Privacy Policy

Effective date: March 7, 2026 · Last updated: March 7, 2026

This policy describes how Davide Petrilio processes your personal data in connection with the Nari Chrome extension, in accordance with the EU General Data Protection Regulation (GDPR).

1. Data controller

The data controller is:

Davide Petrilio

davide@aevra.co

2. What data we collect and why

We only collect data that is necessary to provide the service.

Data

Purpose

Legal basis (GDPR Art. 6)

Email address, hashed password

Account creation and authentication

Performance of a contract (Art. 6(1)(b))

Recorded workflows: page URLs, clicks, form inputs, navigation events

Core functionality: saving and replaying your workflows

Performance of a contract (Art. 6(1)(b))

Workflow metadata: names, timestamps, notes

Organising and displaying your saved workflows

Performance of a contract (Art. 6(1)(b))

Workflow data sent to Google Gemini (AI feature, optional)

Generating AI-assisted guidance when you explicitly activate the feature

Consent (Art. 6(1)(a)) — opt-in only, withdrawable at any time

Recording only starts when you explicitly initiate it. We do not collect data passively or in the background.

3. AI features

When you activate the optional AI feature, relevant workflow data is forwarded through our server to Google Gemini. Our server acts solely as a proxy — no data is logged or stored on it. The transmission is encrypted in transit. This processing is based on your explicit consent, which you can withdraw at any time by disabling the feature.

Google Gemini processes data subject to Google's privacy policy. When using the AI feature, data may be processed by Google on servers outside the EU. By activating the feature you acknowledge this transfer. We rely on Google's Standard Contractual Clauses as the transfer mechanism.

4. Data storage and security

All data is stored on Supabase in the EU (West Europe) region. Data is encrypted at rest and in transit (TLS). Access is restricted to your authenticated account. Supabase processes data under a Data Processing Agreement in compliance with GDPR.

5. Data retention

Your data is retained for as long as your account remains active. You can delete individual workflows at any time from within the extension. To delete your entire account and all associated data, contact us at davide@aevra.co — we will process the request within 30 days.

6. Your rights under GDPR

As a data subject in the EU, you have the following rights:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — ask us to delete your data ("right to be forgotten").
Portability — receive your data in a structured, machine-readable format.
Restriction — ask us to limit how we process your data in certain circumstances.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent (AI feature), withdraw it at any time without affecting prior processing.

To exercise any of these rights, email davide@aevra.co. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (e.g. the Italian Garante or the authority in your country of residence).

7. Third-party processors

Supabase — database and authentication, EU region. Privacy policy.
Google Gemini — AI processing, opt-in only. Privacy policy.

We do not share your data with any other third parties, and we do not sell your data.

8. Children

Nari is not directed at children under 16 (or the applicable age in your EU member state). We do not knowingly collect data from minors.

9. Changes to this policy

We may update this policy as the product evolves. We will notify you by email if changes are material. The "last updated" date at the top reflects the most recent revision.

Davide Petrilio · davide@aevra.co

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at davide@aevra.co.