Privacy Policy
Effective date: 21 March 2026 | Last updated: 9 April 2026
NodeNarrative ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at nodenarrative.io (the "Website") and use our marketing attribution platform (the "Platform", and together with the Website, the "Services").
We are based in Brisbane, Queensland, Australia. This policy is designed to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.
1. Who we are
NodeNarrative is a marketing attribution software company headquartered in Brisbane, Queensland, Australia. We provide a knowledge graph-based attribution platform that helps e-commerce businesses understand their customer journeys and optimise marketing spend.
| Entity | NodeNarrative |
| Address | Brisbane, Queensland, Australia |
| Website | nodenarrative.io (official site) |
| Privacy contact | privacy@nodenarrative.io |
2. Information we collect
2.1 Information you provide directly
When you interact with our Services, you may provide us with:
- Contact information: name, email address, phone number, and company name (e.g. when you submit our contact form or request a demo)
- Account information: email address, password, and organisation details when you create a Platform account
- Communications: any messages, feedback, or support requests you send us
- Payment information: billing details processed securely by our payment processor, Stripe. We do not store your full credit card number on our servers.
2.2 Information collected automatically
When you visit our Website or use our Platform, we may automatically collect:
- Device and browser information: IP address, browser type, operating system, device type, and screen resolution
- Usage data: pages visited, time spent on pages, referring URLs, and navigation paths
- Performance data: page load times, errors encountered, and interaction metrics
2.3 Platform customer data
When you use our Platform, you may integrate your e-commerce and marketing data sources. This "Customer Data" may include:
- Marketing touchpoint data (ad clicks, email opens, social interactions)
- E-commerce transaction data (order IDs, product information, revenue)
- Customer journey data that may contain personal information of your end customers
Our Platform includes a built-in privacy engine powered by Microsoft Presidio for automated PII detection and handling. We process Customer Data as a data processor on your behalf (under GDPR) or as a service provider (under CCPA). You remain the data controller or business with respect to your Customer Data.
3. How we use your information
We use your personal information for the following purposes:
| Purpose | Categories of data |
|---|---|
| Providing and maintaining our Services | Account info, Customer Data |
| Responding to enquiries and providing support | Contact info, communications |
| Processing payments and managing subscriptions | Account info, payment info |
| Sending transactional communications (e.g. confirmations, updates) | Contact info |
| Sending marketing communications (with your consent) | Contact info |
| Improving our Services and developing new features | Usage data, performance data |
| Ensuring security and preventing fraud | Device info, usage data |
| Complying with legal obligations | As required by law |
We will not use your personal information for purposes materially different from those described above without notifying you and, where required, obtaining your consent.
4. Legal basis for processing (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following lawful bases:
| Lawful basis | Processing activities |
|---|---|
| Contract performance (Art. 6(1)(b)) | Providing the Platform, processing payments, account management |
| Legitimate interests (Art. 6(1)(f)) | Website analytics, service improvement, security, fraud prevention |
| Consent (Art. 6(1)(a)) | Marketing communications, non-essential cookies |
| Legal obligation (Art. 6(1)(c)) | Tax compliance, responding to lawful requests |
Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
5. How we share your information
We do not sell your personal information. We may share your information with the following categories of third parties:
| Third party | Purpose | Location |
|---|---|---|
| Cloudflare | Website hosting, CDN, DDoS protection, analytics | Global (US-headquartered) |
| Google Cloud Platform | Platform infrastructure and data processing | Australia (primary), US (backup) |
| Resend | Transactional email delivery | United States |
| Chatwoot (self-hosted) | Customer support ticketing, live chat, knowledge base | Australia (Google Cloud Platform) |
| Stripe | Payment processing | United States |
Each of these providers is bound by data processing agreements and is required to handle your data in accordance with applicable privacy laws. We may also disclose your information where required by law, regulation, or legal process.
6. Cookies and tracking technologies
Our Website uses the following technologies:
| Technology | Type | Purpose |
|---|---|---|
| Cloudflare Analytics | Essential / Analytics | Privacy-preserving site analytics (no personal data collection) |
| Session cookies | Essential | Maintaining your session state |
| Chatwoot live chat widget | Functional | Customer support chat. Loaded only when you interact with the chat widget. May store a session identifier to maintain conversation continuity. |
We do not use third-party advertising cookies or cross-site tracking. Our analytics are privacy-preserving and do not track individual users across websites.
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies may affect the functionality of our Services.
For visitors in the EU/EEA: We obtain your consent before placing non-essential cookies on your device, in compliance with the ePrivacy Directive.
7. International data transfers
As an Australian company with global infrastructure, your personal information may be transferred to and processed in countries outside your country of residence, including:
- Australia: primary data processing, Platform infrastructure, and customer support (Google Cloud Platform, Sydney region)
- United States: email delivery (Resend), payment processing (Stripe), CDN and security (Cloudflare)
- Global edge locations: Cloudflare CDN nodes for Website performance
Safeguards for international transfers
Under Australian law (APP 8):
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to your information. We remain accountable for the handling of your information by overseas recipients.
Under GDPR:
Where we transfer personal data outside the EEA, we rely on appropriate safeguards including EU Standard Contractual Clauses (SCCs) approved by the European Commission, or the recipient's participation in recognised frameworks. Australia has been granted partial adequacy status by the European Commission.
