Privacy Policy

Last Updated: 23 June 2025

Effective Date: 23 June 2025

  1. Introduction

This Privacy Policy describes how Nara ("we," "us," "our," or "Company") collects, uses, processes, and protects your personal information when you visit our website, use our services, or interact with us in any capacity. This policy applies to all users of our website and services, regardless of location.

We are committed to protecting your privacy and ensuring transparency in our data processing activities. This Privacy Policy explains your rights regarding your personal information and how you can exercise those rights.

Who We Are: Nara is an institutional platform and omnichain designed for tokenized real world assets.

What This Policy Covers: This Privacy Policy applies to:

• Our website at https://www.nara.io/

• Any mobile applications we may offer

• Any other services or platforms that link to this Privacy Policy

Legal Basis for Processing: We process your personal information based on various legal grounds, including:

• Your consent

• Performance of a contract with you

• Compliance with legal obligations

• Our legitimate business interests

• Protection of vital interests

Definitions:

• Personal Information/Personal Data: Any information that identifies, relates to, describes, or is capable of being associated with a particular individual

• Processing: Any operation performed on personal data, including collection, use, storage, disclosure, or deletion

• Data Subject: An individual whose personal data is processed

• Data Controller: The entity that determines the purposes and means of processing personal data

• Third Party: Any individual or entity other than you and us

  2. Information We Collect

We collect various types of information to provide and improve our services. The information we collect falls into the following categories:

2.1 Information You Provide Directly

Account Information: When you create an account with us, we collect:

• Full name

• Email address

• Username and password

• Phone number (if provided)

• Profile information and preferences

Contact Information: When you contact us or subscribe to our communications:

• Name and email address

• Phone number

• Address

• Message content and communication preferences

• Any additional information you choose to provide

Transaction Information: When you make purchases or engage in financial transactions:

• Billing and shipping addresses

• Payment method information (processed securely through third-party payment processors)

• Transaction history and purchase details

• Tax identification information (where required)

User-Generated Content: Information you provide when using our services:

• Comments, reviews, and feedback

• Photos, videos, or other media you upload

• Survey responses and form submissions

• Any other content you choose to share

2.2 Information We Collect Automatically

Device and Technical Information:

• IP address and approximate geographic location

• Device type, operating system, and browser information

• Screen resolution and device identifiers

• Network connection information

• Referring website or application

Usage Information:

• Pages visited and time spent on our website

• Features used and actions taken

• Search queries and results

• Click-through rates and user interactions

• Session duration and frequency of visits

Cookies and Tracking Data:

• Browser cookies and similar tracking technologies

• Web beacons and pixel tags

• Local storage and session storage data

• Analytics and performance data

2.3 Information from Third Parties

Social Media Integration: If you connect your social media accounts:

• Profile information from connected social platforms

• Friends lists and social connections (with your permission)

• Content you choose to share from social media

Business Partners and Service Providers:

• Information from our authorized partners and vendors

• Data from marketing and advertising partners

• Information from customer service and support providers

• Verification data from identity verification services

Publicly Available Sources:

• Information from public databases and records

• Publicly available social media profiles

• Business directories and professional networks

2.4 Sensitive Personal Information

We may collect certain categories of sensitive personal information, which receive additional protections under applicable privacy laws:

Financial Information:

• Bank account details (for payment processing)

• Credit card information (processed through secure third-party processors)

• Financial transaction history

Biometric Data:

• Facial recognition data (only if you opt in to such features)

• Fingerprint data (for device authentication, if applicable)

Location Data:

• Precise geolocation information (only with your explicit consent)

• General location based on IP address

Health and Demographic Information:

• Health-related information (only if relevant to our services and with your consent)

• Racial or ethnic origin (only if voluntarily provided and legally permissible)

• Religious or philosophical beliefs (only if voluntarily provided)

Note on Sensitive Information: We only collect sensitive personal information when necessary for specific services and with your explicit consent. You have the right to withdraw this consent at any time, though this may limit certain features or services.

2.5 Children's Information

We do not knowingly collect personal information from children under the age of 13 (or the applicable age of digital consent in your jurisdiction) without verifiable parental consent. If we become aware that we have collected personal information from a child without proper consent, we will take steps to delete such information promptly.

2.6 How We Collect Information

Direct Collection Methods:

• Website forms and account registration

• Email communications and newsletters

• Customer service interactions

• Surveys and feedback forms

• Event registrations and webinars

Automatic Collection Methods:

• Cookies and similar tracking technologies

• Web analytics tools and services

• Server logs and access records

• Mobile app analytics (if applicable)

Third-Party Collection Methods:

• Social media platforms and integrations

• Marketing and advertising partners

• Data brokers and public record providers

• Business partners and affiliates

  3. How We Use Your Information

We use the personal information we collect for various legitimate business purposes. The specific purposes depend on how you interact with our services and the legal basis for processing.

