Plain-language summary: NORA connects to your email using secure OAuth — we never see or store your password. We do not sell your data. We do not use your email content to train AI models without your explicit opt-in consent. You can delete your account and all associated data at any time.
1. Who We Are
NORA ("NORA", "we", "our", or "us") is an AI-powered inbox management and day planning service accessible at noradaily.com and app.noradaily.com (the "Service"). We are the data controller for personal data collected through the Service. We are committed to handling your personal data responsibly and in full compliance with applicable privacy laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
If you have questions about how we handle your data, contact us at hello@noradaily.com.
2. Information We Collect
Information you provide directly
- Account information: Your name and email address when you authenticate via Google, Apple, or Microsoft OAuth.
- Payment information: Billing details are processed by Stripe. We never receive, see, or store full credit card numbers or bank account details.
- Communications: Messages you send us via our contact form or email, including support requests.
- Preferences and settings: Configuration choices you make within the app, such as scheduling preferences and notification settings.
Information collected automatically
- Usage data: Features used, frequency of access, session duration, button clicks, and navigation paths — used solely to improve the product.
- Device and log data: Browser type and version, operating system, IP address, referring URLs, and approximate geographic location (country/region level only).
- Performance data: Error logs and crash reports to help us diagnose technical issues.
Email data (with your explicit permission)
- When you connect an email account, we access message content, metadata (sender, recipient, subject, date), labels, and thread structure solely to deliver the features you requested.
- Email content is processed transiently in memory. We do not persistently store the full body of your emails beyond what is strictly necessary to render the current session.
- We do not use your email content to train AI models unless you explicitly opt in. This opt-in is always voluntary and can be revoked at any time from your account settings.
3. How We Use Your Information
We process your personal data only for the following purposes and under the listed legal bases:
- Service delivery (Contract): To provide, operate, maintain, and improve the NORA Service you signed up for.
- Personalization (Contract / Legitimate Interest): To tailor AI summaries, briefings, and suggestions to your preferences.
- Billing and account management (Contract): To process payments, manage your subscription, and send billing-related notices.
- Security and fraud prevention (Legitimate Interest): To detect, investigate, and prevent unauthorized access, abuse, or fraudulent activity.
- Legal compliance (Legal Obligation): To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Communications (Legitimate Interest / Consent): To send service updates, security alerts, and — where you have opted in — marketing messages. You may opt out of marketing at any time.
- Product analytics and improvement (Legitimate Interest): To understand how the Service is used and to make it better. Analytics data is anonymized or aggregated wherever possible.
We do not sell, rent, or trade your personal data to third parties for their marketing purposes. Ever.
We do not use your data for automated decision-making that produces legal or similarly significant effects on you without human review.
4. Email Access & OAuth
NORA connects to your Gmail or Outlook inbox using industry-standard OAuth 2.0. This means:
- We never see or store your email password at any time.
- You grant access through Google's or Microsoft's official, secure authorization flow.
- You can revoke NORA's access at any time from your Google Account settings (myaccount.google.com/permissions) or Microsoft Account settings, without needing to contact us.
- We request only the minimum OAuth scopes necessary to deliver the features you use. We do not request access to contacts, calendar, or other services unless you explicitly enable those integrations.
- Access tokens are stored encrypted at rest and are never shared with third parties except as required to fulfill the service (e.g., making authorized API calls on your behalf).
- Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- We do not use Gmail or Google account data for advertising or ad targeting of any kind. Gmail data is never used to serve ads or build advertising profiles, and is never shared with advertising networks.
- No NORA employees or contractors read your email content, except with your explicit affirmative consent, when required for security purposes (e.g., investigating a reported abuse incident), or as required by law.
5. Data Storage & Security
Your data is stored using Supabase infrastructure hosted in the United States, with encryption at rest (AES-256) and in transit (TLS 1.2+). Our security measures include:
- End-to-end TLS/SSL encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Role-based access controls with the principle of least privilege
- Multi-factor authentication required for all internal administrative access
- Regular security audits and penetration testing
- Automated monitoring for suspicious access patterns
- Employees with access to personal data are bound by confidentiality obligations
No method of transmission over the internet or electronic storage is 100% secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security. We encourage you to use a strong, unique password for your linked Google or Microsoft account and to enable two-factor authentication.
6. Data Retention & Deletion
We retain your personal data for as long as your account is active and as necessary to provide the Service. Specific retention periods:
- Account data: Retained while your account is active and deleted within 30 days of account deletion.
