Privacy Policy
Version 1.0 · Last updated: June 13, 2026
This Privacy Policy explains what information we collect, how we use it, with whom we share it and the rights you have. We attach great importance to it, because trust is at the heart of Nora.
The fundamental principle to remember: the content of your emails is never retained in our database. It is read live, at the moment an action requires it, then forgotten.
Identity of the Operator and person responsible for the protection of personal information
The Operator is William Dorval, operating the Nora application as a sole proprietorship, located in Shawinigan (Quebec), Canada.
Person responsible for the protection of personal information
The person responsible for the protection of personal information within the organization is:
- Name - William Dorval.
- Contact - via the contact form and by email at nora_official@outlook.com.
You can contact this person for any question relating to the processing of your personal information or to exercise your rights.
Information we collect
We collect only the information necessary for the operation of the Service. Concerning emails, we retain only metadata, never the body or the content.
Account
- account email address;
- password (encrypted by our authentication provider; never visible to the Operator);
- display name (optional);
- role, plan and billing status;
- Stripe identifiers (customer, subscription);
- date and version of acceptance of the terms;
- administrative or suspension note, if applicable.
Connected mailboxes
- email address of the connected mailbox;
- provider (for example Outlook);
- OAuth access and refresh tokens, encrypted server-side with AES-256-GCM (never transmitted to the browser; the refresh token never leaves the server);
- scopes granted;
- connection and last-use dates;
- a key per mailbox derived irreversibly from the address and the provider.
Email metadata
For each email processed, we retain only:
- the message identifier;
- the subject;
- the name and address of the sender;
- the date of receipt;
- the assigned folder or section;
- the categories (color labels);
- the importance;
- the status (read, replied);
- the sorting and reply timestamps;
- the reason for sorting.
We NEVER retain the body or the content of the email.
Other information
- Learned rules - a sender or domain match to a folder (no content).
- Credits - your balance and an immutable ledger of debits and credits (action type, amount, reference, metadata).
- AI usage - token counters per call (input, output, type); never the prompt or the response.
- Technical logs - processed Stripe events (for idempotency), administrative audit log, sorting runs, Graph webhook subscriptions, agent state, send anti-duplicate log.
- Consent log - proof of consent (who, when, type, document version, IP address, user agent).
What we do NOT collect
This section is essential:
- The body and content of your emails are never written to our database. They are read LIVE via Microsoft Graph at the moment an action requires it, then forgotten.
- No card number is collected or stored by us: payments are processed only by Stripe on a hosted page.
- No human access to the content of your emails.
When we state that the content is not retained, that is accurate.
Purposes of processing
We use the collected information to:
- create and manage your account and your connected mailboxes;
- provide the features of the Service (sorting, 24/7 agent, Nora assistant, search, drafting);
- process payments, subscriptions and credits;
- improve the relevance of sorting through learned rules;
- ensure security, prevent fraud and abuse;
- comply with our legal and accounting obligations;
- send you transactional communications (confirmation, password reset, important notices).
We process your information only to the extent necessary for these purposes.
Consent and withdrawal
You consent to the processing of your personal information when you create an account, connect a mailbox and use the Service. We keep proof of this consent (consent log).
You can withdraw your consent at any time, for example by disconnecting a mailbox, deleting your account or writing to us via the contact form. The withdrawal of consent may prevent the provision of certain features, or even of the entire Service.
Processing by artificial intelligence
To classify your emails and prepare drafts, the relevant content of an email is transmitted, at the relevant moment, to our AI providers:
- Google (Gemini Live voice AI);
- Anthropic (Claude, for classification and drafting).
This content is transmitted ONLY for the purpose of providing the Service, and we do not retain it afterwards. The commercial AI interfaces we use do not train their models on our customers' data.
For automated decisions related to AI, see the "Automated decisions" section below.
Subprocessors and data location
We use subprocessors to provide the Service. Each one plays a specific role and is located as follows:
- Stripe - hosted payments (Checkout) and billing; we never receive or store your card numbers - United States / international.
- Supabase - database (metadata only) and account authentication - data hosted in the United States.
- Vercel - hosting of the website, the API routes and the 24/7 agent (cron and webhook) - United States.
- Railway - hosting of the voice server (Nora assistant in real time) - United States.
- Microsoft (Graph / Entra ID) - access to the Outlook mailbox (reading, moving and replying live) and connection to the mailbox - international.
- Google - account connection (OAuth) and voice AI (Gemini Live) - United States / international.
- Anthropic (Claude) - AI-assisted classification and drafting - United States.
- Resend - transactional emails (confirmation, password reset) - United States.
Transfers outside Quebec and Canada
Your data may be communicated or processed outside Quebec and Canada, in particular in the United States. In accordance with Law 25, these transfers are governed by privacy impact assessments and by contractual protection clauses with our subprocessors.
Data retention
We retain your information for as long as necessary to provide the Service and to comply with our legal and accounting obligations.
When you delete your account, the associated metadata is erased. Some data may be retained longer where the law requires it (for example, accounting or billing records) or for security (for example, anti-fraud logs), for a reasonable and proportionate period.
Reminder: the body of your emails is never retained, so there is nothing to delete on that side.
Your rights
In accordance with applicable laws, you have in particular the following rights:
- Access - obtain a copy of the personal information we hold about you;
- Rectification - correct inaccurate or incomplete information;
- Withdrawal of consent - withdraw your consent to processing;
- Account deletion - request the erasure of your account and the associated metadata;
- Portability - receive, in a structured and commonly used technological format, the computerized information you have provided to us.
To exercise these rights, write to us via the contact form. We will respond within the time limits provided by law.
Security
We implement reasonable security measures that comply with industry standards, in particular:
- server-side encryption of OAuth tokens with AES-256-GCM (the key is never exposed; the refresh token never leaves the server);
- HTTPS everywhere;
- data access carried out exclusively server-side, by means of a service key; isolation is enforced per account and per mailbox;
- row-level security (RLS) enabled on all tables, in deny-by-default mode;
- payments never expose your card numbers (Stripe hosted);
- two-factor authentication (TOTP) mandatory for administrator access.
No security measure is infallible, but we strive to protect your information appropriately.
Privacy incidents
In the event of a privacy incident presenting a risk of serious harm, we take reasonable measures to limit its consequences and, in accordance with Law 25, we notify the persons concerned and the Commission d'accès à l'information du Québec where the law requires it. We keep a register of privacy incidents.
Automated decisions
The Service uses AI to classify your emails in an assisted manner. This classification is intended to organize your mailbox; it does not produce any legal effect with respect to you.
- Sending an email always requires your human confirmation; no communication is sent in a fully automated manner without your agreement.
- You can correct any classification carried out by the AI, or have it corrected; Nora learns from your corrections.
- Nora never deletes an email.
Minors
The Service is not intended for persons who have not reached the age required to use it (see the "Eligibility" section of the Terms of Use). We do not knowingly collect personal information concerning minors. If you believe that a minor has provided us with information, contact us so that we can take the appropriate measures.
Changes to this policy
We may modify this Privacy Policy to reflect changes to the Service or to our legal obligations. In the event of a significant modification, we will inform you by a reasonable means (for example, by email or by a notice within the Service). The up-to-date version is always accessible on this page.
Complaints
If you have a concern regarding the processing of your personal information, write to us first via the contact form or at nora_official@outlook.com; we will strive to resolve it.
You may also file a complaint with the competent authorities:
- the Commission d'accès à l'information du Québec;
- the Office of the Privacy Commissioner of Canada.
A question about this document? Write to us via the contact form.