EXIT

(Double tap ESC)

Facebook Instagram

Privacy Policy

Last Updated: 13 May 2025

1. Introduction

Narcissistic Abuse Foundation (“NAF”, “we”, “us”, or “our”) is a society incorporated under the Societies Act of British Columbia, Canada (BC Incorporation Number: S0083521), with its registered address at 11887 Burnett Street, Unit 301, Maple Ridge, British Columbia, V2X 6P6. NAF operates in Canada, the United States of America, Mexico, and the United Kingdom.

We are committed to protecting the privacy, dignity, and personal information of every person who interacts with our website and services.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our website, use our services, purchase merchandise or event tickets, make a donation, or contact us in any capacity.

Given the sensitive nature of the subject matter our organisation addresses — narcissistic abuse and its impacts — we treat the privacy and safety of our users with the utmost seriousness. Please read this policy carefully.

2. Who This Policy Applies To

This policy applies to all individuals who:

  • Visit our website
  • Submit any form on our website (contact, story sharing, partnership, or volunteering forms)
  • Purchase merchandise or event tickets through our online store
  • Make a donation through our website
  • Subscribe to our communications

3. Information We Collect

3.1 Information You Provide Directly

Contact Form: Your name, email address, and the content of your message.

Story Sharing Form: Any personal information you choose to include in your story submission. We strongly advise against including details that could identify yourself or third parties if you wish to remain anonymous.

Partnership / Business Enquiry Form: Organisation name, contact person’s name, email address, phone number, and the nature of your enquiry.

Volunteering Form: Name, email address, phone number, location, availability, skills, and relevant experience.

Store Purchases: Name, billing address, shipping address, and email address. Payment card details are entered directly into Stripe, our third-party payment processor, and are never transmitted to or stored on our servers. Please refer to Stripe’s Privacy Policy at stripe.com/privacy for information on how Stripe handles your payment data.

Donations: Name, email address, billing address, and payment details. As above, all payment information is handled exclusively by Stripe.

Event Ticket Purchases: Name, email address, and billing information, processed via Stripe.

3.2 Information Collected Automatically

When you visit our website, we and our third-party service providers may automatically collect certain technical information, including:

  • IP address and approximate geographic location
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on each page
  • Referring URL
  • Date and time of your visit

This information is collected through cookies and similar tracking technologies, which are managed through the cookie consent tool on our website.

3.3 Information We Do Not Collect

Our “Have You Experienced Narcissistic Abuse?” questionnaire is provided for awareness and self-reflection purposes only. It does not collect, transmit, or store any data whatsoever. All responses remain entirely within your browser and are never sent to us or any third party.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

  • To respond to enquiries submitted via our contact form
  • To review and, with your explicit consent, publish stories submitted through our story-sharing form
  • To process partnership or volunteering enquiries
  • To process and fulfil merchandise orders and provide shipping updates
  • To process donations and send acknowledgement of receipt
  • To process event ticket purchases and send booking confirmations
  • To send communications you have opted into, such as our newsletter
  • To improve our website, services, and programmes
  • To comply with our legal and regulatory obligations
  • To detect, prevent, or investigate fraud or other unlawful activity

5. Legal Basis for Processing

Depending on your jurisdiction, we rely on one or more of the following legal bases to process your personal data:

  • Contract: Where processing is necessary to fulfil a purchase or other agreement (e.g. processing an order or donation).
  • Legitimate Interests: Where we have a legitimate organisational interest that is not overridden by your rights (e.g. fraud prevention, service improvement).
  • Consent: Where you have given us clear, informed consent for a specific purpose (e.g. newsletter subscription or story publication).
  • Legal Obligation: Where we are required to process data to comply with applicable law.

6. Sharing Your Information

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We may share your information only in the following limited circumstances:

  • Stripe: All payment transactions are processed by Stripe, Inc. Stripe acts as an independent data controller for payment data. Please review Stripe’s Privacy Policy at stripe.com/privacy.
  • Other Service Providers: We work with trusted third-party providers who assist us in operating our website and services (e.g. email delivery, fulfilment partners, event ticketing platforms). These providers are contractually bound to protect your data and use it only to provide services to us.
  • Story Publication: If you submit your story and explicitly consent to its publication, we may share it on our website, social media channels, or in our materials. We will never publish your story without your explicit prior consent.
  • Legal Requirements: We may disclose your information if required by law, court order, or governmental authority in Canada, the USA, Mexico, or the UK.
  • Safety: In exceptional circumstances where there is a genuine and immediate risk to the safety of you or another person, we may share information with the appropriate authorities.

7. International Data Transfers

As an organisation operating across Canada, the USA, Mexico, and the UK, your personal data may be transferred to, stored, or processed in any of these countries. We take appropriate safeguards to ensure such transfers comply with applicable data protection laws, including where necessary implementing data processing agreements or relying on other lawful transfer mechanisms.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Contact and enquiry data: Up to 2 years from the date of last contact
  • Transaction records (store purchases, donations, event tickets): 7 years, in line with standard financial record-keeping obligations
  • Volunteering applications: 2 years from the date of submission, or until the volunteering relationship ends
  • Story submissions (where consent to publish has been given): Indefinitely, unless and until consent is withdrawn
  • Website analytics data: Up to 26 months

Where you request deletion of your data and we have no overriding legal obligation to retain it, we will act on your request within 30 days.

9. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Right to Restrict Processing: Ask us to limit how we use your data in certain circumstances.
  • Right to Data Portability: Request a machine-readable copy of data you have provided to us.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
  • Right to Lodge a Complaint: You have the right to complain to the relevant supervisory authority in your jurisdiction.

9.1 Relevant Supervisory Authorities

  • Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
  • United States: Federal Trade Commission (FTC) — ftc.gov; and relevant State Attorneys General
  • Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — inai.org.mx
  • United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, alteration, or disclosure. All payment transactions are handled by Stripe, which is PCI-DSS compliant. Data transmitted to and from our website is encrypted using SSL/TLS.

No method of transmission over the internet is entirely secure. In the event of a data breach that poses a risk to your rights, we will notify you and the relevant regulatory authorities as required by law.

11. Children’s Privacy

Our website and services are not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information without appropriate consent, please contact us immediately and we will take steps to delete such information.

12. Third-Party Links

Our website may contain links to third-party websites, including social media platforms and partner organisations. This Privacy Policy does not apply to those websites. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the “Last Updated” date at the top of this policy and, where appropriate, notify you by email or a prominent notice on our website. Your continued use of our website after such changes constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact us:

Narcissistic Abuse Foundation
11887 Burnett Street, Unit 301
Maple Ridge, British Columbia, V2X 6P6
Canada
Email: narcisisticabusefoundation@gmail.com
Website: www.narcissisticabusefoundation.org

Note: The email address above is current as of the date of this policy and will be updated when a dedicated organisational email address is established. Please check our website for the most up-to-date contact details.