Version 1.3 · Updated 21 May 2026

Privacy policy

How we collect, use and protect your data.

In brief

  • Your email is stored in the database for authentication only.
  • Your clients' GA4/Meta data is never stored in the database (Redis cache 6-24h maximum).
  • Google Analytics 4 (narratiq.fr audience) only loads with your explicit consent.
  • Contact: dpo@narratiq.fr, response within 30 days.

1 Who are we?

NarratIQ is a SaaS analytics and reporting service for freelancers and digital agencies.

Data controller: Matheo Zimmer
Legal form: Sole trader (micro-entrepreneur)
SIRET: 10504893800010
Address: 10 Rue Carnot, 54550 Pont-Saint-Vincent, France
DPO contact: dpo@narratiq.fr

2 Data we collect

2.1 Account data

  • Email address (unique identifier)
  • Name (optional)
  • Registration date and login history
  • Billing information (processed by Stripe; card numbers never reach us)

2.2 Client data you entrust to us

When you connect your clients' Google Analytics 4 or Meta Ads accounts, NarratIQ accesses only aggregated metrics (sessions, impressions, spend, etc.).

This data is never stored in the database. It passes through a Redis cache (TTL 6-24h) and is deleted automatically when the TTL expires. OAuth tokens are encrypted with AES-256-GCM before any storage.

2.3 Technical data

  • Access logs (IP address, user-agent, action), retained for 90 days then automatically purged
  • Session and authentication cookies (see section 7)

3 Why we process this data

Purpose                                               | Legal basis
Service provision (dashboard, reports, alerts)        | Contract performance (Art. 6.1.b GDPR)
Billing and subscription management                   | Contract performance + legal obligation
Transactional emails (reports, alerts, magic link)    | Contract performance
Security logs and internal audit                      | Legitimate interest (Art. 6.1.f GDPR)
GDPR compliance (DPA, consent history)                | Legal obligation (Art. 6.1.c GDPR)
narratiq.fr audience measurement (Google Analytics 4) | Consent (Art. 6.1.a GDPR · ePrivacy Directive Art. 5.3)

4 Sub-processors and transfers

All our primary data is hosted in the European Union. Transfers to the US-based services listed below are governed by Standard Contractual Clauses (SCC).

Service               | Role                                                      | Location
Neon PostgreSQL       | Primary database                                          | EU · Frankfurt
Upstash Redis         | Metrics cache (short TTL)                                 | EU · Ireland (eu-west-1)
Cloudflare R2         | PDF storage                                               | EU
Stripe                | Payments (PCI-DSS certified)                              | EU
Resend                | Transactional emails                                      | EU
Vercel                | Application hosting                                       | EU · Frankfurt, Germany (fra1)
Vercel Analytics      | Cookie-free audience measurement (anonymised server-side) | EU · Vercel Edge
Google Analytics 4    | narratiq.fr audience, consent-only                        | USA (Google SCC)
Google (GA4 Data API) | Client analytics data access, read-only                   | Google DPA · read-only
Meta (Marketing API)  | Client ad data access, read-only                          | Meta DPA · read-only

5 Retention periods

Data                           | Retention period
Account data                   | Duration of subscription + 30 days after cancellation
GA4/Meta client metrics        | Redis cache only · TTL 6-24h · never in database
PDF reports                    | Duration of subscription (stored on Cloudflare R2)
Access logs                    | 90 days maximum · automatically purged
Billing data                   | 10 years (legal accounting obligation)
Google Analytics cookies (_ga) | 2 years (managed by Google) · deletable via your browser

6 Your GDPR rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

Art. 15 · Right of access

JSON export of all your data via Settings.

Art. 16 · Right of rectification

Edit your email or name in Settings.

Art. 17 · Right to erasure

Account deletion from Settings → Danger zone. Cascade within 72h.

Art. 20 · Right to portability

JSON export of all your data via Settings.

Art. 21 · Right to object

Object to any processing based on legitimate interest via dpo@narratiq.fr.

Art. 77 · Right to lodge a complaint

Lodge a complaint with the relevant supervisory authority (e.g. ICO in the UK, CNIL in France) for non-compliant processing.

To exercise your rights: dpo@narratiq.fr. Response within 30 days.

7 Cookies

NarratIQ uses two categories of cookies: strictly necessary cookies for operation (set without consent, in accordance with ePrivacy Directive Art. 5.3) and audience measurement cookies set only with your explicit agreement.

Cookie                      | Set by           | Purpose                                       | Duration        | Consent
next-auth.session-token     | NarratIQ         | Authenticated session                         | Browser session | Not required
__Host-next-auth.csrf-token | NarratIQ         | CSRF protection for forms                     | Browser session | Not required
cookie_consent              | NarratIQ         | Saves your cookie choice                      | 1 year          | Not required
_ga                         | Google Analytics | Visitor identification (narratiq.fr audience) | 2 years         | Required
_ga_[ID]                    | Google Analytics | Analytics session data                        | 2 years         | Required

Vercel Analytics sets no cookies. Data is aggregated anonymously server-side (hashed IP, not stored). No consent required.

You can change your choice at any time: the consent banner reappears if you delete the cookie_consent cookie from your browser, or via your browser's cookie settings.

8 Security and data protection

8.1 Technical protection mechanisms

Encryption at rest

All OAuth tokens (Google, Meta) are encrypted with AES-256-GCM before any storage in the database. The encryption key is stored exclusively as a server environment variable, never in the database.

Encryption in transit

All client-server and server-third-party API communications use TLS 1.3 exclusively. Unencrypted HTTP connections are refused.

Passwordless authentication

NarratIQ uses magic link authentication exclusively. No password is ever stored or transmitted.

User data isolation

Each user can only access their own data. API requests verify identity server-side on every call via the encrypted NextAuth session.

No persistent GA4/Meta storage

GA4 and Meta metrics only pass through a short-TTL Redis cache (6-24h). They are never written to the relational database or permanent files.

Tokens never logged

OAuth access tokens are never included in application logs or Vercel traces. Logs contain only opaque anonymised identifiers.

8.2 Access control and limitation

  • Google OAuth scopes are limited to the strict minimum required: read-only GA4 data (scope analytics.readonly). NarratIQ never uses write scopes.
  • Meta tokens are limited to ads_read permissions only. No write action is requested or executed.
  • Access to a client account's data requires that the logged-in user is the owner of that account in NarratIQ (database check on every request).
  • Secrets (API keys, master tokens) are accessible only to server processes via encrypted Vercel environment variables, never exposed client-side.
  • The database is accessible only from Vercel production servers (private Neon connection string, not publicly exposed).

8.3 Data breach procedure

In the event of a confirmed or suspected personal data breach, NarratIQ commits to:

  1. 72h: Notification to the relevant supervisory authority within 72 hours of discovery (in accordance with Art. 33 GDPR).
  2. Immediately: Immediate revocation of compromised OAuth tokens and invalidation of affected active sessions.
  3. 48h: Notification to affected users within 48 hours if the breach presents a high risk to their rights (Art. 34 GDPR).
  4. Contact: Incident reporting possible at any time via dpo@narratiq.fr or security@narratiq.fr.

9 Google data: use of sensitive scopes

NarratIQ uses the Google Analytics Data API (GA4) via OAuth 2.0. The information below details exactly how Google data is handled, in compliance with the Google API Services User Data Policy.

Google OAuth scopes requested

https://www.googleapis.com/auth/analytics.readonly

Read-only access to GA4 metrics from your properties (sessions, page views, traffic sources, etc.) to generate your NarratIQ reports.

https://www.googleapis.com/auth/userinfo.email

Verification of your Google identity only. Not stored beyond authentication.

Specific commitments for Google data

Limited use

GA4 data obtained via Google scopes is used exclusively to generate reports and dashboards requested by the authenticated user who owns the relevant GA4 account.

No transfer to third parties

GA4 data is never sold, transferred or shared with third parties. It is not used for advertising, profiling or external machine learning.

No persistent storage

GA4 metrics are never stored in the database. Only an encrypted Redis cache (TTL 6-24h) is used to avoid repeated API calls. It expires automatically.

Immediate revocation

You can revoke access at any time from Settings → Integrations, or directly from your Google account (myaccount.google.com/permissions). Tokens are deleted immediately.

Read-only

NarratIQ never writes to your GA4 properties. Access is strictly limited to reading aggregated metrics. No GA4 configuration changes are possible from NarratIQ.

Encrypted tokens

Your Google OAuth tokens (access token and refresh token) are encrypted with AES-256-GCM before any storage in the database. They are only decrypted at the time of the server-side API call.
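Sections 8.1 and 9 both describe the same token-sealing mechanism. The TypeScript below is an added illustration, not NarratIQ's own code: it seals an OAuth token with AES-256-GCM under a key read from a server environment variable, opens it only where a server-side API call would be made, and rejects any record whose IV, tag or ciphertext has been altered. The variable name TOKEN_ENC_KEY, the record layout and the function names are assumptions.

```typescript
// Added example, not NarratIQ's own code. It models the mechanism in sections 8.1 and 9:
// OAuth tokens are sealed with AES-256-GCM under a key that lives only in a server
// environment variable, and are opened only at the moment of a server-side API call.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const KEY_ENV = "TOKEN_ENC_KEY"; // assumed variable name: base64 of 32 random bytes

// Resolve the 256-bit key from the environment. Fail closed on a missing or wrong-sized key
// rather than falling back to a default; the key is never read from the database.
function loadKey(env: Record<string, string | undefined> = process.env): Buffer {
  const raw = env[KEY_ENV];
  if (!raw) throw new Error(`${KEY_ENV} is not set`);
  const key = Buffer.from(raw, "base64");
  if (key.length !== 32) throw new Error(`${KEY_ENV} must decode to exactly 32 bytes`);
  return key;
}

// Seal a token for storage. The stored record is "v1.<iv>.<tag>.<ciphertext>" (base64 fields);
// a fresh 96-bit IV per call keeps GCM secure, and the AAD binds the record to its purpose.
function sealToken(plain: string, key: Buffer, aad = "oauth-token"): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return ["v1", iv.toString("base64"), tag.toString("base64"), ct.toString("base64")].join(".");
}

// Open a stored record; this should happen only inside the handler that makes the
// upstream API call. Any modification of IV, tag, ciphertext or AAD fails the tag check.
function openToken(record: string, key: Buffer, aad = "oauth-token"): string {
  const [version, ivB64, tagB64, ctB64] = record.split(".");
  if (version !== "v1") throw new Error("unknown token record version");
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivB64, "base64"));
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(Buffer.from(tagB64, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(ctB64, "base64")), decipher.final()]);
  return pt.toString("utf8");
}

// True when a record is rejected; shows that a tampered record never yields a token.
function isRejected(record: string, key: Buffer, aad = "oauth-token"): boolean {
  try { openToken(record, key, aad); return false; } catch { return true; }
}
```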

10 Amendments

Any material change will be indicated on this page via the update date and, where possible, notified to active users. The current version is always accessible at this URL.

Current version: 1.3, updated 21 May 2026.