Privacy

Privacy policy

Last updated: 20 April 2026

This policy explains what data Natter collects, why we collect it, and what we do with it. We've written it in plain English because legal jargon is the enemy of trust.

Quick summary: We collect the brand, domain, keywords, and (optionally) email you submit, plus basic web analytics. We use this to run your AI citation check, email you the result if you asked, and improve the product. We do not sell your personal information. You can change your cookie choices or delete your data at any time.

Who we are

Natter ("we", "us", "our") is operated by Bright Digital Limited, registered in New Zealand. Contact: hello@natter.solutions.

What we collect

When you use the free AI citation check, you give us:

Your name or your brand name
Your website domain
Your approximate location (city and country)
Your target keywords
Your email address (optional)

When you pay for a full report, Stripe processes the payment. We receive the payment status and your email from Stripe but we never see or store your card details.

We also collect standard web analytics data: your IP address (hashed and truncated), browser type, the pages you view, the time you spend on each page, and which ad or link brought you to us. This is collected via Google Analytics 4 and Google Tag Manager, and only when you have given consent via our cookie banner.

Why we collect it

To run the citation check you asked for. Your brand, domain, keywords and location are sent to AI engine APIs (OpenAI, Anthropic, Google, Perplexity, SerpAPI) so we can query them on your behalf.
To email you the report. Only if you provided an email. Sent via Resend.
To process payment if you unlock a paid report (via Stripe).
To improve the product using aggregated, non-identifying analytics.
To let you opt in to marketing emails. If you do. We don't email you marketing unless you've opted in.

Who we share it with

We share the minimum necessary data with the following third parties, all of which have their own privacy policies:

OpenAI: brand and keywords are sent to query ChatGPT.
Anthropic: brand and keywords are sent to query Claude and to generate the gap analysis.
Google: for Gemini API queries, AI Overview lookups via SerpAPI, and Google Analytics.
Perplexity: for Perplexity API queries.
SerpAPI: to retrieve Google AI Overviews.
Resend: to deliver emails.
Stripe: to process payments.

We do not sell your personal information. In the narrower definition used by the California Consumer Privacy Act (CCPA/CPRA), some advertising cookies may qualify as "sharing" personal information with Google for cross-context behavioural advertising. You can disable these at any time via the cookie banner.

How long we keep it

Data type	Retention period
Your scan results and brand profile	24 months after your last scan, then deleted or anonymised
Payment records	7 years (required by accounting law)
Waitlist email	Until you unsubscribe, or 3 years of inactivity
Google Analytics data	14 months (GA4 default)
Support emails	2 years

You can ask us to delete your data at any time (see "Your rights" below).

Your California privacy rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights over your personal information.

Categories of personal information we collect

Category (CCPA terminology)	Examples	Source
Identifiers	Email address, IP address (hashed)	You, your browser
Commercial information	Payment history, subscription status	You, via Stripe
Internet activity	Pages viewed, referring URL, session duration	Your browser (only with consent)
Geolocation data	City and country (approximate, no precise GPS)	You (entered in form) or IP-based lookup
Inferences	Brand visibility score, competitor patterns	Derived from scan results

Your rights as a California resident

Right to know what personal information we collect, use, disclose, or sell
Right to delete personal information we've collected from you
Right to correct inaccurate personal information
Right to opt out of sale or sharing of your personal information for cross-context behavioural advertising
Right to limit use of sensitive personal information (we don't collect any)
Right to non-discrimination for exercising any of the above

How to exercise these rights

Email hello@natter.solutions with the subject line "California Privacy Request" and tell us which right you want to exercise. We will verify your identity by confirming the email matches an email in our records. We respond within 45 days.

Do Not Sell or Share My Personal Information

We do not sell personal information for money. However, advertising cookies on our site (Google Ads, Google Analytics) may constitute "sharing" under California's CPRA definition. You have two ways to opt out:

Click the button below to open the cookie preferences panel and disable Advertising cookies:
Use a browser that sends a Global Privacy Control (GPC) signal. Natter automatically respects GPC and disables advertising cookies for any visitor whose browser sends this signal.

Cookies we use

Cookie / technology	Purpose	Category	Duration
natter_consent (localStorage)	Stores your cookie consent choice	Essential	1 year
Scan session token (URL hash)	Lets you return to your scan results	Essential	Session
_ga, _ga_*	Google Analytics 4, distinguishes users and sessions	Analytics (optional)	Up to 13 months
_gcl_au	Google Ads conversion tracking	Advertising (optional)	90 days
NID, SID (via Google Ads)	Google advertising attribution	Advertising (optional)	Varies (see Google)

Analytics and Advertising cookies only load after you accept them via the cookie banner. You can change your choice at any time:

Your rights (all users)

Depending on where you live, you also have rights under GDPR (Europe/UK), the Privacy Act 2020 (New Zealand), the Privacy Act 1988 (Australia), and other state laws such as Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, Utah's UCPA, and Texas's TDPSA. These generally include:

The right to know what data we hold about you
The right to correct inaccurate data
The right to have your data deleted
The right to object to marketing
The right to data portability
The right to complain to a data protection regulator

Email hello@natter.solutions with the subject line "Data request" and we'll respond within 30 days.

International transfers

Natter is operated from New Zealand, but our third-party service providers are largely based in the United States. By using Natter, you acknowledge that your data will be processed in countries outside your own. Where applicable, we rely on the Standard Contractual Clauses or equivalent transfer mechanisms offered by each provider.

Children

Natter is not intended for users under the age of 16. We do not knowingly collect personal information from children. If you believe we have, email us and we will delete it.

Security

We take reasonable technical and organisational measures to protect your data: encryption in transit (HTTPS everywhere), access controls on our infrastructure, and regular review of third-party providers. No system is 100% secure, but we take this seriously.

Changes

If we materially change this policy, we'll email users we have email addresses for and update the "Last updated" date at the top. We won't use your data in materially new ways without giving you the chance to opt out.