Privacy Policy

For the purposes of applicable data protection legislation, the data fiduciary (under the DPDPA) and data controller (under the GDPR and UK GDPR) in respect of all personal data collected and processed through the Platform is Narion Research Technologies. All references to "Narion," "we," "us," or "our" in this Policy refer to the individual Proprietor operating under the trade name "Narion Research Technologies." Narion is not a company, corporation, or registered legal entity, and all data protection obligations described in this Policy are the direct obligations of the individual Proprietor in their personal capacity.

This Policy applies to all personal data and related information collected, received, or generated in connection with:

• Access to and use of the Platform through web-based, mobile-based, or API-based interfaces;
• Account registration, subscription activation, and account management;
• Communications between the User and Narion, including support requests, feedback, inquiries, and automated notifications;
• Use of third-party integrations or external services accessed through the Platform;
• Participation in research, beta programs, surveys, or other Platform-related activities conducted or facilitated by Narion.

This Policy does not apply to third-party websites, applications, or services that may be linked to from the Platform. Narion exercises no control over the data practices of such third parties, and Users are encouraged to review their policies independently.

This Policy is an integral part of and must be read alongside Narion's Terms of Service. In the event of any conflict between this Policy and the Terms of Service regarding data protection or privacy matters, this Policy shall govern to the extent of such conflict.

Narion is committed to the lawful, fair, and transparent processing of personal data in compliance with all applicable data protection and privacy laws. The regulatory framework governing Narion's data processing activities includes:

Where the requirements of two or more applicable data protection frameworks differ in respect of a particular processing activity, Narion shall apply the more stringent standard unless doing so would conflict with a mandatory provision of higher-priority applicable law. This commitment reflects Narion's policy of universal respect for individuals' fundamental privacy rights, irrespective of jurisdiction.

Under the DPDPA, Narion acts as a "Data Fiduciary" in respect of personal data of Indian data principals. Under the GDPR and UK GDPR, Narion acts as a "Data Controller." In either capacity, Narion determines the purposes and means of processing personal data. Where Narion engages third-party service providers to process personal data on its behalf, such providers act as Data Processors, and Narion shall ensure through appropriate contractual arrangements that they process data only in accordance with Narion's documented instructions, applicable law, and the commitments set out in this Policy.

In accordance with applicable data protection principles, Narion has embedded data protection considerations into the design, architecture, and operational procedures of the Platform. By default, only personal data strictly necessary for each specific processing purpose is collected, processed, stored, and retained. Narion continually reviews its data collection practices to identify and eliminate any collection of personal data that exceeds what is necessary for defined and legitimate purposes.

For the purposes of this Policy, defined terms include: "Personal Data" meaning any information that identifies or can identify a natural person; "Data Principal" / "Data Subject" meaning the individual to whom personal data relates; "Processing" meaning any operation performed on personal data; "Data Fiduciary" / "Data Controller" meaning the entity that determines the purposes and means of processing; "Data Processor" meaning a party processing data on the Data Controller's behalf; "Data Breach" meaning a security incident resulting in unauthorized access, disclosure, alteration, or loss of personal data; "Consent" meaning freely given, specific, informed, and unambiguous agreement to processing; and "Sensitive Personal Data" meaning personal data designated as requiring heightened protection under applicable law.

In this Policy: references to the singular include the plural and vice versa; references to any statute include any subsequent amendment or re-enactment; headings are for convenience only; "including" means "including without limitation"; "days" means calendar days unless specified as "business days"; and references to writing include electronic communications where appropriate.

Narion collects only such personal data as is adequate, relevant, and strictly limited to what is necessary in relation to each specified purpose of processing. Narion does not collect personal data speculatively, in anticipation of possible future uses, or beyond what is demonstrably required for defined, legitimate, and disclosed purposes.

When a User registers for an account, Narion collects:

• Full name or professional name as provided during registration;
• Primary email address, serving as the principal account identifier and communication channel;
• Organisation or company name, where the User represents an enterprise subscriber;
• Country or region of residence or operation, as provided during registration or inferred from billing or usage data;
• Preferred language and regional settings relevant to service delivery.

Narion does not require, and Users should not voluntarily provide, any government-issued identification numbers, national identity numbers, social security numbers, or similar official identification documents during standard registration.

