About Us
Narwh.AI is a brand of Narwhal Group Limited ("Narwhal", "NMG", "we", "us", "our"). NMG is a company registered in England and Wales (company number: 13603579), whose registered office address is at Spaces - Bristol, Programme, The Pithay, BS1 2NB. For the purposes of the General Data Protection Regulation (the "GDPR"), NMG is the controller in relation to your data.
Privacy Statement Summary:
This Privacy Policy ("Policy") explains how your information is collected, used, disclosed and processed by Narwhal Media Group LTD ("we" / "us" / "our") in relation to our platform Narwh.ai and its related services. This Policy applies where we are acting as a Data Controller, where we determine the purposes and means of processing personal data, for example, with respect to the personal data of our website visitors, platform users, clients, and partners.
How Your Information Will Be Collected and Used
We will only use your personal data for its intended purpose and where a lawful basis exists.
What will my data be used for?
We process personal data for a number of purposes. In relation to our clients and platform users, we might process personal data in order to register and manage client accounts, provide and administer our services, process payments and issue invoices, communicate with clients about the service, analytics, deliver customer support, and ensure the security and proper functioning of our systems. We also process this information to monitor usage of the platform, to authenticate access, to prevent unauthorised activities, and to comply with our legal and regulatory obligations. With respect to end-users of our clients, we might process information relating to opt-outs and associated records in order to respect their marketing preferences. For visitors to our website, we collect cookies and usage data to operate and secure the site, to analyse traffic and improve functionality, to generate statistics, to remember user preferences, and, where legally required, to obtain and respect consent for the use of non-essential cookies.
What data will be stored?
We will store your personal details in order to provide our services and run our company. For our business clients, this includes name, surname, title, email address, telephone number, potentially payment and card details, as well as account information such as usernames, passwords, and usage logs. For end-users of our clients, we may store information relating to marketing opt-outs and any associated data necessary to respect and record these preferences. For visitors to our website, we collect information through cookies and usage data, such as IP address, browser type, operating system, and interaction with our site, in order to operate, secure, and improve our services.
What data will be shared?
We may share personal data with our trusted service providers and business partners who support the delivery of our services. For business clients, this may include sharing contact and account details with payment processors, IT and hosting providers, customer support tools, and other professional advisors as necessary to administer the service and comply with legal obligations. For end-users of our clients, information relating to opt-outs may be shared with our clients to ensure that marketing preferences are respected and recorded. For website visitors, cookie and usage data may be shared with analytics and hosting providers in order to operate, secure, and improve our website. Where data is transferred outside the United Kingdom or the European Economic Area, we ensure that appropriate safeguards, contractual commitments, and risk assessments are in place to keep your information secure.
How is my data kept secure?
We will store your data on secure servers. We use industry-standard security protocols/technology to secure your data.
Who can access my data?
Access to your data is strictly controlled in line with our rigorous internal access control policies. Only authorised personnel within NMG Group who require access to perform their roles can view or process your information. We also share data with trusted service providers who support the delivery of our services, and all such providers are bound by contractual and legal obligations to keep your data secure and confidential.
Does Narwh.AI use AI?
Yes, our core services are powered by AI. We use AI systems to provide, improve, and optimise our services, enabling more personalised, efficient, and effective experiences for our clients and their end-users. While most of the personal data processed by our AI systems comes from our clients and is handled under their instructions, there are certain AI-driven processes where we act as a data controller in our own right.
What Data We Collect and Lawful Bases
| Data Subjects and types of data | Activity / Purpose | Lawful Basis under the GDPR |
|---|---|---|
| Business Clients (Name, surname, title, email address, telephone number, payment details (card details), account credentials (username and password), usage logs, and correspondence with end-users (where processed for compliance and security) | To register and manage client accounts | Contract performance |
| To provide and administer the platform/service | Contract performance | |
| To process payments and issue invoices | Contract performance and Legal obligation | |
| To provide customer support and respond to inquiries | Contract performance and consent | |
| To ensure system security, authenticate log-ins, and prevent unauthorized access | Legal obligation | |
| To monitor and analyse platform usage and maintain service functionality | Legitimate interests | |
| To send service and marketing related communications | Consent | |
| To process correspondence between clients and end-users for security reasons | Legal obligation | |
| End-Users of Clients (Opt-out records, marketing preferences, and correspondence with clients (where processed for compliance/security)) | To manage the opt-out lists | Legitimate interests (as joint controllers with our clients) |
| To process correspondence between clients and end-users for security reasons | Legal obligation | |
| Website Visitors (IP address, browser type, operating system, cookies and cookies preferences, usage data) | To operate the website and ensure security and performance | Legitimate interests |
| To generate aggregate statistics on website usage | Legitimate interests | |
| To analyse traffic and improve website functionality | Consent for non-essential cookies and Legitimate interests for strictly necessary cookies |
Cookies
Our Site uses analytics services provided by Google. Website analytics refers to a set of tools used to collect and analyse anonymous usage information, enabling us to better understand how our Site is used. This, in turn, enables us to improve our site.
