessors

We share your data with the following subprocessors, strictly necessary for the operation of the Service:

| Subprocessor | Usage | Location | |--------------|-------|----------| | Supabase | Hosting, database, authentication | EU / US | | Vercel | Frontend hosting | US | | Stripe | Payments | US | | Anthropic | AI generation (text) | US | | OpenAI | AI generation (text, embeddings) | US | | fal.ai | AI generation (images) | US |

4.2 Transfers outside the EU

Some subprocessors are located in the United States. Transfers are governed by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.

4.3 No sale of data

We never sell your personal data to third parties.

5. Data retention

| Data | Retention period | |------|-----------------| | User account | Duration of registration + 3 years after deletion | | Generated content | Lifetime of the story + 1 year | | Technical logs | 12 months | | Billing data | 10 years (legal obligation) | | Session cookies | Duration of session |

6. Your rights (GDPR)

Under the GDPR, you have the following rights:

  • Access: obtain a copy of your personal data.
  • Rectification: correct inaccurate data.
  • Erasure: request deletion of your data.
  • Portability: receive your data in a structured format.
  • Objection: object to processing on legitimate grounds.
  • Restriction: restrict the processing of your data.
  • Withdrawal of consent: withdraw your consent at any time.

To exercise your rights: privacy@naralive.com

Response time: 30 days maximum.

7. Security

We implement appropriate technical and organizational measures:

  • Encryption of data in transit (TLS) and at rest.
  • Secure authentication (bcrypt, JWT sessions).
  • Role-based access control (RLS at database level).
  • Data schema separation (public, private, service).

8. Cookies

The Service uses only strictly necessary cookies:

| Cookie | Purpose | Duration | |--------|---------|----------| | Supabase session | Authentication | Session | | Locale preference | Display language | 1 year |

No tracking or advertising cookies are used.

9. Minors

The Service is not intended for persons under 16 years of age. We do not knowingly collect data from minors.

10. Changes

We may update this Policy. Significant changes will be communicated by email or notification. The date of last update is indicated at the top of this page.

11. Contact and complaints

  • Email: privacy@naralive.com
  • Supervisory authority: you may file a complaint with the CNIL (www.cnil.fr).