To enable secure account access, Narion collects and maintains:

• Password hash only: Narion stores only a cryptographically hashed and salted version of the User's password, computed using a memory-hard hashing algorithm (bcrypt or Argon2). Narion never stores passwords in plaintext;
• API keys and authentication tokens issued for programmatic access;
• Multi-factor authentication enrollment data and device trust records, where activated;
• Login timestamps, session identifiers, and IP addresses associated with authentication events, retained for security audit and anomaly detection.

In connection with subscription management, Narion collects subscription tier, billing cycle, billing address, transaction identifiers, payment reference numbers, and records of payment outcomes. Narion expressly does not collect or store full payment card numbers, CVV/CVC, bank account numbers, or any other primary financial credentials. All sensitive payment data is processed exclusively by third-party payment processors under PCI DSS compliance. Narion receives only tokenized payment references and transaction status data.

When the User interacts with the Platform, Narion automatically collects:

• IP address and derived approximate geolocation data (country or city level), used for security, fraud prevention, and regional service configuration;
• Device information: device type, hardware model, operating system name and version, browser type and version;
• Session data: URLs of pages visited, referrer URL, session start and end timestamps, session duration, pages viewed, and navigation sequence;
• User interaction data: clicks, scrolls, in-Platform search queries, and feature utilization patterns;
• API access logs: endpoint accessed, request timestamps, request volumes, HTTP response codes, and error messages;
• System performance metrics: page load times, API response latencies, and error rates.

When the User communicates with Narion, Narion collects the full content of all communications, contact information provided, support ticket identifiers and case notes, and recordings or transcripts of live support sessions where such functionality is offered and the User has been notified.

For the avoidance of doubt, Narion does not collect, and has no legitimate purpose for collecting, any of the following:

• Genetic or biometric data;
• Health, medical, or clinical information;
• Religious beliefs, political opinions, or trade union membership;
• Criminal conviction or offence history;
• Racial or ethnic origin (except as incidentally reflected in regional settings);
• Full government-issued identification documents, except where specifically required for identity verification under institutional subscription arrangements.

If a User inadvertently submits data in any of the above categories, Narion will delete such data promptly upon identification and will not process it for any purpose.

Narion processes personal data strictly for specified, explicit, and legitimate purposes and does not process personal data in a manner incompatible with those purposes. Each processing activity is associated with a defined and independently justifiable legal basis.

Narion does not use personal data for any purpose incompatible with the purposes described in this Article. Where Narion intends to process personal data for a new purpose not listed herein, Narion shall assess compatibility, identify a lawful basis, and notify Users through the Policy update process in Article XV before such processing commences.

Under the SPDI Rules, 2011, sensitive personal data includes financial information including bank and card credentials; passwords and authentication secrets; biometric data; health or medical information; sexual orientation; and any other category so designated by applicable legislation. Narion processes two of these categories in limited circumstances: (a) hashed authentication credentials; and (b) billing reference data received from third-party payment processors.

In respect of any sensitive personal data processed by Narion, the following heightened obligations apply:

• Collection only with explicit, informed, prior consent of the User, except where required by law;
• Use solely for the purpose for which it was collected, without secondary use or disclosure except as required by law or with fresh explicit consent;
• No disclosure to third parties without explicit consent, save for payment processors under binding confidentiality and security agreements;
• Provision to the User of clear information about the type of sensitive data collected, the purpose, and the intended recipients before collection;
• Implementation of security practices as prescribed under the SPDI Rules, including adherence to ISO/IEC 27001 or equivalent security standards.

Narion does not process any special categories of personal data as defined in Article 9 of the GDPR (including health data, genetic data, biometric data used for unique identification, data concerning racial or ethnic origin, political opinions, religious beliefs, trade union membership, or sexual orientation) in connection with the Platform. Where any such data is inadvertently received, Narion will delete it promptly without further processing.

Narion may disclose personal data to carefully selected third-party service providers engaged to perform specific functions necessary for the Platform's operation:

• Cloud Infrastructure Providers: Providers of server hosting, data storage, content delivery, and related infrastructure. Contractually prohibited from accessing or using the data for any other purpose;
• Payment Processors: Including Razorpay, Stripe, Lemon Squeezy, PayU, and Cashfree. Receive billing details and transaction data strictly under their own terms, privacy policies, and PCI DSS obligations;
• Analytics and Monitoring Providers: Providers of application performance monitoring tools, who receive anonymized or pseudonymized technical usage data only;
• Email and Communication Service Providers: Providers of transactional email delivery services used to route service notifications and support communications;
• Security Service Providers: Providers of security scanning, vulnerability assessment, and threat intelligence services.