3.1 Primary Business Operations

Service Provision and Account Management:

• Creating and managing your account

• Providing access to our services and features

• Processing transactions and fulfilling orders

• Delivering customer support and technical assistance

• Maintaining and improving service functionality

• Personalizing your user experience

Communication and Customer Relations:

• Responding to your inquiries and requests

• Sending service-related notifications and updates

• Providing customer support and technical assistance

• Conducting customer satisfaction surveys

• Managing your communication preferences

Legal and Compliance Obligations:

• Complying with applicable laws and regulations

• Responding to legal requests and court orders

• Preventing fraud and ensuring platform security

• Conducting internal audits and investigations

• Maintaining records as required by law

3.2 Marketing and Business Development

Marketing Communications (with your consent where required):

• Sending promotional emails and newsletters

• Providing information about new products and services

• Sharing relevant offers and discounts

• Conducting market research and analysis

• Personalizing marketing content and recommendations

Analytics and Business Intelligence:

• Analyzing user behavior and service usage patterns

• Conducting market research and competitive analysis

• Improving our products and services

• Developing new features and offerings

• Measuring the effectiveness of our marketing campaigns

Advertising and Promotion:

• Displaying relevant advertisements on our platform

• Partnering with third-party advertising networks

• Creating custom audiences for targeted advertising

• Measuring advertising performance and effectiveness

• Retargeting users who have visited our website

3.3 Technical Operations and Security

Platform Security and Fraud Prevention:

• Detecting and preventing fraudulent activities

• Monitoring for security threats and vulnerabilities

• Implementing access controls and authentication measures

• Conducting security audits and assessments

• Protecting against unauthorized access and data breaches

Technical Maintenance and Improvement:

• Maintaining and optimizing our website and services

• Troubleshooting technical issues and bugs

• Conducting system updates and maintenance

• Monitoring service performance and uptime

• Implementing new features and functionality

Data Analytics and Research:

• Analyzing usage patterns and user behavior

• Conducting A/B testing and experimentation

• Generating insights for business decision-making

• Improving user experience and interface design

• Developing predictive models and algorithms

3.4 Legal Basis for Processing (GDPR Compliance)

Under the General Data Protection Regulation (GDPR), we process your personal information based on the following legal grounds:

Consent: When you have given clear and specific consent for processing, such as:

• Marketing communications

• Optional features requiring personal data

• Cookies and tracking technologies (where required)

• Sensitive personal information processing

Contract Performance: When processing is necessary for:

• Providing services you have requested

• Fulfilling purchase orders and transactions

• Managing your account and user profile

• Delivering customer support

Legitimate Interests: When we have legitimate business interests that are not overridden by your privacy rights:

• Improving our services and user experience

• Conducting business analytics and research

• Preventing fraud and ensuring security

• Direct marketing to existing customers (where legally permitted)

Legal Obligation: When we must process data to comply with legal requirements:

• Tax and accounting obligations

• Regulatory compliance requirements

• Responding to legal requests and court orders

• Data breach notification requirements

Vital Interests: In rare cases where processing is necessary to protect life or physical safety:

• Emergency situations requiring immediate action

• Protecting individuals from harm or danger

3.5 Automated Decision-Making and Profiling

We may use automated systems to make decisions about you or create profiles based on your personal information. This includes:

Automated Decisions:

• Credit scoring and risk assessment (if applicable)

• Fraud detection and prevention systems

• Content recommendation algorithms

• Pricing and promotional offer determination

Profiling Activities:

• Creating user preference profiles for personalization

• Segmenting users for targeted marketing

• Analyzing behavior patterns for service improvement

• Generating insights for business intelligence

Your Rights Regarding Automated Processing:

• You have the right to request human review of automated decisions

• You can object to profiling for direct marketing purposes

• You may request information about the logic involved in automated decision-making

• You can challenge decisions that significantly affect you

3.6 Data Minimization and Purpose Limitation

We adhere to the principles of data minimization and purpose limitation:

Data Minimization: We only collect and process personal information that is:

• Necessary for the specified purposes

• Relevant to our business operations

• Adequate but not excessive for the intended use

Purpose Limitation: We use personal information only for:

• The purposes disclosed in this Privacy Policy

• Compatible purposes that are reasonably expected

• Purposes for which you have provided additional consent

• Legal obligations and legitimate interests as described above

Retention Alignment: We retain personal information only as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law.

  4. Information Sharing and Disclosure

We may share your personal information with third parties under specific circumstances and with appropriate safeguards. We do not sell your personal information to third parties for monetary consideration, but we may share it as described below.

4.1 Service Providers and Business Partners

Essential Service Providers: We share personal information with trusted third-party service providers who assist us in operating our business:

• Payment Processors: To process transactions and handle billing (e.g., Stripe, PayPal, Square)

• Cloud Storage Providers: To store and manage data securely (e.g., Amazon Web Services, Google Cloud, Microsoft Azure)

• Email Service Providers: To send communications and newsletters (e.g., Mailchimp, SendGrid, Constant Contact)

• Customer Support Platforms: To provide customer service and technical support (e.g., Zendesk, Intercom, Freshdesk)

• Analytics Providers: To analyze website usage and user behavior (e.g., Google Analytics, Adobe Analytics, Mixpanel)

Marketing and Advertising Partners:

• Advertising Networks: To display relevant advertisements (e.g., Google Ads, Facebook Ads, LinkedIn Ads)

