Privacy Policy
Last updated: May 5, 2026
1. Introduction
This Privacy Policy describes what Narro ("we," "our," or "us") collects when you use the Service, what we do with it, and the choices you have. We've tried to write it the way we'd want to read it: in plain language, without legal hedging where we can avoid it.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Information We Collect
Account Information: When you create an account, we collect your email address and password. Your password is encrypted and stored securely. We use Supabase Auth for authentication, which handles the secure storage of your credentials.
Profile Data: We collect information about the social media profiles you choose to follow, your feed configurations, feed preferences, theme selections, and other customization settings you create within the Service.
Usage Data: We collect information about how you interact with the Service, including pages visited, features used, and actions taken. We use PostHog for product analytics. PostHog sets first-party cookies to identify your session and stitch events together. We use it to understand which features people actually use, not to profile individuals or sell behavior.
Marketing Attribution Data: When you arrive at narro.info, we capture which marketing channel introduced you. This means UTM parameters in the URL (?utm_source=...), the shorthand ?ref= parameter we use in places like Reddit posts and podcast show notes, ad-platform click IDs (such as rdt_cid from Reddit) when present, and the website that linked to us. We store these in a first-party cookie called narro_attr until you sign up, at which point they're attached to your account record. The point is to know that something like a Reddit post actually drove signups, so we know what's working. We don't sell this data. If your browser sends a DNT: 1 or Sec-GPC: 1 signal, we don't capture any of it.
Hashed Email: At signup, we compute a one-way cryptographic hash of your email address (sha256(lowercase(trim(email)))) and store it on your account record. The hash cannot be reversed to recover your email. When we run paid ads on a platform that supports server-side conversion measurement (currently Reddit), we may send this hash, the click ID that brought you to us, and the fact that you signed up to that platform's measurement API. The platform uses it only to confirm that an ad they showed you led to a signup. We never send your actual email address through this path. We do not send the hash to anyone else.
IP Address: Our servers see your IP address when you sign up and when you connect to the Service, the same as any web service. We resolve country from the IP at signup for analytics segmentation but don't retain the raw IP in your account record. Standard server access logs may retain IPs briefly per infrastructure defaults.
Error Logs: We collect error logs and diagnostic information through Sentry. This helps us identify and fix technical issues. Error logs may include your user ID, device information, and details about errors you encounter.
Content Data: The Service aggregates publicly available content from social media platforms. This content is stored to provide you with feeds. We do not claim ownership of this content, which belongs to the original creators.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Manage your account
- Send you service-related communications, including account confirmations and important updates
- Personalize your experience and deliver content relevant to your preferences
- Monitor and analyze usage patterns to improve the Service
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and enforce our Terms of Service
4. Data Sharing and Third-Party Services
We share your information with third-party service providers who help us operate the Service. These providers are contractually obligated to protect your information and use it only for the purposes we specify:
- Authentication and Database Services: We use secure third-party services for authentication and data storage. Your account information and profile data are stored on secure infrastructure.
- Product Analytics (PostHog): We use PostHog to understand how the Service is used. PostHog sets first-party cookies and identifies sessions, but doesn't track you across other websites. We use the EU-hosted instance where applicable.
- Email Infrastructure: We use Resend for transactional email (account confirmations, password resets) and Bento for opt-in lifecycle email. Both receive the email address on file and the content of the messages we send.
- Error Tracking (Sentry): We use Sentry to identify and fix technical issues. Sentry receives error logs and diagnostic information about errors you encounter.
- Advertising Measurement APIs: When we run paid ads on a platform that supports server-side conversion measurement (currently Reddit), our backend sends a signup event to that platform's API after you create an account. The event includes a one-way hash of your email address, the click ID that brought you to us (if any), and your IP address and user agent at signup. The platform uses this only to confirm that an ad they showed you led to a signup. We do not load any advertising tracker into your browser, and we don't allow these platforms to use this data to retarget you for other advertisers.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our users.
5. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of sensitive data in transit and at rest
- Secure authentication and access controls
- Regular security assessments and updates
- Limited access to personal information on a need-to-know basis
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will retain your information for up to 90 days to allow for account recovery and to comply with legal obligations.
After the 90-day retention period, we will delete or anonymize your personal information, except where we are required to retain it for legal, regulatory, or accounting purposes.
Aggregated content from social media platforms may be retained longer as part of our system-wide cache, but this content is not associated with your personal account after deletion.
7. Your Rights and Choices
You have the following rights regarding your personal information:
- Access: You can access and review your account information and profile data through your account settings.
- Correction: You can update your account information, including your email address and preferences, at any time through your account settings.
- Deletion: You can delete your account at any time through your account settings. We will delete your personal information in accordance with our data retention policy.
- Export: You can request a copy of your personal data by contacting us at [email protected].
- Opt-Out: You can opt out of non-essential communications by adjusting your account settings or contacting us.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within a reasonable timeframe.
8. Children's Privacy
The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us at [email protected], and we will delete such information from our records.
If you are between the ages of 13 and 18, you must have your parent's or guardian's permission to use the Service.
9. Cookies and Tracking Technologies
We use a small number of first-party cookies and similar storage technologies. They're listed below.
- Authentication cookies / session storage: Used to keep you logged in. Required for the Service to function.
- PostHog cookies (first-party): Set by our product analytics to identify your browser session and stitch events together. Used for understanding feature usage and signup attribution. Not shared with advertisers.
- narro_attr cookie (first-party): Set when you arrive via a link with marketing attribution parameters (UTMs, ?ref=, or rdt_cid). Stores those values for up to one year so we can attach them to your account when you sign up. You can delete it any time by clearing site data.
- Local storage: Used for UI preferences (theme, view mode, etc.) and as a backup of the narro_attr attribution data described above.
We do not load third-party advertising trackers into your browser. No Meta Pixel, no Reddit Pixel, no Google Ads tags, no Google Tag Manager, no LinkedIn Insight Tag, no TikTok Pixel. We do not track you across other websites.
When we run paid ads, we measure whether they worked by sending signup events from our backend directly to the ad platform's measurement API (server-to-server), not by loading the platform's tracking script in your browser. See §2 (Hashed Email) and §4 (Advertising Measurement APIs) for what gets sent.
Privacy signals. If your browser sends a DNT: 1 (Do Not Track) or Sec-GPC: 1 (Global Privacy Control) header, we treat that as a request not to capture marketing attribution. The narro_attr cookie is not set, and no UTM, ?ref=, or click-ID parameters are stored. PostHog and authentication cookies are still used because they're required for the Service to function.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, and disclose
- The right to delete your personal information
- The right to opt-out of the sale of personal information (we do not sell personal information)
- The right to non-discrimination for exercising your privacy rights
To exercise your California privacy rights, please contact us at [email protected].
11. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- The right to access your personal data
- The right to rectify inaccurate or incomplete data
- The right to erasure ("right to be forgotten")
- The right to restrict processing of your data
- The right to data portability
- The right to object to processing of your data
- The right to withdraw consent at any time
To exercise your GDPR rights, please contact us at [email protected]. We will respond to your request within 30 days.
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.
12. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country.
By using the Service, you consent to the transfer of your information to the United States and other countries where our service providers operate. We take appropriate measures to ensure that your information receives an adequate level of protection in accordance with this Privacy Policy.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We may also notify you via email if the changes are significant.
Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: [email protected]