Under CCPA:
We ensure all service providers handling California residents' personal information are bound by contractual obligations that meet CCPA requirements.
8. Data retention
We retain your personal information only for as long as necessary to fulfil the purposes described in this policy:
| Data category | Retention period |
|---|---|
| Contact form submissions | 2 years from submission, or until you request deletion |
| Account information | Duration of your account plus 30 days after account closure |
| Customer Data: raw events (Platform) | Per your plan's retention window (365 days standard, 730 days on Enterprise). Deleted within 30 days of account termination unless you request an export. |
| Customer Data: aggregated analytics (Platform) | Indefinite. De-identified, aggregated summaries (channel performance, conversion rates, attribution scores) are retained for trend analysis and year-over-year comparisons. These contain no personal information and cannot be used to identify individuals. Deleted within 30 days of account termination. |
| Payment records | 7 years (Australian tax law requirements) |
| Website analytics | Aggregated data only; no individual-level data retained |
| Support communications | 3 years from last interaction |
When personal information is no longer required, we securely delete or de-identify it using industry-standard methods.
9. Data security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions
- Regular security assessments and vulnerability scanning
- Automated PII detection and handling via our privacy engine
- Infrastructure hosted on SOC 2 Type II certified providers
- DDoS protection via Cloudflare
While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
10. Your privacy rights
10.1 Australian Privacy Principles (all users)
Under the Australian Privacy Act 1988, you have the right to:
- Access the personal information we hold about you (APP 12)
- Request correction of inaccurate, out-of-date, or incomplete information (APP 13)
- Make a complaint about our handling of your personal information
- Interact anonymously or pseudonymously where practicable (APP 2)
- Opt out of receiving direct marketing communications (APP 7)
If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC).
10.2 GDPR rights (EU/EEA/UK residents)
If you are in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the GDPR:
- Right of access (Art. 15): obtain a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): request deletion of your data ("right to be forgotten"). You can also delete your account directly from your account settings without contacting support
- Right to restriction (Art. 18): limit how we process your data
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests or direct marketing
- Right to withdraw consent (Art. 7): withdraw consent at any time without affecting prior processing
- Right regarding automated decisions (Art. 22): not be subject to decisions based solely on automated processing with legal or significant effects
To exercise these rights, contact us at privacy@nodenarrative.io. We will respond within 30 days (or one month under GDPR). You also have the right to lodge a complaint with your local data protection authority.
10.3 CCPA/CPRA rights (California residents)
If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:
- Right to know: what personal information we collect, use, disclose, and sell
- Right to delete: request deletion of your personal information
- Right to correct: correct inaccurate personal information
- Right to opt-out: opt out of the sale or sharing of personal information
- Right to limit: limit the use and disclosure of sensitive personal information
- Right to non-discrimination: not be discriminated against for exercising your rights
We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use sensitive personal information for purposes beyond what is necessary to provide our Services.
To exercise your CCPA rights, contact us at privacy@nodenarrative.io. We will verify your identity before processing your request and respond within 45 days.
11. Automated decision-making
Our Platform uses algorithmic processing to provide marketing attribution insights. This includes:
- Attribution modelling: automated analysis of marketing touchpoints to determine their contribution to conversions. This processing is performed on Customer Data provided by our business customers.
- PII detection: automated scanning of Customer Data to detect and flag potential personal information, using Microsoft Presidio.
These automated processes provide analytical insights to our business customers and do not make decisions that produce legal or similarly significant effects on individuals. The attribution models generate statistical weightings; they do not make automated decisions about individual end customers.
In accordance with the Privacy and Other Legislation Amendment Act 2024 (Cth), we will provide additional disclosures about automated decision-making involving personal information as required when the relevant provisions commence on 10 December 2026.
12. Children's privacy
Our Services are not directed at children under the age of 16 (or 13 in jurisdictions where that is the applicable age). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly.
If you believe we have collected information from a child, please contact us at privacy@nodenarrative.io.
13. Data breach notification
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Australian Privacy Act 1988. In the event of an eligible data breach that is likely to result in serious harm:
- We will notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
- We will notify affected individuals as soon as practicable, including a description of the breach, the kinds of information involved, and recommended steps
- We will complete our assessment within 30 days of becoming aware of a potential breach
Where GDPR applies, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, and affected individuals without undue delay where there is a high risk to their rights and freedoms.
If you believe there has been a security incident involving your data, please contact us immediately at privacy@nodenarrative.io.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this page
- For material changes affecting your rights, we will provide reasonable notice via email or a prominent notice on our Website at least 30 days before the changes take effect
- Where required by law, we will obtain your consent to material changes
We encourage you to review this policy periodically. Your continued use of our Services after changes become effective constitutes your acceptance of the revised policy.
15. Contact us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a privacy complaint, please contact us:
| privacy@nodenarrative.io | |
| General enquiries | hello@nodenarrative.io |
| Post | NodeNarrative, Brisbane, QLD, Australia |
We aim to respond to all privacy-related enquiries within 30 days. If you are not satisfied with our response:
- Australia: You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
- EU/EEA/UK: You may lodge a complaint with your local data protection authority
- California: You may contact the California Privacy Protection Agency (CPPA)
This Privacy Policy was last reviewed on 21 March 2026. We recommend that this document be reviewed by a qualified legal professional to ensure it meets the specific requirements of your business. This document does not constitute legal advice.