Legal
Privacy policy
This Privacy Policy for Native AS ("Native," "Company," "we," "us," or "our") describes how and why we collect, store, use, and share ("process") your personal information when you use our services ("Services"), such as when you:
Visit our website at https://native.no or any website that links to this Policy
Use the Native platform to produce and publish content on social media
Engage with us in other ways, including sales, marketing, or events
Native is a B2B platform that helps businesses automate their social media content using artificial intelligence. We have customers in the United States, Norway, Sweden, Denmark, New Zealand, and a number of other countries, and this Policy is designed to comply with privacy laws across all jurisdictions where we operate — including the EU General Data Protection Regulation (GDPR), US state privacy laws, and the New Zealand Privacy Act 2020.
If you do not agree with our policies, please do not use the Services. For any questions, contact us at hei@native.no or via native.no/en/contact.
SUMMARY OF KEY POINTS
Introduction: Native values your privacy and is committed to protecting your personal information through transparent practices.
Information we collect: We collect information to deliver and improve the Services, including account information, payment data, content you create, usage data, and information from third-party integrations you connect.
How we use your information: We use your data to deliver, operate, and improve the Services, process payments, communicate with you, secure the platform, and meet legal obligations.
Use of AI: We use generative AI to produce content on behalf of our customers. We do not train AI models on your data, and our AI providers are contractually prohibited from using our inputs/outputs for training.
Legal bases: We process data based on contract, legitimate interest, consent, and legal obligations (GDPR Art. 6).
Sharing of personal information: We share data with service providers (processors) under data processing agreements, only when necessary to deliver the Services. We do not sell personal information.
Cookies: We use cookies based on consent for non-essential cookies, in compliance with applicable law (including the ePrivacy Directive in the EU and CCPA in California).
Social logins: When you log in with Google or other services, we receive basic profile data you have authorized.
Security: We implement technical and organizational safeguards in line with GDPR Art. 32 and US state law standards, including encryption, access control, and MFA.
Minors: Native does not knowingly collect data from individuals under 18, and complies with the Children's Online Privacy Protection Act (COPPA) for users under 13.
Your rights: You have the right to access, correct, delete, port, object, and withdraw consent. US, EU/EEA, and New Zealand users have specific additional rights described below.
Do-Not-Track and GPC: We do not currently respond to DNT signals due to the absence of an industry standard, but we honor Global Privacy Control (GPC) signals for California residents.
Jurisdiction-specific rights: We explicitly cover GDPR (EU/EEA), CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas), OCPA (Oregon), MCDPA (Montana), TIPA (Tennessee), and others, plus the New Zealand Privacy Act 2020.
Updates: We notify you of material changes by email or in the Services at least 30 days before they take effect.
Contact: hei@native.no or native.no/en/contact.
TABLE OF CONTENTS
Data controller and roles
Information we collect
How we use your information
Legal basis for processing
Use of artificial intelligence (AI)
Sharing of personal information
Cookies and tracking technologies
Social logins and platform integrations
How long we retain your information
Security
Minors
International data transfers
Your privacy rights
Do-Not-Track and Global Privacy Control
Jurisdiction-specific rights (US, EU/EEA, New Zealand, others)
Collection and use of Google user data
Collection and use of Canva user data
Updates to this Policy
How to contact us
How to review, update, or delete your data
1. Data controller and roles
Data controller for information about visitors to native.no, account holders, customer contacts, and leads is:
Native AS, registration no. 930 324 787 Behrens' gate 5, 0257 Oslo, Norway Email: hei@native.no Contact form: native.no/en/contact
Data processor: For personal information that our customers upload or publish through the Services (content, comments, follower information from connected social media, etc.), the customer is the data controller, and Native acts as a data processor under our Data Processing Addendum (DPA), available upon request.
This distinction follows GDPR Art. 4(7)–(8) and Art. 28 and is reflected in the "service provider" / "processor" definitions under CCPA/CPRA and other US state laws.
