Introduction
This Privacy Policy explains how Nora Technologies LLC ("Nora", "we", "us", "our") collects, processes, stores, shares, and protects personal data when you use the Nora AI-powered property management assistant ("Service").
This Policy applies to:
- Agencies — property management companies and their staff who subscribe to Nora
- Tenants — individuals whose personal data is processed through Nora on behalf of an Agency
- Prospects — individuals who interact with Nora regarding property viewings or inquiries
We are committed to protecting personal data and complying with applicable data protection laws, including the GDPR (EU/EEA), UK GDPR, CCPA/CPRA (California), and other applicable US state privacy laws.
Data Controller and Processor Roles
The roles of data controller and data processor differ depending on whose data is being processed:
| Data Subject | Who Controls the Data | Nora's Role |
|---|---|---|
| Agency tenants and prospects | The Agency (data controller) | Nora (data processor) |
| Agency staff and managers | Nora Technologies LLC | Nora (data controller) |
Tenants: If you are a tenant and have questions about how your personal data is used, your first point of contact should be your property management agency. Nora processes your data only on the agency's documented instructions.
Personal Data We Collect
3.1 Agency Account Data
When an agency subscribes to Nora, we collect: agency name, registered address, and business contact details; manager name, WhatsApp and/or Telegram ID, and email address; billing information (processed via our payment provider — Nora does not store full card numbers); and property and unit information entered by the agency.
3.2 Tenant Data (Processed on Behalf of the Agency)
When tenants interact with Nora, the following data is collected and processed:
- First name (used in outbound communications)
- WhatsApp number and/or Telegram ID
- Unit number and property address
- Lease start and end dates, rent amount, and payment status
- Maintenance request descriptions and any photos submitted
- Emergency contact details (if provided during onboarding)
- GDPR/consent records including date, method of consent, and consent outcome
- Inbound message content used to classify and respond to requests
3.3 Prospect Data
When prospects inquire about properties through Nora: name (if provided), WhatsApp and/or Telegram ID, property preferences (bedrooms, budget, move-in date, pets), and viewing appointment details and confirmation status.
3.4 Automated System Logs
The system automatically records: message metadata (timestamps, channel, and a message preview — first 100 characters only); security events (rate limit breaches and injection attempts — phone numbers masked to last 4 digits in all logs); and system health metrics (response times, error rates, and queue depth).
How We Use Personal Data
| Purpose | Legal Basis (GDPR) | Legal Basis (US/CCPA) |
|---|---|---|
| Delivering the Nora service to agencies | Contract (Art. 6(1)(b)) | Contractual necessity |
| Processing tenant communications on agency's behalf | Legitimate interest / Contract | Service provision |
| Sending rent reminders and maintenance updates | Legitimate interest / Consent | Consent / Legitimate interest |
| Emergency escalation and tenant safety responses | Vital interests (Art. 6(1)(d)) | Vital interest |
| Billing and subscription management | Contract (Art. 6(1)(b)) | Contractual necessity |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| Service improvement (aggregated, anonymized data only) | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
We never use tenant data for advertising, profiling for third-party purposes, or any purpose unrelated to providing property management services on the agency's behalf.
AI Model Training: Tenant conversation data and Agency data are never used to train, fine-tune, or improve any AI or machine learning model, including the models underlying the Nora service. Only aggregated, fully anonymized usage metrics may inform service improvements.
Automated Decision-Making: Nora uses automated processing to classify tenant messages and route requests. These automated processes do not produce legal or similarly significant effects on data subjects without human manager review. All significant actions are flagged for review by the Agency's designated manager. Data subjects have the right to request human review of any automated classification that affects them.
Data Retention
| Data Category | Retention Period |
|---|---|
| Financial records (rent, deposits, invoices) | 6 years from end of tenancy |
| General tenancy data (maintenance, communications, onboarding) | 3 years from end of tenancy |
| Prospect / inquiry data | 12 months from last interaction |
| Security and audit logs | 90 days |
| System health metrics | 30 days |
| Agency billing records | 7 years (tax compliance) |
| GDPR consent records | Duration of tenancy + 3 years |
Data is deleted or anonymized at the end of the applicable retention period, unless legal or regulatory obligations require longer retention. Where deletion is prevented by law, Nora will restrict further processing of the data and inform the Agency.
Third-Party Sub-processors
We use the following third-party services to deliver Nora. Each has been selected for its data protection standards, and all are subject to contractual data protection obligations:
| Sub-processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Anthropic PBC | AI language model (via OpenClaw framework) | USA | Anthropic API Terms of Service. Tenant PII is minimized before transmission. No standalone DPA. |
| DigitalOcean LLC | Server hosting and data storage | USA (New York) | SOC 2 Type II certified / DPA available |
| Google LLC | Operational dashboard (Google Sheets) | USA / EU | Google Workspace DPA / SCCs |
| Meta Platforms (WhatsApp) | Tenant messaging channel | USA | Meta Business Terms / SCCs |
| Telegram FZ-LLC | Tenant messaging channel | UAE (incorporated) | Telegram API Terms. EU agencies should note that Telegram's data location is not independently verifiable. |
We do not sell data to any third party. Sub-processors are contractually prohibited from using Agency or tenant data for their own commercial purposes.