The analytics service(s) used by our site use(s) Cookies to gather the required information. You do not have to allow us to use these cookies. However, whilst our use of them does not pose any risk to your privacy or your safe use of our site, it does enable us to continually improve our site, making it a better and more useful experience for you.
The analytics service(s) used by our site use(s) the following Cookies:
Name of Cookie: _ga, _gat, _gid (Third party, provided by Google for usage in analytics tracking only).
In addition to the controls that we provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all Cookies or only third-party Cookies. By default, most internet browsers accept Cookies, but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.
You can choose to delete Cookies on your computer or device at any time, however you may lose any information that enables you to access Our Site more quickly and efficiently including, but not limited to, login and personalisation settings.
It is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.
How We Use Your Data
We use the personal data we collect to provide, maintain, and improve the Narwh.AI platform and its supporting services. This means that, depending on the context, we may use your information to set up and manage your account, authenticate your logins, and ensure that only authorised users are able to access the system. Where clients provide us with their own customer or end-user data, we act primarily as a processor, ensuring that the information is used only for the purposes agreed in our contracts. At the same time, there are certain situations in which Narwh.AI determines its own purposes for processing, for example when we analyse system usage, monitor correspondence between clients and their end-users for security reasons, or develop and optimise our services. In those cases, we act as a controller.
In addition, we use your data to communicate with you about the platform, whether that is to confirm account details, respond to support requests, or notify you about service updates and improvements. If you provide your consent, we may also use your information to send you newsletters or details of features or services that we believe will be of interest to you.
Finally, we use data to measure the effectiveness of our services and marketing, to detect and prevent fraud or misuse of our systems, and to comply with legal obligations.
Transferring Your Data
The data that we collect from you, as described in this Privacy Policy, could be accessible from, transferred to, or stored in countries that may not have the same data protection laws as those of the country in which you initially provided the information. In any case, we apply appropriate safeguards to make sure that cross-border transfers of personal data comply with applicable law and seek to ensure that your data continues to receive a comparable level of protection.
In particular, if you're in the European Economic Area (EEA) and your personal data is transferred to third-party service providers in countries not considered adequate by the European Commission (EC), we establish and implement appropriate contractual, organizational, and technical measures with these third-party companies. This is done by using Standard Contractual Clauses as approved by the EC, by examining the countries to which the data may be transferred through data transfer impact assessments, and by imposing specific technical and organizational measures.
For transfers of your personal data outside of the United Kingdom (UK), we apply the equivalent mechanisms and appropriate safeguards for the UK, such as UK addendum to SCCs.
Please contact us at hello@nmg.group for further information about the particular data protection mechanism used by us when transferring your personal data to a third country.
Data storing and Security
We take the storage of your personal data very seriously and apply strict technical and organisational measures to keep it safe. All data that you provide to us, or that we process on behalf of our clients, is stored securely within systems that meet recognised industry standards, including encryption in transit and at rest. Our servers are located in the United Kingdom and the European Union, and we do not transfer your information outside these jurisdictions unless appropriate safeguards and agreements are in place.
Access to stored data is carefully controlled in line with our access management policies. Only authorised personnel and trusted service providers, bound by contractual and legal obligations, are able to handle your information, and even then, only to the extent necessary for the performance of their duties.
Data Retention
Narwh.AI follows a data retention policy that sets out how long different categories of information are kept and for what reasons. In general, we retain your personal data only for as long as is necessary to provide the services you have requested, meet legal and regulatory requirements, and fulfil the purposes explained in this Privacy Policy.
For example, we may retain account-related data for 30 days after you delete your account, to allow for recoverable data and account restoration. After this period, your account information is permanently deleted, unless a longer retention period is required by law or needed to resolve an ongoing dispute.
In certain cases, we may retain limited, anonymised or hashed information for a further period in order to demonstrate compliance with legal and regulatory obligations, to respond to potential disputes, and to support our internal governance. Beyond these periods, data is deleted or irreversibly anonymised so that it can no longer be linked back to an individual.
Your Rights
Your rights will be determined by the country in which you reside. If you reside in the European Economic Area or the United Kingdom, you have certain rights under GDPR in relation to your personal data.
1. Right of access – You have the right at any time to ask us for a copy of the personal information that we hold about you, and to check that we are lawfully processing it.