2. Information we collect
2.1 Information you voluntarily provide
Account and profile data: name, email, phone number, job title, employer, and password (stored as a hash).
Billing data: company name, billing address, registration number, and payment information. Card data is handled by Stripe — we do not store full card numbers.
User content: any content, feedback, comments, messages, or other information you create, edit, or publish through the Services.
Support inquiries and other communications with us.
2.2 Information collected automatically
Usage data: pages visited, features used, timestamps, and usage patterns.
Technical data: IP address, device type, browser type, operating system, language settings, and technical identifiers.
Location data: approximate geographic location based on IP address. We do not collect precise GPS location.
Logs and security data: event logs used for operations, troubleshooting, and security.
2.3 Information from third-party sources
Social media and connected services: when you log in with Google or connect Meta, LinkedIn, TikTok, X, Canva, Pexels, or other third parties, we receive profile information and tokens consistent with the permissions you grant.
Analytics platforms: aggregated data from PostHog, Meta Ads, and similar tools that help us understand how the Services are used.
Third-party data providers: we may receive supplemental information (e.g., firmographic B2B data) to verify business information.
2.4 Cookies and similar technologies
We use cookies and similar tracking technologies to improve the user experience, analyze engagement, and enable additional functionality. You can manage preferences via the cookie banner on native.no or through your browser. See Section 7.
2.5 Sensitive personal information
We do not knowingly collect special categories of personal information (GDPR Art. 9 / "sensitive personal information" under CCPA), such as ethnicity, religion, health information, biometric data, union membership, or sexual orientation. We encourage customers not to upload such content without a valid legal basis.
2.6 Information from minors
Native does not knowingly collect information from individuals under 18. See Section 11.
3. How we use your information
3.1 To deliver the Services and manage accounts
Create and manage user accounts and subscriptions.
Process payments and renew subscriptions.
Provide customer support and respond to inquiries.
3.2 To operate and improve the Services
Ensure stable operations and optimize performance.
Implement updates, improvements, and new features based on feedback and usage data.
Protect the platform, users, and data from threats and unauthorized access.
3.3 To produce content with AI
As described in Section 5, we use generative AI to produce text and images for our customers' social media. We process your data only for this purpose and do not share it with AI providers' training datasets.
3.4 To communicate with you
Send important updates and notifications about the Services.
Send marketing communications where permitted under applicable law (CAN-SPAM, GDPR Art. 6(1)(a)/(f), TCPA for SMS, etc.).
Request feedback and insights to improve the Services.
3.5 To comply with laws and regulations
Meet legal obligations, including bookkeeping requirements (Norwegian Bookkeeping Act § 13: 5-year retention).
Respond to lawful requests from authorities.
Enforce our terms and policies.
Protect the rights, property, and safety of Native, our users, and the public.
3.6 To analyze usage and develop the Services
Analyze aggregated/pseudonymized usage data to understand trends and user behavior.
Conduct research and development, including testing of new features.
3.7 No automated decisions with legal effect
We do not use AI or other tools to make decisions that have legal or similarly significant effects on individuals (GDPR Art. 22). We do not engage in profiling that produces legal effects under US state privacy laws.
4. Legal basis for processing
Purpose | Legal basis |
|---|---|
Delivering, operating, and improving the Services, including AI features | Contract, GDPR Art. 6(1)(b) |
Billing, accounting, and bookkeeping | Legal obligation, GDPR Art. 6(1)(c), Norwegian Bookkeeping Act § 13 |
Customer support and operational communication | Contract, GDPR Art. 6(1)(b) |
Security, abuse prevention, and operational stability | Legitimate interest, GDPR Art. 6(1)(f) |
Product development and analysis of aggregated/pseudonymized usage | Legitimate interest, GDPR Art. 6(1)(f) |
Marketing to existing B2B customers about similar services | Legitimate interest, GDPR Art. 6(1)(f) |
Marketing to other parties / newsletters | Consent, GDPR Art. 6(1)(a); CAN-SPAM compliance for US |
Cookies and similar technologies that are not strictly necessary | Consent (GDPR/ePrivacy); opt-out where required by US state laws |
Compliance with legal requirements and government orders | Legal obligation, GDPR Art. 6(1)(c) |
You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal (GDPR Art. 7(3)).