• Marketing Automation Platforms: To manage marketing campaigns and lead generation

• Social Media Platforms: When you interact with our social media integrations

• Affiliate Partners: To track referrals and manage partnership programs

Professional Service Providers:

• Legal Counsel: For legal advice and representation

• Accounting and Tax Services: For financial reporting and tax compliance

• Auditing Firms: For compliance and security audits

• Consulting Services: For business strategy and technical consulting

4.2 Business Transactions

Mergers and Acquisitions: In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred to the acquiring entity. We will:

• Provide notice of any such transaction

• Ensure the acquiring entity honors this Privacy Policy

• Give you the opportunity to opt out if the new entity's practices differ significantly

Due Diligence: We may share personal information with potential buyers, investors, or partners during due diligence processes, subject to appropriate confidentiality agreements.

4.3 Legal and Regulatory Requirements

Legal Compliance: We may disclose personal information when required by law or in response to:

• Subpoenas, court orders, or legal process

• Government investigations or regulatory inquiries

• Tax authorities and financial regulators

• Law enforcement requests with proper legal authority

Protection of Rights and Safety: We may share personal information to:

• Protect our legal rights and interests

• Enforce our terms of service and policies

• Prevent fraud, abuse, or illegal activities

• Protect the safety and security of our users and the public

• Investigate potential violations of our terms

4.4 Consent-Based Sharing

With Your Explicit Consent: We may share personal information with third parties when you have provided specific consent, such as:

• Integrating with third-party applications or services

• Participating in joint marketing campaigns

• Sharing information with business partners for specific purposes

• Publishing testimonials or case studies (with your permission)

Social Media Sharing: When you choose to share content on social media platforms or connect your social media accounts, information may be shared according to your social media privacy settings and the platform's terms of service.

4.5 Categories of Third Parties

The following table outlines the categories of third parties with whom we may share personal information:

| Category | Purpose | Types of Information Shared | Safeguards |
|---|---|---|---|
| Payment Processors | Transaction processing | Billing information, payment details | PCI DSS compliance, encryption |
| Cloud Service Providers | Data storage and hosting | All categories as needed | Data processing agreements, encryption |
| Marketing Partners | Advertising and promotion | Contact information, usage data | Limited use agreements, opt-out options |
| Analytics Providers | Usage analysis | Aggregated and anonymized data | Data minimization, anonymization |
| Customer Support | Service assistance | Account and communication data | Access controls, confidentiality agreements |
| Legal and Compliance | Regulatory requirements | As required by law | Legal privilege, minimal disclosure |

4.6 International Transfers

Cross-Border Data Transfers: Some of our service providers and partners are located outside your country of residence. When we transfer personal information internationally, we ensure appropriate safeguards are in place:

For EU/EEA Residents:

• Adequacy Decisions: Transfers to countries with adequate protection as determined by the European Commission

• Standard Contractual Clauses: EU-approved contractual terms for international transfers

• Binding Corporate Rules: Internal policies for multinational organizations

• Certification Schemes: Participation in approved certification programs

For Other Jurisdictions:

• Contractual protections requiring equivalent privacy standards

• Compliance with applicable cross-border transfer regulations

• Regular monitoring and auditing of international partners

4.7 Data Sharing Limitations

Restrictions on Third-Party Use: When we share personal information with third parties, we:

• Limit the use to specified purposes only

• Require contractual commitments to protect the data

• Prohibit further sharing without authorization

• Mandate deletion when the purpose is fulfilled

• Conduct regular audits and compliance checks

No Sale of Personal Information: We do not sell personal information for monetary consideration. However, under some privacy laws (such as the CCPA), certain data sharing activities may be considered "sales." If you are a California resident, you have the right to opt out of such sharing.

4.8 Aggregate and De-identified Information

We may share aggregate, de-identified, or anonymized information that cannot reasonably be used to identify you. This includes:

• Statistical information about user demographics

• Aggregated usage patterns and trends

• Market research and industry reports

• Benchmarking and comparative analysis

Such information is not considered personal information and is not subject to the restrictions in this Privacy Policy.

  5. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention practices are designed to balance your privacy rights with our legitimate business needs.

5.1 General Retention Principles

Purpose-Based Retention: We retain personal information based on the specific purpose for which it was collected:

• Account Information: Retained while your account is active and for a reasonable period after account closure

• Transaction Records: Retained for the period required by applicable financial and tax regulations

• Communication Records: Retained for customer service purposes and legal compliance

• Marketing Data: Retained until you opt out or withdraw consent

Legal and Regulatory Requirements: Certain information must be retained to comply with legal obligations:

• Financial Records: 7 years for tax and accounting purposes (may vary by jurisdiction)

• Employment Records: As required by labor laws and regulations

• Health Information: As mandated by healthcare regulations (if applicable)

• Legal Documents: For the duration of any legal proceedings plus applicable statute of limitations

5.2 Specific Retention Periods

Account and Profile Information:

• Active Accounts: Retained while account remains active

• Inactive Accounts: Deleted after 3 years of inactivity (with prior notice)