2. Right of rectification – If personal information that we hold about you is not accurate or is out of date and requires amendment or correction you have a right to have the data rectified or completed.
3. Right of erasure – In certain circumstances, you have the right to request that personal information we hold about you is erased (e.g. if the information is no longer necessary for the purposes for which it was collected or processed).
4. Right to object to or restrict processing – In certain circumstances, you have the right to object to our processing of your personal information. For example, if we are processing your information on the basis of our legitimate interests, and there are no compelling legitimate grounds for our processing which override your rights and interests.
5. Right of data portability – In certain instances, you have a right to receive any personal information that we hold about you in a structured, commonly used and machine-readable format.
6. Right to withdraw consent – In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. You can exercise this right by accessing our Preference Centre.
Exercising Your Rights
1. If you wish to exercise any of your rights under the GDPR or if you wish to discuss our use of your data, please email us at hello@nmg.group
2. Our lead supervisory authority for the processing set out in this Privacy Policy is the UK Information Commissioner's Office (ICO). If you are unhappy with how we have processed your data, you have the right to make a complaint to the ICO.
3. If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
Children's Privacy
Narwh.AI does not knowingly collect or process personal data from children under the age of 18. Our services are designed for business clients and their end-users, and we do not intentionally target or market to children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete it without undue delay. Parents or guardians who believe their child's data has been provided to us can contact us to request its removal.
AI Subjects notice
We are committed to providing innovative tools to our clients to help them manage their customer relationships effectively. To achieve this, as a data processor for our clients, we may process our clients' end users' (referred to as "AI Subjects") personal data through our AI-powered platform, Narwh.ai. Narwh.ai is a cloud-based software platform provided by Narwhal Group that allows our Clients to configure and deploy AI Agents and use AgenticAI Services to support a variety of business processes.
How Narwh.ai Works
The use of Narwh.ai's AI-powered features depends entirely on each Client's subscription and preferences, and Clients may choose to opt out of AI functionality. When a Client chooses to enable AI Agents, we may process their end users' data in order to provide services to that Client. This data may include call content and voice data, SMS, email, and web chat correspondence, any additional personal data contained in those communications, as well as any AI Subjects' data provided by our clients or collected by us on their behalf.
Please note that sentiment analysis may be carried out on correspondence, but this will never result in profiling that has legal or similarly significant effects. Narwh.ai does not make autonomous decisions about individuals. While the system may generate recommendations or insights, our clients and their end users are required to have a human make the final decision, taking all relevant factors into account.
Our AI system is powered by a foundation model from OpenAI. We have executed an Enterprise Services and Data Processing Agreement with OpenAI, which includes Standard Contractual Clauses to ensure adequate safeguards for personal data. OpenAI is contractually prohibited from using our Clients' data, queries, or responses to train or improve its models.
In addition to our Terms, the use of Narwh.ai and its features are subject to OpenAI's usage policies, which you can review at https://openai.com/policies/usage-policies.
Monitoring and Platform Integrity
As the Narwh.ai provider, we also process certain data as a controller in order to ensure that the platform operates as intended, remains secure, and is not subject to abuse. For this purpose, we may process Narwh.ai inputs, outputs and platform usage data under the legal bases of legitimate interest and legal obligation. This processing is carried out in full compliance with the GDPR, and our approaches to international data transfers, technical and organisational measures, and data subject rights, as described elsewhere in this Privacy Policy, also apply to the processing described in this section. For any questions regarding Narwh.ai governance or data protection, please contact us at hello@nmg.group.
Contact Us
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:
Data Protection Officer: Joey Rickman
Email address: hello@nmg.group
Telephone number: 0117 251 0225
Postal Address: Narwhal Media Group, Spaces - Bristol, Programme, The Pithay, BS1 2NB
Our EU Representative
Under Article 27 of the GDPR, we have appointed an EU representative to act as our data protection agent. Our nominated EU representative is:
Company name: Instant EU GDPR Representative Ltd Name: Adam Brogden Email: contact@gdprlocal.com Tel+ 353 15 549 700 EU Dublin Address: INSTANT EU GDPR REPRESENTATIVE LTD, 69 Esker Woods Drive, Lucan, Co. Dublin Ireland
Our UK Representative
Under Article 27 of the UK Data Privacy Act, we have appointed a UK representative to act as our data protection agent. Our nominated UK representative is:
Company name: GDPR Local Ltd. Name: Adam Brogden Email: contact@gdprlocal.com Tel +44 1772 217800 UK Address: 2 Marsh Road, BS3 2NA
Changes to this Privacy Policy
From time to time, we may update this Privacy Policy. This Privacy Policy is our most up-to-date version, and it supersedes any earlier version.
Last reviewed: October, 2025