For US users, our processing is also justified by your purchase of, registration for, or use of the Services, and by our legitimate business interests as defined under applicable state privacy laws.
5. Use of artificial intelligence (AI)
Native uses generative AI to help customers produce content for social media. The following principles apply:
5.1 No model training on your data
Native does not use customer data, user data, or content to train or fine-tune AI models. We have contractually agreed with our AI providers (OpenAI, Anthropic, Google, xAI) that content sent through the Services will not be used for training.
5.2 AI providers as processors
OpenAI, Anthropic, Google (Gemini), and xAI process content temporarily to generate responses. Processing takes place either in the EU/EEA or in the US under EU Standard Contractual Clauses (SCC 2021/914) and/or the EU–US Data Privacy Framework. See Section 12.
5.3 Transparency about AI-generated content
Under the EU AI Act (Regulation (EU) 2024/1689) Art. 50, content that is artificially generated or manipulated must be identifiable as such. AI-generated content in Native is identifiable in our interface.
When you, as a customer, publish AI-generated content under your own editorial control on your social media channels, you act as the "deployer" and are responsible for evaluating whether disclosure is required — particularly if the content constitutes a deep fake or informs the public on matters of public interest (AI Act Art. 50(2) and (4)).
5.4 No automated decisions
We do not use AI to make decisions with legal or similarly significant effect (GDPR Art. 22; US state law profiling provisions).
5.5 Your responsibility for uploaded content
As a customer, you represent and warrant that you have all necessary rights (copyright, privacy, right of publicity, name and likeness rights) to all material you upload or ask the AI to process.
You may not use the Services to create or distribute unauthorized impersonations of identifiable persons, including celebrities, public figures, or any private individual. This includes prohibited deep fakes and likeness misuse under, among others:
New York Civil Rights Law §§ 50–51
California Civil Code § 3344
Tennessee ELVIS Act 2024 (Ensuring Likeness, Voice, and Image Security Act)
Other applicable state right-of-publicity statutes
Violations may result in immediate account suspension. Report violations to hei@native.no for prompt review and removal. See also our Terms of Service and Acceptable Use Policy.
5.6 Limitations on AI training
If your data — through consent or another legal basis — has been used to train AI models by a third party, such data cannot always be extracted or removed from the model retroactively. As described in 5.1, Native has contracts that prevent such training, so this should be a hypothetical scenario for our customers.
6. Sharing of personal information
We do not sell personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under CCPA/CPRA and other US state laws. We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months.
We share personal information with the following categories of recipients, always under a data processing agreement (GDPR Art. 28) where applicable:
6.1 Service providers (sub-processors / processors)
Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
Amazon Web Services (AWS) | Cloud storage and operations | EU/EEA | — |
Google Cloud (GCP) | Cloud services and infrastructure | EU/EEA | — |
Stripe | Payment processing | EU + US | DPF + SCC |
OpenAI | AI text and image generation | EU/US | DPF + SCC |
Anthropic | AI text generation | EU/US | DPF + SCC |
Google Gemini / Vertex AI | AI text and image generation | EU/EEA | — |
xAI | AI text generation | US | SCC |
Ayrshare | Publishing to social media APIs | US | DPF + SCC |
Firecrawl | Web scraping for AI context | US | SCC |
Canva | Importing design files chosen by the customer | EU/US | DPF + SCC |
Google Drive / Google Calendar | Customer-activated integrations | EU/US | DPF + SCC |
Slack | Internal communication and customer dialogue | EU/US | DPF + SCC |
PostHog | Product analytics | EU | — |
Pexels | Stock image library | EU/US | — |
An updated list of sub-processors is available on request, and material changes are notified to customers under our DPA.
6.2 Other recipients
Professional advisors: auditors, accountants, lawyers — subject to confidentiality.
