Last updated: March 26, 2026 · v3.1

Privacy Policy

Nora is operated by Nucleon AS (org. nr. 921 197 799), Rostockgata 82, 0194 Oslo, Norway, the data controller for your personal data. This page explains what we collect, why, who we share it with, and your rights.

What we collect

When you use Nora, we collect:

  • Your contact identifier. Your phone number, email, or messaging ID, so we can reply to you.
  • Messages and voice. Text and audio you send, processed to generate replies.
  • Name and preferences. Timezone, language, home address, and similar settings you share.
  • Precise location. If you choose to share your location, Nora can access your GPS coordinates to provide weather, nearby places, and other location-aware help. This is entirely opt-in and processed locally on our server.
  • Personal context. Facts extracted from your conversations (dietary preferences, relationships, etc.) so Nora can help you better over time. Some facts are explicitly stated by you; others are inferred from context.
  • Conversation summaries. Per-topic summaries extracted from past conversations (e.g. “discussed travel plans”), used to maintain context across sessions. These do not contain your exact messages.
  • Recent conversation excerpts. A short window of recent messages, stored temporarily to maintain conversational continuity. These are periodically replaced as conversations progress.
  • Pending actions. Action items and follow-ups extracted from conversations (e.g. “book dentist appointment”). These expire automatically or when completed.
  • Connected account credentials and metadata. If you link Google, Microsoft, Todoist, TickTick, or GitHub, we store the connection details needed to act on your behalf. Depending on the integration, this may include encrypted tokens or third-party connected-account identifiers.
  • Payment information. If you subscribe to Nora+, Stripe processes your payment card details on our behalf. We do not store your card number.
  • Conversation quality assessments. AI-generated evaluations of conversation quality for service improvement, containing brief conversation excerpts.

Legal basis for processing

We process your data to perform the Nora service you signed up for. The legal basis is contract performance (GDPR Article 6(1)(b)). Personal context you share voluntarily (memory facts, saved preferences) is processed under legitimate interest (Article 6(1)(f)): providing you with a useful, context-aware assistant. Conversation quality analysis is also processed under legitimate interest (Article 6(1)(f)) for service improvement. We analyze conversations using AI to identify quality issues, feature gaps, and areas for improvement. These assessments contain brief excerpts from conversations and are accessible only to our team. You can object to this at any time. We never use your data for advertising and never sell it.

Who processes your data

Delivering the service requires the following sub-processors. Where available, we engage processors under their standard data processing terms:

Services that receive your personal data

  • Anthropic (anthropic.com). Your messages and personal context are processed by Claude to generate responses, extract conversation summaries, and manage memory.
  • Google (Gemini) (ai.google.dev). Your messages are sent to Gemini to generate replies. Also used for image generation, understanding images you send, web search, and indexing your personal context for memory search.
  • OpenAI (openai.com). Voice messages you send are transcribed using Whisper.
  • ElevenLabs (elevenlabs.io). Text is sent to synthesise voice replies when Nora responds with audio.
  • Perplexity (perplexity.ai). Your search queries may be sent to Perplexity for web search when needed.
  • Stripe (stripe.com). Processes your payment when you subscribe to Nora+. Stripe receives your payment card details, billing address, and transaction history.
  • Supabase (supabase.com). Your data is stored in a Supabase database hosted in the EU.
  • Vercel (vercel.com). The landing page and dashboard (nora.fyi) are hosted on Vercel. Vercel Analytics collects aggregate, cookieless page-view data. No personal data is stored.
  • Telegram (Telegram FZ-LLC) (telegram.org/privacy). If you use Nora via Telegram, your messages, photos, and voice recordings are delivered through the Telegram Bot API.

Connected services (only if you link them)

  • Composio (hosted integration layer) (composio.dev/privacy). If you connect supported providers through Nora's hosted connection flow, Composio processes the auth hand-off, linked-account state, and provider API requests on Nora's behalf.
  • Apple (CalDAV / CardDAV / IMAP) (apple.com). If you connect iCloud, your calendar events, contacts, and iCloud mail are accessed via Apple's protocols using an app-specific password. The password is stored encrypted and never shared.
  • Microsoft (Graph API) (microsoft.com). If you connect Microsoft, your Outlook inbox, calendar, and To Do data are accessed via Microsoft Graph.
  • Google (Calendar, Gmail, and Tasks API) (google.com). If you connect Google, your calendar events, email messages, and tasks are accessed via the respective Google APIs on your behalf.
  • TickTick (Appest Inc) (ticktick.com/privacy). If you connect TickTick, your tasks are accessed via the TickTick API on your behalf.
  • Todoist (Doist Inc) (todoist.com/privacy). If you connect Todoist, your tasks are accessed via the Todoist API on your behalf.
  • GitHub (Microsoft) (github.com). If you connect GitHub, your repository activity is accessed via the GitHub API on your behalf.

