Privacy Policy

How we collect, use, and protect your personal data.

Effective: April 16, 2026
Last updated: April 16, 2026

1. Data Controller

The data controller responsible for your personal data is Heka Services Inc., operating the NARA platform (“we”, “us”, or “our”).

Registered address: Montreal, QC, Canada.
Contact email: privacy@nara.app

2. Data We Collect

We collect and process the following categories of personal data:

Account data

Full name, email address, hashed password, profile avatar, language preference, and timezone. Collected at registration or invitation acceptance.

Organization data

Organization name, logo, sector, size, currency, work schedule, holidays, team structures, member roles, and permission settings. Created by organization owners during onboarding.

Work data

Tasks (titles, descriptions, assignments, priorities, deadlines, custom field values, subtasks, dependencies), time entries (start/end times, durations, labels, billable flags), files and documents (uploaded content, metadata, versions), messages (conversation content, reactions, mentions), and objectives (OKR titles, key results, progress).

Usage data

Server logs (IP address, browser type, request timestamps), navigation patterns within the application, feature usage frequency, and error reports. This data is collected automatically to maintain and improve the service.

Financial data (optional)

If the organization owner activates the Finance module: revenue entries, expense records, invoice uploads and extracted data, budget allocations. This data is processed only within the scope of the activated module.

4. Use of Artificial Intelligence

NARA uses AI technology powered by Anthropic Claude to provide intelligent features including:

  • Task prioritization and workload suggestions
  • Automated summaries of project status and team performance
  • Contextual answers to questions within task threads
  • Report generation and anomaly detection
  • Document analysis and information retrieval (RAG)

When you use AI features, relevant context (such as task descriptions, project details, or conversation history) is sent to Anthropic's API for processing. This data is transmitted securely over encrypted connections.

Important: Anthropic does not use your data to train or improve their models. Your business data remains private and is processed solely to generate responses for your specific request. We do not retain AI-processed data beyond what is necessary to deliver the feature.

5. Sub-processors and Hosting

We use the following third-party service providers to operate the NARA platform:

Provider | Purpose | Location
Vercel Inc. | Application hosting, edge network, serverless functions | United States
Supabase Inc. | PostgreSQL database, authentication, file storage, real-time subscriptions | United States
Anthropic PBC | AI processing (Claude API) for suggestions, summaries, and analysis | United States

All sub-processors are bound by data processing agreements that require them to protect your data to standards consistent with this Privacy Policy and applicable law.

6. Data Retention

We retain your data for as long as necessary to:

  • Active accounts — Data is retained for the duration of your account and organization membership. Work data (tasks, messages, files, time entries) persists as long as the organization exists.
  • Deleted accounts — When you delete your account, your personal profile data is removed within 30 days. Content you created within organizations (tasks, messages) may be retained as organizational records, anonymized where feasible.
  • Deleted organizations — When an organization owner deletes their organization, all associated data (members, tasks, files, messages, time entries, objectives) is permanently deleted within 30 days.
  • Server logs — Automatically purged after 90 days.
  • Legal obligations — Certain data may be retained longer if required by law (e.g., financial records for tax compliance).

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Request correction of inaccurate or incomplete data. You can also update most information directly in your profile settings.
  • Right to erasure — Request deletion of your personal data, subject to legal retention obligations and legitimate organizational record-keeping.
  • Right to data portability — Receive your data in a structured, commonly used, machine-readable format (CSV/JSON).
  • Right to object — Object to processing based on legitimate interest, including profiling.
  • Right to restrict processing — Request that we limit how we use your data while a complaint or objection is being resolved.
  • Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@nara.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our sub-processors (Vercel, Supabase, Anthropic) are located.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Sub-processor certifications and compliance frameworks (e.g., SOC 2 Type II)
  • Supplementary technical measures including encryption in transit and at rest

You may request a copy of the applicable transfer safeguards by contacting us.

9. Cookies

We use cookies and similar technologies to operate the platform and remember your preferences. For detailed information about the types of cookies we use, their purposes, and how to manage them, please see our Cookie Policy.

10. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row Level Security (RLS) on every database table, ensuring complete data isolation between organizations
  • JWT-based authentication with org-scoped claims, preventing cross-organization access
  • Regular security assessments and dependency auditing
  • Access controls limiting employee access to production data

For more detail on our security architecture, see our GDPR Compliance page.

11. Children's Privacy

NARA is a business platform designed for professional use. We do not knowingly collect personal data from children under the age of 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on this page with a new date
  • Sending an email notification to account holders for significant changes
  • Displaying an in-app notice when you next log in

We encourage you to review this page periodically. Your continued use of NARA after changes are posted constitutes acceptance of the updated policy.

13. Contact

For any questions or requests relating to this Privacy Policy or your personal data, contact our Data Protection team:

If you have any questions about this document, please contact us at privacy@nara.app or visit our contact page.