Privacy Policy

Last updated: June 2026

This policy explains what personal data Natterio collects, why, and what your rights are under UK GDPR and the UK Data Protection Act 2018.

Who we are

Natterio is operated at natterio.com. We are in the process of registering with the Information Commissioner's Office (ICO) as required.

Two layers of data processing

Natterio operates two distinct roles depending on whose data is involved:

• Data we collect from you (the community owner): When you sign up and manage your account on natterio.com, Natterio is the data controller. This policy covers that data.
• Data collected by your community site: When your community members interact with the site you build on Natterio, you (the community owner) are the data controller for their personal data. Natterio acts as your data processor under Article 28 UK GDPR. You are responsible for having a lawful basis for processing your members' data and for maintaining your own privacy policy for your community site.

If you are a community owner looking for guidance on your members' data obligations, contact us at privacy@natterio.com.

What data we collect and why

Account and sign-in

If you sign in, we collect your email address and store a session record. We use this solely to authenticate you. We do not send marketing emails. The legal basis is the performance of a contract (providing you access to member features you have requested).

Server logs

Like all web servers, our hosting provider (Cloudflare) automatically records standard access logs (IP address, browser type, pages visited, timestamps). These are retained for up to 30 days for security and diagnostic purposes. The legal basis is legitimate interests.

Billing

If you subscribe to a paid plan, Stripe processes your payment. We store your Stripe customer and subscription identifiers and your plan status, but never your full card number. The legal basis is performance of a contract.

Consent records

When you create an account or import a site, we record that you accepted our terms — including the wording you agreed to, a timestamp, and the IP address and browser the request came from. We keep this as proof of consent. The legal basis is compliance with a legal obligation and our legitimate interest in maintaining accurate records.

Analytics

We collect basic first-party analytics — anonymous events such as page views, sign-ups, and feature usage — to understand how the platform is used and improve it. These events do not include your name or email and are not shared with any third-party analytics service. We do not use advertising or cross-site tracking cookies. The legal basis is legitimate interests.

Cookies

We use a single session cookie (authjs.session-token) if you sign in. This is a strictly necessary cookie and does not require your consent. We do not use advertising, analytics, or tracking cookies.

Who we share data with

We use a small number of trusted providers to run the service. We never sell, rent, or share your data for marketing purposes. Our sub-processors are:

• Neon — database hosting (EU region), where your account data is stored.
• Cloudflare — hosting, content delivery, and security; processes request metadata (including IP addresses) to serve and protect the site.
• Resend — email delivery, used solely to send you sign-in links.
• Stripe — payment processing for paid plans. Your card details are entered directly with Stripe and are never stored on our systems; we receive only a token and your billing status.
• Anthropic — AI generation. When you use the site builder, the details you enter (such as your community name and description) are sent to Anthropic to generate your site. Your inputs are not used to train their models.

How long we keep your data

Account data is kept for as long as you have an account. If you request deletion, we will erase your account and associated data within 30 days. Server logs are deleted after 30 days.

Your rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data (“right to be forgotten”)
• Portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent

To exercise any of these rights, email us at privacy@natterio.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the ICO at ico.org.uk.

Security

We use HTTPS for all data in transit. Our database provider encrypts data at rest. We use passwordless authentication (magic links) so no passwords are ever stored. We review security practices regularly.

Changes to this policy

We will update this page if our practices change. Continued use of the site after a change constitutes acceptance of the updated policy.

This policy is provided for transparency. It is not professional legal advice. If you have questions, contact us at privacy@natterio.com.