• Closed Accounts: Most data deleted within 30 days, some records retained for legal compliance

Transaction and Financial Data:

• Purchase History: Retained for 7 years for tax and warranty purposes

• Payment Information: Credit card data deleted immediately after processing; transaction records retained per legal requirements

• Billing Records: Retained for 7 years or as required by applicable law

• Refund and Dispute Records: Retained for 3 years after resolution

Communication and Support Data:

• Customer Service Records: Retained for 3 years for quality assurance and training

• Email Communications: Retained until you unsubscribe or for 2 years, whichever is sooner

• Chat and Phone Records: Retained for 1 year for service improvement

• Feedback and Surveys: Retained for 2 years or until purpose is fulfilled

Technical and Usage Data:

• Server Logs: Retained for 90 days for security and troubleshooting

• Analytics Data: Aggregated data retained indefinitely; individual data for 26 months

• Cookie Data: Varies by cookie type (session cookies deleted when browser closes; persistent cookies per their expiration dates)

• Device Information: Retained for 2 years or until device is no longer used

5.3 Automated Deletion Processes

Scheduled Deletion: We have implemented automated systems to delete personal information when retention periods expire:

• Daily Processes: Remove expired session data and temporary files

• Monthly Reviews: Delete inactive user accounts and expired marketing data

• Annual Audits: Comprehensive review of all retained data for compliance

Data Minimization: We regularly review and minimize the personal information we retain:

• Quarterly Assessments: Evaluate necessity of retained data categories

• Annual Policy Reviews: Update retention schedules based on business needs and legal changes

• Continuous Monitoring: Automated alerts for data approaching retention limits

5.4 Extended Retention Circumstances

Legal Holds: We may retain personal information beyond normal retention periods when:

• Litigation: Data relevant to ongoing or anticipated legal proceedings

• Regulatory Investigations: Information subject to government inquiries

• Compliance Audits: Data required for regulatory compliance reviews

• Dispute Resolution: Information necessary for resolving customer or business disputes

Business Continuity: Certain information may be retained longer for legitimate business purposes:

• Fraud Prevention: Data necessary to prevent future fraudulent activities

• Security Incidents: Information related to security breaches or investigations

• Product Liability: Data relevant to product safety and liability issues

• Intellectual Property: Information necessary to protect our intellectual property rights

5.5 Data Deletion and Destruction

Secure Deletion Methods: When personal information reaches the end of its retention period, we ensure secure deletion:

• Electronic Data: Cryptographic erasure and overwriting of storage media

• Physical Documents: Secure shredding and destruction by certified vendors

• Backup Systems: Removal from all backup and archival systems

• Third-Party Systems: Coordination with service providers to ensure complete deletion

Verification and Documentation: We maintain records of data deletion activities:

• Deletion Logs: Automated records of when and what data was deleted

• Audit Trails: Documentation of deletion processes and verification

• Compliance Reports: Regular reporting on retention and deletion activities

• Third-Party Confirmations: Certificates of destruction from service providers

5.6 User-Initiated Deletion

Account Deletion: You can request deletion of your account and associated personal information:

• Self-Service Options: Account deletion tools in your user dashboard

• Customer Support: Assistance with account closure and data deletion

• Verification Process: Identity verification required for security purposes

• Confirmation: Written confirmation of account and data deletion

Selective Data Deletion: You may request deletion of specific categories of personal information:

• Marketing Data: Opt out of marketing communications and delete related data

• Optional Information: Remove non-essential profile information

• Historical Data: Delete old transaction or communication records (subject to legal requirements)

• Third-Party Integrations: Disconnect and delete data from linked services

5.7 Exceptions to Deletion

Legal and Regulatory Exceptions: We may be unable to delete certain information due to:

• Legal Obligations: Requirements to retain records for tax, employment, or regulatory purposes

• Ongoing Investigations: Data subject to legal holds or regulatory inquiries

• Dispute Resolution: Information necessary for resolving ongoing disputes

• Safety and Security: Data required to prevent fraud or protect user safety

Technical Limitations: Some data may persist due to technical constraints:

• Backup Systems: Data in backup systems may take additional time to remove

• Cached Data: Temporary copies in content delivery networks or caches

• Aggregated Data: Information that has been aggregated or anonymized

• System Logs: Technical logs that may contain references to deleted data

5.8 Retention Schedule Updates

Regular Reviews: We regularly review and update our retention schedules:

• Annual Policy Review: Comprehensive evaluation of all retention periods

• Legal Updates: Adjustments based on changes in applicable laws

• Business Changes: Modifications based on evolving business needs

• Technology Updates: Improvements to deletion and retention systems

Notification of Changes: We will notify you of significant changes to our retention practices:

• Privacy Policy Updates: Changes reflected in updated privacy policy

• Direct Communication: Email notification for material changes affecting your data

• Website Notices: Prominent notices on our website for policy updates

• Opt-Out Opportunities: Options to object to extended retention periods where legally permissible

  6. Data Security

We implement comprehensive security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security practices are designed to meet or exceed industry standards and comply with applicable data protection regulations.