- Email content: Processed transiently during sessions; not stored persistently beyond session cache, which is cleared automatically.
- Usage and analytics data: Retained in anonymized or aggregated form for up to 24 months.
- Billing records: Retained for 7 years as required by financial regulations.
- Support communications: Retained for up to 3 years to improve support quality, then deleted.
- Legal hold: Data subject to an active legal hold may be retained beyond these periods as required by law.
To delete your account and all associated data, go to Settings → Account → Delete Account in the app, or email hello@noradaily.com. We will confirm deletion within 30 days.
7. Third-Party Services
We use carefully selected third-party services to operate NORA. Each provider has been evaluated for data protection compliance:
- Supabase — Authentication, database, and file storage. SOC 2 Type II certified.
- Stripe — Payment processing. PCI-DSS Level 1 certified. We never store card details.
- Google (OAuth & Gmail API) — Authentication and Gmail integration. Subject to Google's privacy policy.
- Apple (Sign In with Apple) — Authentication. Apple does not share your personal email with us unless you choose to.
- Microsoft (OAuth & Outlook API) — Authentication and Outlook integration. Subject to Microsoft's privacy policy.
- Anthropic / OpenAI — AI inference for email summarization, drafting, and planning. Data sent to these services is subject to their enterprise data processing terms. We use API configurations that do not permit your data to be used to train their public models.
- Analytics (privacy-first) — We use privacy-first analytics that do not set persistent cookies, do not share data with advertising networks, and do not track users across websites.
We do not allow third-party advertising networks or data brokers to collect data about you through our Service.
8. International Data Transfers
NORA is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
We rely on the following legal mechanisms for such transfers:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to our service providers.
- Adequacy decisions where applicable.
- Your explicit consent for transfers where no other legal basis applies.
You may request a copy of the safeguards we use for international transfers by contacting hello@noradaily.com.
9. Cookies & Tracking
We use a minimal, purposeful approach to cookies:
- Strictly necessary cookies: Session tokens required to keep you signed in. These cannot be disabled without breaking the Service.
- Functional cookies: Remember your preferences (e.g., theme, language). These can be cleared via your browser settings.
- Analytics (cookieless): We use privacy-first analytics that do not require cookies and do not track you across other websites.
We do not use advertising cookies, cross-site tracking cookies, or fingerprinting. We do not participate in interest-based advertising networks.
If you send a Do Not Track (DNT) signal from your browser, we honor it by disabling non-essential analytics. We do not share data with third parties that ignore DNT signals.
10. Your Rights (GDPR & CCPA)
Rights for all users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion ("right to be forgotten"): Request deletion of your personal data, subject to legal retention requirements.
- Portability: Receive a machine-readable copy of your data to transfer to another service.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
Additional rights for EEA / UK residents (GDPR)
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests, including for direct marketing.
- Automated decisions: Request human review of any automated decisions that significantly affect you.
- Lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority).
Additional rights for California residents (CCPA / CPRA)
- Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Delete: Request deletion of your personal information (subject to certain exceptions).
- Correct: Request correction of inaccurate personal information.
- Opt-out of sale or sharing: We do not sell or share personal information for cross-context behavioral advertising. If this changes, you will have a clear opt-out.
- Limit use of sensitive personal information: You may limit how we use sensitive personal information.
- Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise any of these rights, email hello@noradaily.com or use the in-app account settings. We will respond within 30 days (or 45 days where permitted by law for complex requests). We may need to verify your identity before fulfilling a request.
11. Children's Privacy
NORA is not directed at, and is not intended for use by, children under the age of 13 (or 16 in the EEA where required by applicable law). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us immediately at hello@noradaily.com.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify affected users without undue delay, and no later than 72 hours after becoming aware of the breach (where technically feasible), via email to the address associated with your account.
- Notify the relevant supervisory authority within 72 hours as required by GDPR.
- Provide clear information about the nature of the breach, the data involved, the likely consequences, and the measures taken to address it.
We maintain an internal data breach response plan and conduct regular drills to ensure rapid, effective response.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and through a prominent in-app notice at least 14 days before changes take effect. For non-material changes (e.g., clarifications or corrections), we will update the "Last updated" date at the top of this page.
If you disagree with changes to this policy, you may delete your account at any time. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
We maintain a version history of this policy. You may request prior versions by emailing hello@noradaily.com.
14. Contact & Data Protection
For any privacy-related questions, requests, or concerns, please contact us:
We aim to respond to all privacy requests within 5 business days and to fulfill them within 30 days. If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your national Data Protection Authority.