Query-only services (no personal data sent)

The following services receive only your query (e.g. a place name, sport, or ticker symbol) and no personal data:

  • Google Maps Platform. Place searches and driving directions.
  • OpenStreetMap (Nominatim). Resolving GPS coordinates to addresses.
  • Transitous (MOTIS). Public transport routing.
  • Entur. Public transport routing in Norway.
  • Open-Meteo. Weather forecasts.
  • ESPN. Sports scores and fixtures.
  • Yahoo Finance. Stock prices, crypto, and market data.
  • Frankfurter. Currency exchange rates.

If you connect a third-party service (such as Google Calendar, Todoist, TickTick, or GitHub), only the data you authorise is shared with that service and the processors needed to facilitate that connection. No other parties have access to your personal data.

International transfers

Anthropic, Google, OpenAI, ElevenLabs, Perplexity, Stripe, Vercel, Microsoft, TickTick (Appest Inc), GitHub, and Composio are US-based companies. Todoist (Doist Inc) is based in Portugal but may process data via US infrastructure. Where available, transfers to US-based processors are covered by Standard Contractual Clauses (SCCs) included in their data processing terms, or the EU-US Data Privacy Framework for certified companies. Query-only services (weather, sports, transit, etc.) receive only search terms, not personal data.

What you must provide

A contact identifier (phone number, email, or messaging ID) is required to use Nora. This is a contractual requirement. Without it, we cannot send you replies. All other data (name, preferences, personal context) is optional. Not providing it simply means Nora has less context to help you, but you can still use the service.

AI training

We do not use your messages, personal context, or any other personal data to train AI models. Your data is sent to third-party AI providers solely to generate responses for you. Each provider’s data handling is governed by their published API terms. See the sub-processor list above.

Children’s privacy

Nora is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal data from a child under 13, we will delete it promptly. If you believe a child under 13 is using Nora, please contact privacy@nora.fyi.

How long we keep it

We keep your data for as long as your account is active. Conversation data, workflow history, and pending actions are automatically cleaned up on a rolling basis. If you delete your account, we remove your data within 30 days.

Your rights

Under GDPR, you have the right to:

  • Access. Ask us what we hold about you.
  • Delete. Text Nora “delete my data” or use the Account page in your dashboard.
  • Correct. Tell Nora if something is wrong, or update it in Account settings.
  • Portability. Download a copy of your data from Account settings in your dashboard.
  • Restrict. Ask us to pause processing while a dispute is resolved.
  • Object. Object to processing based on legitimate interest, including memory storage, at any time.

To exercise any right, email privacy@nora.fyi. You can also lodge a complaint with your national data protection authority. In Norway: Datatilsynet.

Do Not Sell or Share

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. There is no need to opt out because we simply do not engage in these practices.

Additional rights for US residents

If you reside in a US state with a comprehensive privacy law (including California, Virginia, Colorado, Connecticut, Texas, and others), you may have additional rights under your state’s law, such as:

  • Right to know. What personal information we collect and how we use it.
  • Right to delete. Request deletion of your personal information.
  • Right to correct. Request correction of inaccurate information.
  • Right to opt out. Of the sale or sharing of personal information (we do not sell or share your data).
  • Right to non-discrimination. We will not treat you differently for exercising your rights.

To exercise these rights, email privacy@nora.fyi. We will respond within 45 days as required by applicable law.

Categories of personal information we collect: identifiers (phone number, email, messaging ID), personal records (name, address), internet activity (messages, usage data), geolocation (if you opt in), payment information (if you subscribe to Nora+), and inferences (conversation summaries, personal context). We collect these for the purposes described in this policy and do not use them for unrelated purposes without notice.

Contact

Questions? Email privacy@nora.fyi.

Nucleon AS · Rostockgata 82, 0194 Oslo, Norway
