Privacy Policy
Responsible in the sense of the data protection laws
Narrafix
Owner: Christopher Kling
Mainzer Str. 74
64293 Darmstadt
Darmstadt, Germany
E-Mail: info@narrafix.audio
General Information
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you visit our website or use our services, various personal data is collected. Personal data is data that can be used to identify you personally.
This privacy policy explains what data we collect, what we use it for and for what purpose. It also explains how and for what purpose this is done.
1. Data Collection on our Website
a) Type of Data Processed
In particular, we process the following personal data if you provide it to us when using our services:
- Contact details (name, e-mail address, address if applicable)
- Payment information (in the context of payment processing)
- Project data (e.g. project title)
- Uploaded audio files (as part of the service offered)
Processing is carried out for the purpose of providing our services, managing your user account, processing payments and communicating with customers.
b) Legal Bases of the Processing
The processing of your personal data is based on the following legal bases:
- Art. 6 Para. 1 lit. b GDPR (fulfillment of contract): For the provision of our service, fulfillment of the user agreement and for payment processing.
- Art. 6 Para. 1 lit. a GDPR (consent): Insofar as you have given us your consent, e.g. for the setting of cookies that are not technically necessary (analysis services).
2. Hosting and Data Transfer
a) Hosting with Supabase
We host our services with an external service provider (Supabase). Personal data may be stored and processed on its servers. Supabase is used for the secure and efficient provision of our online services (legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR). We have concluded corresponding order processing contracts with Supabase to ensure the protection of your data. Supabase is SOC2 type 2 compliant. This is an important security guideline for handling sensitive customer data. The infrastructure, policies and procedures are also designed to meet industry-standard compliance and regulatory frameworks, including SOC-2 Type 2, HIPAA, GDPR and more. All customer data is encrypted at rest with AES-256 and in transit with TLS. Sensitive information such as access tokens and keys are encrypted at the application level before being stored in the database.
b) Transfer of Audio Files to External Service Providers
In order to provide our core service (editing of audio recordings), uploaded audio files are transmitted to specialized external processing services. The processing takes place exclusively in order to provide the service you have commissioned (editing of audio recordings) (Art. 6 para. 1 lit. b GDPR). Agreements are in place with these service providers that guarantee an appropriate level of data protection. We ensure that this service provider acts in compliance with the GDPR and takes appropriate technical and organizational measures to protect your data. The infrastructure, policies and procedures are also designed to meet industry-standard compliance and regulatory frameworks, including SOC-2 Type 2, HIPAA, PCI DSS, GDPR, CCPA and all applicable local government and legal requirements. Furthermore, MFA, RBAC and VPNs are used to regulate and secure all employee access to data systems. All data is encrypted in process and at rest with industry-standard encryption, including TLS 1.3 and AES-256.
c) Exclusion of the Use of Data for AI Training
Furthermore, all parties and external service providers generally exclude the use of the data provided for the development or training of generative AI applications or machine learning. Corresponding agreements have been concluded with all affiliated external service providers.
d) Payment Processing via Stripe
We use the payment service provider Stripe to process payments. The provider within the EU is Stripe Payments Europe, Ltd, Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Stripe may process data such as name, address, email address and payment information (e.g. credit card details) as part of payment processing.
According to its own statements, Stripe is GDPR-compliant and implements suitable technical and organizational measures to protect personal data. Further information on data protection at Stripe can be found at: https://stripe.com/de/privacy.
Processing via Stripe is based on Art. 6 para. 1 lit. b GDPR (fulfillment of contract) and, if necessary, on legitimate interests in secure and efficient payment processing in accordance with Art. 6 para. 1 lit. f GDPR.
e) Data Transfer to Third Countries
If external service providers process personal data outside the European Economic Area (EEA), this will only take place if an adequate level of data protection is guaranteed. This can be achieved, for example, by concluding standard contractual clauses with the service providers.
3. Cookies and Analysis Tools
a) Cookies
Our website uses cookies. These are small text files that are stored on your end device. Some cookies are technically necessary to ensure the basic functions of the website.
Insofar as we use other (non-technically necessary) cookies, this is only done on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can give or refuse your consent via our cookie banner. You can also delete or block cookies at any time in your browser settings.
b) Google Analytics
We use Google Analytics, a web analysis service of Google Ireland Limited, on the basis of your consent (Art. 6 para. 1 lit. a GDPR). Google Analytics uses cookies to analyze your use of the website. The information generated about your use of this website is usually transmitted to a Google server and stored there.
We use Google Analytics to constantly improve our website and make it more user-friendly. You can revoke your consent at any time with effect for the future by adjusting the cookie settings.
Further information on data protection at Google can be found at: https://policies.google.com/privacy.
4. Storage Period and Deletion
We only store your personal data for as long as is necessary for the above-mentioned purposes. There is no automatic deletion on our part. However, you have the option of requesting the deletion of your data at any time (see Rights of data subjects). As soon as your user relationship ends and there are no legal retention periods to the contrary, your data will be deleted at your request.
5. Rights of Data Subjects
You have the following rights in particular within the framework of the applicable data protection regulations:
- Information about your personal data stored by us (Art. 15 GDPR)
- Correction of incorrect data (Art. 16 GDPR)
- Deletion of your personal data (Art. 17 GDPR), provided that there are no statutory retention obligations to the contrary
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to the processing of your data (Art. 21 GDPR), provided that the processing is based on our legitimate interests
- Withdrawal of your consent (Art. 7 (3) GDPR) with effect for the future, if the processing is based on consent
To assert these rights, please contact:
E-mail: info@narrafix.audio
You also have the right to lodge a complaint with a competent data protection supervisory authority if you believe that your personal data is being processed unlawfully.
6. No Automated Decision-Making
Automated decision-making or profiling within the meaning of Art. 22 GDPR does not take place.
7. Safety
We take appropriate technical and organizational measures to protect your data from loss, misuse, unauthorized access or disclosure.
8. Amendment of this Privacy Policy
We reserve the right to amend this privacy policy from time to time in order to always comply with current legal requirements or to implement changes to our services in the privacy policy. The current privacy policy will then apply to your next visit.
Status: 13.12.2024