Privacy Policy

What we collect

When you use Nora, we collect:

• Your contact identifier — your iMessage address, so we can reply to you.
• Messages and voice — text and audio you send, processed to generate replies.
• Name and preferences — timezone, language, home address, and similar settings you share.
• Precise location — if you choose to share your location via Apple's location sharing, Nora can access your GPS coordinates to provide weather, nearby places, and other location-aware help. This is entirely opt-in and processed locally on our server.
• Personal context — facts extracted from your conversations (dietary preferences, relationships, etc.) so Nora can help you better over time. Some facts are explicitly stated by you; others are inferred from context. You can view and delete any fact.
• Conversation summaries — per-topic summaries extracted from past conversations (e.g. “discussed travel plans”), used to maintain context across sessions. These do not contain your exact messages.
• Recent conversation excerpts — the last 5–8 message exchanges before a session rotation, stored temporarily to maintain conversational continuity. These contain your actual messages and are replaced on each session rotation.
• Pending actions — action items and follow-ups extracted from conversations (e.g. “book dentist appointment”). These expire automatically after 30 days or when completed.
• Connected account tokens — if you link Google, Microsoft, Todoist, TickTick, or GitHub, we store tokens to act on your behalf.

Legal basis for processing

We process your data to perform the Nora service you signed up for — the legal basis is contract performance (GDPR Article 6(1)(b)). Personal context you share voluntarily (memory facts, saved preferences) is processed under legitimate interest (Article 6(1)(f)): providing you with a useful, context-aware assistant. You can object to this at any time. We never use your data for advertising and never sell it.

Who processes your data

Delivering the service requires the following sub-processors. Each operates under a data processing agreement or equivalent terms:

• Anthropic (anthropic.com) — your messages are sent to Claude to generate replies. Conversation history is also processed by Claude at session boundaries to extract facts and summaries for memory. Stored facts may be periodically analysed to detect patterns and consolidate related entries.
• Google (Gemini) (ai.google.dev) — used for image generation, understanding images you send, and indexing your personal context for memory search.
• OpenAI (openai.com) — voice messages you send are transcribed using Whisper.
• ElevenLabs (elevenlabs.io) — text is sent to synthesise voice replies when Nora responds with audio.
• Perplexity (perplexity.ai) — your search queries and monitoring conditions are sent to Perplexity for real-time web search.
• Supabase (supabase.com) — your data is stored in a Supabase database hosted in the EU.
• Vercel (vercel.com) — the landing page (nora.fyi) is hosted on Vercel. Vercel Analytics collects aggregate, cookieless page-view data (page URL, referrer, country). No personal data is stored. DPA available at vercel.com/legal/dpa.
• ipinfo.io (ipinfo.io) — your IP address is sent to ipinfo.io to detect your country for phone number formatting on the sign-up form. No other data is sent.
• Apple (CalDAV / CardDAV / IMAP) (apple.com) — if you connect iCloud, your calendar events, contacts, and iCloud mail are accessed via Apple's CalDAV, CardDAV, and IMAP protocols using an app-specific password. The password is stored encrypted and never shared.
• Microsoft (Graph API) (microsoft.com) — if you connect Microsoft, your Outlook inbox, calendar, and To Do data are accessed via Microsoft Graph. Microsoft pushes email and calendar change notifications directly to Nora.
• Google (Calendar API) (google.com) — if you connect Google, your calendar events are accessed via the Google Calendar API. Google pushes calendar change notifications directly to Nora.
• TickTick (Appest Inc) (ticktick.com/privacy) — if you connect TickTick, your task titles and due dates are accessed via the TickTick API on your behalf.
• GitHub (Microsoft) (github.com) — if you connect GitHub, your commit history, pull requests, and repository activity are accessed via the GitHub API on your behalf.
• Telegram (Telegram FZ-LLC) (telegram.org/privacy) — if you use Nora via Telegram, your messages, photos, and voice recordings are delivered through the Telegram Bot API. Telegram processes message delivery; message content is not retained by Telegram beyond delivery.
• Nucleon AS — AI agent runtime. Processes conversation messages to generate responses. Runs on dedicated hardware in Norway. Conversation session data is retained in session files until cleared.

If you connect a third-party service (such as Google Calendar, Todoist, TickTick, or GitHub), only the data you authorise is shared with that service. No other parties have access to your personal data.

International transfers

Anthropic, Google (Gemini and Calendar API), OpenAI, ElevenLabs, Perplexity, Vercel, Microsoft, TickTick (Appest Inc), and GitHub (Microsoft) are US-based companies. Transfers of personal data to them rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-US Data Privacy Framework where applicable.

What you must provide

Your iMessage address is required to use Nora — it is a contractual requirement. Without it, we cannot send you replies. All other data (name, preferences, personal context) is optional. Not providing it simply means Nora has less context to help you, but you can still use the service.

AI training

We do not use your messages, personal context, or any other personal data to train AI models. Your data is sent to third-party AI providers solely to generate responses for you. Each provider’s data handling is governed by their own data processing agreement with us — see the sub-processor list above.

Children’s privacy

Nora is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal data from a child under 13, we will delete it promptly. If you believe a child under 13 is using Nora, please contact privacy@nora.fyi.

How long we keep it

We keep your data for as long as your account is active. Workflow run history is automatically deleted after 90 days. Conversation summaries are capped at 500 entries per user; oldest entries are replaced as new ones are created. Pending actions expire after 30 days. If you delete your account, we remove your data within 24 hours.

Your rights

Under GDPR, you have the right to:

• Access — ask us what we hold about you.
• Delete — text Nora “delete my data” or use the Account page in your dashboard.
• Correct — tell Nora if something is wrong, or update it in Account settings.
• Portability — download a copy of your data from Account settings in your dashboard.
• Restrict — ask us to pause processing while a dispute is resolved.
• Object — object to processing based on legitimate interest, including memory storage, at any time.

To exercise any right, email privacy@nora.fyi or text Nora directly. You can also lodge a complaint with your national data protection authority — in Norway: Datatilsynet.

Do Not Sell or Share

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. There is no need to opt out because we simply do not engage in these practices.

Additional rights for US residents

If you reside in a US state with a comprehensive privacy law (including California, Virginia, Colorado, Connecticut, Texas, and others), you may have additional rights under your state’s law, such as:

• Right to know — what personal information we collect and how we use it.
• Right to delete — request deletion of your personal information.
• Right to correct — request correction of inaccurate information.
• Right to opt out — of the sale or sharing of personal information (we do not sell or share your data).
• Right to non-discrimination — we will not treat you differently for exercising your rights.

To exercise these rights, email privacy@nora.fyi or text Nora directly. We will respond within 45 days as required by applicable law.

Categories of personal information we collect: identifiers (phone number, email), personal records (name, address), internet activity (messages, usage data), geolocation (if you opt in), and inferences (conversation summaries, personal context). We collect these for the purposes described in this policy and do not use them for unrelated purposes without notice.

Contact

Questions? Email privacy@nora.fyi.

Nucleon AS · Rostockgata 82, 0194 Oslo, Norway