6.1 Technical Security Measures

Encryption and Data Protection:

• Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 or higher encryption protocols

• Data at Rest: Personal information stored in our databases is encrypted using AES-256 encryption or equivalent standards

• Key Management: Encryption keys are managed through secure key management systems with regular rotation

• Database Security: Multi-layer database security including encryption, access controls, and activity monitoring

Network and Infrastructure Security:

• Firewalls: Advanced firewall systems to prevent unauthorized network access

• Intrusion Detection: Real-time monitoring systems to detect and respond to security threats

• DDoS Protection: Distributed denial-of-service attack protection and mitigation

• Secure Hosting: Infrastructure hosted with reputable cloud providers meeting SOC 2 Type II standards

Application Security:

• Secure Development: Security-by-design principles in all software development

• Regular Testing: Automated and manual security testing including penetration testing

• Vulnerability Management: Regular scanning and patching of security vulnerabilities

• Code Reviews: Security-focused code reviews and static analysis

6.2 Administrative Security Controls

Access Management:

• Principle of Least Privilege: Employees and systems have access only to data necessary for their role

• Multi-Factor Authentication: Required for all administrative access to systems containing personal information

• Regular Access Reviews: Quarterly reviews of user access rights and permissions

• Immediate Revocation: Prompt removal of access when employees leave or change roles

Employee Security Training:

• Privacy and Security Training: Mandatory training for all employees handling personal information

• Regular Updates: Ongoing education about emerging threats and security best practices

• Incident Response Training: Specialized training for security incident response team members

• Confidentiality Agreements: All employees sign confidentiality and data protection agreements

Vendor and Third-Party Management:

• Due Diligence: Security assessments of all third-party service providers

• Contractual Requirements: Data processing agreements with security and privacy requirements

• Regular Audits: Periodic security audits of key vendors and partners

• Incident Coordination: Coordinated incident response procedures with third parties

6.3 Physical Security Measures

Data Center Security:

• Controlled Access: Biometric access controls and 24/7 security monitoring

• Environmental Controls: Climate control, fire suppression, and power backup systems

• Equipment Security: Secure disposal and destruction of hardware containing data

• Visitor Management: Strict visitor access controls and escort requirements

Office Security:

• Secure Workspaces: Locked offices and secure storage for sensitive documents

• Clean Desk Policy: Requirements to secure or remove sensitive information from workspaces

• Device Security: Encryption and remote wipe capabilities for mobile devices and laptops

• Disposal Procedures: Secure destruction of physical documents and electronic media

6.4 Monitoring and Detection

Security Monitoring:

• 24/7 Monitoring: Continuous monitoring of systems and networks for security threats

• Log Analysis: Automated analysis of security logs and audit trails

• Anomaly Detection: Machine learning-based detection of unusual access patterns or activities

• Threat Intelligence: Integration with external threat intelligence sources

Incident Detection and Response:

• Automated Alerts: Real-time alerts for potential security incidents

• Response Team: Dedicated security incident response team available 24/7

• Escalation Procedures: Clear escalation paths for different types of security incidents

• Forensic Capabilities: Digital forensics capabilities for incident investigation

6.5 Data Backup and Recovery

Backup Procedures:

• Regular Backups: Automated daily backups of all critical data and systems

• Encrypted Storage: All backup data encrypted using industry-standard encryption

• Geographic Distribution: Backups stored in multiple geographic locations for redundancy

• Retention Management: Backup retention policies aligned with data retention requirements

Disaster Recovery:

• Recovery Plans: Comprehensive disaster recovery and business continuity plans

• Regular Testing: Quarterly testing of backup and recovery procedures

• Recovery Time Objectives: Defined targets for system and data recovery times

• Communication Plans: Clear communication procedures during recovery operations

6.6 Privacy by Design

Data Minimization:

• Collection Limits: Systems designed to collect only necessary personal information

• Purpose Limitation: Technical controls to prevent use of data beyond stated purposes

• Automated Deletion: Systems automatically delete data when retention periods expire

• Anonymization: Automatic anonymization of data where possible for analytics and research

Privacy Controls:

• Consent Management: Technical systems to manage and track user consent

• Access Controls: Granular controls over who can access different categories of personal information

• Audit Trails: Comprehensive logging of all access to and processing of personal information

• Data Subject Rights: Automated systems to facilitate exercise of privacy rights

6.7 Security Incident Response

Incident Response Plan:

• Immediate Response: Procedures for immediate containment and assessment of security incidents

• Investigation Process: Systematic investigation and documentation of security incidents

• Notification Procedures: Clear procedures for notifying affected individuals and regulatory authorities

• Remediation Steps: Comprehensive remediation and recovery procedures

Breach Notification:

• Rapid Assessment: Immediate assessment of potential data breaches within 24 hours

• Regulatory Notification: Notification to relevant data protection authorities within 72 hours where required

• Individual Notification: Direct notification to affected individuals when required by law

• Public Disclosure: Transparent communication about significant security incidents

6.8 Compliance and Auditing

Security Standards Compliance:

• ISO 27001: Implementation of information security management systems

• SOC 2 Type II: Annual audits of security controls and procedures

• GDPR Compliance: Technical and organizational measures to ensure GDPR compliance