Government authorities: where we have a legal obligation to disclose.
Business transfers: in the event of a merger, acquisition, or sale of assets, your information may be transferred to the buyer. We will notify you before processing is transferred, and the buyer must comply with practices consistent with this Policy.
Affiliates: if Native becomes part of a corporate group, information may be shared internally under equivalent protection.
Anonymized/aggregated data: may be shared without restriction for analytics, research, or marketing.
6.3 Categories of personal information disclosed (CCPA/CPRA)
For California residents, in the preceding 12 months we have disclosed the following categories of personal information for business purposes to the categories of recipients listed above:
Identifiers (name, email, IP address, account ID)
Customer records (billing details, contact information)
Commercial information (subscription history, transaction data)
Internet/electronic activity (usage logs, device information)
Geolocation data (approximate, IP-derived)
Professional/employment information (job title, employer)
Inferences (preferences, content engagement patterns)
We do not disclose sensitive personal information beyond what is necessary to provide the Services as requested by the user.
6.4 Social media platforms and joint controllership
When you connect accounts to Meta (Facebook/Instagram), LinkedIn, TikTok, X, or other platforms, those services process your information as independent controllers under their own terms. For certain analytics functions (e.g., Meta Page Insights), Native and the platform may be joint controllers under GDPR Art. 26. You can revoke access by disconnecting integrations in the app or by removing permission directly with the platform.
7. Cookies and tracking technologies
7.1 Types of cookies we use
Strictly necessary cookies: required for the Services to function (login, security, page loading). No consent required.
Functional cookies: remember preferences such as language and settings.
Analytics cookies: measure how the Services are used (PostHog, Google Analytics).
Marketing cookies: used for retargeting and targeted advertising (Meta Pixel, LinkedIn Insight Tag).
7.2 Consent and management
Use of non-essential cookies requires your consent in jurisdictions where this is required (EU/EEA under the ePrivacy Directive, UK PECR). For California residents, you may opt out of the sale or sharing of personal information through targeted advertising cookies via the cookie banner or by enabling Global Privacy Control (GPC) in your browser.
You can also block cookies in your browser settings, but please note that this may affect functionality.
7.3 Third-party analytics
We engage third-party services (PostHog, Meta, Google) to analyze use and provide statistical insights. These are subject to their own privacy policies.
7.4 Detailed cookie disclosure
A detailed cookie notice with the name, purpose, provider, and duration of each cookie is available via the cookie banner on native.no.
8. Social logins and platform integrations
8.1 Use of social logins
When you register or log in via Google or another third-party provider, you give us access to your email address and basic profile information consistent with your settings with that provider.
8.2 Data handling
The information is used to create and manage your Native account. We do not publish on your behalf to social media accounts without your explicit consent given through the platform's authorization flow.
8.3 Security and privacy
We maintain strict standards for data protection so that your information is handled securely and not used beyond the purposes described in this Policy.
8.4 Your control
You can manage your privacy settings directly with the social media service, and you can disconnect integrations at any time within the Native app.
9. How long we retain your information
Category | Retention period |
|---|---|
Account and profile data | During the contract period + 90 days after termination |
Content and media library | During the contract period; deleted within 90 days after termination |
Billing and accounting data | 5 years after end of fiscal year (Norwegian Bookkeeping Act § 13) |
Support communications | Up to 24 months after last contact |
Logs and security data | Up to 12 months, then deletion or anonymization |
Marketing data (leads) | Up to 24 months from last interaction, or until consent is withdrawn |
Tokens for connected services (Google, Canva, etc.) | Deleted within 30 days after disconnection or account closure |
Backups (cache) | Automatically deleted within 90 days |
Cookies | See cookie notice |
We review retention practices regularly to ensure compliance with legal requirements and operational needs. You may request deletion of your data at any time by contacting hei@native.no.
10. Security
We implement appropriate technical and organizational safeguards under GDPR Art. 32 and applicable US state law standards, including:
Encryption in transit (TLS 1.2+) and at rest (AES-256).