Note on Anthropic: Anthropic does not currently offer a standalone GDPR Data Processing Agreement to API users. For EU agencies with strict GDPR requirements regarding this sub-processor, please contact mj@meetnora.app to discuss available mitigations, including data minimization measures applied before any data is transmitted to Anthropic's API.
Security Measures
We implement the following technical and organizational security measures:
- Server hardening: UFW firewall, fail2ban intrusion prevention, SSH key-only authentication, and automatic security updates
- Encryption at rest: DigitalOcean volume encryption enabled on all production storage
- Encryption in transit: TLS on all external communications
- Access control: Gateway authentication tokens, restricted file permissions, and role-based access controls
- Rate limiting: Automated blocking of suspicious message volumes
- Injection protection: All inbound messages treated as untrusted input; injection attempts are logged, blocked, and flagged
- Data minimization: Phone numbers masked to last 4 digits in all logs; full names not used in shared operational contexts
In the event of a personal data breach, Nora will notify affected Agencies without undue delay and, where required by law, within 72 hours of becoming aware of the breach.
Individual Rights
8.1 EU/EEA and UK Tenant Rights (GDPR / UK GDPR)
If you are an EU/EEA or UK tenant, you have the following rights in relation to your personal data:
- Right of Access: Request a copy of your personal data held by your agency
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your data (subject to legal retention obligations)
- Right to Restriction: Request that processing is limited in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time by replying STOP to any Nora message
- Right Not to be Subject to Solely Automated Decisions: Request human review of any automated classification that affects you
To exercise your rights, contact your property management agency in the first instance. The agency will coordinate with Nora as the data processor.
8.2 California Resident Rights (CCPA / CPRA)
California residents have the right to: know what personal information is collected and how it is used; request deletion of personal information (subject to legal exceptions); opt out of the sale or sharing of personal information (Nora does not sell or share data for cross-context behavioral advertising); correct inaccurate personal information; limit use and disclosure of sensitive personal information; and not be discriminated against for exercising these rights.
To submit a CCPA/CPRA request: mj@meetnora.app
8.3 Agency Rights
Agencies may request a full data export at any time by contacting mj@meetnora.app. On termination of subscription, data is available for export for 30 days. After that period, data is deleted in accordance with the retention schedule in Section 5 (Data Retention).
AI Disclosure and Consent Gate
When a new tenant is onboarded through Nora, they receive a consent message that clearly explains:
- That they will be communicating with an AI-powered property management assistant operated on behalf of their agency
- What personal data is collected and how it is used
- How to withdraw consent at any time (reply STOP to any Nora message)
- Contact details for data-related inquiries
No tenant personal data is stored until consent has been given. If consent is declined, only a minimal record (phone number, agency, consent outcome, timestamp) is retained in the consent log for compliance purposes. This record cannot be used to send further communications.
Data Deletion Requests
To request deletion of personal data:
- Tenants: Contact your property management agency, who will submit a deletion request to Nora on your behalf
- Agencies: Email mj@meetnora.app with your agency name and the specific request
- Prospects: Email mj@meetnora.app with the WhatsApp number or Telegram ID used
We will respond to all deletion requests within 30 days. Where legal retention requirements prevent full deletion, we will identify what data must be retained and the legal basis for doing so.
Children's Data
The Nora service is not intended for use with individuals under the age of 18. We do not knowingly collect or process personal data of minors. If you believe a minor's data has been submitted through the Service, please contact mj@meetnora.app immediately and we will take prompt action to delete it.
Changes to This Policy
We will notify Agencies of material changes to this Privacy Policy with at least 14 days' advance notice via email to the Agency's registered address. The updated Policy will also be published at meetnora.app/privacy.
Continued use of the Service after the effective date of any updated Policy constitutes acceptance of the changes.
Contact, DPO Status, and Complaints
Data protection enquiries, requests, or complaints
Nora Technologies LLC
30 N Gould St, STE R, Sheridan, WY 82801, USA
Data Protection Officer: Nora Technologies LLC is not currently required to appoint a Data Protection Officer under Article 37 GDPR based on our current scale and nature of processing. All data protection queries are handled directly by our founder: mj@meetnora.app. This status will be reviewed as the business scales.
EU/EEA and UK Users: If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection supervisory authority. In the UK: ICO at ico.org.uk. In Ireland: Data Protection Commission at dataprotection.ie.
US Users: California residents may contact the California Privacy Protection Agency at cppa.ca.gov. Residents of other US states may contact their state Attorney General's office.
Nora Technologies LLC · meetnora.app/privacy · Last Updated: May 2026