• Industry Standards: Adherence to relevant industry-specific security standards

Regular Security Audits:

• Internal Audits: Quarterly internal security assessments and reviews

• External Audits: Annual third-party security audits and penetration testing

• Vulnerability Assessments: Regular vulnerability scans and assessments

• Compliance Reviews: Periodic reviews of compliance with security policies and procedures

6.9 User Security Responsibilities

Account Security:

• Strong Passwords: Recommendations for creating and maintaining strong passwords

• Two-Factor Authentication: Optional two-factor authentication for enhanced account security

• Suspicious Activity: Reporting procedures for suspicious account activity

• Regular Updates: Keeping contact information current for security notifications

Safe Practices:

• Phishing Awareness: Education about phishing and social engineering attacks

• Secure Connections: Recommendations for using secure internet connections

• Software Updates: Importance of keeping devices and software updated

• Privacy Settings: Guidance on configuring privacy and security settings

6.10 Continuous Improvement

Security Program Evolution:

• Regular Reviews: Annual reviews and updates of security policies and procedures

• Threat Assessment: Ongoing assessment of emerging security threats and risks

• Technology Updates: Regular updates to security technologies and tools

• Best Practices: Adoption of evolving industry best practices and standards

Investment in Security:

• Resource Allocation: Continued investment in security infrastructure and personnel

• Training and Development: Ongoing training and professional development for the security team

• Technology Innovation: Adoption of new security technologies and methodologies

• Industry Collaboration: Participation in security industry forums and information sharing

  7. Your Privacy Rights

You have important rights regarding your personal information. The specific rights available to you depend on your location and the applicable privacy laws. We are committed to facilitating the exercise of these rights and responding to your requests promptly and transparently.

7.1 Universal Privacy Rights

Right to Information and Transparency:

• Clear Information: You have the right to clear, understandable information about how we process your personal information

• Processing Purposes: You can request information about why we collect and use your personal information

• Data Categories: You have the right to know what categories of personal information we collect about you

• Source Information: You can request information about the sources from which we collect your personal information

Right to Access:

• Data Access: You have the right to request a copy of the personal information we hold about you

• Processing Details: You can request information about how we process your personal information

• Data Recipients: You have the right to know with whom we share your personal information

• Retention Periods: You can request information about how long we retain your personal information

7.2 Rights Under the General Data Protection Regulation (GDPR)

For EU/EEA Residents:

Right to Rectification:

• Correction: You have the right to request correction of inaccurate or incomplete personal information

• Updates: You can update your personal information at any time through your account settings

• Verification: We may request verification of your identity before making corrections

• Third-Party Notification: We will notify relevant third parties of corrections where appropriate

Right to Erasure (Right to be Forgotten):

• Deletion Request: You can request deletion of your personal information under certain circumstances

• Grounds for Erasure: When the data is no longer necessary, you withdraw consent, or the processing is unlawful

• Exceptions: We may retain information where required by law or for legitimate interests

• Third-Party Notification: We will inform third parties of deletion requests where feasible

Right to Restrict Processing:

• Processing Limitation: You can request that we limit how we process your personal information

• Circumstances: When accuracy is contested, processing is unlawful, or you object to processing

• Storage Only: We may store but not further process restricted data

• Notification: We will inform you before lifting any restrictions on processing

Right to Data Portability:

• Data Transfer: You can request your personal information in a structured, machine-readable format

• Direct Transfer: You can request that we transfer your data directly to another service provider

• Technical Feasibility: Subject to technical feasibility and security considerations

• Scope: Applies to data processed based on consent or contract performance

Right to Object:

• Processing Objection: You can object to processing based on legitimate interests or for direct marketing

• Marketing Opt-Out: You can opt out of marketing communications at any time

• Profiling: You can object to automated decision-making and profiling

• Balancing Test: We will cease processing unless we have compelling legitimate grounds

7.3 Rights Under the California Consumer Privacy Act (CCPA/CPRA)

For California Residents:

Right to Know:

• Categories of Information: You can request information about the categories of personal information we collect

• Sources: You have the right to know the sources from which we collect personal information

• Business Purposes: You can request information about our business or commercial purposes for collecting personal information

• Third-Party Sharing: You have the right to know the categories of third parties with whom we share personal information

Right to Delete:

• Deletion Request: You can request deletion of personal information we have collected about you

• Verification Process: We will verify your identity before processing deletion requests

• Exceptions: We may retain information for specific legal, business, or security purposes

• Confirmation: We will confirm completion of deletion requests

Right to Opt-Out of Sale/Sharing:

• No Sale: We do not sell personal information for monetary consideration

• Sharing Opt-Out: You can opt out of sharing personal information for targeted advertising

• "Do Not Sell or Share" Link: Available on our website footer for easy access

• Global Privacy Control: We honor Global Privacy Control signals where technically feasible

Right to Correct:

• Inaccurate Information: You can request correction of inaccurate personal information

• Verification: We will verify your identity and the accuracy of the correction request

• Response Time: We will respond to correction requests within 45 days

• Third-Party Notification: We will notify service providers of corrections where appropriate