Access control under the principle of least privilege with role-based access.
Multi-factor authentication (MFA) for employees with access to production data.
Logging and monitoring of access and events.
Vulnerability management and regular security reviews.
Incident response procedures with defined accountability.
Data processing agreements with all sub-processors.
Employee training in privacy and security practices.
In the event of a personal data breach, we will notify:
The Norwegian Data Protection Authority within 72 hours where required (GDPR Art. 33).
Affected individuals without undue delay where there is a high risk (GDPR Art. 34).
US state attorneys general and affected individuals in line with applicable state breach-notification laws (such as California Civil Code § 1798.82).
Other regulators where required by applicable law.
Despite our safeguards, no electronic transmission or storage technology can be guaranteed 100% secure. We encourage you to use strong passwords, MFA, and to keep your login credentials confidential.
11. Minors
The Services are intended for businesses and not for individuals under 18. We do not knowingly collect information from minors and do not target this demographic in marketing.
For US users, we comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect data from children under 13. We also comply with applicable state laws governing minors' data, including the California "Shine the Light" law and Connecticut, Texas, and other state requirements regarding processing of minors' data.
If you discover that a minor has provided us with information, contact hei@native.no and we will delete it promptly.
12. International data transfers
Personal information is primarily stored within the EU/EEA (AWS Frankfurt and Google Cloud Europe). Some sub-processors process information in the United States or other third countries. Such transfers are made only on the basis of one of the following:
Adequacy decision — including the EU–US Data Privacy Framework for certified US recipients (GDPR Art. 45).
EU Standard Contractual Clauses (SCC 2021/914) supplemented by transfer impact assessments and, where necessary, technical measures (encryption, pseudonymization), under GDPR Art. 46.
For UK users, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
For New Zealand users, transfers comply with Information Privacy Principle 12 (IPP 12) of the Privacy Act 2020, which requires that recipients are subject to comparable privacy protections or that the data subject provides explicit informed consent.
You may request a copy of the transfer safeguards by contacting hei@native.no.
13. Your privacy rights
You have the right to:
Access the information we hold about you (GDPR Art. 15; equivalent rights under US state laws).
Correct inaccurate information (Art. 16).
Delete information when conditions are met (Art. 17).
Restrict processing (Art. 18).
Receive your data in a structured, commonly used format — data portability (Art. 20).
Object to processing based on legitimate interest, including direct marketing (Art. 21).
Withdraw consent at any time (Art. 7(3)).
Lodge a complaint with a data protection authority (Art. 77).
To exercise rights, send a verifiable request to hei@native.no or via native.no/en/contact. You may use an authorized agent. We do not discriminate against users who exercise their rights.
We generally respond within 30 days for GDPR requests (Art. 12(3)) and within 45 days for US state law requests, with the option of a 45-day extension where reasonably necessary, with notice to you.
14. Do-Not-Track and Global Privacy Control
14.1 Do-Not-Track (DNT)
Most browsers offer a Do-Not-Track feature. There is no uniform industry standard for how DNT signals should be processed, and we do not currently respond to DNT signals. If a standard is adopted, we will adjust accordingly and update this Policy.
14.2 Global Privacy Control (GPC)
For California residents, we treat GPC signals as a valid request to opt out of the sale/sharing of personal information under CCPA/CPRA. We also honor GPC signals for residents of Colorado, Connecticut, and other states that recognize such universal opt-out mechanisms. Native does not "sell" or "share" personal information as those terms are defined under CCPA, so the GPC signal confirms our existing practice.
15. Jurisdiction-specific rights
15.1 United States — federal and state level
The US has no comprehensive federal privacy law. Instead, a range of state laws apply. We recognize and respect the rights of US users regardless of state, and offer the following rights to all US users by default:
Right to know / access the categories of personal information collected, sources, purposes, and recipients.
Right to delete personal information.
Right to correct inaccurate information.
Right to data portability where technically feasible.
Right to opt out of sale, sharing, or targeted advertising.