Narion shall ensure through appropriate data processing agreements that all Processors: (a) process personal data only on Narion's documented instructions; (b) implement appropriate technical and organisational security measures; (c) do not engage sub-processors without Narion's prior written authorisation; (d) cooperate with Narion in fulfilling Data Principal rights obligations; and (e) delete or return personal data at the end of the engagement.

Narion may disclose personal data to governmental authorities, law enforcement, regulatory bodies, or courts where legally required. To the extent permitted by law, Narion will endeavor to notify affected Users of any such disclosure request before complying. Narion will disclose the minimum amount of personal data strictly necessary to fulfill the legal obligation.

In the event of a transfer of Narion's business, trade name, or assets to a successor, personal data may form part of the transferred assets. Narion shall provide Users with advance notice, ensure the transferee is bound by equivalent data protection obligations, and, where required by applicable law, seek Users' consent prior to transfer.

Narion may share genuinely anonymized and aggregated data with third parties for academic research, industry analysis, or platform capability demonstration purposes, provided that such sharing cannot reasonably be used to re-identify any individual User.

Narion operates from India and processes personal data primarily within India. However, the nature of the Platform's global infrastructure and service providers may require that personal data be transferred to, stored in, or accessed from jurisdictions outside India. Such transfers may arise where cloud infrastructure is hosted in overseas data centres, third-party service providers operate processing facilities outside India, or Users access the Platform from jurisdictions outside India.

Where personal data is transferred to a jurisdiction that does not provide equivalent data protection, Narion shall implement one or more of the following safeguards:

• Standard Contractual Clauses (SCCs): Data processing agreements incorporating contractual clauses approved by the European Commission or analogous instruments recognized under Indian law;
• Adequacy Determinations: Reliance on formal adequacy decisions by the Government of India or other relevant regulatory authorities;
• Technical Safeguards: Application of end-to-end encryption, key management practices, and access controls ensuring that transferred data remains protected in transit and at rest;
• Processor Agreements: Binding contractual obligations on overseas processors to process data only on Narion's instructions and in accordance with applicable law.

By registering for and using the Platform, the User acknowledges and, where consent constitutes the applicable legal basis, consents to the international transfer and processing of their personal data as described in this Article. Users who do not wish their data to be transferred internationally should discontinue use of the Platform and request deletion of their data in accordance with Article XI.

Where Narion processes personal data of EEA data subjects and such data is transferred outside the EEA, Narion shall ensure compliance with Chapter V of the GDPR, relying on adequacy decisions, standard contractual clauses, or other valid transfer mechanisms as applicable. Narion shall maintain records of all such transfers and the safeguards applied.

Narion retains personal data for no longer than is necessary for the purposes for which it was collected, or for such longer period as is required or permitted under applicable law. Retention periods are determined by reference to the purposes of processing, applicable legal obligations, and legitimate interests in maintaining records for audit and dispute resolution.

Upon expiry of the applicable retention period, personal data shall be subject to secure deletion using industry-standard data destruction methods appropriate to the storage medium, or to effective anonymization rendering re-identification not reasonably practicable.

Notwithstanding the above, Narion may retain personal data beyond standard periods where required for Legal Hold purposes, including ongoing or anticipated legal proceedings or regulatory investigations, court orders or regulatory directions requiring preservation, or mandatory minimum retention periods under applicable law.

Narion implements a comprehensive set of technical, organisational, and procedural security measures designed to protect personal data against unauthorized access, disclosure, alteration, destruction, loss, and all other forms of unlawful or unauthorized processing. Narion's security practices are informed by internationally recognized standards including ISO/IEC 27001 and the security requirements prescribed under the SPDI Rules and the DPDPA.

• Encryption in Transit: All personal data transmitted between the User's device and the Platform is encrypted using Transport Layer Security (TLS) protocol version 1.2 or higher;
• Encryption at Rest: Personal data stored in Narion's databases and storage systems is encrypted using industry-standard symmetric encryption (AES-256 or equivalent);
• Password Security: User passwords are stored exclusively as salted cryptographic hashes computed using a memory-hard hashing algorithm (bcrypt, Argon2, or equivalent);
• Role-Based Access Controls: Access to personal data and production systems is governed by least-privilege principles. Privileged access requires multi-factor authentication;
• Audit Logging: Comprehensive audit logs of access to personal data and production systems are maintained;
• Vulnerability Management: Regular vulnerability assessments and security reviews of the Platform's infrastructure and codebase, with timely remediation of identified vulnerabilities;
• Data Isolation: User data is logically segregated within Narion's infrastructure to prevent unauthorized cross-user access.

