Privacy Policy

Last updated: 12 Jan 2026

1) Controller

Controller (data protection law):

Poensgen Technology UG (haftungsbeschränkt)
Wiclefstr. 45, 10551 Berlin, Germany
Email: christianh.poensgen@gmail.com

2) What This Policy Covers

This Privacy Policy explains how we process personal data when you:

  • visit asknora.io (including blog and legal pages),
  • use the Nora application (the “Service”), and/or
  • connect third-party accounts (e.g., Google Analytics).

3) Categories of Personal Data We Process

Depending on how you use Nora, we process:

  1. Account and profile data: name, email address, user IDs, authentication/session identifiers.
  2. Organization and workspace data: organization name/slug, membership roles, client/workspace configuration (e.g., linked GA4 property ID/name).
  3. Content you submit:
    • chat/thread messages and prompts,
    • uploaded files (and derived data such as extracted text previews),
    • reports, plans, projects, skills, notes, and related metadata.
  4. Integration data (Google Analytics): OAuth tokens (encrypted at rest), connected Google account identifiers, analytics data retrieved through the GA APIs.
  5. Usage and billing data: subscription status, billing metadata, Stripe customer/subscription identifiers, credit ledger entries and usage totals.
  6. Technical data and logs: IP address, timestamps, device/browser information, error logs, and security/audit events.
  7. Website analytics and tracking data: event data, page views, cookie identifiers, and interaction/behavior data.

4) Purposes and Legal Bases (GDPR)

We process personal data for:

  1. Providing the Service (Art. 6(1)(b) GDPR): account access, threads, files, reports/projects, billing status, and support.
  2. Operating integrations you request (Art. 6(1)(b) GDPR and/or Art. 6(1)(a) GDPR): connecting to Google Analytics and retrieving analytics data at your direction.
  3. Security and abuse prevention (Art. 6(1)(f) GDPR): fraud prevention, rate limiting, incident detection, and service integrity.
  4. Billing, accounting, and compliance (Art. 6(1)(c) GDPR): invoicing-related records, tax/accounting retention.
  5. Product improvement (Art. 6(1)(f) GDPR): improving reliability, performance, UX, and understanding feature usage.
  6. Website analytics/marketing (Art. 6(1)(a) GDPR where consent is required).

5) AI Processing and Automated Tools

  1. When you use AI features, your Content may be sent to third-party AI providers to generate Output.
  2. Nora may also use optional tools (when enabled) such as Browser automation and Sandboxed code execution (e.g., Python).
  3. AI usage cost is effort-based and reflected in your Usage / Cost Center view; we store usage summaries and credit debits for transparency.

6) Cookies and Similar Technologies

We may use analytics and behavior tools on asknora.io. Depending on configuration and consent, these tools may set cookies or similar identifiers and process usage data. You can withdraw consent at any time through the mechanisms we provide.

7) Who We Share Data With

We share personal data only as needed:

  1. Subprocessors (see Section 12) that help us provide the Service.
  2. Other users you authorize (e.g., organization members).
  3. Public recipients when you create public report links.
  4. Authorities / professional advisors if required by law or to protect rights and safety.

8) International Data Transfers

Some subprocessors may process data outside the EEA/UK (notably in the United States). Where required, we rely on appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and/or adequacy decisions.

9) Data Retention

We retain personal data only as long as necessary:

  • Account and workspace data: for the duration of your account and a reasonable period thereafter.
  • Content: until you delete it, your account is closed, or it is no longer needed.
  • Google OAuth tokens: until you revoke the connection or delete your account.
  • Billing records: as required by law (e.g., tax retention obligations).
  • Logs/security events: retained for a limited period appropriate for security and troubleshooting.

10) Security

We use technical and organizational measures designed to protect personal data, including access controls and encryption. You are responsible for securing your account and devices.

11) Your Rights

If GDPR applies to you, you may have rights to access, rectification, erasure, restriction, portability, and objection. To exercise these rights, contact us at christianh.poensgen@gmail.com.

12) Subprocessors

The following subprocessors may process personal data when providing Nora:

1. Clerk, Inc.

Purpose: Authentication / identity, session management.

Data: Account identifiers, email, session tokens.

2. Stripe, Inc.

Purpose: Payments / billing portal.

Data: Billing identifiers, transaction metadata.

3. Google LLC

Purpose: Google Analytics (website analytics) and Google OAuth + Analytics APIs.

Data: Website analytics identifiers/events; OAuth tokens; account labeling metadata.

4. OpenAI, L.L.C. / Anthropic, PBC

Purpose: Generate AI Output and/or support AI file handling.

Data: Prompts/messages, relevant context, file snippets.

7. Browser Use Cloud / Modal Labs, Inc.

Purpose: Browser automation and Sandboxed code execution.

Data: Task instructions, visited page content, code sent for execution.