Right to Limit Sensitive Personal Information:

• Sensitive Data: You can limit our use of sensitive personal information

• Essential Uses Only: We will limit use to essential business purposes only

• Opt-Out Process: Simple opt-out process available through your account settings

• Exceptions: Certain uses may be necessary for service provision or legal compliance

7.4 Rights Under Other Privacy Laws

Virginia Consumer Data Protection Act (VCDPA):

• Access and Portability: Right to access and receive personal data in a portable format

• Correction: Right to correct inaccuracies in personal data

• Deletion: Right to delete personal data

• Opt-Out: Right to opt out of targeted advertising and sale of personal data

Colorado Privacy Act (CPA):

• Transparency: Right to transparent information about data processing

• Access: Right to access personal data

• Correction: Right to correct personal data

• Deletion: Right to delete personal data

• Portability: Right to data portability

• Opt-Out: Right to opt out of targeted advertising and data sales

Other State Laws: We comply with privacy laws in all states where we operate, including Connecticut, Utah, and other states with comprehensive privacy legislation.

7.5 How to Exercise Your Rights

Online Request Portal:

• Self-Service Options: Many rights can be exercised through your account dashboard

• Privacy Request Form: Dedicated online form for submitting privacy requests

• Secure Submission: Encrypted submission process to protect your information

• Request Tracking: Ability to track the status of your privacy requests

Contact Methods:

• Email: [email protected]

• Online Chat: Customer support chat with privacy-trained representatives

Verification Process:

• Identity Verification: We will verify your identity before processing requests

• Account Holders: Account login credentials may be sufficient for verification

• Non-Account Holders: Additional verification information may be required

• Authorized Agents: Procedures for authorized agents to submit requests on your behalf

7.6 Response Timeframes

Standard Response Times:

• GDPR Requests: Within 30 days (extendable to 60 days for complex requests)

• CCPA Requests: Within 45 days (extendable to 90 days with notification)

• Other State Laws: As required by applicable law, typically 30-45 days

• Urgent Requests: Expedited processing for urgent security or safety concerns

Communication:

• Acknowledgment: We will acknowledge receipt of your request within 5 business days

• Status Updates: Regular updates on the progress of complex requests

• Completion Notice: Confirmation when your request has been completed

• Appeal Process: Information about appeal procedures if you are unsatisfied with our response

7.7 Limitations and Exceptions

Legal Limitations:

• Legal Obligations: We may be unable to fulfill requests that conflict with legal obligations

• Ongoing Investigations: Requests may be limited during active legal proceedings or investigations

• Safety and Security: Requests may be denied if they would compromise safety or security

• Third-Party Rights: Requests may be limited to protect the rights and freedoms of others

Technical Limitations:

• System Constraints: Some requests may be limited by technical system capabilities

• Data Interconnections: Complex data relationships may affect the scope of certain requests

• Backup Systems: Data in backup systems may take additional time to address

• Aggregated Data: Anonymized or aggregated data may not be subject to individual rights

7.8 No Discrimination

Equal Treatment:

• No Retaliation: We will not discriminate against you for exercising your privacy rights

• Service Continuity: Your access to our services will not be denied for exercising rights

• Equal Pricing: We will not charge different prices based on privacy choices

• Service Quality: The quality of our services will not be affected by your privacy decisions

Exceptions:

• Necessary Differences: Some service differences may be necessary based on the data available

• Legal Requirements: Certain legal requirements may necessitate different treatment

• Voluntary Programs: You may choose to participate in programs that offer benefits in exchange for data

7.9 Authorized Agents

Agent Authorization:

• Written Authorization: Authorized agents must provide written permission from the consumer

• Verification Requirements: The identities of both the agent and the consumer must be verified

• Power of Attorney: Agents with power of attorney may submit requests with proper documentation

• Business Agents: Businesses may authorize agents to submit requests on behalf of employees

Agent Responsibilities:

• Accurate Representation: Agents must accurately represent the consumer's request

• Confidentiality: Agents must maintain confidentiality of consumer information

• Compliance: Agents must comply with all applicable privacy laws and regulations

• Communication: Agents must facilitate communication between us and the consumer as needed

  8. International Data Transfers

We may transfer your personal information to countries outside your country of residence, including countries that may not have the same level of data protection as your home country. We ensure that all international transfers are conducted with appropriate safeguards to protect your personal information.

8.1 Transfer Mechanisms and Safeguards

For EU/EEA Residents:

• Adequacy Decisions: We transfer data to countries deemed adequate by the European Commission (such as the UK, Canada, and others)

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers to countries without adequacy decisions

• Binding Corporate Rules: Where applicable, we rely on approved Binding Corporate Rules for intra-group transfers

• Certification Schemes: We may use approved certification schemes and codes of conduct

For Other Jurisdictions:

• Contractual Safeguards: We implement contractual protections requiring equivalent privacy standards

• Cross-Border Transfer Agreements: We comply with applicable cross-border transfer regulations

• Regular Monitoring: We conduct regular assessments of international partners' privacy practices

8.2 Countries and Regions

Primary Transfer Destinations:

• United States: For cloud hosting, analytics, and customer support services

• European Union: For data processing and customer service operations

• Canada: For certain technical and customer support functions

• United Kingdom: For business operations and data processing activities

Transfer Purposes:

• Cloud Storage and Hosting: Secure data storage and website hosting services

• Customer Support: Providing customer service and technical support

• Analytics and Research: Understanding user behavior and improving services

• Marketing and Advertising: Delivering relevant marketing communications and advertisements

  9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our website, analyze usage patterns, and deliver personalized content and advertisements.