No information security system is impenetrable, and the transmission of data over the internet carries inherent and unavoidable risks. Narion does not guarantee absolute security of personal data and cannot warrant that unauthorized third parties will never succeed in defeating Narion's security measures.

In the event that Narion becomes aware of a Data Breach affecting Users' personal data, Narion shall immediately take steps to contain the breach; conduct a prompt internal investigation; submit required regulatory notifications within prescribed timeframes (72 hours under GDPR); notify affected Users where a breach poses significant risk; and implement appropriate measures to prevent recurrence.

Users who suspect their account or personal data may have been compromised should contact Narion immediately at privacy@narionresearch.com.

Depending on the User's jurisdiction, the User may be entitled to exercise one or more of the rights described in this Article. Narion is committed to facilitating the exercise of these rights in a transparent, timely, and non-discriminatory manner. Narion shall not penalise, disadvantage, or treat unfavorably any User solely because they have exercised a right to which they are entitled under applicable law.

The User has the right to request confirmation as to whether personal data concerning them is being processed by Narion and, where it is, to receive a copy of that data together with the purposes of processing, the categories of data involved, the recipients or categories of recipients, the anticipated retention period, and any other information required under applicable law. Narion shall provide the requested information free of charge within thirty (30) days of receipt of a valid, verified request.

The User has the right to request the correction of any inaccurate or incomplete personal data held by Narion. Certain categories of data may be corrected directly through the account management interface. For other categories, correction requests should be submitted to Narion through the contact details in Article XVI.

The User has the right to request deletion of their personal data where: the data is no longer necessary for its original purpose; the User withdraws consent and no other legal basis applies; the User objects and no overriding legitimate grounds exist; the data has been processed unlawfully; or erasure is required by applicable law.

The User may request that Narion restrict processing of their personal data to storage only, pending resolution of a dispute, where the accuracy of the data is contested; processing is unlawful but the User prefers restriction to erasure; Narion no longer requires the data but the User needs it for legal claims; or the User has objected and Narion's legitimate grounds assessment is pending.

Where processing is based on consent or contractual necessity and is carried out by automated means, the User has the right to receive the personal data they have provided to Narion in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit it to another controller where technically feasible.

The User has the right to object at any time to processing of their personal data where such processing is based on Narion's legitimate interests. The User's right to object to processing for direct marketing purposes is absolute and unconditional. Where processing is based on the User's consent, the User may withdraw that consent at any time without affecting the lawfulness of prior processing.

• The right to receive a summary of personal data being processed and the processing activities;
• The right to correction and erasure of inaccurate, incomplete, or no-longer-necessary personal data;
• The right to obtain a summary of all third parties with whom personal data has been shared;
• The right to grievance redressal through a defined complaints procedure with the Grievance Officer;
• The right to nominate another individual to exercise these rights in the event of the data principal's death or incapacity.

• Right to know: To request disclosure of categories and specific pieces of personal information collected, sources, business purposes, and third-party recipients;
• Right to deletion: To request deletion of personal information, subject to certain exceptions;
• Right to correct: To request correction of inaccurate personal information;
• Right to opt out of sale or sharing: Narion does not sell or share personal data; this right is therefore not triggered by Narion's practices;
• Right to non-discrimination: Narion shall not discriminate against Users for exercising their CCPA/CPRA rights.

To exercise any of the rights described in this Article, the User should submit a written request to:

• Privacy Email: privacy@narionresearch.com (Subject line: "Data Rights Request — [Type of Right]");
• Legal Email: legal@narionresearch.com (for complex or dispute-related requests);
• Grievance Portal: as provided on Narion's website.

Narion shall respond to all valid rights requests within thirty (30) calendar days of receipt and verification of identity. Narion will not charge a fee for rights requests except where requests are manifestly unfounded, repetitive, or excessive.

Cookies are small text files placed on a User's device by a website, enabling recognition of the device and storage of session, preference, or activity data. In addition to cookies, Narion may employ related tracking technologies including web beacons, local storage objects, and session tokens. All such technologies are subject to the principles and controls described in this Article.