Right to opt out of profiling with legal or similarly significant effect.
Right to non-discrimination when exercising rights.
Right to limit use of sensitive personal information.
The following state laws are particularly relevant:
State | Law |
|---|---|
California | California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) |
Virginia | Virginia Consumer Data Protection Act (VCDPA) |
Colorado | Colorado Privacy Act (CPA) |
Connecticut | Connecticut Data Privacy Act (CTDPA) |
Utah | Utah Consumer Privacy Act (UCPA) |
Texas | Texas Data Privacy and Security Act (TDPSA) |
Oregon | Oregon Consumer Privacy Act (OCPA) |
Montana | Montana Consumer Data Privacy Act (MCDPA) |
Tennessee | Tennessee Information Protection Act (TIPA) |
Iowa | Iowa Consumer Data Protection Act |
Indiana | Indiana Consumer Data Protection Act |
Delaware | Delaware Personal Data Privacy Act |
New Jersey | New Jersey Data Privacy Act |
New Hampshire | New Hampshire Data Privacy Act |
Maryland | Maryland Online Data Privacy Act |
Minnesota | Minnesota Consumer Data Privacy Act |
Native does not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA. We have not sold personal information in the past 12 months and have no plans to do so.
California "Shine the Light": California residents may request, once per year and free of charge, information about disclosures of personal information to third parties for direct marketing purposes. Since we do not disclose personal information for third-party direct marketing, no such disclosures have occurred.
To exercise rights: send a verifiable request to hei@native.no or via native.no/en/contact. You do not need an account to submit a request. You may use an authorized agent (with written permission). We respond within 45 days, with the possibility of a 45-day extension if reasonably necessary, with notice to you.
Right to appeal: If we deny your request, you may appeal by replying to our response email or contacting hei@native.no. We will respond to appeals within 60 days (or as required by your state's law). If your appeal is denied, you may contact your state attorney general or applicable privacy authority.
California complaints: California residents may complain to the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General.
Right of publicity: Native prohibits any use of the Services to create or distribute unauthorized impersonations of identifiable persons. This includes rights under, among others:
New York Civil Rights Law §§ 50–51
California Civil Code § 3344
Tennessee ELVIS Act 2024 (Ensuring Likeness, Voice, and Image Security Act)
Other applicable state right-of-publicity laws
Violations may be reported to hei@native.no for prompt review and removal.
15.2 EU/EEA — including Norway, Sweden, Denmark, and other member states
GDPR applies directly. Complaints may be filed with:
Norway: Datatilsynet (datatilsynet.no), Postboks 458 Sentrum, 0105 Oslo.
Sweden: Integritetsskyddsmyndigheten (imy.se).
Denmark: Datatilsynet (datatilsynet.dk).
Other EU/EEA countries: the supervisory authority in your country of residence.
15.3 United Kingdom (UK GDPR and Data Protection Act 2018)
For UK users, UK GDPR and the Data Protection Act 2018 apply in addition to this Policy. Complaints may be filed with the Information Commissioner's Office (ico.org.uk).
15.4 Switzerland (revFADP)
For Swiss users, the revised Federal Act on Data Protection (revFADP, in effect September 1, 2023) applies. Complaints may be filed with the Federal Data Protection and Information Commissioner (FDPIC).
15.5 New Zealand (Privacy Act 2020)
For users in New Zealand, the 13 Information Privacy Principles (IPPs) apply. Personal information is transferred out of New Zealand only in accordance with IPP 12 — i.e., to recipients subject to comparable protection (such as GDPR in EU/EEA) or with the explicit informed consent of the data subject.
Our privacy contact serves as the "Privacy Officer" for New Zealand and can be reached at hei@native.no. Complaints may be filed with the Office of the Privacy Commissioner (privacy.org.nz).
15.6 Australia (Privacy Act 1988)
For Australian users, the Australian Privacy Principles (APPs) under the Privacy Act 1988 apply. Complaints may be filed with the Office of the Australian Information Commissioner (oaic.gov.au).