9.1 Types of Cookies We Use

Essential Cookies:

• Session Management: Maintaining your login session and user preferences

• Security: Protecting against fraud and ensuring website security

• Load Balancing: Distributing website traffic for optimal performance

• Error Tracking: Identifying and resolving technical issues

Analytics Cookies:

• Usage Analytics: Understanding how visitors interact with our website

• Performance Monitoring: Measuring website performance and user experience

• A/B Testing: Testing different versions of website features

• Conversion Tracking: Measuring the effectiveness of marketing campaigns

Marketing Cookies:

• Advertising: Delivering relevant advertisements based on your interests

• Retargeting: Showing you relevant ads on other websites

• Social Media Integration: Enabling social media sharing and interactions

• Personalization: Customizing content based on your preferences and behavior

9.2 Cookie Management

Your Cookie Choices:

• Cookie Consent Banner: Clear options to accept or reject non-essential cookies

• Cookie Settings: Granular controls to manage different types of cookies

• Browser Settings: Instructions for managing cookies through your browser

• Opt-Out Tools: Links to industry opt-out tools and preference centers

Cookie Duration:

• Session Cookies: Deleted when you close your browser

• Persistent Cookies: Remain on your device for a specified period or until manually deleted

• Third-Party Cookies: Managed by third-party services according to their policies

  10. Third-Party Services

We integrate with various third-party services to enhance our offerings. These services have their own privacy policies and practices.

10.1 Categories of Third-Party Services

Analytics and Performance:

• Google Analytics: Website traffic and user behavior analysis

• Adobe Analytics: Advanced analytics and reporting

• Hotjar: User experience and behavior tracking

Marketing and Advertising:

• Google Ads: Online advertising and remarketing

• Facebook Pixel: Social media advertising and analytics

• LinkedIn Ads: Professional network advertising

Customer Support:

• Zendesk: Customer service and support ticketing

• Intercom: Live chat and customer communication

• Freshdesk: Help desk and customer support

Payment Processing:

• Stripe: Credit card and payment processing

• PayPal: Alternative payment processing

• Square: Point-of-sale and payment processing

10.2 Third-Party Responsibilities

Data Processing Agreements: We maintain data processing agreements with all third-party service providers that handle personal information on our behalf.

Privacy Policy Links: We encourage you to review the privacy policies of third-party services:

• Google Privacy Policy

• Facebook Privacy Policy

• LinkedIn Privacy Policy

  11. Children's Privacy

We are committed to protecting the privacy of children and comply with applicable children's privacy laws, including the Children's Online Privacy Protection Act (COPPA).

11.1 Age Restrictions

Minimum Age Requirements:

• General Services: Our services are not intended for children under 13 years of age

• EU/EEA Residents: We do not knowingly collect data from children under 16 without parental consent

• Other Jurisdictions: We comply with local age requirements for digital consent

11.2 Parental Rights and Controls

Parental Consent: Where required by law, we obtain verifiable parental consent before collecting personal information from children.

Parental Rights: Parents have the right to:

• Review their child's personal information

• Request deletion of their child's personal information

• Refuse further collection or use of their child's personal information

  12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

12.1 Notification of Changes

Material Changes: We will provide prominent notice of material changes through:

• Email Notification: Direct email to registered users

• Website Banner: Prominent notice on our website

• In-App Notification: Notifications within our mobile applications

Minor Changes: Non-material changes will be reflected in the updated policy with a new "Last Updated" date.

12.2 Effective Date

Changes to this Privacy Policy will become effective 30 days after posting, unless a longer notice period is required by law or we specify otherwise.

  13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Privacy Officer:

• Email: [email protected]

General Contact:

• Website: https://www.nara.io/

• Customer Support: [email protected]

Response Time: We will respond to privacy inquiries within 5 business days and privacy requests within the timeframes required by applicable law.

  14. Complaints and Regulatory Information

You have the right to file complaints about our privacy practices with relevant regulatory authorities.

14.1 Regulatory Contacts

European Union/EEA:

• Lead Supervisory Authority: [TO BE DETERMINED BASED ON MAIN ESTABLISHMENT]

• Local Data Protection Authorities: Contact information available at edpb.europa.eu

United States:

• Federal Trade Commission: consumer.ftc.gov

• State Attorneys General: Contact information for your state's attorney general office

Other Jurisdictions:

• Canada: Office of the Privacy Commissioner of Canada - priv.gc.ca

• United Kingdom: Information Commissioner's Office - ico.org.uk

14.2 Internal Complaint Process

Before contacting regulatory authorities, we encourage you to contact us directly so we can address your concerns promptly and effectively.