Narion does not use, and expressly prohibits on the Platform:

• Advertising or targeting cookies used to serve personalized advertisements based on cross-site browsing behavior;
• Third-party social media tracking pixels that report User activity to social media platforms;
• Fingerprinting scripts or supercookies designed to re-identify Users who have cleared standard cookies.

Where applicable law requires prior consent before placing non-essential cookies, Narion shall present Users with a clear and informative consent interface on their first visit. Users may accept all categories, accept only strictly necessary cookies, or customize their preferences by category. Users retain the ability to control cookies through browser settings. Narion respects browser-level "Do Not Track" signals where technically feasible.

The Platform is designed, developed, and intended exclusively for use by adults who have attained the age of majority in their jurisdiction, and in no event by persons under the age of eighteen (18) years. Narion does not direct the Platform's features, marketing, or outreach toward individuals under the age of eighteen.

Narion does not knowingly collect, solicit, process, store, or retain personal data from any individual under the age of eighteen (18) years. Where Narion discovers or is notified that personal data has been collected from a minor without verifiable parental or guardian consent, Narion shall promptly delete the minor's personal data from all systems, terminate the minor's account, and investigate and implement measures to prevent recurrence.

If a parent or guardian becomes aware that their minor child has provided personal data to Narion without proper authorization, they should contact Narion immediately at privacy@narionresearch.com. Narion shall treat such requests with priority and respond within five (5) business days.

The Platform may contain hyperlinks to external websites, applications, or services operated by third parties not affiliated with Narion. Such links are provided for User convenience only. Narion has no control over the content, privacy practices, data processing activities, or security measures of any third-party website or service, and expressly disclaims all responsibility and liability for the privacy practices of such third parties. Users are strongly encouraged to review the privacy policy and terms of service of any third-party website they visit before providing personal data.

Where the Platform integrates with or connects to third-party platforms, data sources, or analytical tools, such integrations may involve the transfer of technical data to the relevant third-party service. Privacy practices applicable to such integrations are governed by the third party's own privacy policies. The User is solely responsible for reviewing and accepting the terms and privacy policies of any third-party service they use in connection with the Platform.

Narion reserves the right to amend, modify, supplement, or replace this Privacy Policy at any time, at its sole discretion, to reflect changes in applicable law, regulatory guidance, Platform functionalities, or Narion's data processing practices. All modifications shall be effective from the date of publication on Narion's official website, unless a later effective date is specified.

Where a proposed modification constitutes a material change to this Policy, Narion shall provide advance notice as follows:

• Email notification to the registered account email address, sent not less than fourteen (14) calendar days before the modified Policy takes effect, describing the nature of the material changes in plain and accessible language;
• Prominent notice on the Platform dashboard or home page, displayed throughout the notice period;
• Where required by applicable law, an affirmative opt-in or re-consent mechanism prior to continued processing under the modified Policy.

Where the User continues to access or use the Platform following publication of a modified Policy without objecting, such continued use constitutes acceptance of the modified Policy. Users who object to a material modification may exercise their right to request deletion of their personal data and terminate their account in accordance with Article XI and the Terms of Service.

Narion maintains an archive of previous versions of this Policy, available upon request to any User wishing to review the historical development of Narion's privacy practices. Requests should be directed to privacy@narionresearch.com.

In accordance with the Information Technology Act, 2000, the SPDI Rules, 2011, and the Digital Personal Data Protection Act, 2023, Narion has designated a Grievance Officer responsible for receiving, addressing, and resolving all complaints, queries, and data-related concerns from Users. The Grievance Officer shall acknowledge all complaints within 48 hours and endeavor to resolve them within 30 days of receipt.

Users who believe that Narion's processing of their personal data violates applicable data protection law retain the right to lodge a complaint with the competent supervisory authority in their jurisdiction. Relevant supervisory authorities include:

• India (DPDPA): The Data Protection Board of India, once constituted pursuant to the DPDPA's implementing regulations;
• European Union (GDPR): The data protection supervisory authority of the EU member state in which the User resides or works;
• United Kingdom (UK GDPR): The Information Commissioner's Office (ICO) — www.ico.org.uk
• California, USA (CCPA/CPRA): The California Privacy Protection Agency (CPPA) — cppa.ca.gov