15.7 Canada (PIPEDA and provincial laws)
For Canadian users, the Personal Information Protection and Electronic Documents Act (PIPEDA) and relevant provincial laws (Quebec Law 25, BC PIPA, Alberta PIPA) apply. Complaints may be filed with the Office of the Privacy Commissioner of Canada (priv.gc.ca).
15.8 Brazil (LGPD)
For Brazilian users, Lei Geral de Proteção de Dados (LGPD) applies. Complaints may be filed with the Autoridade Nacional de Proteção de Dados (ANPD).
15.9 Other jurisdictions
We strive to comply with applicable privacy laws in all countries where we operate. If you are located in a jurisdiction not explicitly listed above and wish to exercise privacy rights, contact hei@native.no, and we will process the request in accordance with applicable law.
16. Collection and use of Google user data
When you connect Google accounts to the Services, we may access and collect the following based on your explicit permissions:
Basic profile information (name, email address, profile picture).
Connections to social media and permissions to publish posts.
Content you authorize us to publish on your behalf.
16.1 Limitations
We do NOT use Google user data for:
AI model training or machine learning.
Targeted advertising or marketing.
Sale or transfer to third parties.
Any purpose beyond providing our core social media services.
16.2 Permitted uses
We use Google user data exclusively to:
Authenticate your account and maintain secure access.
Publish content to your connected social media accounts.
Deliver analytics related to your social media performance.
Provide the specific features you have requested.
16.3 Compliance with Google API Services User Data Policy
The use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
17. Collection and use of Canva user data
When you connect your Canva account to the Services, we collect and process Canva user data to enable design import.
17.1 Data we collect from Canva
Basic profile information (name, email address).
Design files you choose to import.
Design metadata (titles, creation dates).
Folder structures that help you find and select designs.
17.2 How we use Canva user data
We use Canva user data exclusively to:
Authenticate and maintain your connection to Canva.
Display your Canva designs for selection and import.
Store imported designs in your content library.
Enable scheduling and publishing of imported designs to your connected social media platforms.
We do NOT use Canva user data for:
AI model training or machine learning.
Advertising, ad targeting, or marketing.
Sale or transfer to third parties.
Any purpose beyond those described in this Policy.
17.3 Retention of Canva user data
Imported designs: stored in your content library until you delete them or close your account.
Connection data: retained as long as your Canva account is connected to the Services.
On disconnection: Canva authentication data is deleted within 30 days.
On account closure: all Canva user data is deleted within 30 days.
17.4 Data breach notification
In the event of a data breach that may affect Canva user data, we will:
Notify Canva via email at legal@canva.com within 48 hours of discovery.
Notify affected users in accordance with applicable privacy laws.
Take immediate steps to contain and remediate the breach.
17.5 Security measures
Canva user data is protected by encryption in transit and at rest, access controls, regular security reviews, and secure deletion procedures.
17.6 Your rights
You can disconnect your Canva connection at any time in account settings, request a copy of the Canva user data we hold about you, or request deletion. Contact hei@native.no.
18. Updates to this Policy
We may update this Privacy Policy as needed. The updated version will be marked with a new "Last updated" date and takes effect when published.
Material changes will be communicated by email or in the Services at least 30 days before they take effect. Earlier versions are available upon request to hei@native.no.
19. How to contact us
For questions or requests regarding this Policy, contact our privacy contact:
Native AS Registration no. 930 324 787 Behrens' gate 5, 0257 Oslo, Norway
Email: hei@native.no Contact form: native.no/en/contact
For US users, privacy rights requests may also be submitted via native.no/en/contact.
20. How to review, update, or delete your data
Review: Log into Native and open account settings, or contact hei@native.no for a full data export.
Update: Update profile information directly in Native, or contact us for assistance.
Delete: Request account deletion by contacting hei@native.no. We will delete the data within 30 days, except for data we are required to retain under bookkeeping or other applicable laws (see Section 9).
This document was last updated April 26, 2026. Version 2.0.